Cloudflare Workers
Varlock provides a robust solution for managing environment variables in Cloudflare Workers, offering validation, type safety, and security features that go beyond Cloudflare’s built-in environment variable handling.
Two approaches
Section titled “Two approaches”There are two main ways to use varlock with Cloudflare Workers:
- With Vite plugin (recommended) - Use the Varlock Vite integration alongside the Cloudflare Workers Vite plugin
- Without Vite - Use Wrangler’s
varsandsecretsdirectly
Approach 1: Using the Vite plugin (recommended)
Section titled “Approach 1: Using the Vite plugin (recommended)”Using the Cloudflare Workers Vite plugin allows more flexiblity in the bundling process. We can then use the Varlock Vite plugin to bundle resolved environment variables into your built code, making it safe and straightforward to use.
Even though it may feel a bit strange to use Vite on a backend-only project, it is the recommended approach by Cloudflare when you need more flexibility in your build process.
-
Install varlock and the Vite integration package
Terminal window npm install @varlock/vite-integration varlockTerminal window yarn add @varlock/vite-integration varlockTerminal window pnpm add @varlock/vite-integration varlockTerminal window vlt install @varlock/vite-integration varlockTerminal window bun add @varlock/vite-integration varlock -
Run
varlock initto set up your.env.schemafileThis will guide you through setting up your
.env.schemafile, based on your existing.envfile(s). Make sure to review it carefully.Terminal window npm exec -- varlock initTerminal window yarn exec -- varlock initTerminal window pnpm exec -- varlock initTerminal window vlx -- varlock initTerminal window bun run varlock init -
Enable the Vite config plugin
Add the Varlock Vite plugin alongside the Cloudflare Workers Vite plugin to your
vite.config.*file:vite.config.ts import { defineConfig } from 'vite';import { varlockVitePlugin } from '@varlock/vite-integration';export default defineConfig({plugins: [varlockVitePlugin(),cloudflare(),// other plugins ...],});The varlock plugin will automatically detect Cloudflare Workers and use the
resolved-envmode, which injects the fully resolved environment data into your built code.
Update package.json scripts
Section titled “Update package.json scripts”If you were not already using the Vite plugin, you’ll also need to update your package.json scripts:
{ "scripts": { "dev": "vite dev", "build": "vite build", "preview": "npm run build && vite preview", "deploy": "npm run build && wrangler deploy" }}You can see more details in the Cloudflare’s Vite getting started guide.
Approach 2: Using Wrangler vars and secrets (without Vite)
Section titled “Approach 2: Using Wrangler vars and secrets (without Vite)”For local development, you can use Wrangler’s --var flag to pass the entire resolved env:
{ "scripts": { "dev": "wrangler dev", "dev": "wrangler dev --var \"__VARLOCK_ENV:$(varlock load --format json-full)\"", }}For deployments we can use the same method. Note that you may need to set your current env, either within the deploy command or infer it from the CI environemnt (see below).
{ "scripts": { "deploy": "wrangler deploy", "deploy": "wrangler deploy --var \"__VARLOCK_ENV:$(varlock load --format json-full)\"", }}Using Cloudflare secrets
Section titled “Using Cloudflare secrets”To attach the resolved env blob as a secret, you must use a 3-step deployment process using Wrangler’s versions commands:
- Upload new deployment version of your bundled code
- Create a second version with the secret attached
- Promote the latest version to be the active deployment
# Step 1: Create a version that's not deployed immediately# note the empty __VARLOCK_ENV so it will not reuse existing confignpx wrangler versions upload --var "__VARLOCK_ENV:{}"
# Step 2: Attach a new secret containing the resolved env as a single JSON objectecho "$(APP_ENV=prod npx varlock load --format json-full)" | npx wrangler versions secret put __VARLOCK_ENV
# Step 3: Activate the deploymentnpx wrangler versions deploy --version-id=$(npx wrangler versions list | grep -oE 'Version ID:[[:space:]]*[a-f0-9-]+' | tail -n1 | sed 's/Version ID:[[:space:]]*//') --percentage=100 --yesAccessing environment variables
Section titled “Accessing environment variables”Because we are not re-emitting all env vars into the Cloudflare’s vars/secrets, you must using varlock’s ENV object instead of Cloudflare’s built-in environment variable access:
// ❌ Do not use Cloudflare's built-in envimport { env } from "cloudflare:workers";console.log(env.API_KEY);
// ✅ Recommended - uses varlock's ENVimport { ENV } from 'varlock/env';console.log(ENV.API_KEY);Managing Multiple Environments
Section titled “Managing Multiple Environments”Varlock can load multiple environment-specific .env files (e.g., .env.development, .env.preview, .env.production) by using the @currentEnv root decorator.
If you are using Cloudflare’s CI, you can use the current branch name (WORKERS_CI_BRANCH) to determine the environment:
# @currentEnv=$APP_ENV# ---WORKERS_CI_BRANCH=# @type=enum(development, preview, production, test)APP_ENV=remap($WORKERS_CI_BRANCH, production="main", preview=regex(.*), development=undefined)For more information, see the environments guide.