---
title: "Configure Secrets"
description: "All the API keys and credentials your project needs"
source: /docs/secrets
---


## Overview [#overview]

MastraKit uses a centralized secrets file at `scripts/env/.env.dev-secrets`. This file is:

* Generated during scaffolding (with empty values)
* Populated during the deploy wizard (or manually)
* Read by `setup-dev-secrets.sh` to push to Cloudflare Workers
* Read by `provision-github-env.sh` to push to GitHub Environments
* **Never committed to git** (included in `.gitignore`)

## Auto-Generated Secrets [#auto-generated-secrets]

These are generated automatically by the deploy wizard. You never need to set them manually:

| Secret                           | Purpose                                                 |
| -------------------------------- | ------------------------------------------------------- |
| `BETTER_AUTH_SECRET`             | Signs JWTs and encrypts JWKS private keys (64-char hex) |
| `SESSION_SECRET`                 | Mastra Studio session encryption (64-char hex)          |
| `METERING_SERVICE_CLIENT_ID`     | Identifies Mastra when calling Metering (32-char hex)   |
| `METERING_SERVICE_CLIENT_SECRET` | Authenticates Mastra-to-Metering calls (64-char hex)    |
| `METERING_MASTER_API_KEY`        | Bootstrap admin access to Metering (`mtr_admin_sk_*`)   |

Any of the hex values can be regenerated with `openssl rand -hex 32`. Changing `BETTER_AUTH_SECRET`, however, invalidates all existing sessions and JWKS keys, so you will also need to clear the `jwks` table in the auth database.

See [Security & Authentication](/docs/security) for details on how these secrets are used.
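The script below is an added example, not part of MastraKit or its deploy wizard. It generates the hex secrets from the table with the same `openssl rand -hex` command the page gives (falling back to `/dev/urandom` when `openssl` is absent), fills only the values that are still empty in `scripts/env/.env.dev-secrets` (so an existing `BETTER_AUTH_SECRET` is never silently rotated), and checks that every auto-generated secret has the documented shape before anything is pushed. It assumes the file is plain dotenv (`KEY=VALUE`, one per line, `#` comments); for `METERING_MASTER_API_KEY` only the `mtr_admin_sk_` prefix is documented, so the check accepts any non-empty suffix and the fill step leaves that key to the wizard.

```shell
#!/bin/sh
# Added example (not part of MastraKit): generate and sanity-check the
# auto-generated secrets in .env.dev-secrets before they are pushed anywhere.
set -eu

# gen_hex N: print 2*N lowercase hex characters from a CSPRNG.
# Uses the openssl command from the docs, falling back to /dev/urandom.
gen_hex() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex "$1"
  else
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# check_secret NAME VALUE: succeed if VALUE has the shape documented for NAME.
# Assumption: for METERING_MASTER_API_KEY only the prefix is documented,
# so any non-empty suffix after mtr_admin_sk_ is accepted.
check_secret() {
  case "$1" in
    BETTER_AUTH_SECRET|SESSION_SECRET|METERING_SERVICE_CLIENT_SECRET)
      printf '%s\n' "$2" | grep -Eq '^[0-9a-f]{64}$' ;;
    METERING_SERVICE_CLIENT_ID)
      printf '%s\n' "$2" | grep -Eq '^[0-9a-f]{32}$' ;;
    METERING_MASTER_API_KEY)
      printf '%s\n' "$2" | grep -Eq '^mtr_admin_sk_.+$' ;;
    *) echo "check_secret: no rule for $1" >&2; return 2 ;;
  esac
}

# fill_missing FILE: give the hex secrets a fresh value only where the value
# is empty. Existing values are kept, since regenerating BETTER_AUTH_SECRET
# invalidates sessions and JWKS keys. METERING_MASTER_API_KEY is left to the
# deploy wizard because its full format is not documented here.
fill_missing() {
  file="$1"
  tmp="$(mktemp)"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *=*) name="${line%%=*}"; value="${line#*=}" ;;
      *) printf '%s\n' "$line"; continue ;;   # blank line or comment: keep as-is
    esac
    if [ -z "$value" ]; then
      case "$name" in
        BETTER_AUTH_SECRET|SESSION_SECRET|METERING_SERVICE_CLIENT_SECRET) value="$(gen_hex 32)" ;;
        METERING_SERVICE_CLIENT_ID) value="$(gen_hex 16)" ;;
      esac
    fi
    printf '%s=%s\n' "$name" "$value"
  done < "$file" > "$tmp"
  chmod 600 "$tmp"      # the secrets file must not be readable by other users
  mv "$tmp" "$file"
}

# verify_file FILE: report every auto-generated secret that is empty or
# malformed (names only, never values). Fails if any is wrong.
verify_file() {
  file="$1"
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
    name="${line%%=*}"; value="${line#*=}"
    case "$name" in
      BETTER_AUTH_SECRET|SESSION_SECRET|METERING_SERVICE_CLIENT_SECRET|METERING_SERVICE_CLIENT_ID|METERING_MASTER_API_KEY)
        if ! check_secret "$name" "$value"; then
          echo "$name: empty or malformed" >&2
          bad=$((bad + 1))
        fi ;;
    esac
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Usage: check-secrets.sh scripts/env/.env.dev-secrets [--fill]
if [ "$#" -ge 1 ]; then
  [ "${2:-}" = "--fill" ] && fill_missing "$1"
  verify_file "$1"
fi
```

Run it with `--fill` once after scaffolding to populate the empty hex values, and without `--fill` before every push as a cheap guard against a truncated or hand-edited value reaching a Worker.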

## Required Secrets [#required-secrets]

### LLM Provider [#llm-provider]

Set the one for the provider you chose when scaffolding:

| Secret              | Where to get it                                                      |
| ------------------- | -------------------------------------------------------------------- |
| `ANTHROPIC_API_KEY` | [console.anthropic.com](https://console.anthropic.com) > API Keys    |
| `OPENAI_API_KEY`    | [platform.openai.com/api-keys](https://platform.openai.com/api-keys) |

### Stripe [#stripe]

| Secret                   | Where to get it                                                                                            |
| ------------------------ | ---------------------------------------------------------------------------------------------------------- |
| `STRIPE_SECRET_KEY`      | [Stripe Dashboard](https://dashboard.stripe.com/apikeys) > Secret key (`sk_test_...`)                      |
| `STRIPE_PUBLISHABLE_KEY` | Same page > Publishable key (`pk_test_...`)                                                                |
| `STRIPE_WEBHOOK_SECRET`  | Created during deploy wizard, or from [Webhooks page](https://dashboard.stripe.com/webhooks) (`whsec_...`) |

The deploy wizard creates Stripe products (Pro, Enterprise plans + credit packages) automatically using your `STRIPE_SECRET_KEY`.

#### Stripe Webhook Events [#stripe-webhook-events]

When creating a webhook manually, subscribe to these events:

```
customer.subscription.created
customer.subscription.updated
customer.subscription.deleted
invoice.payment_failed
invoice.payment_succeeded
checkout.session.completed
customer.created
customer.updated
payment_intent.succeeded
```

Endpoint URL: `https://<your-api-worker>/webhooks/stripe`

### Cloudflare [#cloudflare]

| Secret          | Where to get it                                                                                                                             |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `CF_ACCOUNT_ID` | [Cloudflare Dashboard](https://dash.cloudflare.com) > any domain > Overview sidebar                                                         |
| `CF_API_TOKEN`  | [API Tokens page](https://dash.cloudflare.com/profile/api-tokens) > Create Token (see [Prerequisites](/docs/prerequisites) for permissions) |
| `CF_GATEWAY_ID` | Default: `ai-platform-gateway`. Create at Cloudflare Dashboard > AI > AI Gateway                                                            |

### Database Credentials [#database-credentials]

These are created automatically by the deploy wizard when it provisions Turso databases. If you need to get them manually:

```bash
# URL
turso db show <project>-auth --url

# Token
turso db tokens create <project>-auth
```

Repeat for `-api`, `-mastra`, and `-metering` (if using metering).

## Optional Secrets [#optional-secrets]

### Social Login — Google OAuth [#social-login--google-oauth]

| Secret                 | Where to get it                                                                                  |
| ---------------------- | ------------------------------------------------------------------------------------------------ |
| `GOOGLE_CLIENT_ID`     | [Google Cloud Console](https://console.cloud.google.com/apis/credentials) > OAuth 2.0 Client IDs |
| `GOOGLE_CLIENT_SECRET` | Same page                                                                                        |

Setup steps:

1. Create an OAuth 2.0 Client ID (Web application)
2. Set Authorized redirect URI to: `https://<your-auth-worker>/api/auth/callback/google`
3. If you use the OAuth proxy, set the redirect URI to `https://oauth.mastrakit.dev/callback/google` instead

Both `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET` must be set — if only one is provided, Google sign-in will silently fail.

### Social Login — GitHub OAuth [#social-login--github-oauth]

| Secret                 | Where to get it                                                                  |
| ---------------------- | -------------------------------------------------------------------------------- |
| `GITHUB_CLIENT_ID`     | [GitHub Developer Settings](https://github.com/settings/developers) > OAuth Apps |
| `GITHUB_CLIENT_SECRET` | Same page                                                                        |

Setup steps:

1. Create a new OAuth App
2. Set Authorization callback URL to: `https://<your-auth-worker>/api/auth/callback/github`

### Email — Resend [#email--resend]

| Secret           | Where to get it                                    |
| ---------------- | -------------------------------------------------- |
| `RESEND_API_KEY` | [resend.com/api-keys](https://resend.com/api-keys) |

Used for transactional emails (welcome, password reset, invitations).

### SMS MFA — Twilio [#sms-mfa--twilio]

| Secret                | Where to get it                                                  |
| --------------------- | ---------------------------------------------------------------- |
| `TWILIO_ACCOUNT_SID`  | [Twilio Console](https://console.twilio.com) > Account Info      |
| `TWILIO_AUTH_TOKEN`   | Same page                                                        |
| `TWILIO_PHONE_NUMBER` | Console > Phone Numbers > Active Numbers (format: `+1234567890`) |

These are only needed for SMS-based multi-factor authentication. Skip if you don't need MFA.

### LLM Observability — Langfuse [#llm-observability--langfuse]

| Secret                | Where to get it                                                                |
| --------------------- | ------------------------------------------------------------------------------ |
| `LANGFUSE_PUBLIC_KEY` | [cloud.langfuse.com](https://cloud.langfuse.com) > Project Settings > API Keys |
| `LANGFUSE_SECRET_KEY` | Same page                                                                      |
| `LANGFUSE_BASE_URL`   | Default: `https://cloud.langfuse.com`                                          |

### Address Autocomplete — Google Places [#address-autocomplete--google-places]

| Secret                  | Where to get it                                                                     |
| ----------------------- | ----------------------------------------------------------------------------------- |
| `GOOGLE_PLACES_API_KEY` | [Google Cloud Console](https://console.cloud.google.com/apis/credentials) > API Key |

Enable "Places API (New)" for the key. Used for address autocomplete on billing forms.

## Adding Secrets Later [#adding-secrets-later]

You can always add or update secrets after the initial deploy:

```bash
# Push to a specific Cloudflare Worker
npx wrangler secret put GOOGLE_CLIENT_ID --name auth-<slug>
npx wrangler secret put GOOGLE_CLIENT_SECRET --name auth-<slug>

# Or update .env.dev-secrets and re-push all
scripts/env/setup-dev-secrets.sh <developer-name>
```
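The two `wrangler secret put` invocations above accept the value interactively or on stdin. The script below is an added example, not MastraKit's own `setup-dev-secrets.sh`, showing how to push a whole `.env.dev-secrets` file (or just the keys you name) to one Worker while keeping values out of the command line: each value is piped to `wrangler` on stdin, so it never lands in `ps` output or shell history, and only secret names are echoed. It assumes plain dotenv syntax (`KEY=VALUE`, optional surrounding quotes, `#` comments) and a Worker name such as `auth-<slug>` from the page; the `WRANGLER` variable is a hypothetical hook so the pusher can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example, not MastraKit's own setup-dev-secrets.sh: push every non-empty
# KEY=VALUE line of a .env.dev-secrets file to one Cloudflare Worker.
# Assumes the file is plain dotenv (one KEY=VALUE per line, '#' comments).
set -eu

# Command used to reach wrangler (hypothetical hook); override with a shell
# function to dry-run. Deliberately unquoted below so "npx wrangler" splits.
WRANGLER="${WRANGLER:-npx wrangler}"

# unquote VALUE: strip one layer of matching quotes, as dotenv loaders do.
unquote() {
  v="$1"
  case "$v" in
    \"*\") v="${v#\"}"; v="${v%\"}" ;;
    \'*\') v="${v#\'}"; v="${v%\'}" ;;
  esac
  printf '%s' "$v"
}

# push_secrets FILE WORKER [KEY...]
# Pushes every non-empty secret in FILE (or only the named KEYs) to WORKER.
# The value is handed to wrangler on stdin, so it never appears in argv,
# process listings or shell history. Only names are printed, never values.
# Fails if nothing was pushed, which usually means the wrong file or key.
push_secrets() {
  file="$1"; worker="$2"; shift 2
  only="${*:-}"
  pushed=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
    name="${line%%=*}"
    value="$(unquote "${line#*=}")"
    [ -n "$value" ] || continue            # empty placeholder left by scaffolding
    if [ -n "$only" ]; then
      case " $only " in *" $name "*) ;; *) continue ;; esac
    fi
    printf '%s' "$value" | $WRANGLER secret put "$name" --name "$worker" >/dev/null
    echo "pushed $name -> $worker"
    pushed=$((pushed + 1))
  done < "$file"
  echo "$pushed secret(s) pushed"
  [ "$pushed" -gt 0 ]
}

# Usage: push-secrets.sh scripts/env/.env.dev-secrets auth-<slug> [KEY...]
if [ "$#" -ge 2 ]; then
  push_secrets "$@"
fi
```

Pushing only the keys you just changed (`push-secrets.sh scripts/env/.env.dev-secrets auth-<slug> GOOGLE_CLIENT_ID GOOGLE_CLIENT_SECRET`) keeps the blast radius of a mistake small, and the skip for empty values means an untouched scaffold placeholder is never pushed as an empty secret.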
