Cloudflare Workers + Doppler guide: A secure workflow for environment configs

TL;DR

In this tutorial, you'll set up a complete secrets management workflow for Cloudflare Workers using Doppler. By the end, you'll have:

• A Cloudflare Worker with secrets managed through Doppler across development, staging, and production environments
• Automated local development that pulls secrets directly from Doppler
• A one-command sync that pushes secrets to Cloudflare Workers
• A GitHub Actions workflow for automated deployments
• A rotation workflow that updates secrets across all environments in seconds

Doppler + Cloudflare Workers

Managing secrets across development, staging, and production environments is one of the most common sources of friction in serverless development. When you're working alone, a .dev.vars file and a few wrangler secret put commands might suffice. But as your team grows and your deployment frequency increases, you start running into real problems. Secrets get out of sync. Someone on the team doesn't have the latest API key. Rotating a compromised credential requires updating three different places. And there's no audit trail showing who changed what or when.

Using a centralized secrets manager is a straightforward way to address this issue. Instead of scattering secrets across .env files, CI/CD variables, and Cloudflare's dashboard, you maintain a single source of truth. Everyone on the team pulls from the same place. Rotating a secret becomes a one-step operation. And you get a complete history of every change.

Prerequisites

Before starting, make sure you have:

• A Cloudflare account with Workers enabled
• Node.js 18 or later installed
• Doppler CLI installed and authenticated(run doppler login after installation)
• Git installed
• A GitHub account(for the CI/CD section)