Secrets & configuration
There are three secret stores in play:
- Cloudflare Workers secret store — runtime API secrets.
- GitHub Actions secrets — CI/CD.
- Local dev files —
apps/api/.dev.vars,apps/mobile/.env.local.
Cloudflare Workers (API runtime)
Set with wrangler secret put <NAME>:
| Name | Purpose |
|---|---|
PRIVY_APP_SECRET | Server-side Privy operations (currently only JWKS is used, but reserved) |
BRIDGE_API_KEY | sk-live-... in prod, sk-test-... in sandbox |
BRIDGE_WEBHOOK_SECRET | RSA public key from Bridge for signature verification |
NEON_DB_URL | Postgres URL (production Neon branch) |
BASE_RPC_URL | Override default https://mainnet.base.org |
PRIVY_APP_ID is a public identifier and lives in wrangler.toml [vars], not as a secret.
Rotate by re-running wrangler secret put <NAME> with the new value.
GitHub Actions secrets
See deployment for the full list.
Local development
apps/api/.dev.vars (git-ignored — .env* in root .gitignore):
PRIVY_APP_ID=cmml7h69l00kn0cjji6fskqcm
PRIVY_APP_SECRET=<...>
BRIDGE_API_KEY=sk-test-<...>
BRIDGE_WEBHOOK_SECRET=<...>
NEON_DB_URL=postgresql://.../neondb?sslmode=require
TEST_NEON_DB_URL=postgresql://.../neondb-test?sslmode=require
BASE_RPC_URL=https://mainnet.base.org
Wrangler picks .dev.vars up automatically for wrangler dev. Vitest reads TEST_NEON_DB_URL from the process env.
apps/mobile/.env.local (git-ignored):
EXPO_PUBLIC_API_BASE_URL=http://localhost:8787
EXPO_PUBLIC_PRIVY_APP_ID=cmml7h69l00kn0cjji6fskqcm
Only EXPO_PUBLIC_* vars are readable at runtime in the RN bundle.
Rotation checklist
When rotating Bridge or Privy credentials:
- Update in the provider dashboard (Bridge or Privy).
wrangler secret put <NAME>on the Workers app.- Update GitHub secrets if they were also used by CI/CD (Bridge webhook secret is only used at runtime — usually no CI change needed).
- Update local
.dev.varsfor anyone doing local dev. - Redeploy is not required for Workers secret changes — they're picked up on next request.