# Secrets

## Allowed in igskill

- Commercial provider API keys such as `HIKERAPI_KEY`, `APIFY_TOKEN`, and `BRIGHTDATA_API_KEY`.
- Service-owned Stripe secrets: `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, and price/session configuration.
- Hashed owner/admin `igsk_` key values.
- Optional signup invite code.
- Service token for a bounded Achronon AI endpoint.

## Not Allowed in igskill

- Personal Instagram login cookies.
- Customer Instagram credentials.
- Raw model-provider keys such as OpenAI, Anthropic, Google, or similar provider keys.
- SSH, kubectl, or local Claude/Codex shell paths for AI parsing.

## Customer API Keys

Customer keys are `igsk_` bearer tokens and are shown only once, at creation. Store only their SHA-256 hashes.

`OWNER_ADMIN_KEY_SHA256` is optional. When set, the matching raw `igsk_` key authenticates as an owner/admin key and bypasses customer billing. Keep the raw owner key outside the repo and store only its hash in deployment config.
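The scheme above, as an added example that is not igskill's own code: the raw key is returned once, only its SHA-256 hash is persisted, and the owner hash (as it would be read from `OWNER_ADMIN_KEY_SHA256`) is compared in constant time. The function names, the in-memory `store`, the random suffix format, and hex encoding of the hash are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_PREFIX = "igsk_"  # prefix from the page; the suffix format below is an assumption


def hash_key(raw_key: str) -> str:
    """SHA-256 of the raw key, hex-encoded (hex encoding is an assumption)."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(store: dict, customer_id: str) -> str:
    """Create a key, persist only its hash, and return the raw key once."""
    # A fast unsalted hash is adequate here only because the key is
    # high-entropy random data, unlike a user-chosen password.
    raw_key = KEY_PREFIX + secrets.token_urlsafe(32)
    store[hash_key(raw_key)] = customer_id
    return raw_key


def authenticate(authorization: str, store: dict,
                 owner_hash: str = "") -> Optional[dict]:
    """Resolve an Authorization header to a principal, or None if rejected."""
    scheme, _, raw_key = authorization.partition(" ")
    if scheme.lower() != "bearer" or not raw_key.startswith(KEY_PREFIX):
        return None
    digest = hash_key(raw_key)
    # Owner check: optional, and compared in constant time on the digests.
    expected = owner_hash.strip().lower()
    if expected and hmac.compare_digest(digest.encode(), expected.encode()):
        return {"role": "owner", "billable": False}
    customer_id = store.get(digest)
    if customer_id is None:
        return None
    return {"role": "customer", "customer_id": customer_id, "billable": True}
```
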

`IGSKILL_SIGNUP_INVITE_CODE` is optional. When set, signup requires the matching invite code. Treat it as a deployment secret, not a durable auth credential.

Stripe top-ups require `STRIPE_SECRET_KEY`, `STRIPE_TOPUP_PRICE_ID`, `STRIPE_SUCCESS_URL`, `STRIPE_CANCEL_URL`, and `STRIPE_WEBHOOK_SECRET`. Ops metrics expose whether Stripe is configured, but not secret values.

Hosted AI uses `ACHRONON_AI_ENDPOINT` and `ACHRONON_AI_SERVICE_TOKEN`. For the ClaudeVPS shape used by xskill, set `ACHRONON_AI_ENDPOINT` to the sandbox base URL and keep task paths in non-secret config:

```sh
ACHRONON_AI_ENDPOINT=https://api.claudevps.com/sandboxes/<sandbox-id>
ACHRONON_AI_TRANSCRIBE_PATH=/claudex/transcribe
ACHRONON_AI_TRANSCRIBE_MODEL=auto
ACHRONON_AI_TRANSCRIBE_MAX_DURATION_SEC=180
```

Do not configure OpenAI, Anthropic, Google, Claude, or Codex provider credentials directly in igskill. ClaudeVPS owns relay Codex auth and media processing.

`IGSKILL_STATE_FILE` may contain customer account metadata, key hashes, ledger history, and cache indexes. Treat it as sensitive operational state even though raw API keys are not stored in it.

## Logging

Logs must not include:

- Provider tokens.
- Customer `igsk_` keys.
- Raw AI service tokens.
- Stripe secrets and invite codes.
- Full raw provider responses unless deliberately enabled in a local redacted fixture workflow.

Provider errors returned to API callers must be sanitized.
