Skip to main content

Secrets & configuration

There are three secret stores in play:

  1. Cloudflare Workers secret store — runtime API secrets.
  2. GitHub Actions secrets — CI/CD.
  3. Local dev filesapps/api/.dev.vars, apps/mobile/.env.local.

Cloudflare Workers (API runtime)

Set with wrangler secret put <NAME>:

NamePurpose
PRIVY_APP_SECRETServer-side Privy operations (currently only JWKS is used, but reserved)
BRIDGE_API_KEYsk-live-... in prod, sk-test-... in sandbox
BRIDGE_WEBHOOK_SECRETRSA public key from Bridge for signature verification
NEON_DB_URLPostgres URL (production Neon branch)
BASE_RPC_URLOverride default https://mainnet.base.org

PRIVY_APP_ID is a public identifier and lives in wrangler.toml [vars], not as a secret.

Rotate by re-running wrangler secret put <NAME> with the new value.

GitHub Actions secrets

See deployment for the full list.

Local development

apps/api/.dev.vars (git-ignored — .env* in root .gitignore):

PRIVY_APP_ID=cmml7h69l00kn0cjji6fskqcm
PRIVY_APP_SECRET=<...>
BRIDGE_API_KEY=sk-test-<...>
BRIDGE_WEBHOOK_SECRET=<...>
NEON_DB_URL=postgresql://.../neondb?sslmode=require
TEST_NEON_DB_URL=postgresql://.../neondb-test?sslmode=require
BASE_RPC_URL=https://mainnet.base.org

Wrangler picks .dev.vars up automatically for wrangler dev. Vitest reads TEST_NEON_DB_URL from the process env.

apps/mobile/.env.local (git-ignored):

EXPO_PUBLIC_API_BASE_URL=http://localhost:8787
EXPO_PUBLIC_PRIVY_APP_ID=cmml7h69l00kn0cjji6fskqcm

Only EXPO_PUBLIC_* vars are readable at runtime in the RN bundle.

Rotation checklist

When rotating Bridge or Privy credentials:

  1. Update in the provider dashboard (Bridge or Privy).
  2. wrangler secret put <NAME> on the Workers app.
  3. Update GitHub secrets if they were also used by CI/CD (Bridge webhook secret is only used at runtime — usually no CI change needed).
  4. Update local .dev.vars for anyone doing local dev.
  5. Redeploy is not required for Workers secret changes — they're picked up on next request.