Platform TLS materials
Path: /admin-settings → Platform Settings tab → Platform Secrets section
Platform Secrets store operator-managed credentials and TLS materials. Metadata lives in Postgres; secret values live in AWS Secrets Manager. The secrets grid is embedded at the bottom of the Platform settings tab.
LLM keys (openaiDefaultKey, azureDefaultKey) copied to new teams on creation are configured here with purpose LLM API key / Azure API key. Operators must Set Secret before autopopulate can copy values — see Team default secrets.
List columns
| Column | Description |
|---|---|
| Key | Unique identifier (monospace, lowercase). |
| Purpose | CA_CERT / CLIENT_CERT / CLIENT_KEY. |
| Description | Optional notes. |
| Updated | Last modification. |
| Actions | Edit, Set Secret, Delete. |
Fields
| Field | Required | Description |
|---|---|---|
| Key | Yes | Lowercase + digits + underscores. Immutable. |
| Purpose | Yes | CA_CERT / CLIENT_CERT / CLIENT_KEY. Immutable. |
| Description | No | Notes. |
Set Secret
The PEM content is managed via the Set Secret action:
| Field | Required | Description |
|---|---|---|
| Secret Value | Yes | PEM-encoded cert or key. |
| Confirm Value | Yes | Must match. |
PEM content is stored in AWS Secrets Manager and never displayed in the UI after saving.
Workflows
Add a CA certificate
- Click Create.
- Key: e.g.
twilio_ca_cert. - Purpose:
CA_CERT. - Description: e.g. "Twilio carrier CA".
- Save.
- Set Secret → paste PEM → confirm.
Add a client certificate + key for mTLS
- Create one material with Purpose
CLIENT_CERT; set its PEM. - Create another with Purpose
CLIENT_KEY; set its PEM. - In SIP Trunks, reference the CA in TLS CA Certificate, enable Require Client Certificate, and configure Peer Name Verification as needed.
See also
- Team default secrets — LLM platform secrets copied to teams on create.
- SIP trunks.
- Internal encryption rollout.
- Team overview — team-side Secrets Manager configuration.