MastraKit Docs

Overview

MastraKit uses a centralized secrets file at scripts/env/.env.dev-secrets. This file is:

Generated during scaffolding (with empty values)
Populated during the deploy wizard (or manually)
Read by setup-dev-secrets.sh to push to Cloudflare Workers
Read by provision-github-env.sh to push to GitHub Environments
Never committed to git (included in .gitignore)

Auto-Generated Secrets

These are generated automatically by the deploy wizard. You never need to set them manually:

Secret	Purpose
`BETTER_AUTH_SECRET`	Signs JWTs and encrypts JWKS private keys (64-char hex)
`SESSION_SECRET`	Mastra Studio session encryption (64-char hex)
`METERING_SERVICE_CLIENT_ID`	Identifies Mastra when calling Metering (32-char hex)
`METERING_SERVICE_CLIENT_SECRET`	Authenticates Mastra-to-Metering calls (64-char hex)
`METERING_MASTER_API_KEY`	Bootstrap admin access to Metering (`mtr_admin_sk_*`)

If you ever need to regenerate: openssl rand -hex 32. But changing BETTER_AUTH_SECRET invalidates all existing sessions and JWKS keys — you'll need to clear the jwks table in the auth database.

See Security & Authentication for details on how these secrets are used.

Required Secrets

LLM Provider

Set one based on your scaffold selection:

Secret	Where to get it
`ANTHROPIC_API_KEY`	console.anthropic.com > API Keys
`OPENAI_API_KEY`	platform.openai.com/api-keys

Stripe

Secret	Where to get it
`STRIPE_SECRET_KEY`	Stripe Dashboard > Secret key (`sk_test_...`)
`STRIPE_PUBLISHABLE_KEY`	Same page > Publishable key (`pk_test_...`)
`STRIPE_WEBHOOK_SECRET`	Created during deploy wizard, or from Webhooks page (`whsec_...`)

The deploy wizard creates Stripe products (Pro, Enterprise plans + credit packages) automatically using your STRIPE_SECRET_KEY.

Stripe Webhook Events

When creating a webhook manually, subscribe to these events:

customer.subscription.created
customer.subscription.updated
customer.subscription.deleted
invoice.payment_failed
invoice.payment_succeeded
checkout.session.completed
customer.created
customer.updated
payment_intent.succeeded

Endpoint URL: https://<your-api-worker>/webhooks/stripe

Cloudflare

Secret	Where to get it
`CF_ACCOUNT_ID`	Cloudflare Dashboard > any domain > Overview sidebar
`CF_API_TOKEN`	API Tokens page > Create Token (see Prerequisites for permissions)
`CF_GATEWAY_ID`	Default: `ai-platform-gateway`. Create at Cloudflare Dashboard > AI > AI Gateway

Database Credentials

These are created automatically by the deploy wizard when it provisions Turso databases. If you need to get them manually:

# URL
turso db show <project>-auth --url

# Token
turso db tokens create <project>-auth

Repeat for -api, -mastra, and -metering (if using metering).

Optional Secrets

Secret	Where to get it
`GOOGLE_CLIENT_ID`	Google Cloud Console > OAuth 2.0 Client IDs
`GOOGLE_CLIENT_SECRET`	Same page

Setup steps:

Create an OAuth 2.0 Client ID (Web application)
Set Authorized redirect URI to: https://<your-auth-worker>/api/auth/callback/google
If using OAuth proxy: https://oauth.mastrakit.dev/callback/google

Both GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET must be set — if only one is provided, Google sign-in will silently fail.

Secret	Where to get it
`GITHUB_CLIENT_ID`	GitHub Developer Settings > OAuth Apps
`GITHUB_CLIENT_SECRET`	Same page

Setup steps:

Create a new OAuth App
Set Authorization callback URL to: https://<your-auth-worker>/api/auth/callback/github

Email — Resend

Secret	Where to get it
`RESEND_API_KEY`	resend.com/api-keys

Used for transactional emails (welcome, password reset, invitations).

SMS MFA — Twilio

Secret	Where to get it
`TWILIO_ACCOUNT_SID`	Twilio Console > Account Info
`TWILIO_AUTH_TOKEN`	Same page
`TWILIO_PHONE_NUMBER`	Console > Phone Numbers > Active Numbers (format: `+1234567890`)

These are only needed for SMS-based multi-factor authentication. Skip if you don't need MFA.

LLM Observability — Langfuse

Secret	Where to get it
`LANGFUSE_PUBLIC_KEY`	cloud.langfuse.com > Project Settings > API Keys
`LANGFUSE_SECRET_KEY`	Same page
`LANGFUSE_BASE_URL`	Default: `https://cloud.langfuse.com`

Address Autocomplete — Google Places

Secret	Where to get it
`GOOGLE_PLACES_API_KEY`	Google Cloud Console > API Key

Enable "Places API (New)" for the key. Used for address autocomplete on billing forms.

