Product Factory requires environment variables configured per app and worker. In development, use .dev.vars files in each worker directory. In production, set them in the Cloudflare dashboard or via Wrangler secrets.
Gateway Worker
| Variable | Required | Description |
| --- | --- | --- |
| ALLOWED_ORIGINS | Yes (prod) | Comma-separated list of allowed CORS origins (e.g., https://app.example.com,https://admin.example.com). In development mode, all origins are allowed. |
Service bindings (AUTH_SERVICE, BILLING_SERVICE, etc.) are configured in wrangler.toml, not as environment variables.
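One way a gateway could consume ALLOWED_ORIGINS, as an added example rather than Product Factory's own code: the list is parsed once, and in production a request's Origin is echoed back only on an exact match. The function names and the `production` flag are assumptions; echoing the request origin in development is this example's reading of "all origins are allowed".

```javascript
// Added example: hypothetical helpers, not Product Factory's gateway code.

// Parse ALLOWED_ORIGINS into a Set of normalized origins.
// Anything that is not a bare http(s) origin (including "*") is rejected.
function parseAllowedOrigins(raw) {
  const origins = new Set();
  for (const entry of (raw || "").split(",")) {
    const value = entry.trim();
    if (!value) continue;
    let url;
    try {
      url = new URL(value);
    } catch {
      throw new Error(`ALLOWED_ORIGINS: not a URL: ${value}`);
    }
    const bare = url.pathname === "/" && !url.search && !url.hash &&
      !url.username && !url.password;
    if (!["http:", "https:"].includes(url.protocol) || !bare) {
      throw new Error(`ALLOWED_ORIGINS: not a bare origin: ${value}`);
    }
    origins.add(url.origin);
  }
  return origins;
}

// Build CORS response headers for one request. `production` is an assumed
// flag; the page only states that development mode allows all origins.
function corsHeaders(requestOrigin, allowed, production) {
  if (production && allowed.size === 0) {
    throw new Error("ALLOWED_ORIGINS is required in production");
  }
  const headers = { Vary: "Origin" };
  if (!requestOrigin) return headers; // no Origin header: nothing to allow
  // Production: exact match against the parsed set. A prefix or substring
  // check would also accept look-alikes such as https://app.example.com.other.test
  if (!production || allowed.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}
```

Failing at startup on a malformed or empty production list surfaces a misconfiguration before any request is served, instead of silently widening or blocking access.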
Auth Worker
| Variable | Required | Description |
| --- | --- | --- |
| JWT_SECRET | Yes | Secret key for Better Auth session signing |
| AUTH_BASE_URL | Yes | Public base URL for auth callbacks |
| RESEND_API_KEY | Yes | Resend API key for transactional emails |
| TURNSTILE_SECRET | No | Cloudflare Turnstile secret key for bot protection |
| GOOGLE_CLIENT_ID | No | Google OAuth client ID (enables Google login) |
| GOOGLE_CLIENT_SECRET | No | Google OAuth client secret |
| GITHUB_CLIENT_ID | No | GitHub OAuth client ID (enables GitHub login) |
| GITHUB_CLIENT_SECRET | No | GitHub OAuth client secret |
| OPS_WEBHOOK_URL | No | Discord/Feishu webhook for new user notifications |
OAuth providers are automatically enabled when both client ID and secret are set. Login method toggles (email/password, Google, GitHub) are managed via the admin auth settings UI and stored in D1.
Admin Worker
| Variable | Required | Description |
| --- | --- | --- |
| GOOGLE_CLIENT_ID | Recommended for OAuth admin UI | Lets the admin auth settings page report Google as configured |
| GOOGLE_CLIENT_SECRET | Recommended for OAuth admin UI | Lets the admin auth settings page report Google as configured |
| GITHUB_CLIENT_ID | Recommended for OAuth admin UI | Lets the admin auth settings page report GitHub as configured |
| GITHUB_CLIENT_SECRET | Recommended for OAuth admin UI | Lets the admin auth settings page report GitHub as configured |
Billing Worker
| Variable | Required | Description |
| --- | --- | --- |
| JWT_SECRET | Yes | Shared secret for internal token verification |
| STRIPE_SECRET_KEY | Conditional | Stripe API key (if using Stripe) |
| STRIPE_WEBHOOK_SECRET | Conditional | Stripe webhook signing secret |
| CREEM_API_KEY | Conditional | Creem API key (if using Creem) |
| CREEM_WEBHOOK_SECRET | Conditional | Creem webhook signing secret |
| OPS_WEBHOOK_URL | No | Webhook for payment notifications |
AI Worker
| Variable | Required | Description |
| --- | --- | --- |
| AI_GATEWAY_ACCOUNT_ID | No | Cloudflare AI Gateway account ID |
| AI_GATEWAY_ID | No | Cloudflare AI Gateway ID |
| OPS_WEBHOOK_URL | No | Webhook for AI error notifications |
AI provider API keys are stored in D1, not as environment variables. If the AI Gateway IDs are omitted, the app falls back to provider base URLs directly.
Support Worker
| Variable | Required | Description |
| --- | --- | --- |
| JWT_SECRET | Yes | Shared secret for internal token verification |
| NEWSLETTER_HMAC_SECRET | Recommended | HMAC secret for newsletter confirm/unsubscribe tokens (falls back to JWT_SECRET) |
| TURNSTILE_SECRET | No | Cloudflare Turnstile secret key for newsletter bot protection |
| RESEND_API_KEY | Yes | Resend API key for newsletter and support emails |
| RESEND_FROM_EMAIL | Yes | Sender email address (e.g., noreply@example.com) |
| OPS_WEBHOOK_URL | No | Webhook for support notifications |
Frontend Apps
| Variable | Required | Description |
| --- | --- | --- |
| GATEWAY_URL | Yes | Gateway API URL for SSR middleware session verification |
| PUBLIC_SUPPORT_API | Yes (web) | Support worker URL for newsletter subscribe (web app only) |
| PUBLIC_APP_KEY | Yes (web) | Application key for API requests (web app only) |
| PUBLIC_TURNSTILE_SITE_KEY | No | Cloudflare Turnstile site key |
| PUBLIC_UMAMI_WEBSITE_ID | No | Umami analytics website ID |
| PUBLIC_UMAMI_SRC | No | Umami tracking script URL |
| PUBLIC_GA4_ID | No | Google Analytics 4 measurement ID |
| PUBLIC_SITE_URL | Recommended (web) | Public web site URL used for canonical tags, robots.txt, and sitemap.xml |
| PUBLIC_DOCS_URL | Recommended | Docs site URL used for navigation links, docs canonical tags, and docs sitemap generation |
Setting Secrets
Development
Create .dev.vars in each worker directory. For example: