diff --git a/backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md b/backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md new file mode 100644 index 0000000..cba8adb --- /dev/null +++ b/backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md @@ -0,0 +1,39 @@ +--- +id: task-058 +title: Set FAL_API_KEY and RUNPOD_API_KEY secrets in Cloudflare Worker +status: To Do +assignee: [] +created_date: '2025-12-25 23:30' +labels: + - security + - infrastructure + - canvas-website +dependencies: [] +priority: high +--- + +## Description + + +SECURITY FIX: API keys were exposed in browser bundle. They've been removed from client code and proxy endpoints added to the worker. Need to set the secrets server-side for the proxy to work. + +Run these commands: +```bash +cd /home/jeffe/Github/canvas-website +wrangler secret put FAL_API_KEY +# Paste: (REDACTED-FAL-KEY) + +wrangler secret put RUNPOD_API_KEY +# Paste: (REDACTED-RUNPOD-KEY) + +wrangler deploy +``` + + +## Acceptance Criteria + +- [ ] #1 FAL_API_KEY secret set in Cloudflare Worker +- [ ] #2 RUNPOD_API_KEY secret set in Cloudflare Worker +- [ ] #3 Worker deployed with new secrets +- [ ] #4 Browser console no longer shows 'fal credentials exposed' warning +
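Review bot: The acceptance criteria have no item for rotating the two keys, yet the description states they "were exposed in browser bundle", so the values that shipped to clients should be treated as compromised. Add a criterion along the lines of "#5 Previously exposed FAL and RunPod keys revoked at the provider and replaced", and have the `wrangler secret put` steps use the newly issued values rather than the old ones. The `# Paste: (REDACTED-FAL-KEY)` and `# Paste: (REDACTED-RUNPOD-KEY)` comments suggest the key values were written into this tracked task file; drop those lines and refer to wherever the keys are stored, since `wrangler secret put` prompts for the value interactively. Criterion #4 only checks for a console warning; a stronger check is that the built client bundle contains neither key string. The `cd /home/jeffe/Github/canvas-website` line is machine-specific and reads better as "from the repository root".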