---
# quotesdb-625z
title: Document secrets management — Cloudflare API token, account ID, how to supply to OpenTofu and local dev
status: completed
type: task
priority: normal
created_at: 2026-03-10T23:32:08Z
updated_at: 2026-03-10T23:32:15Z
blocked_by:
    - quotesdb-zzm3
---

Infrastructure is managed with OpenTofu using the Cloudflare provider. Configuration lives in `infra/`. Resources include a Cloudflare Worker (API), Cloudflare D1 database (bound to the worker), and a Cloudflare Pages project (UI frontend).

Write documentation in `infra/README.md` or `docs/SECRETS.md` covering:

1. What secrets/credentials are required (Cloudflare API token, account ID)
2. How to provide them for local OpenTofu runs (environment variables or `.env` file — never commit)
3. How to provide them in CI/CD (GitHub Actions secrets or equivalent)
4. What permissions the Cloudflare API token needs (Workers, D1, Pages, DNS)

- Do not commit any actual secrets or tokens — document the variable names only.
- Cross-reference the `.gitignore` for infra secrets files.

`docs(quotesdb): document secrets management for Cloudflare credentials`
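
A pre-flight check for local OpenTofu runs that ties together item 2 and the `.gitignore` cross-reference, as an added example that is not part of this task or the project's code. `CLOUDFLARE_API_TOKEN` is the environment variable the Cloudflare provider reads; the input variable name `cloudflare_account_id` and the path `infra/.env` are assumptions.

```shell
#!/bin/sh
# Added example (not project code). Assumed names: input variable
# `cloudflare_account_id`, local secrets file `infra/.env`.

# CLOUDFLARE_API_TOKEN is read by the Cloudflare provider itself;
# OpenTofu maps TF_VAR_<name> onto the input variable <name>.
REQUIRED_VARS="CLOUDFLARE_API_TOKEN TF_VAR_cloudflare_account_id"

# Print names (never values) of required variables that are not exported
# with a non-empty value, i.e. that a child `tofu` process would not see.
missing_vars() {
    for name in $REQUIRED_VARS; do
        env | grep -q "^${name}=." || printf '%s\n' "$name"
    done
}

# Print each existing secrets file that git does not ignore. Tracked files
# are printed too: `git check-ignore` skips paths already in the index.
unignored_files() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        git check-ignore -q -- "$f" || printf '%s\n' "$f"
    done
}

# Return 0 only if every credential is supplied and every file is ignored.
preflight() {
    status=0
    missing=$(missing_vars)
    exposed=$(unignored_files "$@")
    if [ -n "$missing" ]; then
        echo "not exported:" $missing >&2
        status=1
    fi
    if [ -n "$exposed" ]; then
        echo "not git-ignored:" $exposed >&2
        status=1
    fi
    return "$status"
}

# Usage from the repository root: preflight infra/.env && tofu -chdir=infra plan
```

The check reports variable and file names only, so its output is safe to paste into CI logs or a bug report.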