--- title: Cloudflare Secrets Store description: Use Secrets Store to encrypt and store sensitive information as secrets that are securely reusable across your Cloudflare account. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/secrets-store/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Cloudflare Secrets Store Encrypt and store sensitive information as secrets that are securely reusable across your account. Available in open beta Cloudflare Secrets Store is a secure, centralized location in which account-level secrets are stored and managed. The secrets are securely encrypted and stored across all [Cloudflare data centers ↗](https://www.cloudflare.com/network/). Secrets Store is currently compatible with [Cloudflare Workers](https://developers.cloudflare.com/secrets-store/integrations/workers/) and [AI Gateway](https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/). Integrations with other products will be added in the future. China availability Secrets Store is unavailable in the [Cloudflare China Network](https://developers.cloudflare.com/china-network/), operated by Cloudflare's partner JD Cloud. ```json {"@context":"https://schema.org","@type":"WebPage","@id":"https://developers.cloudflare.com/secrets-store/#page","headline":"Overview · Cloudflare Secrets Store docs","description":"Use Secrets Store to encrypt and store sensitive information as secrets that are securely reusable across your Cloudflare account.","url":"https://developers.cloudflare.com/secrets-store/","inLanguage":"en","image":"https://developers.cloudflare.com/core-services-preview.png","dateModified":"2026-04-16","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/secrets-store/","name":"Secrets Store"}}]} ``` --- --- title: Secrets Store access control description: Learn about role-based access control with Cloudflare Secrets Store image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/secrets-store/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Secrets Store access control Secrets Store allows security administrators to have more control by implementing role-based access. For details about roles at Cloudflare, refer to [Fundamentals](https://developers.cloudflare.com/fundamentals/manage-members/). Availability While all Cloudflare accounts will have access to the Secrets Store section on the dashboard, only users with the necessary permissions will be able to interact with it, as described below. Access to a secret is controlled by two independent checks that must both pass: 1. **Authorization** — the caller must have permission to perform the action. The permission comes from either a [user role](#relevant-roles) (when the dashboard authenticates the request) or an [API token permission](#api-token-permissions) (when the request is made with an API token). A given request is evaluated against one or the other, not both. 2. **Secret scope** — the [scope list](#secret-scopes) on the secret must include the consuming service. For example, deploying a Worker that binds a secret requires a role or API token that can bind secrets, and a secret whose scope includes `workers`. ## Relevant roles Refer to the list below for default role definitions. #### Super Administrator * Can create, edit, duplicate, delete, and view secrets metadata. * Can [add a Secrets Store binding to a Worker](https://developers.cloudflare.com/secrets-store/integrations/workers/). * Can [create an association between a secret and an AI gateway](https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/). #### Secrets Store Admin * Can create, edit, duplicate, delete, and view secrets metadata. #### Secrets Store Deployer * Can view secrets metadata but cannot create, edit, duplicate, nor delete secrets. * Can [add a Secrets Store binding to a Worker](https://developers.cloudflare.com/secrets-store/integrations/workers/). * Can [create an association between a secret and an AI gateway](https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/). #### Secrets Store Reporter * Can view secrets metadata. * Cannot perform any actions (create, edit, duplicate, delete secrets), nor use Secrets Store integrations with other Cloudflare products. ## API token permissions [API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) have two Secrets Store permission levels: **Read** and **Edit**. The permission you need depends on what the token is doing, not on whether you intend to modify the secret itself. * **Account Secrets Store Read**: Allows the caller to view metadata for secrets (for example, listing secrets or fetching the name, ID, scopes, and comments of a secret). This permission does not grant access to the value of a secret, and does not allow binding a secret to another resource. * **Account Secrets Store Edit**: Allows the caller to create, edit, duplicate, or delete secrets. **Edit is also required to bind a secret to another Cloudflare resource**, such as adding a Secrets Store binding to a Worker or associating a secret with an AI Gateway. Attaching a secret to a resource is treated as a write against the secret. Deploying Workers from CI/CD If you use Wrangler in a CI/CD pipeline (for example, [wrangler-action ↗](https://github.com/cloudflare/wrangler-action) in GitHub Actions) to deploy a Worker that has a [Secrets Store binding](https://developers.cloudflare.com/secrets-store/integrations/workers/), the API token used by the pipeline must have **Account Secrets Store Edit** permission. A token with only **Read** will fail at deploy time with an authorization error such as `failed to fetch secrets store binding due to authorization error - check deploy permissions and secret scopes`. ## Secret scopes Each secret has a list of **scopes** that determine which Cloudflare services are allowed to consume it. Scopes are set when a secret is created, and can be updated later by editing the secret. The currently supported scopes are: * `workers` — allows the secret to be [bound to a Worker](https://developers.cloudflare.com/secrets-store/integrations/workers/). * `ai-gateway` — allows the secret to be [associated with an AI Gateway](https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/). A request to bind or associate a secret with a service will be rejected if that service is not in the scope list, even if the caller has the correct role or API token permission. Deploying a Worker with a Secrets Store binding therefore requires both: * A user role or API token that can bind secrets (Super Administrator or Secrets Store Deployer role, or **Account Secrets Store Edit** API token permission). * A scope list on the secret that includes `workers`. You can set scopes when [creating a secret](https://developers.cloudflare.com/secrets-store/manage-secrets/) using the dashboard, the API (`scopes` field), or Wrangler (`--scopes` flag). ```json {"@context":"https://schema.org","@type":"TechArticle","@id":"https://developers.cloudflare.com/secrets-store/access-control/#page","headline":"Secrets Store access control · Cloudflare Secrets Store docs","description":"Learn about role-based access control with Cloudflare Secrets Store","url":"https://developers.cloudflare.com/secrets-store/access-control/","inLanguage":"en","image":"https://developers.cloudflare.com/core-services-preview.png","dateModified":"2026-06-29","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/secrets-store/","name":"Secrets Store"}},{"@type":"ListItem","position":3,"item":{"@id":"/secrets-store/access-control/","name":"Secrets Store access control"}}]} ``` --- --- title: Manage account secrets description: Learn about different operations to manage your secrets in Cloudflare Secrets Store. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/secrets-store/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Manage account secrets Secrets can be API tokens, public/private keys, authorization keys, passwords, or even code variables. The only limitation is that a secret must be a string that does not exceed 1024 bytes. Once a secret is added to the Secrets Store, it can no longer be decrypted or accessed via API or on the dashboard. Only the service associated with a given secret will be able to access it. ## Limits Customers who create a secrets store in the open beta can have up to 100 secrets per account. Also, there can only be one store per account. Production secrets If you use [Wrangler](https://developers.cloudflare.com/secrets-store/manage-secrets/how-to/#manage-via-wrangler), there is a difference between production secrets and secrets that are only created locally (without the `--remote` flag). The limit of 100 secrets per account only considers production secrets. ## Resources * [Manage via Wrangler](https://developers.cloudflare.com/workers/wrangler/commands/secrets-store/#secrets-store-secret) * [Create a secret](https://developers.cloudflare.com/secrets-store/manage-secrets/how-to/#create-a-secret) * [Duplicate a secret](https://developers.cloudflare.com/secrets-store/manage-secrets/how-to/#duplicate-a-secret) * [Edit a secret](https://developers.cloudflare.com/secrets-store/manage-secrets/how-to/#edit-a-secret) * [Delete a secret](https://developers.cloudflare.com/secrets-store/manage-secrets/how-to/#delete-a-secret) ```json {"@context":"https://schema.org","@type":"TechArticle","@id":"https://developers.cloudflare.com/secrets-store/manage-secrets/#page","headline":"Manage account secrets · Cloudflare Secrets Store docs","description":"Learn about different operations to manage your secrets in Cloudflare Secrets Store.","url":"https://developers.cloudflare.com/secrets-store/manage-secrets/","inLanguage":"en","image":"https://developers.cloudflare.com/core-services-preview.png","dateModified":"2026-04-16","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/secrets-store/","name":"Secrets Store"}},{"@type":"ListItem","position":3,"item":{"@id":"/secrets-store/manage-secrets/","name":"Manage account secrets"}}]} ``` --- --- title: How to description: Create, update, duplicate, and delete secrets using the dashboard, API, or Wrangler. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/secrets-store/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # How to Refer to the sections below to learn about common actions you might want to take when managing your data in Secrets Store. You must have a [Super Administrator or Secrets Store Admin role](https://developers.cloudflare.com/secrets-store/access-control/) within your Cloudflare account. ## Manage via Wrangler [Wrangler](https://developers.cloudflare.com/workers/wrangler/) is a command-line interface (CLI) that allows you to manage [Cloudflare Workers](https://developers.cloudflare.com/workers/) projects. Refer to [Wrangler commands](https://developers.cloudflare.com/workers/wrangler/commands/secrets-store/#secrets-store-secret) for guidance on how to use it with Secrets Store. ## Create a secret * [ Dashboard ](#tab-panel-10937) * [ API ](#tab-panel-10938) 1. In the Cloudflare dashboard, go to the **Secrets Store** page. [ Go to **Secrets Store** ](https://dash.cloudflare.com/?to=/:account/secrets-store) 2. Select **Create secret**. 3. Fill in the required fields. Note that, once the secret is saved, the secret value will no longer be available for viewing. 4. (Optional) Select **Add additional secret** to create more than one secret at a time. 5. Select **Save** to confirm. Note A secret `name` cannot contain spaces. Refer to [Secrets Store API](https://developers.cloudflare.com/api/resources/secrets%5Fstore/) for the full API documentation. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required: * `Secrets Store Write` Create a secret ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets" \ --request POST \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '[ { "name": "", "value": "", "scopes": [ "workers" ], "comment": "" }, { "name": "", "value": "", "scopes": [ "workers" ], "comment": "" } ]' ``` ## Duplicate a secret Duplicate a secret to keep the same secret value but change name, scope, or comments. * [ Dashboard ](#tab-panel-10931) * [ API ](#tab-panel-10932) 1. In the Cloudflare dashboard, go to the **Secrets Store** page. [ Go to **Secrets Store** ](https://dash.cloudflare.com/?to=/:account/secrets-store) 2. Search for the secret you would like to duplicate within the existing secrets list. 3. Select the three dots next to the secret and choose **Duplicate**. 4. Edit the **Secret name**, **Permission scope**, or **Comment**, according to your needs. 5. Select **Save** to confirm. Note A secret `name` cannot contain spaces. Refer to [Secrets Store API](https://developers.cloudflare.com/api/resources/secrets%5Fstore/) for the full API documentation. Terminal window ``` curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets/$SECRET_ID/duplicate \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--header "Content-Type: application/json" \--data '{ "name":"", "scopes":["workers"], "comment":""}' ``` ## Edit a secret Edit a secret to replace an existing value with a new one. Warning This action will cause the replacement in all services using the secret. You can also edit the secret **Permission scope** and **Comment**. * [ Dashboard ](#tab-panel-10933) * [ API ](#tab-panel-10934) 1. In the Cloudflare dashboard, go to the **Secrets Store** page. [ Go to **Secrets Store** ](https://dash.cloudflare.com/?to=/:account/secrets-store) 2. Search for the secret you would like to edit within the existing secrets list. 3. Select the three dots next to the secret and choose **Edit**. 4. Edit the available fields according to your needs and select **Save** to confirm. Refer to [Secrets Store API](https://developers.cloudflare.com/api/resources/secrets%5Fstore/) for the full API documentation. Terminal window ``` curl --request PATCH \https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets/$SECRET_ID \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--header "Content-Type: application/json" \--data '{ "comment":"", "value":"", "scopes":["workers"]}' ``` ## Delete a secret Warning Before deleting a secret, make sure it is not deployed in your [Workers applications ↗](https://dash.cloudflare.com/?to=/:account/workers-and-pages/) or [AI gateways ↗](https://dash.cloudflare.com/?to=/:account/ai/ai-gateway). * [ Dashboard ](#tab-panel-10935) * [ API ](#tab-panel-10936) 1. In the Cloudflare dashboard, go to the **Secrets Store** page. [ Go to **Secrets Store** ](https://dash.cloudflare.com/?to=/:account/secrets-store) 2. Search for the secret you would like to delete within the existing secrets list. 3. Select the three dots next to the secret and choose **Delete**. 4. Type in the secret name and select **Delete** to confirm. Refer to [Secrets Store API](https://developers.cloudflare.com/api/resources/secrets%5Fstore/) for the full API documentation. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required: * `Secrets Store Write` Delete a secret ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets/$SECRET_ID" \ --request DELETE \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` ```json {"@context":"https://schema.org","@type":"TechArticle","@id":"https://developers.cloudflare.com/secrets-store/manage-secrets/how-to/#page","headline":"How to · Cloudflare Secrets Store docs","description":"Create, update, duplicate, and delete secrets using the dashboard, API, or Wrangler.","url":"https://developers.cloudflare.com/secrets-store/manage-secrets/how-to/","inLanguage":"en","image":"https://developers.cloudflare.com/core-services-preview.png","dateModified":"2026-04-16","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/secrets-store/","name":"Secrets Store"}},{"@type":"ListItem","position":3,"item":{"@id":"/secrets-store/manage-secrets/","name":"Manage account secrets"}},{"@type":"ListItem","position":4,"item":{"@id":"/secrets-store/manage-secrets/how-to/","name":"How to"}}]} ``` --- --- title: Audit logs description: Actions logged for Secrets Store operations, including create, update, and delete. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/secrets-store/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Audit logs [Audit logs](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/) provide a comprehensive summary of changes made within your Cloudflare account. This page lists the actions that are logged for Secrets Store. * Access * Create * Duplicating a secret is presented as a `create` log with a field `duplicated_from_id`. * Update * A boolean `"value_modified": true` is presented when the secret value is edited. * Delete For information on how to access and use audit logs, refer to [Fundamentals](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/). ```json {"@context":"https://schema.org","@type":"TechArticle","@id":"https://developers.cloudflare.com/secrets-store/audit-logs/#page","headline":"Audit logs · Cloudflare Secrets Store docs","description":"Actions logged for Secrets Store operations, including create, update, and delete.","url":"https://developers.cloudflare.com/secrets-store/audit-logs/","inLanguage":"en","image":"https://developers.cloudflare.com/core-services-preview.png","dateModified":"2026-04-16","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/secrets-store/","name":"Secrets Store"}},{"@type":"ListItem","position":3,"item":{"@id":"/secrets-store/audit-logs/","name":"Audit logs"}}]} ``` --- # Secrets Store # Stores ## List account stores **get** `/accounts/{account_id}/secrets_store/stores` Lists all the stores in an account ### Path Parameters - `account_id: string` Account Identifier ### Query Parameters - `direction: optional "asc" or "desc"` Direction to sort objects - `"asc"` - `"desc"` - `order: optional "name" or "comment" or "created" or 2 more` Order secrets by values in the given field - `"name"` - `"comment"` - `"created"` - `"modified"` - `"status"` - `page: optional number` Page number - `per_page: optional number` Number of objects to return per page ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of object { id, created, modified, 2 more }` - `id: string` Store Identifier - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the store - `account_id: optional string` Account Identifier - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "023e105f4ecef8ad9ca31a8372d0c353", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "service_x_keys", "account_id": "985e105f4ecef8ad9ca31a8372d0c353" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a store by ID **get** `/accounts/{account_id}/secrets_store/stores/{store_id}` Returns details of a single store ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional object { id, created, modified, 2 more }` - `id: string` Store Identifier - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the store - `account_id: optional string` Account Identifier - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "service_x_keys", "account_id": "985e105f4ecef8ad9ca31a8372d0c353" }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Create a store **post** `/accounts/{account_id}/secrets_store/stores` Creates a store in the account ### Path Parameters - `account_id: string` Account Identifier ### Body Parameters - `name: string` The name of the store ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional object { id, created, modified, 2 more }` - `id: string` Store Identifier - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the store - `account_id: optional string` Account Identifier - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores \ -H 'Content-Type: application/json' \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \ -d '{ "name": "service_x_keys" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "service_x_keys", "account_id": "985e105f4ecef8ad9ca31a8372d0c353" }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Delete a store **delete** `/accounts/{account_id}/secrets_store/stores/{store_id}` Deletes a single store. By default, a store that still contains secrets cannot be deleted and returns HTTP 409 (Conflict) with the "store_not_empty" error. Pass `force=true` to cascade-delete all secrets in the store. Empty stores are always deleted regardless of the force parameter. ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier ### Query Parameters - `force: optional boolean` When true, cascade-deletes all secrets in the store before deleting the store itself. Required when deleting a non-empty store. Without this parameter, attempting to delete a non-empty store returns 409. ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional unknown` Result is null for delete operations. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID \ -X DELETE \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Store List Response - `StoreListResponse object { id, created, modified, 2 more }` - `id: string` Store Identifier - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the store - `account_id: optional string` Account Identifier ### Store Get Response - `StoreGetResponse object { id, created, modified, 2 more }` - `id: string` Store Identifier - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the store - `account_id: optional string` Account Identifier ### Store Create Response - `StoreCreateResponse object { id, created, modified, 2 more }` - `id: string` Store Identifier - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the store - `account_id: optional string` Account Identifier ### Store Delete Response - `StoreDeleteResponse = unknown` Result is null for delete operations. # Secrets ## List store secrets **get** `/accounts/{account_id}/secrets_store/stores/{store_id}/secrets` Lists all store secrets ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier ### Query Parameters - `direction: optional "asc" or "desc"` Direction to sort objects - `"asc"` - `"desc"` - `order: optional "name" or "comment" or "created" or 2 more` Order secrets by values in the given field - `"name"` - `"comment"` - `"created"` - `"modified"` - `"status"` - `page: optional number` Page number - `per_page: optional number` Number of objects to return per page - `scopes: optional array of array of string` Only secrets with the given scopes will be returned - `search: optional string` Search secrets using a filter string, filtering across name and comment ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "3fd85f74b32742f1bff64a85009dda07", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "MY_API_KEY", "status": "pending", "store_id": "023e105f4ecef8ad9ca31a8372d0c353", "comment": "info about my secret", "scopes": [ "workers", "ai_gateway", "dex", "access" ] } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a secret by ID **get** `/accounts/{account_id}/secrets_store/stores/{store_id}/secrets/{secret_id}` Returns details of a single secret ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier - `secret_id: string` Secret identifier tag. ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets/$SECRET_ID \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "3fd85f74b32742f1bff64a85009dda07", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "MY_API_KEY", "status": "pending", "store_id": "023e105f4ecef8ad9ca31a8372d0c353", "comment": "info about my secret", "scopes": [ "workers", "ai_gateway", "dex", "access" ] }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Create a secret **post** `/accounts/{account_id}/secrets_store/stores/{store_id}/secrets` Creates a secret in the account ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier ### Body Parameters - `body: array of object { name, scopes, value, comment }` - `name: string` The name of the secret - `scopes: array of string` The list of services that can use this secret. - `value: string` The value of the secret. Maximum 64 KiB (65,536 bytes). Note that this is 'write only' - no API response will provide this value, it is only used to create/modify secrets. - `comment: optional string` Freeform text describing the secret ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets \ -H 'Content-Type: application/json' \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \ -d '[ { "name": "MY_API_KEY", "scopes": [ "workers", "ai_gateway", "dex", "access" ], "value": "api-token-secret-123", "comment": "info about my secret" } ]' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "3fd85f74b32742f1bff64a85009dda07", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "MY_API_KEY", "status": "pending", "store_id": "023e105f4ecef8ad9ca31a8372d0c353", "comment": "info about my secret", "scopes": [ "workers", "ai_gateway", "dex", "access" ] } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Patch a secret **patch** `/accounts/{account_id}/secrets_store/stores/{store_id}/secrets/{secret_id}` Updates a single secret ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier - `secret_id: string` Secret identifier tag. ### Body Parameters - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. - `value: optional string` The value of the secret. Maximum 64 KiB (65,536 bytes). Note that this is 'write only' - no API response will provide this value, it is only used to create/modify secrets. ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets/$SECRET_ID \ -X PATCH \ -H 'Content-Type: application/json' \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \ -d '{ "comment": "info about my secret", "scopes": [ "workers", "ai_gateway", "dex", "access" ], "value": "api-token-secret-123" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "3fd85f74b32742f1bff64a85009dda07", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "MY_API_KEY", "status": "pending", "store_id": "023e105f4ecef8ad9ca31a8372d0c353", "comment": "info about my secret", "scopes": [ "workers", "ai_gateway", "dex", "access" ] }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Delete a secret **delete** `/accounts/{account_id}/secrets_store/stores/{store_id}/secrets/{secret_id}` Deletes a single secret ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier - `secret_id: string` Secret identifier tag. ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional unknown` Result is null for delete operations. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets/$SECRET_ID \ -X DELETE \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Delete secrets **delete** `/accounts/{account_id}/secrets_store/stores/{store_id}/secrets` Deletes one or more secrets ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional unknown` Result is null for delete operations. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets \ -X DELETE \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Duplicate Secret **post** `/accounts/{account_id}/secrets_store/stores/{store_id}/secrets/{secret_id}/duplicate` Duplicates the secret, keeping the value ### Path Parameters - `account_id: string` Account Identifier - `store_id: string` Store Identifier - `secret_id: string` Secret identifier tag. ### Body Parameters - `name: string` The name of the secret - `scopes: array of string` The list of services that can use this secret. - `comment: optional string` Freeform text describing the secret ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets/$SECRET_ID/duplicate \ -H 'Content-Type: application/json' \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \ -d '{ "name": "MY_API_KEY", "scopes": [ "workers", "ai_gateway", "dex", "access" ], "comment": "info about my secret" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "3fd85f74b32742f1bff64a85009dda07", "created": "2023-09-21T18:56:32.624632Z", "modified": "2023-09-21T18:56:32.624632Z", "name": "MY_API_KEY", "status": "pending", "store_id": "023e105f4ecef8ad9ca31a8372d0c353", "comment": "info about my secret", "scopes": [ "workers", "ai_gateway", "dex", "access" ] }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Secret List Response - `SecretListResponse object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. ### Secret Get Response - `SecretGetResponse object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. ### Secret Create Response - `SecretCreateResponse object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. ### Secret Edit Response - `SecretEditResponse object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. ### Secret Delete Response - `SecretDeleteResponse = unknown` Result is null for delete operations. ### Secret Bulk Delete Response - `SecretBulkDeleteResponse = unknown` Result is null for delete operations. ### Secret Duplicate Response - `SecretDuplicateResponse object { id, created, modified, 5 more }` - `id: string` Secret identifier tag. - `created: string` Whenthe secret was created. - `modified: string` When the secret was modified. - `name: string` The name of the secret - `status: "pending" or "active" or "deleted"` - `"pending"` - `"active"` - `"deleted"` - `store_id: string` Store Identifier - `comment: optional string` Freeform text describing the secret - `scopes: optional array of string` The list of services that can use this secret. # Quota ## View secret usage **get** `/accounts/{account_id}/secrets_store/quota` Lists the number of secrets used in the account. ### Path Parameters - `account_id: string` Account Identifier ### Returns - `errors: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `messages: array of object { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional object { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional object { secrets }` - `secrets: object { quota, usage }` - `quota: number` The number of secrets the account is entitlted to use - `usage: number` The number of secrets the account is currently using - `result_info: optional object { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/quota \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "secrets": { "quota": 10, "usage": 10 } }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Quota Get Response - `QuotaGetResponse object { secrets }` - `secrets: object { quota, usage }` - `quota: number` The number of secrets the account is entitlted to use - `usage: number` The number of secrets the account is currently using --- --- title: BYOK (Store Keys) description: Securely store AI provider API keys in AI Gateway and reference them in your gateway configuration. image: https://developers.cloudflare.com/dev-products-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/ai-gateway/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # BYOK (Store Keys) ## Introduction Bring your own keys (BYOK) is a feature in Cloudflare AI Gateway that allows you to securely store your AI provider API keys directly in the Cloudflare dashboard. Instead of including API keys in every request to your AI models, you can configure them once in the dashboard, and reference them in your gateway configuration. The keys are stored securely with [Secrets Store](https://developers.cloudflare.com/secrets-store/) and allows for: * Secure storage and limit exposure * Easier key rotation * Rate limit, budget limit and other restrictions with [Dynamic Routes](https://developers.cloudflare.com/ai-gateway/features/dynamic-routing/) ## Setting up BYOK ### Prerequisites * Ensure your gateway is [authenticated](https://developers.cloudflare.com/ai-gateway/configuration/authentication/). * Ensure you have appropriate [permissions](https://developers.cloudflare.com/secrets-store/access-control/) to create and deploy secrets on Secrets Store. ### Configure API keys You can configure BYOK from the dashboard or by using the API. #### Dashboard When you add a provider key from the dashboard, AI Gateway creates and names the Secrets Store secret automatically. 1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and select your account. 2. Go to **AI** \> **AI Gateway**. 3. Select your gateway or create a new one. 4. Go to the **Provider Keys** section. 5. Click **Add API Key**. 6. Select your AI provider from the dropdown. 7. Enter your API key and optionally provide a description. 8. Click **Save**. #### API If you use the API to configure BYOK, create the Secrets Store secret before you create the provider configuration. Name the secret with this format: ``` {gateway_id}_{provider_slug}_{alias} ``` For example, for gateway `my-gateway`, provider `anthropic`, and alias `default`, create the Secrets Store secret as: ``` my-gateway_anthropic_default ``` Then create the provider configuration with the same `provider_slug` and `alias` values. The `secret_id` returned by Secrets Store is not used by AI Gateway for runtime lookup, so API-created secrets must follow the naming convention. ### Update your applications Once you've configured your API keys in the dashboard: 1. **Remove API keys from your code**: Delete any hardcoded API keys or environment variables. 2. **Update request headers**: Remove provider authorization headers from your requests. Note that you still need to pass `cf-aig-authorization`. 3. **Test your integration**: Verify that requests work without including API keys. ## Example With BYOK enabled, your workflow changes from: 1. **Traditional approach**: Include API key in every request header Terminal window ``` curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/openai/chat/completions \ -H 'cf-aig-authorization: Bearer {CF_AIG_TOKEN}' \ -H "Authorization: Bearer YOUR_OPENAI_API_KEY" \ -H "Content-Type: application/json" \ -d '{"model": "gpt-4", "messages": [...]}' ``` 2. **BYOK approach**: Configure key once in dashboard, make requests without exposing keys Terminal window ``` curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/openai/chat/completions \ -H 'cf-aig-authorization: Bearer {CF_AIG_TOKEN}' \ -H "Content-Type: application/json" \ -d '{"model": "gpt-4", "messages": [...]}' ``` ## Managing API keys ### Viewing configured keys In the AI Gateway dashboard, you can: * View all configured API keys by provider * See when each key was last used * Check the status of each key (active, expired, invalid) ### Rotating keys To rotate an API key: 1. Generate a new API key from your AI provider 2. In the Cloudflare dashboard, edit the existing key entry 3. Replace the old key with the new one 4. Save the changes Your applications will immediately start using the new key without any code changes or downtime. ### Revoking access To remove an API key: 1. In the AI Gateway dashboard, find the key you want to remove 2. Click the **Delete** button 3. Confirm the deletion Impact of key deletion Deleting an API key will immediately stop all requests that depend on it. Make sure to update your applications or configure alternative keys before deletion. ## Multiple keys per provider AI Gateway supports storing multiple API keys for the same provider. This allows you to: * Use different keys for different use cases (for example, development vs