Cloudflare Auth

There are three supported ways of authorizing Alchemy with Cloudflare:

1. OAuth (recommended) - short-lived access and refresh tokens
2. API Token - a token you create once with limited scopes
3. Global API Key (legacy) - the global, highly permissive API key

Tip

We recommend using Profiles to manage your credentials.

While API Tokens and Global API Keys can be set as environment variables, all three methods can be configured using Profiles and the alchemy configure CLI command.

OAuth

To use OAuth with Cloudflare, create a Profile with alchemy configure and select OAuth for Cloudflare.

Once setup, you can refresh your OAuth tokens with Cloudflare using the alchemy login command:

bun

bun alchemy login [--profile <profile>]

npm

npx alchemy login [--profile <profile>]

pnpm

pnpm alchemy login [--profile <profile>]

yarn

yarn alchemy login [--profile <profile>]

Then, deploy your app with alchemy deploy (or run another CLI command):

bun

bun alchemy deploy

npm

npx alchemy deploy

pnpm

pnpm alchemy deploy

yarn

yarn alchemy deploy

To select a specific profile, use the --profile flag:

bun

bun alchemy deploy --profile <profile>

npm

npx alchemy deploy --profile <profile>

pnpm

pnpm alchemy deploy --profile <profile>

yarn

yarn alchemy deploy

API Token

First, create an API Token and then use it in your Alchemy app.

Tip

The Alchemy CLI exposes a utility for creating Cloudflare tokens from your Alchemy Profile or “god” tokens with full access to all services.

See util create-cloudflare-token for more details.

By default, Alchemy will use the CLOUDFLARE_API_TOKEN environment variable if set.

You can store the token in your .env file

CLOUDFLARE_API_TOKEN=<token>

Or set when deploying your app:

bun

CLOUDFLARE_API_TOKEN=<token> bun alchemy deploy

npm

CLOUDFLARE_API_TOKEN=<token> npx alchemy deploy

pnpm

CLOUDFLARE_API_TOKEN=<token> pnpm alchemy deploy

yarn

CLOUDFLARE_API_TOKEN=<token> yarn alchemy deploy

You can explciitly set an apiToken when creating a Cloudflare Resource, such as a Worker:

await Worker("my-worker", {
  apiToken: alchemy.secret(process.env.MY_TOKEN)
});

Caution

To use alchemy.secret, you must set a password when initializing your alchemy app. See Encryption Password.

Global API Key

After you verify your Cloudflare Account’s Email, you will be given a Global API Key.

Caution

These keys have several limitations that make them less secure than API tokens. Whenever possible, use API tokens to interact with the Cloudflare API.

See Cloudflare’s API Docs.

By default, Alchemy will use the CLOUDFLARE_API_KEY environment variable if set.

You can store the token in your .env file

CLOUDFLARE_API_KEY=<token>

Or set when deploying your app:

bun

CLOUDFLARE_API_KEY=<token> bun alchemy deploy

npm

CLOUDFLARE_API_KEY=<token> npx alchemy deploy

pnpm

CLOUDFLARE_API_KEY=<token> pnpm alchemy deploy

yarn

CLOUDFLARE_API_KEY=<token> yarn alchemy deploy

You can explciitly set an apiKey when creating a Cloudflare Resource, such as a Worker:

await Worker("my-worker", {
  apiKey: alchemy.secret(process.env.MY_GLOBAL_KEY)
});

Caution

To use alchemy.secret, you must set a password when initializing your alchemy app. See Encryption Password.

Email

When using Global API Keys, Alchemy must be configured with the API Key’s email.

By default, Alchemy will use the CLOUDFLARE_EMAIL if set

bun

CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY=<token> bun alchemy deploy

npm

CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY=<token> npx alchemy deploy

pnpm

CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY=<token> pnpm alchemy deploy

yarn

CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY=<token> yarn alchemy deploy

You can explicitly set email when creating a Cloudlfare Resource:

await Worker("my-worker", {
  apiKey: alchemy.secret(process.env.MY_GLOBAL_KEY),
  email: "me@example.com"
});

Caution

To use alchemy.secret, you must set a password when initializing your alchemy app. See Encryption Password.

Account ID

By default, Alchemy will resolve the account ID from the Profile or look it up using your API Key or Token.

bun

# will use wrangler login and resolve the first account you have acces to (ideal for personal accounts)
bun alchemy deploy

npm

# will use wrangler login and resolve the first account you have acces to (ideal for personal accounts)
npx alchemy deploy

pnpm

# will use wrangler login and resolve the first account you have acces to (ideal for personal accounts)
pnpm alchemy deploy

yarn

# will use wrangler login and resolve the first account you have acces to (ideal for personal accounts)
yarn alchemy deploy

Caution

If your token has access to more than one account, Alchemy chooses the first one arbitrarily.

You can override the default account ID with the CLOUDFLARE_ACCOUNT_ID environment variable:

bun

CLOUDFLARE_ACCOUNT_ID=<account-id> bun alchemy deploy

npm

CLOUDFLARE_ACCOUNT_ID=<account-id> npx alchemy deploy

pnpm

CLOUDFLARE_ACCOUNT_ID=<account-id> pnpm alchemy deploy

yarn

CLOUDFLARE_ACCOUNT_ID=<account-id> yarn alchemy deploy

Or by setting accountId when creating a Cloudflare Resource:

await Worker("my-worker", {
  accountId: "my-account-id",
});