Skip to content

Instantly share code, notes, and snippets.

@decagondev

decagondev/WRANGLER-MOLTWORKER-SETUP.md

Created February 12, 2026 04:02
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save decagondev/76c127afdefbc2c7ca9dc0513981d14f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save decagondev/76c127afdefbc2c7ca9dc0513981d14f to your computer and use it in GitHub Desktop.
Download ZIP
Raw
WRANGLER-MOLTWORKER-SETUP.md

Moltworker on Cloudflare can be largely automated using Wrangler (Cloudflare's CLI tool)

step by step, based on the official Moltworker repo instructions and Cloudflare's Wrangler documentation

Key Limitations for Full Automation

  • Non-Automatable Parts via Wrangler:
    • Upgrading to Workers Paid plan or adding R2 subscription: These require dashboard UI (or Cloudflare API calls, but Wrangler doesn't support them directly).
    • Creating R2 API tokens: Done via dashboard UI (R2 > Manage R2 API Tokens). Wrangler can't create tokens, but it can use them once set as secrets.
    • Enabling Cloudflare Access/Zero Trust on the Worker: Requires dashboard UI to create an Access application, add policies (e.g., email allowlist), and copy the AUD tag/team domain. Wrangler can't enable or configure Zero Trust features.
    • Obtaining external keys (e.g., Anthropic API key): These come from third-party dashboards (manual copy-paste into Wrangler secrets).
  • Why Not 100%? Wrangler is designed for Worker-specific tasks (code, deploy, secrets, bindings), not account-level setup like plans or security features. For end-to-end automation beyond Wrangler, tools like Terraform (with Cloudflare provider) or the Cloudflare API could handle those, but that's outside "via Wrangler completely."
  • Workarounds: Use scripting to prompt for manual inputs (e.g., paste AUD after UI setup), or integrate with CI/CD where secrets are stored securely.

Step 1: One-Time Manual Prerequisites (Cannot Automate with Wrangler)

These must be done in the Cloudflare dashboard (https://dash.cloudflare.com) before running Wrangler commands:

  1. Upgrade to Workers Paid Plan: Workers & Pages > Overview > Upgrade plan ($5/month).
  2. Add R2 Subscription: R2 > Overview > Add R2 Subscription (free).
  3. Obtain Anthropic API Key: From https://console.anthropic.com/ (manual generation).
  4. Generate Gateway Token: Run openssl rand -hex 32 (or equivalent) in your terminal.
  5. Enable Zero Trust (if not already): Zero Trust dashboard (https://dash.teams.cloudflare.com) > Select Free Plan.
  6. Create R2 API Token: R2 > Overview > Manage R2 API Tokens > Create (Object Read/Write for your bucket). Copy Access Key ID and Secret Access Key.
  7. Find Cloudflare Account ID: Account Home > Copy Account ID (right sidebar).
  8. Enable Cloudflare Access on Worker (after initial deploy—see below): Workers & Pages > Your Worker > Settings > Domains & Routes > Enable Cloudflare Access > Manage > Add email to allowlist > Copy AUD tag and team domain (from Zero Trust > Settings > Custom Pages or login popup).

After these, you can automate the rest.

Step 2: Clone and Set Up the Repo Locally (Automatable)

Wrangler can init/deploy from a repo. Start by cloning:

git clone https://github.com/cloudflare/moltworker.git
cd moltworker
npm install

This sets up dependencies. The repo uses Wrangler under the hood (via npm run deploy, which calls wrangler deploy).

Step 3: Configure wrangler.toml (Automatable via Scripting)

The repo includes a wrangler.toml template. Edit it manually once, or script updates (e.g., with sed):

  • Set name, compatibility_date, etc.
  • For R2 "binding" (handled via secrets in this project, not true bindings): No need—secrets will cover it.
  • Example minimal wrangler.toml (from repo): 
    name = "moltworker-sandbox"
main = "src/index.ts"
compatibility_date = "2026-02-12"
# Add any env-specific configs if needed

You can automate this with a script:

#!/bin/bash
sed -i 's/name = "moltworker"/name = "your-worker-name"/' wrangler.toml

Step 4: Set Secrets (Fully Automatable with Wrangler)

All required secrets (API keys, tokens, etc.) can be set via npx wrangler secret put <KEY>. This deploys a new Worker version automatically.

