Skip to content
Latchkey

wrangler secret put Command Reference

Set an encrypted secret on a Cloudflare Worker.

wrangler secret put stores an encrypted secret that a Worker reads from its environment at runtime. In CI you pipe the value via stdin so it is never interactive or logged.

What it does

wrangler secret put encrypts and stores a named secret bound to a Worker. The Worker accesses it as an env binding at runtime. The value is write-only; it cannot be read back after it is set.

Common flags and usage

  • KEY: the secret name to set (required)
  • --env NAME: target a named environment
  • --name NAME: override the Worker name
  • pipe the value via stdin to run non-interactively
  • same CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID auth

Example

shell
- name: Set Worker secret
  env:
    CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
  run: |
    echo "${{ secrets.API_KEY }}" | \
      npx wrangler secret put API_KEY --env production

In CI

Pipe the secret value into wrangler secret put via stdin (echo ... | wrangler secret put) so the command runs without a prompt and the value never appears in process arguments. Source the value from your CI secret store and set it before or after deploy as your rollout requires.

Key takeaways

  • wrangler secret put stores a write-only encrypted secret for a Worker.
  • Pipe the value via stdin so the command is non-interactive and unlogged.
  • Authenticate with the same CLOUDFLARE_API_TOKEN and account id as deploy.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →