canvas-website/backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md

id	title	status	assignee	created_date	updated_date	labels	dependencies	priority
task-058	Set FAL_API_KEY and RUNPOD_API_KEY secrets in Cloudflare Worker	Done		2025-12-25 23:30	2025-12-25 23:33	security infrastructure canvas-website		high

Description

SECURITY FIX: API keys were exposed in browser bundle. They've been removed from client code and proxy endpoints added to the worker. Need to set the secrets server-side for the proxy to work.

Run these commands:

cd /home/jeffe/Github/canvas-website
wrangler secret put FAL_API_KEY
# Paste: (REDACTED-FAL-KEY)

wrangler secret put RUNPOD_API_KEY  
# Paste: (REDACTED-RUNPOD-KEY)

wrangler deploy

Acceptance Criteria

• #1 FAL_API_KEY secret set in Cloudflare Worker
• #2 RUNPOD_API_KEY secret set in Cloudflare Worker
• #3 Worker deployed with new secrets
• #4 Browser console no longer shows 'fal credentials exposed' warning

Implementation Notes

Secrets set and deployed on 2025-12-25