Use dotenvx with Cloudflare Workers & Pages
Use dotenvx with Cloudflare Workers & Pages
Initial setup
Select Build System v3 (bun) and install dependencies:
# Install dotenvx and wrangler
bun install @dotenvx/dotenvx wrangler --save
Cloudflare Workers
Add dotenvx to your Worker entrypoint to load environment variables at startup:
// Load .env variables automatically
import '@dotenvx/dotenvx/config'
export default {
async fetch(request) {
return new Response(`Hello ${process.env.HELLO}`)
}
}
Create wrangler.toml:
name = "dotenvx-worker"
main = "index.js"
compatibility_date = "2025-08-21"
Add your .env file and encrypt it:
# .env
HELLO="World"
bunx dotenvx encrypt
Set the private key as a Worker secret:
wrangler secret put DOTENV_PRIVATE_KEY <your_private_key>
Deploy:
wrangler publish
Cloudflare Pages
For Pages builds, run dotenvx during the build and dev scripts. Update package.json:
{
"scripts": {
"dev": "dotenvx run -- bun run dev",
"build": "dotenvx run -- bun run build"
}
}
In your framework config (e.g., Next.js), expose env vars:
export default {
env: {
HELLO: process.env.HELLO,
},
}
Encrypt production .env:
# .env.production
HELLO="Production"
bunx dotenvx encrypt -f .env.production
In the Pages dashboard:
- Go to your project’s Settings → Environment Variables
- Add
DOTENV_PRIVATE_KEYwith the private key from.env.keys
Now Pages will inject the encrypted values during build.
You succesfully add encryption to your .env files. This is safer than scattering your secrets across third-party platforms and tools. When you need to update a secret, run dotenvx set KEY value and redeploy.