Environment variables & secrets
Configuration and secrets — API keys, feature flags, third-party credentials — are set on the app, encrypted where needed, and injected into env at deploy. Your route code just reads them off the env object.
Setting values
Manage values with the MCP tools (your assistant calls these for you):
set_app_env — set a variable. Pass secret: true for sensitive values: they're AES-GCM encrypted at rest and never shown again.
list_app_env — list configured values. Secret values are masked.
delete_app_env — remove a value.
Use secret: true for anything sensitive (API keys, tokens, webhook signing secrets). Plain variables stay readable in the dashboard; secrets can be replaced but never read back.
Reading them in your code
Set values appear directly on env in your route handlers:
// api/search.js
export default {
  async fetch(request, env, ctx) {
    // The key is read from env at request time; it never appears in source.
    const res = await fetch("https://api.example.com/search", {
      headers: { Authorization: "Bearer " + env.SEARCH_API_KEY },
    });
    return new Response(await res.text());
  },
};
Built-in variables
Two are always present, no setup required:
env.APP_ID — your app's unique identifier.
env.ENVIRONMENT — "production" on a main deploy, or the preview / branch name otherwise. Branch on this to change behavior between preview and production.
Convention-named keys
Some platform features look for specific variable names. Set these with set_app_env (as secrets) to enable them:
OPENAI_API_KEY / ANTHROPIC_API_KEY — use your own AI account instead of managed credits (AI).
STRIPE_SECRET_KEY / STRIPE_WEBHOOK_SECRET — enable payments.
*_TEST variants (e.g. STRIPE_SECRET_KEY_TEST) are used automatically on non-production deploys when present — so previews can hit test credentials.
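The helper below is an added example, not the platform's own code: it applies the *_TEST naming convention and the env.ENVIRONMENT check to a variable of your own (SEARCH_API_KEY, as in api/search.js). The names resolveSecret, allowProdFallback and searchRoute are hypothetical, and refusing to fall back to the production key on a preview deploy is an assumption of this example, stricter than the "when present" behavior described above.

```javascript
// Added example (not platform code). SEARCH_API_KEY_TEST is an assumed
// variable you would set yourself with set_app_env (secret: true).

// Pick NAME on production, NAME_TEST on any other deploy.
// Fails closed: a preview without a test key throws instead of silently
// using the production credential, unless allowProdFallback is set.
function resolveSecret(env, name, { allowProdFallback = false } = {}) {
  const isProd = env.ENVIRONMENT === "production";
  const testName = `${name}_TEST`;
  let chosen = name;
  if (!isProd) {
    if (env[testName]) {
      chosen = testName;
    } else if (!allowProdFallback) {
      // The message names the variable and the deploy, never a value.
      throw new Error(`${testName} is not set for deploy "${env.ENVIRONMENT}"`);
    }
  }
  const value = env[chosen];
  if (typeof value !== "string" || value === "") {
    throw new Error(`${chosen} is not set`);
  }
  return { name: chosen, value };
}

// Route handler in the same shape as api/search.js.
const searchRoute = {
  async fetch(request, env, ctx) {
    let key;
    try {
      key = resolveSecret(env, "SEARCH_API_KEY");
    } catch (err) {
      // Detail goes to the server log; the client gets a generic error.
      console.error(err.message);
      return new Response("Service misconfigured", { status: 500 });
    }
    const res = await fetch("https://api.example.com/search", {
      headers: { Authorization: "Bearer " + key.value },
    });
    return new Response(await res.text(), { status: res.status });
  },
};
// In a route file: export default searchRoute;
```

Because variables are injected at deploy, a newly set SEARCH_API_KEY_TEST only reaches this handler after the next deploy_app.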
When values apply
Variables are injected at deploy. After changing one, redeploy (deploy_app) for it to take effect. Secrets are encrypted in storage and only decrypted into the running Worker's env.