Storing and using private secret keys with workers


I was thinking about using workers to authenticate users. It involves a 3rd party API with its own private key. In the end I should generate a JWT and sign it with another private key.

From the FAQ

Is my code public?

The content of your worker script will not be accessible to the public. However, Cloudflare employees may view your scripts for a variety of purposes, such as debugging, security audits, or to provide you with technical support.

I understand it is not secure to store private keys, secrets, etc. inside worker code itself. As far as I understand there is no way to use any kind of private config file or service where I can store “static” keys privately also.

Is there any secure solution or a way to store private keys so a worker can load and use them? Am I missing anything?

Thank you in advance.

Hi @Dmytrii, Workers Key Value store was introduced as part of Birthday week. I’m very curious to know if that meets this need?

Hi @cloonan,

Thanks for the fast response!

Worker KV might work. I have just found that it is possible to write values via the API manually and later read them from the worker side.

It would be great though to have some way to store a small amount of secret data (like a few strings representing keys) from the web panel manually, or in some other handy way, so I would not need to use a whole Worker KV namespace just to store 2 keys and use the API to save them only once.

Maybe I am missing something… Anyway, thanks for highlighting possible solution!

We should have support for storing secrets in exactly the way you describe in the near future. In the meantime, do feel free to use Workers KV! Once you get access you get up to 10 million reads included in your Workers minimum, and the performance difference should be negligible at scale.
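The interim approach discussed above (key written to Workers KV once, then read by the worker to sign a JWT), as an added example that is not part of the thread or Cloudflare's own code. It assumes a KV binding named `SECRETS`, a KV entry named `jwt-signing-key` holding an ES256 private key as a JWK string, and a 300-second token lifetime; `demo()` runs it offline against a constructed key pair and an in-memory stand-in for KV.

```javascript
// Added example. Assumed names: KV binding `SECRETS`, KV entry "jwt-signing-key"
// holding an ES256 (P-256) private key as a JWK string.
// Workers expose crypto.subtle globally; the require() is only a local-Node fallback.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();
const ALG = { name: "ECDSA", namedCurve: "P-256" };
const SIG = { name: "ECDSA", hash: "SHA-256" };

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Read the JWK from KV and import it as a non-extractable, sign-only key,
// so code that later holds the CryptoKey cannot export the private material.
async function loadSigningKey(kv) {
  const jwk = await kv.get("jwt-signing-key");
  if (jwk === null) throw new Error("signing key missing from KV");
  return subtle.importKey("jwk", JSON.parse(jwk), ALG, false, ["sign"]);
}

async function issueToken(env, sub, now) {
  const key = await loadSigningKey(env.SECRETS);
  const head = b64url(enc.encode(JSON.stringify({ alg: "ES256", typ: "JWT" })));
  const body = b64url(enc.encode(JSON.stringify({ sub, iat: now, exp: now + 300 })));
  const sig = await subtle.sign(SIG, key, enc.encode(`${head}.${body}`));
  return `${head}.${body}.${b64url(new Uint8Array(sig))}`;
}

async function verifyToken(publicKey, token) {
  const [head, body, sig, ...rest] = token.split(".");
  if (!sig || rest.length) return false;
  return subtle.verify(SIG, publicKey, unb64url(sig), enc.encode(`${head}.${body}`));
}

// Offline run with a constructed key pair and an in-memory stand-in for KV.
async function demo() {
  const pair = await subtle.generateKey(ALG, true, ["sign", "verify"]);
  const stored = JSON.stringify(await subtle.exportKey("jwk", pair.privateKey));
  const env = { SECRETS: { get: async (k) => (k === "jwt-signing-key" ? stored : null) } };
  const token = await issueToken(env, "user-123", 1700000000);
  const [head, , sig] = token.split(".");
  const altered = b64url(enc.encode(JSON.stringify({ sub: "other", iat: 1700000000, exp: 1700000300 })));
  return {
    token,
    valid: await verifyToken(pair.publicKey, token),
    tampered: await verifyToken(pair.publicKey, `${head}.${altered}.${sig}`),
  };
}
```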


You might try looking into the Cloudflare Workers Secrets Vault:

Hope that helps.

What happened to Secrets Vault? It is not there anymore.

Not sure if it applies to this use case, but AWS has an API key service you might want to look into in the meantime, until there is a Cloudflare solution.
I think it’s called Amazon API Gateway 🙂

