Cloudflare Values

Direct Cloudflare deploys bind Secret declarations to Cloudflare Secrets Store values in the user’s account.

Write A Value

Use the local Secret command:

layer secret set STRIPE_SECRET --value-env STRIPE_SECRET

NAME is the Cloudflare Secrets Store secret name. The deploy graph binds the Layeron Secret product instance to that Cloudflare secret.

Layeron-generated names use a short stable hash derived from workspace, project, environment, namespace, and name:

lo_<stable-hash>

For example:

lo_310fec09bf29d33532eb83be

Value Sources

Read from an environment variable:

layer secret set SESSION_KEY --value-env SESSION_KEY

Pass a value directly:

layer secret set SESSION_KEY --value "local-generated-value"

Read from stdin:

printf '%s' "$SESSION_KEY" | layer secret set SESSION_KEY --from-stdin

Interactive entry is used when the command supplies the value from the prompt:

layer secret set SESSION_KEY

Local CLI Writes

The local CLI writes to the user’s Cloudflare account with credentials from layer login:

layer secret set SESSION_KEY

Versioned Values

Versioned values are written into one Cloudflare secret value.

layer secret set SESSION_KEY --value-env SESSION_KEYSET

Example environment value:

{
  "current": "v3",
  "versions": {
    "v2": {
      "value": "old-secret-value",
      "expiresAt": "2026-06-01T00:00:00.000Z"
    },
    "v3": {
      "value": "new-secret-value"
    }
  }
}

Application code can then use:

await sessionKey.current().text()
await sessionKey.version("v2").text()
await sessionKey.active()

Deploy Behavior

Direct deploys bind the Secret Product Worker to the Cloudflare Secrets Store secret. Random secrets are created during provider apply. Generated secrets with custom value sources report external_value_required until a product-specific apply step, operator, or local Secret rotation command writes the value. The secret value remains in the user’s Cloudflare account.

Rotate Generated Values

Check generated Secret declarations that have rotation.everyDays:

layer secret rotate --env production

Write due rotations:

layer secret rotate --env production --apply --yes

The command runs locally. It uses the Cloudflare credentials stored by layer login, writes through Cloudflare Secrets Store, and records rotation metadata under .layeron/secret-rotation.