Configuration
Orphnet Logging runs as a Cloudflare Worker. All configuration is through environment variables and Cloudflare bindings defined in wrangler.json.
Environment Variables
Required Secrets
Set these with wrangler secret put <NAME>:
| Variable | Description |
|---|---|
JWT_SECRET | Secret key for signing and verifying JWT access tokens |
RESEND_API_KEY | API key for Resend email service (verification, magic link, invitation emails) |
Required Config
Set these in wrangler.json under vars or as secrets:
| Variable | Description |
|---|---|
EMAIL_FROM | Sender email address for transactional emails (e.g., noreply@orph.dev) |
BASE_URL | Public base URL of the API (e.g., https://logging.orph.dev). Used for email links and OAuth callbacks. |
Optional Config
| Variable | Default | Description |
|---|---|---|
CORS_ALLOWED_ORIGINS | (blocked) | Comma-separated list of allowed origins. If unset, all cross-origin requests are blocked (fail-closed). |
GITHUB_CLIENT_ID | -- | GitHub OAuth app client ID |
GITHUB_CLIENT_SECRET | -- | GitHub OAuth app client secret |
GOOGLE_CLIENT_ID | -- | Google OAuth client ID |
GOOGLE_CLIENT_SECRET | -- | Google OAuth client secret |
OAuth Setup
To enable GitHub OAuth:
- Create a GitHub OAuth App at
https://github.com/settings/developers - Set callback URL to
{BASE_URL}/auth/oauth/github/callback - Set
GITHUB_CLIENT_IDandGITHUB_CLIENT_SECRET
To enable Google OAuth:
- Create credentials in Google Cloud Console
- Set callback URL to
{BASE_URL}/auth/oauth/google/callback - Set
GOOGLE_CLIENT_IDandGOOGLE_CLIENT_SECRET
Cloudflare Bindings
| Binding | Type | Purpose |
|---|---|---|
D1_LOGGING | D1Database | Primary structured query store, user/workspace/project/key records |
KV_LOGGING | KVNamespace | 24h hot log cache, API key edge cache, OAuth/magic-link state |
R2_LOGGING | R2Bucket | Long-term NDJSON archive |
QUEUE_LOGGING | Queue | Log ingestion queue (producer + consumer) |
Queue Configuration
"queues": {
"producers": [{
"binding": "QUEUE_LOGGING",
"queue": "log-processing-queue",
"delivery_delay": 60
}],
"consumers": [{
"queue": "log-processing-queue",
"max_batch_size": 10,
"max_batch_timeout": 30,
"max_retries": 10,
"max_concurrency": 5,
"retry_delay": 120
}]
}| Setting | Value | Description |
|---|---|---|
delivery_delay | 60s | Messages held before delivery (batching window) |
max_batch_size | 10 | Logs processed per consumer invocation |
max_retries | 10 | Failed messages retry up to 10 times |
retry_delay | 120s | Backoff between retry attempts |
max_concurrency | 5 | Parallel consumer invocations |
Scheduled Tasks
Orphnet Logging uses a Cloudflare cron trigger for sandbox maintenance:
"triggers": {
"crons": ["0 */6 * * *"]
}The scheduled handler resets the playground sandbox every 6 hours, re-seeding demo data and recreating the demo API key (sk_demo_playground).
Local Development
Create .dev.vars at the project root (gitignored):
JWT_SECRET=dev-secret-change-me
RESEND_API_KEY=re_test_key
EMAIL_FROM=dev@localhost
BASE_URL=http://localhost:8787
CORS_ALLOWED_ORIGINS=http://localhost:3000,http://localhost:5173Start local development:
bun run devThis starts wrangler dev with local D1, KV, R2, and Queue bindings.
Deployment
# Set secrets
wrangler secret put JWT_SECRET
wrangler secret put RESEND_API_KEY
# Deploy
bun run deployThe Worker is deployed with static assets for the documentation site. The run_worker_first configuration routes API paths to the Worker and static paths to the VitePress dist.
Next Steps
- Architecture -- How the system is structured
- Backends -- Deep dive into D1, KV, and R2
- Rate Limits -- Rate limit configuration