Secrets
Background
Secrets are a type of binding that allow you to attach encrypted text values to your Worker. You cannot see secrets after you set them and can only access secrets via Wrangler or programmatically via the env
parameter. Secrets are used for storing sensitive information like API keys and auth tokens. Secrets are available on the env
parameter passed to your Worker’s fetch
event handler.
Local Development with Secrets
When developing your Worker or Pages Function, create a .dev.vars
file in the root of your project to define secrets that will be used when running wrangler dev
or wrangler pages dev
, as opposed to using environment variables in wrangler.toml
. This works both in local and remote development modes.
The .dev.vars
file should be formatted like a dotenv
file, such as KEY="VALUE"
:
You can set secrets per environment by creating additional files with the naming convention .dev.vars.<environment-name>
. Like other environment variables, secrets are non-inheritable and must be defined per environment.
Secrets on deployed Workers
Adding secrets to your project
Via Wrangler
Secrets can be added through wrangler secret put
or wrangler versions secret put
commands.
wrangler secret put
creates a new version of the Worker and deploys it immediately.
If using gradual deployments, instead use the wrangler versions secret put
command. This will only create a new version of the Worker, that can then be deploying using wrangler versions deploy
.
Via the dashboard
To add a secret via the dashboard:
- Log in to Cloudflare dashboard ↗ and select your account.
- Select Workers & Pages.
- In Overview, select your Worker > Settings.
- Under Variables and Secrets, select Add.
- Select the type Secret, input a Variable name, and input its Value. This secret will be made available to your Worker but the value will be hidden in Wrangler and the dashboard.
- (Optional) To add more secrets, select Add variable.
- Select Deploy to implement your changes.
Delete secrets from your project
Via Wrangler
Secrets can be deleted through wrangler secret delete
or wrangler versions secret delete
commands.
wrangler secret delete
creates a new version of the Worker and deploys it immediately.
If using gradual deployments, instead use the wrangler versions secret delete
command. This will only create a new version of the Worker, that can then be deploying using wrangler versions deploy
.
Via the dashboard
To delete a secret from your Worker project via the dashboard:
- Log in to Cloudflare dashboard ↗ and select your account.
- Select Workers & Pages.
- In Overview, select your Worker > Settings.
- Under Variables and Secrets, select Edit.
- In the Edit drawer, select X next to the secret you want to delete.
- Select Deploy to implement your changes.
- (Optional) Instead of using the edit drawer, you can click the delete icon next to the secret.
Compare secrets and environment variables
Secrets are environment variables. The difference is secret values are not visible within Wrangler or Cloudflare dashboard after you define them. This means that sensitive data, including passwords or API tokens, should always be encrypted to prevent data leaks. To your Worker, there is no difference between an environment variable and a secret. The secret’s value is passed through as defined.
Related resources
- Wrangler secret commands - Review the Wrangler commands to create, delete and list secrets.