Skip to main content

Manage API Keys, Credentials & Configuration

Every AI website comes with a secure environment variable system so you can safely store API keys, credentials, and configuration without hardcoding them in your code.

TL;DR

Your AI website includes:
  • 5 protected system variables (AI, auth, payments - auto-configured)
  • Easy UI to add custom secrets (API keys, credentials, config)
  • Secure storage (file-based in dev, Cloudflare bindings in production)
  • Masked values (hidden by default, click to reveal or copy)
  • Export/import (download .env files for backup)
All secrets stay secure, work automatically in dev and production, and you control everything except the 5 system-critical variables.

What You Get Automatically

5 Protected System Variables (pre-configured, cannot be edited):
VariableWhat It’s For
AI_GATEWAY_API_KEYYour unique key to access 13+ AI models from your website
AI_GATEWAY_BASE_URLAI gateway endpoint (/api/gateway/v1)
BETTER_AUTH_SECRET32-byte encryption key for user authentication & sessions
VITE_BASE_URLYour website’s URL (auto-updates for dev/production)
AUTUMN_SECRET_KEYPayment processing key for Stripe integration
These are locked to prevent accidental changes that would break core features. You can view and copy them, but not edit or delete.

Add Your Own Variables

Easy UI in Website Settings:
  1. Click “Environment Variables” tab
  2. Enter KEY and VALUE in the form
  3. Click “Add” or press Enter
Bulk Import:
  • Paste entire .env file contents
  • Supports multi-line paste with automatic parsing
  • Handles KEY=value format, quoted values, comments
Common Examples: 
STRIPE_SECRET_KEY=sk_live_xxxxxxxxxxxxx
SENDGRID_API_KEY=SG.xxxxxxxxxxxxxxxxx
DATABASE_URL=postgresql://user:pass@host:5432/db
OPENAI_API_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxx
AWS_ACCESS_KEY_ID=AKIAxxxxxxxxx
AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxx
GOOGLE_ANALYTICS_ID=G-XXXXXXXXXX
Hero Light

Security Features

Masked by Default:
  • Values shown as ••••••••••••••••• (bullet points)
  • Click eye icon to reveal temporarily
  • Copy to clipboard without revealing (shows green checkmark)
Edit & Delete:
  • Edit any custom variable (inline editing)
  • Delete any custom variable
  • Protected system variables are locked (greyed out)
Export for Backup:
  • Download all variables as .env file
  • Keep backups or share with team members

How It Works

Development Mode

  • Variables stored in .env.local file in your sandbox
  • Accessible immediately during preview
  • Changes update in real-time

Production Mode

  • All variables automatically converted to Cloudflare Workers “bindings”
  • Deployed securely when you publish
  • VITE_BASE_URL auto-updates to your production domain
  • Secrets encrypted and managed by Cloudflare (never stored as plain text)

Validation Rules

Allowed:
  • Any key name (letters, numbers, underscores)
  • Any value (special characters, quotes, URLs, base64, JSON)
  • Multi-line values
  • Unicode and emoji
Prevented:
  • Empty keys
  • Duplicate keys
  • Editing/deleting protected system variables

Use Cases

API Integrations:
  • Stripe, PayPal, Braintree (payments)
  • SendGrid, Mailgun, Postmark (email)
  • Twilio, Vonage (SMS/voice)
  • AWS, Google Cloud, Azure (cloud services)
Custom Configuration:
  • Feature flags (ENABLE_BETA_FEATURES=true)
  • Environment-specific URLs (API_BASE_URL)
  • Database connections (DATABASE_URL)
  • Debug modes (LOG_LEVEL=debug)

Best Practices

  1. Never commit secrets to git – Use environment variables instead
  2. Different keys for dev/production – Use test keys during development
  3. Rotate keys regularly – Update API keys periodically for security
  4. Use descriptive namesSTRIPE_SECRET_KEY not KEY1
  5. Export backups – Download your .env file before major changes