Environment + secrets

All secrets are set via wrangler secret put NAME (not stored in wrangler.jsonc). Local dev reads .dev.vars instead.

Bindings (in `wrangler.jsonc`)

Binding	Type	What
`DB`	D1	Main database (`stayonthesnow`)
`BEDS24_KV`	KV	Beds24 access token cache + self-write debounce
`DROPBOX_KV`	KV	Dropbox access token cache
`DAILY_FLAG_SYNC`	Workflow	`DailyFlagSyncWorkflow` binding
`BOOKING_FLAG`	Workflow	`BookingFlagWorkflow` binding

Secrets (set via `wrangler secret put`)

Secret	Used by
`BEDS24_REFRESH_TOKEN`	`getAccessToken` — long-lived refresh token
`BEDS24_WEBHOOK_SECRET`	`/webhook/beds24/` auth + `/admin/` auth
`DROPBOX_REFRESH_TOKEN`	Selfie uploads in pre-check-in form
`DROPBOX_APP_KEY`	Dropbox OAuth
`DROPBOX_APP_SECRET`	Dropbox OAuth
`MAILGUN_API_KEY`	Outbound email
`MAILGUN_DOMAIN`	`stayonthesnow.com` (the verified Mailgun domain)
`MAILGUN_FROM`	`bill@stayonthesnow.com` (sender + Bill’s inbox alias)
`MAILGUN_WEBHOOK_SIGNING_KEY`	Verify `/webhook/mailgun` signatures
`TWILIO_ACCOUNT_SID`	Twilio API auth
`TWILIO_AUTH_TOKEN`	Twilio API + webhook signature verification
`TWILIO_FROM_NUMBER`	`+19705501550` (our Twilio number)
`TWILIO_STATUS_CALLBACK_URL`	Status callback URL for outbound SMS
`STRIPE_PUBLISHABLE_KEY`	Client-side Stripe Elements (publishable)
`STRIPE_SECRET_KEY`	Server-side Stripe API

Listing current secrets

npx wrangler secret list

Rotation

If a secret is ever exposed (e.g., pasted into chat), rotate it via the provider’s dashboard and update via wrangler secret put NAME.

Local dev

.dev.vars (gitignored) mirrors the production secrets for wrangler dev and tests. Vitest pool-workers reads its own bindings from vitest.config.ts.

Source

src/env.ts — Env interface lists every binding + secret
wrangler.jsonc — actual binding declarations