Skip to content
Layeron Doc

Secrets

The Secret product gives a Layeron backend a typed way to declare, bind, and consume application secrets while keeping plaintext values outside application code.

Secret declarations live in TypeScript with the rest of the backend. The compiled app records which product owns the secret, which runtime surface can read it, and which Cloudflare Secrets Store binding is required. At runtime, application code calls the Secret product object. The app Worker reaches the Secret Product Worker through Service Binding RPC, and the Secret Product Worker reads the Cloudflare binding that belongs to that secret.

Layeron stores secret metadata and usage. Secret values stay in the user’s Cloudflare account. Current Cloudflare Secrets Store APIs support creating, editing, duplicating, deleting, listing, and reading metadata for secrets. The Secret product treats the plaintext value as a runtime-only binding value.

What The Product Covers

Section titled “What The Product Covers”

Use Secret for values that should be configured outside application code:

  • API keys and webhook signing secrets.
  • JWT, HMAC, cookie, and session signing keys.
  • Encryption keys that require version-aware reads.
  • Generated application keys that should rotate over time.

The product supports three declaration modes:

ModeUse
secret.static()A value supplied by the operator, such as a provider API key.
secret.random()A generated random secret, 32 bytes by default.
secret.generated()Generated secret metadata for values produced by product-specific apply flows.

Runtime Boundary

Section titled “Runtime Boundary”

Cloudflare Secrets Store is global within an account. Layeron derives a short physical name from workspace, project, environment, namespace, and name. The hash input includes the same ownership fields, which keeps resource names stable without exposing user-level naming details in app code.

Cloudflare Secrets Store is currently in open beta. Cloudflare’s Secrets Store limits currently allow one store per account and up to 100 production secrets per account, and only production secrets count toward that account limit.

Application code consumes a Secret through high-level product methods where possible. For integrations that require a raw value, the Secret product exposes current and version-aware reads.

Next Steps

Section titled “Next Steps”
  • Get started: Declare a secret, consume it from runtime code, and set a Cloudflare secret value.
  • Values and versioning: Use static, random, generated, and versioned secret values.
  • Cloudflare values: Write deploy values, local CLI values, versioned values, and generated rotations.
  • Rotation: Configure rotation intervals, retention modes, direct deploy behavior, and rotation state.
  • API reference: Review Secret options, value formats, ownership, consume settings, and module methods.