Automatisch stores workflow state and connection credentials in PostgreSQL, queues job execution through Redis, and keeps third-party integration credentials encrypted at rest. The priorities are protecting ENCRYPTION_KEY (whoever holds it plus a database dump holds every stored integration credential), isolating the datastores and execution components, and reducing the blast radius of privileged connector tokens.
¶ 1) Secure ENCRYPTION_KEY, WEBHOOK_SECRET_KEY, and APP_SECRET_KEY
Automatisch uses three critical secret keys:
- ENCRYPTION_KEY: encrypts credentials for third-party services using AES (Advanced Encryption Standard) before they are written to PostgreSQL
- WEBHOOK_SECRET_KEY: verifies webhook requests
- APP_SECRET_KEY: user authentication and session management
Required controls:
- generate long random keys for all three variables from a cryptographic source (for example openssl rand -base64 36, which yields 36 random bytes as a 48-character string); never reuse the sample values from example configuration files
- store keys in a secret manager or in an environment file readable only by the service account, not in plaintext repository files or container image layers
- back up all three keys together with database backups; a restored database cannot decrypt its stored credentials without the exact ENCRYPTION_KEY that encrypted them
- never change ENCRYPTION_KEY or WEBHOOK_SECRET_KEY after setup: existing connections and flows will break, because stored credentials can no longer be decrypted and existing webhook requests no longer verify
¶ 2) Keep PostgreSQL and Redis private
Automatisch depends on PostgreSQL and Redis. Neither needs to be reachable from anywhere except the Automatisch web and worker processes, and exposing either publicly turns a leaked password into a full compromise of workflow data and encrypted credentials.
Network policy:
- bind PostgreSQL and Redis to private interfaces only (PostgreSQL listen_addresses, Redis bind); in container deployments do not publish their ports on the host at all, attach them to an internal network shared with Automatisch
- enforce host firewall rules so only the Automatisch services can connect to the database and Redis ports
- require authentication for Redis in any non-local deployment (Redis accepts unauthenticated connections by default); set a strong requirepass or ACL user and restrict PostgreSQL client access to the Automatisch host and role in pg_hba.conf
¶ 3) Restrict connector credentials and token scope
Automatisch workflows execute external actions with API credentials that are stored encrypted under ENCRYPTION_KEY. Because a single key-plus-database compromise exposes all of them at once, each credential should be limited in what it can do.
Credential controls:
- create dedicated API clients per integration/workspace, not shared global tokens, so one revocation does not take down unrelated flows and one leak does not expose every workspace
- use least-privilege scopes on OAuth/API tokens: grant only the actions the flow performs (for example read-only where the flow only triggers on events)
- rotate and revoke tokens immediately after an incident or admin turnover, and prefer tokens that can be revoked at the provider without touching the Automatisch database
¶ 4) Harden webhook ingress
Automatisch commonly receives webhooks and trigger payloads from the public internet, which makes the webhook endpoint the most exposed part of the deployment.
Ingress controls:
- place webhook endpoints behind a reverse proxy with TLS, and do not expose the application port directly
- enforce payload size limits at the proxy level to reduce abuse and resource-exhaustion risk
- validate the webhook signature or shared secret where the provider supports it, computing it over the raw request body and comparing in constant time; treat unsigned providers' webhooks as untrusted input
¶ 5) Patch and dependency update discipline
Automatisch and its ecosystem of dependencies (Node.js, the bundled connectors, PostgreSQL and Redis images) evolve frequently, and security fixes ship as ordinary releases.
Operations baseline:
- monitor upstream releases and security advisories in automatisch/automatisch
- pin image versions in production to a specific release tag or image digest instead of floating tags such as latest, so an upgrade is a deliberate, reviewed change
- stage upgrades and run regression flows (including webhook triggers and a credential-backed action) before promoting to production, and keep a database backup from before the upgrade so a failed migration can be rolled back
- Automatisch documentation: https://automatisch.io/docs
- Automatisch source repository: https://github.com/automatisch/automatisch