Environment variables and secrets let your app use sensitive values — like a Stripe API key — without writing them into your code. You set them per app in the app’s settings, and your app reads them at runtime on Cloudflare Workers.Documentation Index
Fetch the complete documentation index at: https://fabricate.build/docs/llms.txt
Use this file to discover all available pages before exploring further.
What to Store as Secrets
Use environment secrets for any value that’s sensitive or that changes between environments:- API keys — Stripe secret keys, webhook signing secrets, third-party service keys
- Tokens — access tokens for external APIs
- Configuration — values you don’t want committed into your codebase
Where to Set Them
Environment variables and secrets are managed per app in the app’s settings. Each app you build has its own set — they aren’t shared between apps.Add a key and value
Enter the name (for example,
STRIPE_SECRET_KEY) and paste its value. Use the exact name the agent or integration expects.Secrets you set apply to your deployed app. If you add or change a secret after publishing, redeploy so the live app picks up the new value. See Deploying Your App.
How the Agent Flags Required Secrets
When you ask Fabricate to add an integration — payments, an external API, or anything that needs credentials — the agent tells you which secrets the integration requires. It names the exact variables to set, so you know what to add in settings. For example, when you add Stripe payments, the agent points you to set keys such asSTRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET. The code is generated to read those variables, and your job is to supply the values in app settings.
How Your App Uses Them
Fabricate-generated apps run their backend on Cloudflare Workers. Secrets you set are exposed to your Worker code at runtime, so generated API routes can read them without the values ever appearing in your source code. You don’t wire this up yourself — the agent generates code that reads the variables you’ve configured.Security Best Practices
- Never hard-code secrets. Keep keys out of components, API routes, and anything that could end up in version control.
- Use test keys while building. For services like Stripe, use test-mode keys during development and switch to live keys only when you go to production.
- Keep secrets per app. Don’t reuse one app’s production keys in another app.
- Rotate if exposed. If a secret is ever leaked or pasted somewhere public, revoke it at the provider and set a fresh value.
- Mind GitHub sync. If you sync your code to GitHub, secrets stay in app settings — they are not committed — so your repository never contains them.
Frequently Asked Questions
Are my secrets visible in my code or exports?
Are my secrets visible in my code or exports?
No. Secrets live in app settings, not in your source files. Exporting your code or syncing to GitHub does not include them.
Do secrets carry over when I redeploy?
Do secrets carry over when I redeploy?
Yes. Secrets set in app settings persist across redeploys. If you change a secret, redeploy so the live app uses the new value.
Can I use different values for testing and production?
Can I use different values for testing and production?
Each app has its own set of secrets. A common pattern is to build with a service’s test keys, then update to live keys before publishing for real use.
How do I know which secrets an integration needs?
How do I know which secrets an integration needs?
When the agent adds an integration, it tells you the exact variable names to set. Add each one in your app’s settings.
What happens if a required secret is missing?
What happens if a required secret is missing?
The feature that depends on it will fail. Add the missing secret, confirm the name matches exactly, and redeploy.
Related
Payments
Add Stripe billing — and the keys it needs.
Deploying Your App
Publish your app and apply your secrets.