Deploy
Deploy your project to Cloudflare Workers
Two Ways to Deploy
The deploy wizard can run in two modes:
- Interactive — step through prompts; good for first deploys and exploration
- Config file — provide a
deploy.jsonand run non-interactively; good for CI, re-deploys, and repeatable setups
Both modes use the same underlying steps.
Interactive Mode
The wizard handles everything: database provisioning, secret configuration, Stripe product setup, worker deployment, and GitHub environment provisioning.
npx mastrakit deployYou'll be prompted for:
- Project slug — used for worker names (e.g.
my-app→auth-my-app) - Steps to run — multi-select; toggle with space, confirm with enter
- Secrets — API keys for Anthropic/OpenAI, Stripe, Cloudflare, Resend, etc.
The wizard auto-generates BETTER_AUTH_SECRET, SESSION_SECRET, and metering service credentials so you don't need to supply them.
What It Does
- Checks prerequisites — verifies Node.js, pnpm, Wrangler, Turso CLI, Stripe CLI, GitHub CLI
- Detects domain — if your domain is a Cloudflare zone, uses custom domains; otherwise falls back to
*.workers.dev - Provisions databases — creates 3-4 Turso databases (auth, api, mastra, metering)
- Collects secrets — prompts for API keys (auto-generates
BETTER_AUTH_SECRETandSESSION_SECRET) - Creates Stripe products — Pro plan, Enterprise plan (monthly + yearly), credit packages (100/500/1000)
- Deploys workers — auth, api, metering, mastra, web (in dependency order)
- Pushes database schemas — runs Drizzle migrations
- Sets up GitHub — creates environments, pushes secrets and variables
Deploy Steps
You can select which steps to run:
| Step | Description |
|---|---|
databases | Provision Turso databases |
secrets | Configure API keys and credentials |
stripe | Create Stripe products and webhook |
deploy-auth | Deploy auth worker |
deploy-api | Deploy API worker |
deploy-metering | Deploy metering worker |
deploy-mastra | Deploy Mastra worker |
schema-push | Push database schemas |
deploy-web | Deploy web worker |
github-setup | Create GitHub environments and push secrets |
Config File Mode (deploy.json)
For automated or repeatable deployments, provide all inputs in a JSON file:
npx mastrakit deploy --config deploy.jsonIn this mode the wizard does not prompt — every value comes from the file. Missing required fields cause the wizard to exit with an error.
Full Example deploy.json
{
"slug": "my-project",
"domain": "mydomain.com",
"currency": "eur",
"llm": "anthropic",
"secrets": {
"ANTHROPIC_API_KEY": "sk-ant-...",
"OPENAI_API_KEY": "sk-...",
"STRIPE_SECRET_KEY": "sk_test_...",
"STRIPE_PUBLISHABLE_KEY": "pk_test_...",
"CF_ACCOUNT_ID": "abc123...",
"CF_API_TOKEN": "cf_...",
"GOOGLE_CLIENT_ID": "...apps.googleusercontent.com",
"GOOGLE_CLIENT_SECRET": "GOCSPX-...",
"GITHUB_CLIENT_ID": "Iv1...",
"GITHUB_CLIENT_SECRET": "...",
"RESEND_API_KEY": "re_...",
"TWILIO_ACCOUNT_SID": "AC...",
"TWILIO_AUTH_TOKEN": "...",
"TWILIO_PHONE_NUMBER": "+1..."
},
"steps": [
"databases",
"secrets",
"stripe",
"oauth-proxy",
"deploy-auth",
"deploy-api",
"deploy-metering",
"deploy-mastra",
"schema-push",
"deploy-web",
"deploy-docs",
"github-setup"
]
}The oauth-proxy step deploys a per-project OAuth proxy worker at oauth-{slug}.{domain}. It's the single redirect URI you register in the Google/GitHub consoles — every environment (prod, preview, dev, Conductor branches) routes OAuth through it, so you only register one callback per project.
Minimal deploy.json
If you only need to redeploy workers (databases and secrets already configured):
{
"slug": "my-project",
"domain": "mydomain.com",
"steps": [
"deploy-auth",
"deploy-api",
"deploy-mastra",
"deploy-web"
]
}Configure-Only (No Deploy)
To provision databases and write .dev.vars without deploying workers — useful for bootstrapping local development:
{
"slug": "my-project",
"currency": "eur",
"llm": "anthropic",
"secrets": { "ANTHROPIC_API_KEY": "sk-ant-..." },
"steps": ["databases", "secrets"],
"skipDeploy": true
}Auto-Generated Secrets
These are always generated if missing — you don't need to include them:
BETTER_AUTH_SECRETSESSION_SECRETMETERING_SERVICE_CLIENT_IDMETERING_SERVICE_CLIENT_SECRETMETERING_MASTER_API_KEY
Config Fields
| Field | Type | Description |
|---|---|---|
slug | string | Required. Project slug (used for worker names and database names) |
domain | string | Custom domain (falls back to *.workers.dev if not a CF zone) |
currency | "eur" or "usd" | Currency for Stripe products (default: eur) |
llm | "anthropic" or "openai" | LLM provider (default: inherits from .mastrakit/config.json) |
secrets | object | Pre-filled secrets — skips interactive prompts |
steps | string[] | Which deploy steps to run (see below) |
skipDeploy | boolean | If true, configure only (no worker deployments) |
secrets Keys
Provide only the keys relevant to the components you scaffolded.
| Key | Required for |
|---|---|
ANTHROPIC_API_KEY | llm: "anthropic" |
OPENAI_API_KEY | llm: "openai" |
STRIPE_SECRET_KEY, STRIPE_PUBLISHABLE_KEY | Stripe payments |
CF_ACCOUNT_ID, CF_API_TOKEN | Cloudflare Workers deploy, Stripe webhook auto-setup |
GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET | Google OAuth sign-in (optional) |
GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET | GitHub OAuth sign-in (optional) |
RESEND_API_KEY | Transactional email (optional) |
TWILIO_* | SMS notifications (optional) |
Custom Domain vs Workers.dev
The deploy wizard checks if your domain is a Cloudflare zone:
- Custom domain detected: Workers get routes like
auth-myproject.mydomain.com - No custom domain: Workers get routes like
auth-myproject.workers.dev
To use custom domains, add your domain to Cloudflare first (DNS management).
Post-Deploy
Cloudflare AI Gateway
Create an AI Gateway for LLM request routing and observability:
- Go to Cloudflare Dashboard > AI > AI Gateway
- Create a gateway named
ai-platform-gateway(or your customCF_GATEWAY_ID)
Verify Deployment
curl https://<auth-worker>/api/auth/ok
curl https://<api-worker>/health
curl https://<mastra-worker>/api/healthRedeploying
To redeploy specific services:
npx mastrakit deploy --config deploy.json
# Select only the steps you needOr deploy individual workers directly:
cd apps/auth && pnpm deploy
cd apps/api && pnpm deploy
cd apps/mastra && mastra build && pnpm deploy
cd apps/web && pnpm deploy