Adding Secrets Later

You can always add or update secrets after the initial deploy:

# Push to a specific Cloudflare Worker
npx wrangler secret put GOOGLE_CLIENT_ID --name auth-<slug>
npx wrangler secret put GOOGLE_CLIENT_SECRET --name auth-<slug>

# Or update .env.dev-secrets and re-push all
scripts/env/setup-dev-secrets.sh <developer-name>

Overview

MastraKit uses a centralized secrets file at scripts/env/.env.dev-secrets. This file is:

Generated during scaffolding (with empty values)
Populated during the deploy wizard (or manually)
Read by setup-dev-secrets.sh to push to Cloudflare Workers
Read by provision-github-env.sh to push to GitHub Environments
Never committed to git (included in .gitignore)

Auto-Generated Secrets

These are generated automatically by the deploy wizard. You never need to set them manually:

Secret	Purpose
`BETTER_AUTH_SECRET`	Signs JWTs and encrypts JWKS private keys (64-char hex)
`SESSION_SECRET`	Mastra Studio session encryption (64-char hex)
`METERING_SERVICE_CLIENT_ID`	Identifies Mastra when calling Metering (32-char hex)
`METERING_SERVICE_CLIENT_SECRET`	Authenticates Mastra-to-Metering calls (64-char hex)
`METERING_MASTER_API_KEY`	Bootstrap admin access to Metering (`mtr_admin_sk_*`)

See Security & Authentication for details on how these secrets are used.

Required Secrets

LLM Provider

Set one based on your scaffold selection:

Secret	Where to get it
`ANTHROPIC_API_KEY`	console.anthropic.com > API Keys
`OPENAI_API_KEY`	platform.openai.com/api-keys

Stripe

Secret	Where to get it
`STRIPE_SECRET_KEY`	Stripe Dashboard > Secret key (`sk_test_...`)
`STRIPE_PUBLISHABLE_KEY`	Same page > Publishable key (`pk_test_...`)
`STRIPE_WEBHOOK_SECRET`	Created during deploy wizard, or from Webhooks page (`whsec_...`)

The deploy wizard creates Stripe products (Pro, Enterprise plans + credit packages) automatically using your STRIPE_SECRET_KEY.

Stripe Webhook Events

When creating a webhook manually, subscribe to these events:

customer.subscription.created
customer.subscription.updated
customer.subscription.deleted
invoice.payment_failed
invoice.payment_succeeded
checkout.session.completed
customer.created
customer.updated
payment_intent.succeeded

Endpoint URL: https://<your-api-worker>/webhooks/stripe

Cloudflare

Secret	Where to get it
`CF_ACCOUNT_ID`	Cloudflare Dashboard > any domain > Overview sidebar
`CF_API_TOKEN`	API Tokens page > Create Token (see Prerequisites for permissions)
`CF_GATEWAY_ID`	Default: `ai-platform-gateway`. Create at Cloudflare Dashboard > AI > AI Gateway

Database Credentials

These are created automatically by the deploy wizard when it provisions Turso databases. If you need to get them manually:

# URL
turso db show <project>-auth --url

# Token
turso db tokens create <project>-auth

Repeat for -api, -mastra, and -metering (if using metering).

Optional Secrets

Secret	Where to get it
`GOOGLE_CLIENT_ID`	Google Cloud Console > OAuth 2.0 Client IDs
`GOOGLE_CLIENT_SECRET`	Same page

Setup steps:

Create an OAuth 2.0 Client ID (Web application)
Set Authorized redirect URI to: https://<your-auth-worker>/api/auth/callback/google
If using OAuth proxy: https://oauth.mastrakit.dev/callback/google

Both GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET must be set — if only one is provided, Google sign-in will silently fail.

Secret	Where to get it
`GITHUB_CLIENT_ID`	GitHub Developer Settings > OAuth Apps
`GITHUB_CLIENT_SECRET`	Same page

Setup steps:

Create a new OAuth App
Set Authorization callback URL to: https://<your-auth-worker>/api/auth/callback/github

Email — Resend

Secret	Where to get it
`RESEND_API_KEY`	resend.com/api-keys

Used for transactional emails (welcome, password reset, invitations).

SMS MFA — Twilio

Secret	Where to get it
`TWILIO_ACCOUNT_SID`	Twilio Console > Account Info
`TWILIO_AUTH_TOKEN`	Same page
`TWILIO_PHONE_NUMBER`	Console > Phone Numbers > Active Numbers (format: `+1234567890`)

These are only needed for SMS-based multi-factor authentication. Skip if you don't need MFA.

LLM Observability — Langfuse

Secret	Where to get it
`LANGFUSE_PUBLIC_KEY`	cloud.langfuse.com > Project Settings > API Keys
`LANGFUSE_SECRET_KEY`	Same page
`LANGFUSE_BASE_URL`	Default: `https://cloud.langfuse.com`

Address Autocomplete — Google Places

Secret	Where to get it
`GOOGLE_PLACES_API_KEY`	Google Cloud Console > API Key

Enable "Places API (New)" for the key. Used for address autocomplete on billing forms.

Adding Secrets Later

You can always add or update secrets after the initial deploy:

# Push to a specific Cloudflare Worker
npx wrangler secret put GOOGLE_CLIENT_ID --name auth-<slug>
npx wrangler secret put GOOGLE_CLIENT_SECRET --name auth-<slug>

# Or update .env.dev-secrets and re-push all
scripts/env/setup-dev-secrets.sh <developer-name>

Configure Secrets

Overview

Auto-Generated Secrets

Required Secrets

LLM Provider

Stripe

Stripe Webhook Events

Cloudflare

Database Credentials

Optional Secrets

Email — Resend

SMS MFA — Twilio

LLM Observability — Langfuse

Address Autocomplete — Google Places

Adding Secrets Later

On this page

Configure Secrets

Overview

Auto-Generated Secrets

Required Secrets

LLM Provider

Stripe

Stripe Webhook Events

Cloudflare

Database Credentials

Optional Secrets

Email — Resend

SMS MFA — Twilio

LLM Observability — Langfuse

Address Autocomplete — Google Places

Adding Secrets Later

On this page