production) * Gradually migrate between keys during rotation ### Key aliases Each API key can be assigned an alias to identify it. When you add a key, you can specify a custom alias, or the system will use `default` as the alias. When making requests, AI Gateway uses the key with the `default` alias by default. To use a different key, include the `cf-aig-byok-alias` header with the alias of the key you want to use. ### Example: Using a specific key alias If you have multiple OpenAI keys configured with different aliases (for example, `default`, `production`, and `testing`), you can specify which one to use: Terminal window ``` # Uses the key with alias "default" (no header needed)curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/openai/chat/completions \ -H 'cf-aig-authorization: Bearer {CF_AIG_TOKEN}' \ -H "Content-Type: application/json" \ -d '{"model": "gpt-4", "messages": [...]}' ``` Terminal window ``` # Uses the key with alias "production"curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/openai/chat/completions \ -H 'cf-aig-authorization: Bearer {CF_AIG_TOKEN}' \ -H 'cf-aig-byok-alias: production' \ -H "Content-Type: application/json" \ -d '{"model": "gpt-4", "messages": [...]}' ``` Terminal window ``` # Uses the key with alias "testing"curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/openai/chat/completions \ -H 'cf-aig-authorization: Bearer {CF_AIG_TOKEN}' \ -H 'cf-aig-byok-alias: testing' \ -H "Content-Type: application/json" \ -d '{"model": "gpt-4", "messages": [...]}' ``` ```json {"@context":"https://schema.org","@type":"WebPage","@id":"https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/#page","headline":"BYOK (Store Keys) · Cloudflare AI Gateway docs","description":"Securely store AI provider API keys in AI Gateway and reference them in your gateway configuration.","url":"https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/","inLanguage":"en","image":"https://developers.cloudflare.com/dev-products-preview.png","dateModified":"2026-06-09","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/ai-gateway/","name":"AI Gateway"}},{"@type":"ListItem","position":3,"item":{"@id":"/ai-gateway/configuration/","name":"Configuration"}},{"@type":"ListItem","position":4,"item":{"@id":"/ai-gateway/configuration/bring-your-own-keys/","name":"BYOK (Store Keys)"}}]} ``` --- --- title: Workers integration description: Cloudflare Secrets Store is a secure, centralized location in which account-level secrets are stored and managed. The secrets are securely encrypted and stored across all Cloudflare data centers. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/secrets-store/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Workers integration [Cloudflare Secrets Store](https://developers.cloudflare.com/secrets-store/) is a secure, centralized location in which account-level secrets are stored and managed. The secrets are securely encrypted and stored across all Cloudflare data centers. Consider the steps below to learn how to use values from your account secrets store with [Cloudflare Workers](https://developers.cloudflare.com/workers/). Note This is different from Workers [Variables and Secrets](https://developers.cloudflare.com/workers/configuration/secrets/), where you define and manage your secrets on a per-Worker level. ## Before you begin * If [using the Dashboard](#via-dashboard), make sure you already have a Workers application. Refer to the [Workers get started](https://developers.cloudflare.com/workers/get-started/dashboard/) for guidance. * You should also have a store created under the **Secrets Store** tab on the Dashboard. The first store in your account is created automatically when a user with [Super Administrator or Secrets Store Admin role](https://developers.cloudflare.com/secrets-store/access-control/) interacts with it. * If no store exists in your account yet and you have the necessary permissions, you can use the [Wrangler command](https://developers.cloudflare.com/workers/wrangler/commands/secrets-store/#secrets-store-store) `secrets-store store create --remote` to create your first store. Local development mode This guide assumes you are working in production. To use Secrets Store locally, you must use `secrets-store secret` [Wrangler commands](https://developers.cloudflare.com/workers/wrangler/commands/) without the `--remote` flag. ## 1\. Set up account secrets in Secrets Store Follow the steps below to create secrets. You must have a [Super Administrator or a Secrets Store Admin role](https://developers.cloudflare.com/secrets-store/access-control/) within your Cloudflare account. Note You may also add account secrets directly from the Workers settings on the dashboard. You can skip to [step 2](#via-dashboard) to do that. * [ Wrangler ](#tab-panel-10928) * [ Dashboard ](#tab-panel-10929) * [ API ](#tab-panel-10930) Use the [Wrangler command](https://developers.cloudflare.com/workers/wrangler/commands/secrets-store/#secrets-store-secret) `secrets-store secret create`. To use the following example, replace the store ID and secret name by your actual data. You can find and copy the store ID from the [Secrets Store tab ↗](https://dash.cloudflare.com/?to=/:account/secrets-store/) on the dashboard or use `wrangler secrets-store store list`. Note that a secret name cannot contain spaces. Terminal window ``` npx wrangler secrets-store secret create --name MY_SECRET_NAME --scopes workers --remote ``` ``` ✓ Enter a secret value: › *** 🔐 Creating secret... (Name: MY_SECRET_NAME, Value: REDACTED, Scopes: workers, Comment: undefined)✓ Select an account: › My account✅ Created secret! (ID: 13bc7498c6374a4e9d13be091c3c65f1) ``` 1. In the Cloudflare dashboard, go to the **Secrets Store** page. [ Go to **Secrets Store** ](https://dash.cloudflare.com/?to=/:account/secrets-store) 2. Select **Create secret**. 