Skip to content
Latchkey

wrangler secret put: Usage & Common CI Errors

Store an encrypted secret your Cloudflare Worker can read at runtime.

wrangler secret put adds or updates an encrypted environment secret for a Worker. In CI you pipe the value in from stdin so it never appears in logs or the interactive prompt.

What it does

wrangler secret put <NAME> creates or updates a secret binding on the deployed Worker; the value is encrypted and exposed to the Worker as env.<NAME> at runtime. Interactively it prompts for the value; non-interactively it reads the value from stdin.

Common usage

Terminal
# Interactive (prompts for the value)
wrangler secret put API_KEY

# CI: pipe the value from stdin (no prompt)
echo "$API_KEY" | wrangler secret put API_KEY

# Target a named environment
echo "$API_KEY" | wrangler secret put API_KEY --env production

Common error in CI: prompt blocks / not authenticated

In CI a bare wrangler secret put NAME hangs waiting for the interactive value prompt, or fails with "You are not authenticated". Fix: pipe the value via stdin (echo "$VALUE" | wrangler secret put NAME) so no prompt is needed, and set CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID for auth. Pull the secret value from your CI secret store, not a literal - and target the right --env so prod and staging secrets do not collide.

Key options

OptionPurpose
<NAME>Secret name (becomes env.<NAME>)
--env NAMETarget a named environment
(stdin)Provide the value non-interactively
secret list / deleteList or remove secrets

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →