# Cloudflare Auth import { Tabs, TabItem } from '@astrojs/starlight/components'; There are three supported ways of authorizing Alchemy with Cloudflare: 1. **OAuth (recommended**) - short-lived access and refresh tokens 2. **API Token** - a token you create once with limited scopes 3. **Global API Key** (legacy) - the global, highly permissive API key :::tip We recommend using [Profiles](/concepts/profiles) to manage your credentials. While API Tokens and Global API Keys can be set as environment variables, all three methods can be configured using Profiles and the `alchemy configure` CLI command. ::: ## OAuth To use OAuth with Cloudflare, create a [Profile](/concepts/profiles) with `alchemy configure` and select OAuth for Cloudflare. Once setup, you can refresh your OAuth tokens with Cloudflare using the `alchemy login` command: ```sh bun alchemy login [--profile ] ``` ```sh npx alchemy login [--profile ] ``` ```sh pnpm alchemy login [--profile ] ``` ```sh yarn alchemy login [--profile ] ``` Then, deploy your app with `alchemy deploy` (or run another [CLI command](/concepts/cli)): ```sh bun alchemy deploy ``` ```sh npx alchemy deploy ``` ```sh pnpm alchemy deploy ``` ```sh yarn alchemy deploy ``` To select a specific profile, use the `--profile` flag: ```sh bun alchemy deploy --profile ``` ```sh npx alchemy deploy --profile ``` ```sh pnpm alchemy deploy --profile ``` ```sh yarn alchemy deploy ``` ## API Token First, [create an API Token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) and then use it in your Alchemy app. :::tip The Alchemy CLI exposes a utility for creating Cloudflare tokens from your [Alchemy Profile](/concepts/profiles) or "god" tokens with full access to all services. See [util create-cloudflare-token](/concepts/cli#util-create-cloudflare-token) for more details. ::: By default, Alchemy will use the `CLOUDFLARE_API_TOKEN` environment variable if set. You can store the token in your `.env` file ```sh CLOUDFLARE_API_TOKEN= ``` Or set when deploying your app: ```sh CLOUDFLARE_API_TOKEN= bun alchemy deploy ``` ```sh CLOUDFLARE_API_TOKEN= npx alchemy deploy ``` ```sh CLOUDFLARE_API_TOKEN= pnpm alchemy deploy ``` ```sh CLOUDFLARE_API_TOKEN= yarn alchemy deploy ``` You can explciitly set an `apiToken` when creating a Cloudflare Resource, such as a `Worker`: ```ts await Worker("my-worker", { apiToken: alchemy.secret(process.env.MY_TOKEN) }); ``` :::caution To use `alchemy.secret`, you must set a `password` when initializing your alchemy app. See [Encryption Password](/concepts/secret#encryption-password). ::: ## Global API Key After you verify your Cloudflare Account's Email, you will be given a [Global API Key](https://developers.cloudflare.com/fundamentals/api/get-started/keys/). :::caution These keys have several limitations that make them less secure than API tokens. Whenever possible, use API tokens to interact with the Cloudflare API. See [Cloudflare's API Docs](https://developers.cloudflare.com/api/). ::: By default, Alchemy will use the `CLOUDFLARE_API_KEY` environment variable if set. You can store the token in your `.env` file ```sh CLOUDFLARE_API_KEY= ``` Or set when deploying your app: ```sh CLOUDFLARE_API_KEY= bun alchemy deploy ``` ```sh CLOUDFLARE_API_KEY= npx alchemy deploy ``` ```sh CLOUDFLARE_API_KEY= pnpm alchemy deploy ``` ```sh CLOUDFLARE_API_KEY= yarn alchemy deploy ``` You can explciitly set an `apiKey` when creating a Cloudflare Resource, such as a `Worker`: ```ts await Worker("my-worker", { apiKey: alchemy.secret(process.env.MY_GLOBAL_KEY) }); ``` :::caution To use `alchemy.secret`, you must set a `password` when initializing your alchemy app. See [Encryption Password](/concepts/secret#encryption-password). ::: ## Email When using [Global API Keys](#global-api-key), Alchemy must be configured with the API Key's email. By default, Alchemy will use the `CLOUDFLARE_EMAIL` if set ```sh CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY= bun alchemy deploy ``` ```sh CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY= npx alchemy deploy ``` ```sh CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY= pnpm alchemy deploy ``` ```sh CLOUDFLARE_EMAIL=me@example.com CLOUDFLARE_API_KEY= yarn alchemy deploy ``` You can explicitly set `email` when creating a Cloudlfare Resource: ```ts await Worker("my-worker", { apiKey: alchemy.secret(process.env.MY_GLOBAL_KEY), email: "me@example.com" }); ``` :::caution To use `alchemy.secret`, you must set a `password` when initializing your alchemy app. See [Encryption Password](/concepts/secret#encryption-password). ::: ## Account ID By default, Alchemy will resolve the account ID from the Profile or look it up using your API Key or Token. ```sh # will use wrangler login and resolve the first account you have acces to (ideal for personal accounts) bun alchemy deploy ``` ```sh # will use wrangler login and resolve the first account you have acces to (ideal for personal accounts) npx alchemy deploy ``` ```sh # will use wrangler login and resolve the first account you have acces to (ideal for personal accounts) pnpm alchemy deploy ``` ```sh # will use wrangler login and resolve the first account you have acces to (ideal for personal accounts) yarn alchemy deploy ``` :::caution If your token has access to more than one account, Alchemy chooses the first one arbitrarily. ::: You can override the default account ID with the `CLOUDFLARE_ACCOUNT_ID` environment variable: ```sh CLOUDFLARE_ACCOUNT_ID= bun alchemy deploy ``` ```sh CLOUDFLARE_ACCOUNT_ID= npx alchemy deploy ``` ```sh CLOUDFLARE_ACCOUNT_ID= pnpm alchemy deploy ``` ```sh CLOUDFLARE_ACCOUNT_ID= yarn alchemy deploy ``` Or by setting `accountId` when creating a Cloudflare Resource: ```ts await Worker("my-worker", { accountId: "my-account-id", }); ```