Skip to content

Secrets

Background

Secrets are a type of binding that allow you to attach encrypted text values to your Worker. You cannot see secrets after you set them and can only access secrets via Wrangler or programmatically via the env parameter. Secrets are used for storing sensitive information like API keys and auth tokens. Secrets are available on the env parameter passed to your Worker’s fetch event handler.

Local Development with Secrets

When developing your Worker or Pages Function, create a .dev.vars file in the root of your project to define secrets that will be used when running wrangler dev or wrangler pages dev, as opposed to using environment variables in wrangler.toml. This works both in local and remote development modes.

The .dev.vars file should be formatted like a dotenv file, such as KEY="VALUE":

.dev.vars
SECRET_KEY="value"
API_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"

You can set secrets per environment by creating additional files with the naming convention .dev.vars.<environment-name>. Like other environment variables, secrets are non-inheritable and must be defined per environment.

Secrets on deployed Workers

Adding secrets to your project

Via Wrangler

Secrets can be added through wrangler secret put or wrangler versions secret put commands.

wrangler secret put creates a new version of the Worker and deploys it immediately.

Terminal window
npx wrangler secret put <KEY>

If using gradual deployments, instead use the wrangler versions secret put command. This will only create a new version of the Worker, that can then be deploying using wrangler versions deploy.

Terminal window
npx wrangler versions secret put <KEY>

Via the dashboard

To add a secret via the dashboard:

  1. Log in to Cloudflare dashboard and select your account.
  2. Select Workers & Pages.
  3. In Overview, select your Worker > Settings.
  4. Under Environment Variables, select Add variable.
  5. Input a Variable name and its value, which will be made available to your Worker.
  6. Select Encrypt to protect the secret’s value. This will prevent the value from being visible via Wrangler and the dashboard.
  7. (Optional) To add multiple secrets, select Add variable.
  8. Save or Save and Deploy your changes.

Delete secrets from your project

Via Wrangler

Secrets can be deleted through wrangler secret delete or wrangler versions secret delete commands.

wrangler secret delete creates a new version of the Worker and deploys it immediately.

Terminal window
npx wrangler secret delete <KEY>

If using gradual deployments, instead use the wrangler versions secret delete command. This will only create a new version of the Worker, that can then be deploying using wrangler versions deploy.

Terminal window
npx wrangler versions secret delete <KEY>

Via the dashboard

To delete a secret from your Worker project via the dashboard:

  1. Log in to Cloudflare dashboard and select your account.
  2. Select Workers & Pages.
  3. In Overview, select your Worker > Settings.
  4. Under Environment Variables, select Edit variables.
  5. Select X next to the secret you want to delete.
  6. Save or Save and Deploy your changes.

Compare secrets and environment variables

Secrets are environment variables. The difference is secret values are not visible within Wrangler or Cloudflare dashboard after you define them. This means that sensitive data, including passwords or API tokens, should always be encrypted to prevent data leaks. To your Worker, there is no difference between an environment variable and a secret. The secret’s value is passed through as defined.