ArgoBox
ArgoBox AI + Infrastructure + Labs
Ctrl+K
Integrations

Environment Variables and Secrets

Every environment variable needed for production, organized by service, with dev vs prod differences

February 23, 2026

Environment Variables and Secrets

Arcturus-Prime runs on Cloudflare Pages with environment variables configured in the Cloudflare dashboard. In development, variables come from .dev.vars (Wrangler’s local env file). This doc catalogs every env var the system uses.

How getEnv() Works

Arcturus-Prime uses a custom getEnv() utility from src/lib/runtime-env.ts that abstracts Cloudflare’s runtime environment:

  • Production: Reads from Cloudflare Workers runtime bindings (env.VAR_NAME)
  • Development: Reads from process.env (populated by .dev.vars)
  • Accepts an optional default value: getEnv('VAR_NAME', 'fallback')

Similarly, getKV() returns the Cloudflare KV namespace binding for caching and data storage.

Cloudflare Access Variables

VariableRequiredPurpose
CF_ACCESS_TEAM_NAMEYesCloudflare Access team domain (e.g., Arcturus-Prime)
CF_ACCESS_AUDYesApplication Audience (AUD) tag for JWT verification

These are used by the middleware to verify Cloudflare Access JWTs. Without them, admin auth cannot function.

Cloudflare API Variables

VariableRequiredPurpose
CF_API_TOKENFor CF dashboardCloudflare API token for the /api/admin/cloudflare-status endpoint
CF_ACCOUNT_IDFor CF dashboardCloudflare account ID for analytics and deployment queries

Infrastructure Proxy URLs

These control where proxy routes forward requests. In production, tunnel hostnames are used. In dev, direct LAN IPs.

VariableProduction DefaultDev DefaultUsed By
GATEWAY_API_URLhttps://gateway.Arcturus-Prime.comhttp://10.42.0.194:8100/api/gateway, /api/command
COMMAND_CENTER_URLhttps://status.Arcturus-Prime.comhttp://10.42.0.199:8093/api/services, /api/proxy
SWARM_API_URLhttps://swarm.Arcturus-Prime.comhttp://10.42.0.100:8100/api/swarm
SWARM_ADMIN_URLhttps://swarm-admin.Arcturus-Prime.comhttp://10.42.0.100:8093/api/swarm-admin
MM_ARGOBOX_URLhttps://mm-admin.Arcturus-Prime.comhttp://192.168.20.50:8888/api/mm-Arcturus-Prime
TITAN_ADMINBOX_URLhttps://Tarn-Host-admin.Arcturus-Prime.comTailscale only/api/Tarn-Host-adminbox
JOBS_API_URLhttps://jobs-api.Arcturus-Prime.comhttp://10.42.0.100:8585/api/jobs
LAB_ENGINE_URLhttps://labs.Arcturus-Prime.comDirect/api/labs/*, /api/playground/*
PLAYGROUND_SWITCH_URLhttps://playground-switch.Arcturus-Prime.comDirect/api/playground/*
OPENCLAW_API_URLhttps://oc.Arcturus-Prime.comDirect/api/admin/openclaw*
OLLAMA_API_URLhttp://localhost:11434Same/api/status/ai-services

Backend Auth Tokens

These are injected server-side by proxy routes. The browser never sees them.

VariablePurposeInjected As
MM_ARGOBOX_TOKENMeridian-Host admin API authAuthorization: Bearer {token}
TITAN_ADMINBOX_TOKENProxmox Tarn-Host admin API authAuthorization: Bearer {token}
SWARM_ADMIN_KEYBuild swarm admin operationsX-Admin-Key: {key}
SWARM_CONTROL_KEYBuild swarm mutation controlX-Control-Key: {key}
AUTOAPPLY_API_KEYJob auto-apply engine authX-API-Key: {key}
OPENCLAW_API_TOKENOpenClaw AI gateway authAuthorization: Bearer {token}
OPENCLAW_SERVICE_TOKEN_IDCF Access bypass for OpenClaw proxyCF-Access-Client-Id: {id}
OPENCLAW_SERVICE_TOKEN_SECRETCF Access bypass for OpenClaw proxyCF-Access-Client-Secret: {secret}
PLAYGROUND_ADMIN_SECRETPlayground admin operationsX-Admin-Secret: {secret}

AI Service Keys

VariablePurpose
OPENROUTER_API_KEYOpenRouter for multi-model AI chat
RESEND_API_KEYResend email service for contact form

Git Integration

VariablePurpose
GITEA_TOKENGitea API access for content CRUD, flag fetching, PR creation
GITHUB_TOKENGitHub API for mirror sync (/api/admin/github-sync)

Cache and KV

VariablePurpose
CACHE_WARMUP_SECRETBearer token for /api/cache/warmup cron trigger
KV namespace bindingUsed via getKV() for caching, user roles, dashboard profiles

Pentest Configuration

VariablePurpose
PENTEST_IO_URLPentest daemon URL on Izar-Host node
PENTEST_TITAN_URLPentest daemon URL on Tarn-Host node

Dev vs. Prod Differences

AspectDevelopmentProduction
Env source.dev.vars fileCF dashboard
Backend URLsDirect LAN IPsTunnel hostnames
AuthAuto-bypassed or uses local CF AccessFull CF Access chain
KVWrangler local KVCloudflare KV
CachingDisabled or in-memoryKV-backed with TTLs

Adding a New Variable

  1. Add to Cloudflare Pages dashboard under Settings → Environment Variables
  2. Add to .dev.vars for local development
  3. Access via getEnv('VAR_NAME') in SSR routes
  4. Document in this file
envsecretsconfigurationcloudflareruntime