wrangler secret put: Usage & Common CI Errors
Store an encrypted secret your Cloudflare Worker can read at runtime.
wrangler secret put adds or updates an encrypted environment secret for a Worker. In CI you pipe the value in from stdin so it never appears in logs or the interactive prompt.
What it does
wrangler secret put <NAME> creates or updates a secret binding on the deployed Worker; the value is encrypted and exposed to the Worker as env.<NAME> at runtime. Interactively it prompts for the value; non-interactively it reads the value from stdin.
Common usage
# Interactive (prompts for the value)
wrangler secret put API_KEY
# CI: pipe the value from stdin (no prompt)
echo "$API_KEY" | wrangler secret put API_KEY
# Target a named environment
echo "$API_KEY" | wrangler secret put API_KEY --env productionCommon error in CI: prompt blocks / not authenticated
In CI a bare wrangler secret put NAME hangs waiting for the interactive value prompt, or fails with "You are not authenticated". Fix: pipe the value via stdin (echo "$VALUE" | wrangler secret put NAME) so no prompt is needed, and set CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID for auth. Pull the secret value from your CI secret store, not a literal - and target the right --env so prod and staging secrets do not collide.
Key options
| Option | Purpose |
|---|---|
| <NAME> | Secret name (becomes env.<NAME>) |
| --env NAME | Target a named environment |
| (stdin) | Provide the value non-interactively |
| secret list / delete | List or remove secrets |