Skip to main content
Version: 0.9.14

Platform TLS materials

Path: /admin-settingsPlatform Settings tab → Platform Secrets section

Platform Secrets store operator-managed credentials and TLS materials. Metadata lives in Postgres; secret values live in AWS Secrets Manager. The secrets grid is embedded at the bottom of the Platform settings tab.

LLM keys (openaiDefaultKey, azureDefaultKey) copied to new teams on creation are configured here with purpose LLM API key / Azure API key. Operators must Set Secret before autopopulate can copy values — see Team default secrets.

List columns

ColumnDescription
KeyUnique identifier (monospace, lowercase).
PurposeCA_CERT / CLIENT_CERT / CLIENT_KEY.
DescriptionOptional notes.
UpdatedLast modification.
ActionsEdit, Set Secret, Delete.

Fields

FieldRequiredDescription
KeyYesLowercase + digits + underscores. Immutable.
PurposeYesCA_CERT / CLIENT_CERT / CLIENT_KEY. Immutable.
DescriptionNoNotes.

Set Secret

The PEM content is managed via the Set Secret action:

FieldRequiredDescription
Secret ValueYesPEM-encoded cert or key.
Confirm ValueYesMust match.

PEM content is stored in AWS Secrets Manager and never displayed in the UI after saving.

Workflows

Add a CA certificate

  1. Click Create.
  2. Key: e.g. twilio_ca_cert.
  3. Purpose: CA_CERT.
  4. Description: e.g. "Twilio carrier CA".
  5. Save.
  6. Set Secret → paste PEM → confirm.

Add a client certificate + key for mTLS

  1. Create one material with Purpose CLIENT_CERT; set its PEM.
  2. Create another with Purpose CLIENT_KEY; set its PEM.
  3. In SIP Trunks, reference the CA in TLS CA Certificate, enable Require Client Certificate, and configure Peer Name Verification as needed.

See also