3. Fill in the required fields, choosing _Workers_ as the **Permission scope**. Once the secret is saved, the secret value will no longer be available for viewing. 4. (Optional) Select **Add additional secret** to create more than one secret at a time. 5. Select **Save** to confirm. You can find and copy the store ID from the [Secrets Store tab ↗](https://dash.cloudflare.com/?to=/:account/secrets-store/) on the dashboard or use the [Wrangler command](https://developers.cloudflare.com/workers/wrangler/commands/secrets-store/#secrets-store-store). Also, make sure your secret `name` does not contain spaces. Refer to [Secrets Store API](https://developers.cloudflare.com/api/resources/secrets%5Fstore/) for the full API documentation. Required API token permissions At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required: * `Secrets Store Write` Create a secret ``` curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/secrets_store/stores/$STORE_ID/secrets" \ --request POST \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '[ { "name": "", "value": "", "scopes": [ "workers" ], "comment": "" }, { "name": "", "value": "", "scopes": [ "workers" ], "comment": "" } ]' ``` Refer to [manage account secrets](https://developers.cloudflare.com/secrets-store/manage-secrets/) for further options. ## 2\. Bind an account secret to your Worker [Bindings](https://developers.cloudflare.com/workers/runtime-apis/bindings/) allow your Worker to interact with resources on your Cloudflare account. To bind an account secret to your Worker, you must have one of the following [roles within your Cloudflare account](https://developers.cloudflare.com/secrets-store/access-control/): * Super Administrator * Secrets Store Deployer ### Via Wrangler 1. Add a Secrets Store binding to your [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/): * `binding`: a descriptive name for your binding. This will be used in the Workers application when [accessing your secret on the env object](https://developers.cloudflare.com/secrets-store/integrations/workers/#3-access-the-secret-on-the-env-object). * `store_id`: the corresponding Secrets Store ID where your account secret was created. * `secret_name`: the unique secret name, defined when your account secret was created. * [ wrangler.jsonc ](#tab-panel-10926) * [ wrangler.toml ](#tab-panel-10927) JSONC ``` { "main": "./src/index.js", "secrets_store_secrets": [ { "binding": "", "store_id": "", "secret_name": "" } ]} ``` TOML ``` main = "./src/index.js" [[secrets_store_secrets]]binding = ""store_id = ""secret_name = "" ``` ### Via Dashboard 1. In the Cloudflare dashboard, go to **Workers & Pages**. [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages) 2. Select a Workers application. 3. Go to **Settings** \> **Bindings** and select **Add**. 4. On the **Add a resource binding** side panel, choose **Secrets Store**. 5. Fill in the required fields: * **Variable name**: a name for the binding. This will be used for your Worker to access the secret ([step 3](#3-access-the-secret-on-the-env-object) below). * **Secret name**: select from the list of available account secrets created in [step 1](#1-set-up-account-secrets-in-secrets-store). * (Optional - Admins only) If the secret you need does not exist yet, select **Create secret**. This will add an account level secret in the same way as if you had [created it on the Secrets Store](https://developers.cloudflare.com/secrets-store/manage-secrets/). 6. Select **Deploy** to deploy your binding. When deploying, there are two options: * **Deploy:** Immediately deploy the binding to 100% of your audience. * **Save version:** Save a version of the binding which you can deploy in the future. ## 3\. Access the secret on the `env` object [Bindings](https://developers.cloudflare.com/workers/runtime-apis/bindings/) are located on the `env` object. To access the secret you first need an asynchronous call. ### Call `get()` on the binding variable Local development mode You cannot access production secrets (created on the dashboard, via API, or with the `--remote` flag) from your local development setup. To use Secrets Store locally, you must use `secrets-store secret` [Wrangler commands](https://developers.cloudflare.com/workers/wrangler/commands/) without the `--remote` flag. JavaScript ``` export default { async fetch(request, env) { // Example of using the secret safely in an API request const APIkey = await env..get() const response = await fetch("https://api.example.com/data", { headers: { "Authorization": `Bearer ${APIKey}` }, }); if (!response.ok) { return new Response("Failed to fetch data", { status: response.status }); } const data = await response.json(); return new Response(JSON.stringify(data), { headers: { "Content-Type": "application/json" }, }); },}; ``` ```json {"@context":"https://schema.org","@type":"TechArticle","@id":"https://developers.cloudflare.com/secrets-store/integrations/workers/#page","headline":"Workers integration · Cloudflare Secrets Store docs","description":"Cloudflare Secrets Store is a secure, centralized location in which account-level secrets are stored and managed. The secrets are securely encrypted and stored across all Cloudflare data centers.","url":"https://developers.cloudflare.com/secrets-store/integrations/workers/","inLanguage":"en","image":"https://developers.cloudflare.com/core-services-preview.png","dateModified":"2026-05-05","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/secrets-store/","name":"Secrets Store"}},{"@type":"ListItem","position":3,"item":{"@id":"/secrets-store/integrations/","name":"Secrets Store integrations"}},{"@type":"ListItem","position":4,"item":{"@id":"/secrets-store/integrations/workers/","name":"Workers integration"}}]} ```