Run these interactively (prompt for values), or script them with echoes/pipes:

# Interactive (prompts for value)
npx wrangler secret put ANTHROPIC_API_KEY
npx wrangler secret put MOLTBOT_GATEWAY_TOKEN
npx wrangler secret put CF_ACCESS_TEAM_DOMAIN  # Paste from manual step
npx wrangler secret put CF_ACCESS_AUD  # Paste from manual step
npx wrangler secret put R2_ACCESS_KEY_ID  # From R2 token
npx wrangler secret put R2_SECRET_ACCESS_KEY  # From R2 token
npx wrangler secret put CF_ACCOUNT_ID  # From dashboard

# Automated script example (assuming vars are set or from env)
echo "$ANTHROPIC_API_KEY" | npx wrangler secret put ANTHROPIC_API_KEY
# Repeat for others

For bulk: Create a .env or JSON file, then use npx wrangler secret bulk secrets.json (format: {"KEY": "value"}).

Wrangler auto-provisions some resources (e.g., if R2 bucket isn't specified, it can create one on deploy if configured in toml—but Moltworker uses secrets for R2 access, so create the bucket manually or via npx wrangler r2 bucket create <name>).

Step 5: Deploy the Worker (Fully Automatable)

The repo's package.json has npm run deploy, which runs wrangler deploy.

npm run deploy
# Or directly: npx wrangler deploy

This builds, uploads, and deploys. Add flags like --env production for environments.

For routes/domains: Use npx wrangler deploy --route yourdomain.com/* (but Moltworker uses workers.dev by default).

Step 6: Full Automation Script Example

Combine into a bash script (after manual prerequisites):

#!/bin/bash

# Set variables (securely source from env or vault)
ANTHROPIC_API_KEY="sk-ant-..."
MOLTBOT_GATEWAY_TOKEN=$(openssl rand -hex 32)  # Auto-generate
CF_ACCESS_TEAM_DOMAIN="https://your-team.cloudflareaccess.com"
CF_ACCESS_AUD="abc123..."
R2_ACCESS_KEY_ID="..."
R2_SECRET_ACCESS_KEY="..."
CF_ACCOUNT_ID="..."

# Clone and setup (idempotent)
if [ ! -d "moltworker" ]; then
  git clone https://github.com/cloudflare/moltworker.git
fi
cd moltworker
npm install

# Set secrets
echo "$ANTHROPIC_API_KEY" | npx wrangler secret put ANTHROPIC_API_KEY
echo "$MOLTBOT_GATEWAY_TOKEN" | npx wrangler secret put MOLTBOT_GATEWAY_TOKEN
# Repeat for all

# Deploy
npm run deploy

echo "Deployed to $(npx wrangler whoami | grep 'Worker URL')"

Step 7: CI/CD Integration (e.g., GitHub Actions)

For true automation (e.g., on git push), use GitHub Actions with the official wrangler-action:

  • Store secrets in GitHub repo settings (Settings > Secrets and variables > Actions).
  • Workflow example (.github/workflows/deploy.yml): 
    name: Deploy Moltworker
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          secrets: |
            ANTHROPIC_API_KEY
            MOLTBOT_GATEWAY_TOKEN
            # etc.
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          # etc.

This automates deploy + secrets on every push.

Testing and Post-Deploy

  • Access UI: https://<your-worker>.workers.dev/?token=<gateway-token>
  • Pair devices: Manual in admin UI (behind Access login).
  • If changes needed: Re-run secrets/deploy—Wrangler handles updates.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment