Declare Required Secrets in Wrangler Configuration

Cloudflare Workers has introduced a new secrets configuration property that lets developers explicitly declare which secrets their Worker requires. This declarative approach improves the development workflow and deployment reliability.

Configuration and Validation

The secrets property is added to your wrangler.jsonc or wrangler.toml configuration file:

"secrets": {
  "required": ["API_KEY", "DB_PASSWORD"]
}

During deployment with wrangler deploy, the toolchain validates that all declared secrets are configured on the Worker before the operation proceeds. If any required secrets are missing, the deploy fails with a clear error message listing which secrets need to be set.

Local Development Improvements

When developing locally with wrangler dev or vite dev, only the secret names listed in secrets.required are loaded from .dev.vars or .env/process.env. Any additional keys in those files are excluded, reducing potential confusion. If required secrets are missing, a warning is logged indicating which ones are needed.

Type Generation Without Environment Files

The wrangler types command now generates typed bindings directly from secrets.required instead of inferring names from environment files. This enables type generation in CI environments or other contexts where .dev.vars or .env files aren't available. The generated Env type intelligently marks secrets that only appear in some environments as optional, supporting per-environment configurations.

For detailed information, refer to the secrets configuration property reference.