wrangler secret put Command Reference
Set an encrypted secret on a Cloudflare Worker.
wrangler secret put stores an encrypted secret that a Worker reads from its environment at runtime. In CI you pipe the value via stdin so it is never interactive or logged.
What it does
wrangler secret put encrypts and stores a named secret bound to a Worker. The Worker accesses it as an env binding at runtime. The value is write-only; it cannot be read back after it is set.
Common flags and usage
- KEY: the secret name to set (required)
- --env NAME: target a named environment
- --name NAME: override the Worker name
- pipe the value via stdin to run non-interactively
- same CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID auth
Example
- name: Set Worker secret
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
run: |
echo "${{ secrets.API_KEY }}" | \
npx wrangler secret put API_KEY --env productionIn CI
Pipe the secret value into wrangler secret put via stdin (echo ... | wrangler secret put) so the command runs without a prompt and the value never appears in process arguments. Source the value from your CI secret store and set it before or after deploy as your rollout requires.
Key takeaways
- wrangler secret put stores a write-only encrypted secret for a Worker.
- Pipe the value via stdin so the command is non-interactive and unlogged.
- Authenticate with the same CLOUDFLARE_API_TOKEN and account id as deploy.