Secure your AI stack with Alprina. Request access or email hello@alprina.com.

Alprina Blog

Secretless Edge Runtimes: Shipping Cloudflare Workers That Do Not Hoard API Keys

Cover Image for Secretless Edge Runtimes: Shipping Cloudflare Workers That Do Not Hoard API Keys
Alprina Security Team
Alprina Security Team

Hook: The Edge Worker That Logged Your Strangely Plaintext API Key

You deploy a Cloudflare Worker that signs requests to an internal API. For convenience, you inject the API key as a plain text secret using Wrangler. A colleague adds verbose logging to debug a bug and accidentally logs the entire request context, including the secret. Since Workers share console output across zones, the key now lives in your logging pipeline. Worse, the key cannot be rotated quickly because it is hard-coded in multiple environments.

Edge runtimes like Cloudflare Workers, Vercel Edge Functions, and Deno Deploy complicate traditional secret management. This article walks through secretless patterns developers can implement: token exchange services, mTLS-backed fetchers, per-request identity, and automated regression tests. We focus on Workers but include portable concepts.

The Problem Deep Dive

Challenges with edge runtimes:

  • Runtime constraints. No traditional environment variables, limited filesystem access.
  • Shared infrastructure. Logs and caches cross tenant boundaries.
  • Long-lived secrets. Rotating secrets requires redeploying every worker.
  • Origin authentication. Edge functions often act as proxies; compromise exposes backend APIs.

Typical anti-pattern:

export default {
  async fetch(request, env) {
    const res = await fetch("https://api.internal.com/data", {
      headers: { Authorization: `Bearer ${env.API_KEY}` },
    });
    return res;
  }
};

If env.API_KEY leaks via logs or tail sessions, attackers call your internal API.

Technical Solutions

Quick Patch: Short-Lived Signed Tokens

Instead of storing raw API keys, have Workers request signed tokens from a backend:

async function getToken(env) {
  const res = await fetch(env.TOKEN_SERVICE_URL, {
    method: "POST",
    headers: { "X-Worker-Id": env.WORKER_ID },
    body: JSON.stringify({ scope: "inventory.read" }),
  });
  if (!res.ok) throw new Error("token service failure");
  const data = await res.json();
  return data.token;
}

Tokens expire within minutes, reducing exposure window.

Durable Fix: Mutual TLS Service Mesh

Deploy a lightweight origin (e.g., Cloudflare Tunnel or custom gateway) that authenticates Workers via mTLS. Workers obtain client certificates at deploy time; instead of storing secrets, they use certificates stored in Workers KV with access controls.

const cert = await env.WORKER_CERT.get("client");
const key = await env.WORKER_CERT.get("key");
const tls = { clientCert: cert, clientKey: key };
const res = await fetch("https://mesh.internal/api", { tls });

Restrict KV access via Durable Objects to prevent broad read/write operations.

Token Binding with HMAC

Workers derive per-request HMAC signatures using keys stored in Durable Objects that enforce quotas and logging.

const signer = env.SIGNER.get(someId);
const signature = await signer.fetch("/sign", { body: payload });

The Durable Object holds the key, not the Worker.

Logging Hygiene

  • Override console.log to sanitize secrets.
  • Use structuredClone to strip headers before logging.
  • Disable debug logs in production via environment toggles.

Deployment Pipeline

  • Store secrets in Vault; issue scoped access tokens to Wrangler at deploy time.
  • Require pull request approvals for secret changes.
  • Run integration tests against staging token services before promoting to prod.

Alprina Policies

Check Workers code for direct usage of env.API_KEY or static secrets. Flag fetch calls missing auth wrappers.

Testing & Verification

  • Use Miniflare to simulate Workers locally with mocked token services.
  • Write tests ensuring logs never contain token values.
  • Run security chaos: revoke tokens, expire certificates, ensure Workers handle errors gracefully.
  • Pen test: attempt to call token service without worker ID; expect 401.

Common Questions & Edge Cases

What about third-party APIs requiring static keys? Wrap them with a backend proxy. Workers call the proxy with mTLS; proxy injects static key server-side.

Do we need to encrypt KV entries? Yes. KV stores secrets at rest but treat them as accessible; use application-level encryption where possible.

How to handle high-frequency token exchange? Cache tokens in memory for short TTL (seconds). Use Durable Objects per worker to coordinate and avoid stampedes.

Can we rely on IP allow lists? Edge IPs change frequently. Prefer mutual auth.

Logging restrictions on Workers? Limit wrangler tail access via RBAC. Audit log readers.

Conclusion

Edge runtimes reward speed but punish sloppy secret handling. Shift secrets to short-lived tokens, mutual TLS gateways, and server-side proxies. Harden logging and deployment pipelines, and your Workers will run fast without leaving keys in the log stream.