---
id: task-058
title: Set FAL_API_KEY and RUNPOD_API_KEY secrets in Cloudflare Worker
status: To Do
assignee: []
created_date: '2025-12-25 23:30'
labels:
  - security
  - infrastructure
  - canvas-website
dependencies: []
priority: high
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
SECURITY FIX: API keys were exposed in browser bundle. They've been removed from client code and proxy endpoints added to the worker. Need to set the secrets server-side for the proxy to work.

Run these commands:
```bash
cd /home/jeffe/Github/canvas-website
wrangler secret put FAL_API_KEY
# Paste: a4125de3-283b-4a2b-a2ef-eeac8eb25d92:45f0c80070ff0fe3ed1d43a82a332442

wrangler secret put RUNPOD_API_KEY  
# Paste: rpa_YYOARL5MEBTTKKWGABRKTW2CVHQYRBTOBZNSGIL3lwwfdz

wrangler deploy
```
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [ ] #1 FAL_API_KEY secret set in Cloudflare Worker
- [ ] #2 RUNPOD_API_KEY secret set in Cloudflare Worker
- [ ] #3 Worker deployed with new secrets
- [ ] #4 Browser console no longer shows 'fal credentials exposed' warning
<!-- AC:END -->