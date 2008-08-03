Cloudflare Secrets Store is a secure, centralized location in which account-level secrets are stored and managed. The secrets are securely encrypted and stored across all Cloudflare data centers.

Consider the steps below to learn how to use values from your account secrets store with Cloudflare Workers.

Note This is different from Workers Variables and Secrets, where you define and manage your secrets on a per-Worker level.

Before you begin

If using the Dashboard, make sure you already have a Workers application. Refer to the Workers get started for guidance.

You should also have a store created under the Secrets Store tab on the Dashboard. The default store in your account is automatically created when a user with Super Administrator or Secrets Store Admin role interacts with it.

1. Set up account secrets in Secrets Store

If there are no account secrets yet, follow the steps below. You must have a Super Administrator or a Secrets Store Admin role within your Cloudflare account.

Note You may also add account secrets directly from the Workers settings on the dashboard. You can skip to step 2 to do that.

Wrangler

Dashboard

API Use the Wrangler command secrets-store secret create . To use the following example, replace the store ID and secret name by your actual data. You can find and copy the store ID from the Secrets Store tab ↗ on the dashboard. A secret name cannot contain spaces. Terminal window npx wrangler secrets-store secret create <STORE_ID> --name MY_SECRETS_STORE_SECRET --scopes workers --remote ✓ Enter a secret value: › *** 🔐 Creating secret... (Name: MY_SECRETS_STORE_SECRET, Value: REDACTED, Scopes: workers, Comment: undefined ) ✓ Select an account: › My account ✅ Created secret! (ID: 13bc7498c6374a4e9d13be091c3c65f1 ) Log in to the Cloudflare dashboard ↗ and select your account. Go to Secrets Store and select Create secret. Fill in the required fields, choosing Workers as the Permission scope. Once the secret is saved, the secret value will no longer be available for viewing. (Optional) Select Add additional secret to create more than one secret at a time. Select Save to confirm. You can find and copy the store ID from the Secrets Store tab ↗ on the dashboard. Also, make sure your secret name does not contain spaces. Refer to Secrets Store API for the full API documentation. Terminal window curl https://api.cloudflare.com/client/v4/accounts/ $ACCOUNT_ID /secrets_store/stores/ $STORE_ID /secrets \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN " \ --header "Content-Type: application/json" \ --data '[ { "name":"<MY_SECRET_NAME>", "value":"<SECRET_VALUE>", "scopes":["workers"], "comment":"" }, { "name":"<MY_SECRET_NAME_2>", "value":"<SECRET_VALUE>", "scopes":["workers"], "comment":"" } ]'

Refer to manage account secrets for further options.

2. Bind an account secret to your Worker

Bindings allow your Worker to interact with resources on your Cloudflare account.

To bind an account secret to your Worker, you must have one of the following roles within your Cloudflare account:

Super Administrator

Secrets Store Admin

Secrets Store Deployer

Via Wrangler

Add a Secrets Store binding to your Wrangler configuration file: binding : a descriptive name for your binding. This will be used in the Workers application when accessing your secret on the env object.

: a descriptive name for your binding. This will be used in the Workers application when accessing your secret on the object. store_id : the corresponding Secrets Store ID where your account secret was created.

: the corresponding Secrets Store ID where your account secret was created. secret_name : the unique secret name, defined when your account secret was created.

wrangler.jsonc

wrangler.jsonc wrangler.toml { " main " : "./src/index.js" , " secrets_store_secrets " : [ { " binding " : "MY_SECRETS_STORE_SECRET" , " store_id " : "<STORE_ID>" , " secret_name " : "<MY_SECRET_NAME>" } ] } main = "./src/index.js" secrets_store_secrets = [ { binding = "MY_SECRETS_STORE_SECRET" , store_id = '<STORE_ID>' , secret_name = "<MY_SECRET_NAME>" } ]

Via Dashboard

Log in to the Cloudflare dashboard ↗ and select your account. Go to Workers & Pages and select a Workers application. Go to Settings > Bindings and select Add. On the Add a resource binding side panel, choose Secrets Store. Fill in the required fields: Variable name : a name for the binding. This will be used for your Worker to access the secret (step 3 below).

: a name for the binding. This will be used for your Worker to access the secret (step 3 below). Secret name : select from the list of available account secrets created in step 1.

: select from the list of available account secrets created in step 1. (Optional - Admins only) If the secret you need does not exist yet, select Create secret. This will add an account level secret in the same way as if you had created it on the Secrets Store. Select Deploy to deploy your binding. When deploying, there are two options: Deploy: Immediately deploy the binding to 100% of your audience.

Immediately deploy the binding to 100% of your audience. Save version: Save a version of the binding which you can deploy in the future.

3. Access the secret on the env object

Bindings are located on the env object, which can be accessed in several ways. Two examples are presented below. For further options, refer to the Workers documentation.

Import env from cloudflare:workers

import { env } from "cloudflare:workers" ; import ApiClient from "example-api-client" ; // MY_SECRETS_STORE_SECRET is now usable in top-level scope let apiClient = ApiClient . new ( { apiKey : env . MY_SECRETS_STORE_SECRET } ) ; export default { fetch ( req ) { // you can use apiClient configured before any request is handled }, };

Pass env as an argument to fetch