
Secrets

export default defineConfig({
  secrets: {
    "apps/api": ["AUTH_SECRET", "API_KEY"],
    "apps/worker": ["API_KEY"],
  },
});

$ wd secrets --stage staging
apps/api:
+ AUTH_SECRET: set
x API_KEY: missing
1 missing. Run "wd secrets set --stage staging" to fix

$ wd secrets set --stage staging
# Prompts for each missing secret

$ wd secrets sync --to pr-123 --from-env-file .dev.vars

This reads the file, matches its keys to the declared secrets, and sets each one via wrangler secret put.

Deploy blocks if any declared secret is missing:

Blocked: 1 missing secret(s):
x apps/api/API_KEY
Run "wd secrets set --stage staging"

By default, state includes sensitive values like Hyperdrive origins and stored secrets in plain text. You can encrypt these at rest using AES-256-GCM with a password you provide:

$ wd apply --stage staging --encrypt
Enter encryption password: ********

Or set it in your .wdrc:

// .wdrc or .wdrc.json
{
  "stage": "staging",
  "encryptPassword": "your-password-here"
}
  • On apply, the password encrypts HyperdriveOutput.origin and values in storedSecrets before writing state to disk
  • On commands that read state (deploy, status, etc.), the password decrypts those fields
  • If the password is wrong or omitted, encrypted fields are left as-is — the command runs but can’t access those values

State files are typically .wrangler-deploy/<stage>/state.json. With encryption enabled, they look like:

{
  "resources": {
    "payments-db": {
      "output": {
        "origin": "v1:AQAAAA...==:AAAAAAAA:BBBBBBBB:CCCCCCCC:encrypted-base64"
      }
    }
  },
  "storedSecrets": {
    "apps/api": {
      "AUTH_SECRET": "v1:AAAA...:BBBB...:CCCC...:DDDD..."
    }
  }
}

The v1: prefix marks encrypted fields. Decrypting restores the original values for runtime use.
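
A check that follows from the state layout above, as an added example that is not part of wrangler-deploy: it walks a parsed state.json and reports every Hyperdrive origin or stored secret that lacks the v1: prefix, so plain-text state can be caught in CI. The function names and all sample values are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed state object for sensitive fields that are
// still stored in plain text (no "v1:" prefix). Names here are hypothetical.
const ENCRYPTED_PREFIX = "v1:"; // marker described on this page

function isEncrypted(value) {
  return typeof value === "string" && value.startsWith(ENCRYPTED_PREFIX);
}

// Returns the paths of sensitive fields that are present but not encrypted.
function findPlaintextFields(state) {
  const findings = [];

  // resources.<name>.output.origin (Hyperdrive origin)
  for (const [name, resource] of Object.entries(state.resources ?? {})) {
    const origin = resource?.output?.origin;
    if (origin !== undefined && !isEncrypted(origin)) {
      findings.push(`resources.${name}.output.origin`);
    }
  }

  // storedSecrets.<app>.<KEY>
  for (const [app, secrets] of Object.entries(state.storedSecrets ?? {})) {
    for (const [key, value] of Object.entries(secrets ?? {})) {
      if (!isEncrypted(value)) findings.push(`storedSecrets.${app}.${key}`);
    }
  }
  return findings;
}

// Constructed sample state: one secret encrypted, two fields in plain text.
const sampleState = {
  resources: {
    "payments-db": { output: { origin: "postgres://user:example@db.example.invalid/app" } },
    "cache-kv": { output: { id: "constructed-id" } }, // no origin: ignored
  },
  storedSecrets: {
    "apps/api": {
      AUTH_SECRET: "v1:constructed:constructed:constructed:constructed",
      API_KEY: "constructed-plaintext",
    },
  },
};

const findings = findPlaintextFields(sampleState);
for (const field of findings) console.log(`plaintext at rest: ${field}`);
// In CI, parse the real .wrangler-deploy/<stage>/state.json instead of
// sampleState and exit non-zero when findings.length > 0.
```

The check only looks at the v1: marker; it does not prove that a value decrypts with the current password.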