Secret
Alchemy provides built-in mechanisms for handling sensitive data securely. This guide explains how to manage secrets in your Alchemy resources.
What are Secrets?
Secrets in Alchemy are sensitive values that need special handling to prevent exposure in logs, state files, or source code. Examples include:
- API keys and tokens
- Passwords and credentials
- Private certificates
- Connection strings with credentials
Encryption Password
Secrets are encrypted using a password that you provide when initializing your Alchemy app:
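import alchemy from "alchemy";

const app = await alchemy("my-app", {
  stage: "dev",
  // Passphrase used to encrypt secrets in state; read from the environment, never hard-coded
  password: process.env.SECRET_PASSPHRASE,
});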
IMPORTANT
Always store your encryption password securely and never commit it to source control.
Using the alchemy.secret() Function
The primary way to handle secrets in Alchemy is with the alchemy.secret() function:
// Create a secret from an environment variable
const apiKey = alchemy.secret(process.env.API_KEY);
When a secret is stored in state, it is automatically encrypted:
{
  "props": {
    "key": {
      "@secret": "Tgz3e/WAscu4U1oanm5S4YXH..."
    }
  }
}
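An added example (not code from the Alchemy project) of a check you can run over a parsed state file: it records values in the `{ "@secret": ... }` form shown above as encrypted and flags any bare string that contains a known secret value, which is what state looks like when a value was passed without alchemy.secret(). The names `auditState`, `pathsOfKind` and the sample state layout are assumptions made for illustration.

```typescript
type Kind = "encrypted" | "plaintext";
type Finding = { path: string; kind: Kind };

// Walk a parsed state object and collect findings with their JSON path.
function auditState(node: unknown, secrets: string[], path: string = "$", out: Finding[] = []): Finding[] {
  if (typeof node === "string") {
    const text: string = node;
    // A bare string containing a known secret value was stored unencrypted.
    if (secrets.some((s) => s.length > 0 && text.indexOf(s) !== -1)) {
      out.push({ path: path, kind: "plaintext" });
    }
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => auditState(item, secrets, path + "[" + i + "]", out));
  } else if (node !== null && typeof node === "object") {
    const obj = node as { [key: string]: unknown };
    if (typeof obj["@secret"] === "string") {
      // Encrypted representation: do not descend into the ciphertext.
      out.push({ path: path, kind: "encrypted" });
    } else {
      Object.keys(obj).forEach((k) => auditState(obj[k], secrets, path + "." + k, out));
    }
  }
  return out;
}

// Paths of all findings of one kind, for reporting or for failing a CI job.
function pathsOfKind(findings: Finding[], kind: Kind): string[] {
  return findings.filter((f) => f.kind === kind).map((f) => f.path);
}

// Constructed sample state: one value encrypted, one stored in plaintext by mistake.
const sampleState = {
  props: {
    key: { "@secret": "constructed-ciphertext-placeholder" },
    bindings: [
      { name: "DATABASE_URL", value: "postgres://app:constructed-pw@db.example.internal/app" },
    ],
  },
};

// In a real run the second argument would hold the values of the secret environment variables.
const sampleFindings = auditState(sampleState, ["constructed-pw"]);
console.log("encrypted:", pathsOfKind(sampleFindings, "encrypted"));
console.log("plaintext:", pathsOfKind(sampleFindings, "plaintext"));
```

A non-empty plaintext list means a sensitive value reached state without being wrapped, so the job should fail before the state file is stored or shared.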
Multiple Secret Values
You can create multiple secrets in your application:
// Create multiple secrets from environment variables
const apiKey = alchemy.secret(process.env.API_KEY);
const databaseUrl = alchemy.secret(process.env.DATABASE_URL);
const jwtSecret = alchemy.secret(process.env.JWT_SECRET);
Using Secrets in Resources
Secrets can be passed to resources like Cloudflare Workers. First, define your worker script:
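// worker-script.ts
// Demo handler: it echoes binding values back to the caller so you can confirm
// the secrets were bound. A production worker must not return secret values.
export default {
  async fetch(request, env, ctx) {
    const url = new URL(request.url);
    if (url.pathname.startsWith('/env/')) {
      // /env/<NAME> returns the value of the binding called <NAME>
      const varName = url.pathname.split('/env/')[1];
      const value = env[varName];
      return new Response(value || 'undefined', {
        status: 200,
        headers: { 'Content-Type': 'text/plain' }
      });
    }
    // Any other path returns the API_KEY binding in the response body
    return new Response('Secret is safe: ' + env.API_KEY, { status: 200 });
  }
};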
Then use the script and bind the secrets:
import { Worker } from "alchemy/cloudflare";

// Use the script with secrets
const worker = await Worker("multi-secret-worker", {
  name: "multi-secret-worker",
  script: workerScript, // the worker script defined above
  format: "esm",
  bindings: {
    // Each value is wrapped with alchemy.secret() so it is encrypted in state
    API_KEY: alchemy.secret(process.env.API_KEY),
    DATABASE_URL: alchemy.secret(process.env.DATABASE_URL),
    JWT_SECRET: alchemy.secret(process.env.JWT_SECRET)
  }
});