You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@clerk/tanstack-react-start does not work on Cloudflare Workers because environment variables (CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY) cannot be read at runtime. The shared getEnvVariable() function in @clerk/shared lacks a cloudflare:workers module env fallback, which means any framework package that relies on it (TanStack Start, Hono, etc.) fails to resolve Clerk env vars on CF Workers.
process.env is not available (Workers are not Node.js)
import.meta.env is statically replaced at build time by Vite — runtime values set via wrangler secret are not present
globalThis[name] does not contain Worker env vars (they are passed via the fetch handler's env parameter)
The cloudflare:workers module is available and exposes env vars set via dashboard/wrangler secrets
The current getEnvVariable() in @clerk/shared checks process.env, import.meta.env, context objects, and globalThis, but does not check cloudflare:workers. This means Clerk cannot find its secret key, publishable key, or any other env var when running on CF Workers.
Impact
This affects all Clerk framework packages that use getEnvVariable from @clerk/shared when deployed to Cloudflare Workers:
@clerk/tanstack-react-start (TanStack Start on CF Workers)
Any future framework integration targeting CF Workers
Additionally, @clerk/tanstack-react-start has SSR bundling issues on CF Workers — the React components (ClerkProvider, SignIn, SignUp) import browser-only APIs that fail during SSR bundling for the Workers runtime. The workaround is to use backend-only auth (@clerk/backend + verifyToken) and redirect to Clerk hosted pages for sign-in/sign-up. But even this backend-only approach requires getEnvVariable to resolve CLERK_SECRET_KEY from the Workers environment.
Prior Art
This was already fixed for Astro on Cloudflare in two PRs:
The Astro fix adds initCloudflareEnv() and a cloudflare:workers module check to packages/astro/src/server/get-safe-env.ts. However, this fix is Astro-specific — other framework packages that import getEnvVariable from @clerk/shared don't benefit from it.
Proposed Fix
PR #8196 adds the same cloudflare:workers env fallback to the sharedgetEnvVariable() function so all framework packages benefit:
Description
@clerk/tanstack-react-startdoes not work on Cloudflare Workers because environment variables (CLERK_SECRET_KEY,CLERK_PUBLISHABLE_KEY) cannot be read at runtime. The sharedgetEnvVariable()function in@clerk/sharedlacks acloudflare:workersmodule env fallback, which means any framework package that relies on it (TanStack Start, Hono, etc.) fails to resolve Clerk env vars on CF Workers.Environment
@cloudflare/vite-plugin)@clerk/[email protected],@clerk/[email protected]@cloudflare/vite-pluginProblem
On Cloudflare Workers:
process.envis not available (Workers are not Node.js)import.meta.envis statically replaced at build time by Vite — runtime values set viawrangler secretare not presentglobalThis[name]does not contain Worker env vars (they are passed via the fetch handler'senvparameter)cloudflare:workersmodule is available and exposes env vars set via dashboard/wrangler secretsThe current
getEnvVariable()in@clerk/sharedchecksprocess.env,import.meta.env, context objects, andglobalThis, but does not checkcloudflare:workers. This means Clerk cannot find its secret key, publishable key, or any other env var when running on CF Workers.Impact
This affects all Clerk framework packages that use
getEnvVariablefrom@clerk/sharedwhen deployed to Cloudflare Workers:@clerk/tanstack-react-start(TanStack Start on CF Workers)Additionally,
@clerk/tanstack-react-starthas SSR bundling issues on CF Workers — the React components (ClerkProvider,SignIn,SignUp) import browser-only APIs that fail during SSR bundling for the Workers runtime. The workaround is to use backend-only auth (@clerk/backend+verifyToken) and redirect to Clerk hosted pages for sign-in/sign-up. But even this backend-only approach requiresgetEnvVariableto resolveCLERK_SECRET_KEYfrom the Workers environment.Prior Art
This was already fixed for Astro on Cloudflare in two PRs:
fix(astro): Fall back to process.env for runtime environment variablesfix(astro): Restore Cloudflare Pages compatibility broken by cloudflare:workers envThe Astro fix adds
initCloudflareEnv()and acloudflare:workersmodule check topackages/astro/src/server/get-safe-env.ts. However, this fix is Astro-specific — other framework packages that importgetEnvVariablefrom@clerk/shareddon't benefit from it.Proposed Fix
PR #8196 adds the same
cloudflare:workersenv fallback to the sharedgetEnvVariable()function so all framework packages benefit:#8196
Changes:
initCloudflareWorkersEnv()— dynamically importscloudflare:workersand caches the env object (identical pattern to Astro'sinitCloudflareEnv())getEnvVariable()— checkscloudflareWorkersEnv[name]before falling through to context-based checksWorkaround
Until this is fixed, the workaround for Cloudflare Workers is to:
@clerk/backenddirectly (not the framework-specific package) for server-side authcreateClerkClient({ secretKey: env.CLERK_SECRET_KEY })from the Worker's env bindingThis works but bypasses the framework integration's automatic env resolution.