Security Notes
API key safety
Section titled “API key safety”- Keys are shown once at creation. Copy and store them immediately in a secure location.
- Never commit keys to version control. Use environment variables or a secrets manager.
- Never include keys in client-side code, browser bundles, or frontend JavaScript.
- Rotate a key immediately if it appears in logs, screenshots, chat, or any unsecured location.
Use the placeholder sk-bve-YOUR_KEY in documentation and examples — never a real key.
Admin key safety
Section titled “Admin key safety”The admin key (ADMIN_API_KEY) grants full control over all API keys and usage data.
-
Set it as a Cloudflare Worker secret, not a plain environment variable:
Terminal window bunx wrangler secret put ADMIN_API_KEY -
Grant access only to trusted operators.
-
Rotate via
bunx wrangler secret put ADMIN_API_KEY— this redeploys the Worker with the new value.
Use the placeholder admin_bve_YOUR_ADMIN_KEY in documentation and examples.
How keys are stored
Section titled “How keys are stored”BVE Gateway never stores API keys in plain text. Only sha256(key + pepper) is stored in Cloudflare D1. The pepper is a separate API_KEY_PEPPER Worker secret.
This means:
- A database breach does not expose raw keys.
- A lost key cannot be recovered — revoke it and create a new one.
BVE Gateway allows cross-origin requests from any origin (*). Allowed request headers:
AuthorizationContent-TypeX-Request-Id
The X-Request-Id response header is exposed to browsers. Preflight responses are cached for 24 hours.
If your use case requires origin restrictions, this must be changed at the Worker level.
Response header filtering
Section titled “Response header filtering”Only a safe subset of upstream headers from Fuelix is forwarded to clients. All other headers are stripped. Forwarded headers:
| Header | Source |
|---|---|
content-type | Fuelix upstream |
cache-control | Fuelix upstream |
x-request-id | Fuelix upstream |
x-quota-allowed | Fuelix upstream |
x-quota-available | Fuelix upstream |
x-quota-reset | Fuelix upstream |
X-Request-Id | Added by gateway (UUID) |
X-BVE-Latency | Added by gateway (ms) |
Worker secrets
Section titled “Worker secrets”All sensitive values must be set as Cloudflare Worker secrets (not plain vars):
| Secret | Purpose | Set with |
|---|---|---|
FUELIX_API_KEY | Upstream Fuelix API key | bunx wrangler secret put FUELIX_API_KEY |
ADMIN_API_KEY | Admin API authentication | bunx wrangler secret put ADMIN_API_KEY |
API_KEY_PEPPER | Key hash pepper | bunx wrangler secret put API_KEY_PEPPER |
Rotate all three if the Worker is compromised. Secrets are not visible in Wrangler config or logs after being set.
Key revocation
Section titled “Key revocation”Revocation is permanent and immediate. A revoked key:
- Returns
403 api_key_revokedon all subsequent requests. - Cannot be restored — create a new key if access is needed again.
To revoke:
curl -X POST https://api.bve.me/admin/api-keys/KEY_UUID/revoke \ -H "Authorization: Bearer admin_bve_YOUR_ADMIN_KEY"See also
Section titled “See also”- Authentication — key format and auth error codes
- Admin API Keys — create, list, and revoke keys