Environment Variables

此内容尚不支持你的语言。

Product Factory requires environment variables configured per app and worker. In development, use .dev.vars files in each worker directory. In production, set them in the Cloudflare dashboard or via Wrangler secrets.

Gateway Worker

Variable	Required	Description
`ALLOWED_ORIGINS`	Yes (prod)	Comma-separated list of allowed CORS origins (e.g., `https://app.example.com,https://admin.example.com`). In development mode, all origins are allowed.

Service bindings (AUTH_SERVICE, BILLING_SERVICE, etc.) are configured in wrangler.toml, not as environment variables.

Auth Worker

Variable	Required	Description
`JWT_SECRET`	Yes	Secret key for Better Auth session signing
`AUTH_BASE_URL`	Yes	Public base URL for auth callbacks
`RESEND_API_KEY`	Yes	Resend API key for transactional emails
`TURNSTILE_SECRET`	No	Cloudflare Turnstile secret key for bot protection
`GOOGLE_CLIENT_ID`	No	Google OAuth client ID (enables Google login)
`GOOGLE_CLIENT_SECRET`	No	Google OAuth client secret
`GITHUB_CLIENT_ID`	No	GitHub OAuth client ID (enables GitHub login)
`GITHUB_CLIENT_SECRET`	No	GitHub OAuth client secret
`OPS_WEBHOOK_URL`	No	Discord/Feishu webhook for new user notifications

OAuth providers are automatically enabled when both client ID and secret are set. Login method toggles (email/password, Google, GitHub) are managed via the admin auth settings UI and stored in D1.

Admin Worker

Variable	Required	Description
`GOOGLE_CLIENT_ID`	Recommended for OAuth admin UI	Lets the admin auth settings page report Google as configured
`GOOGLE_CLIENT_SECRET`	Recommended for OAuth admin UI	Lets the admin auth settings page report Google as configured
`GITHUB_CLIENT_ID`	Recommended for OAuth admin UI	Lets the admin auth settings page report GitHub as configured
`GITHUB_CLIENT_SECRET`	Recommended for OAuth admin UI	Lets the admin auth settings page report GitHub as configured

Billing Worker

Variable	Required	Description
`JWT_SECRET`	Yes	Shared secret for internal token verification
`STRIPE_SECRET_KEY`	Conditional	Stripe API key (if using Stripe)
`STRIPE_WEBHOOK_SECRET`	Conditional	Stripe webhook signing secret
`CREEM_API_KEY`	Conditional	Creem API key (if using Creem)
`CREEM_WEBHOOK_SECRET`	Conditional	Creem webhook signing secret
`OPS_WEBHOOK_URL`	No	Webhook for payment notifications

AI Worker

Variable	Required	Description
`AI_GATEWAY_ACCOUNT_ID`	No	Cloudflare AI Gateway account ID
`AI_GATEWAY_ID`	No	Cloudflare AI Gateway ID
`OPS_WEBHOOK_URL`	No	Webhook for AI error notifications

AI provider API keys are stored in D1, not as environment variables. If the AI Gateway IDs are omitted, the app falls back to provider base URLs directly.

Support Worker

Variable	Required	Description
`JWT_SECRET`	Yes	Shared secret for internal token verification
`NEWSLETTER_HMAC_SECRET`	Recommended	HMAC secret for newsletter confirm/unsubscribe tokens (falls back to `JWT_SECRET`)
`TURNSTILE_SECRET`	No	Cloudflare Turnstile secret key for newsletter bot protection
`RESEND_API_KEY`	Yes	Resend API key for newsletter and support emails
`RESEND_FROM_EMAIL`	Yes	Sender email address (e.g., `noreply@example.com`)
`OPS_WEBHOOK_URL`	No	Webhook for support notifications

Frontend Apps

Variable	Required	Description
`GATEWAY_URL`	Yes	Gateway API URL for SSR middleware session verification
`PUBLIC_SUPPORT_API`	Yes (web)	Support worker URL for newsletter subscribe (web app only)
`PUBLIC_APP_KEY`	Yes (web)	Application key for API requests (web app only)
`PUBLIC_TURNSTILE_SITE_KEY`	No	Cloudflare Turnstile site key
`PUBLIC_UMAMI_WEBSITE_ID`	No	Umami analytics website ID
`PUBLIC_UMAMI_SRC`	No	Umami tracking script URL
`PUBLIC_GA4_ID`	No	Google Analytics 4 measurement ID
`PUBLIC_SITE_URL`	Recommended (web)	Public web site URL used for canonical tags, `robots.txt`, and `sitemap.xml`
`PUBLIC_DOCS_URL`	Recommended	Docs site URL used for navigation links, docs canonical tags, and docs sitemap generation

Setting Secrets

Development

Create .dev.vars in each worker directory. For example:

JWT_SECRET=dev-secret-key-at-least-32-chars!!
RESEND_API_KEY=re_test_xxxxx

# apps/worker-billing/.dev.vars
JWT_SECRET=dev-secret-key-at-least-32-chars!!
STRIPE_SECRET_KEY=sk_test_xxxxx
STRIPE_WEBHOOK_SECRET=whsec_xxxxx
# or:
# CREEM_API_KEY=creem_test_xxxxx
# CREEM_WEBHOOK_SECRET=your_creem_webhook_secret

# apps/worker-support/.dev.vars
JWT_SECRET=dev-secret-key-at-least-32-chars!!
RESEND_API_KEY=re_test_xxxxx
RESEND_FROM_EMAIL=noreply@example.com

Production

pnpm --filter worker-auth wrangler secret put JWT_SECRET
pnpm --filter worker-auth wrangler secret put RESEND_API_KEY
pnpm --filter worker-billing wrangler secret put STRIPE_SECRET_KEY
pnpm --filter worker-billing wrangler secret put STRIPE_WEBHOOK_SECRET
# or:
# pnpm --filter worker-billing wrangler secret put CREEM_API_KEY
# pnpm --filter worker-billing wrangler secret put CREEM_WEBHOOK_SECRET

Billing CLI Helpers

From the repo root:

pnpm billing:setup:stripe-cli
pnpm billing:setup:creem-cli
pnpm billing:check-env
pnpm billing:listen:stripe
pnpm billing:whoami:creem