General commands
General Wrangler commands for authentication, telemetry, and shell completions.
Open the Cloudflare developer documentation in your default browser.
npx wrangler docs [SEARCH]pnpm wrangler docs [SEARCH]yarn wrangler docs [SEARCH]-
[SEARCH]stringEnter search terms (e.g. the wrangler command) you want to know more about
-
--yesbooleanalias: --yTakes you to the docs, even if search fails
Global flags
-
--vbooleanalias: --versionShow version number
-
--cwdstringRun as if Wrangler was started in the specified directory instead of the current working directory
-
--configstringalias: --cPath to Wrangler configuration file
-
--envstringalias: --eEnvironment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestringPath to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionbooleanaliases: --x-provision default: trueExperimental: Enable automatic resource provisioning
-
--experimental-auto-createbooleanalias: --x-auto-create default: trueAutomatically provision draft bindings with new resources
-
--install-skillsbooleandefault: falseInstall Cloudflare skills for detected AI coding agents before running the command
-
--profilestringUse a specific auth profile
Authorize Wrangler with your Cloudflare account using OAuth. Wrangler will attempt to automatically open your web browser to login with your Cloudflare account.
If you prefer to use API tokens for authentication, such as in headless or continuous integration environments, refer to Running Wrangler in CI/CD.
wrangler login [OPTIONS]--scopes-liststringoptional- List all the available OAuth scopes with descriptions.
--scopesstringoptional- Allows to choose your set of OAuth scopes. The set of scopes must be entered in a whitespace-separated list,
for example,
npx wrangler login --scopes account:read user:read.
- Allows to choose your set of OAuth scopes. The set of scopes must be entered in a whitespace-separated list,
for example,
--callback-hoststringoptional- Defaults to
localhost. Sets the IP or hostname where Wrangler should listen for the OAuth callback.
- Defaults to
--callback-portstringoptional- Defaults to
8976. Sets the port where Wrangler should listen for the OAuth callback.
- Defaults to
--use-keyringbooleanoptional- Stores the OAuth credentials in your operating system keychain instead of the default plaintext TOML file. Refer to Storing OAuth credentials in the OS keychain for details. Use
--no-use-keyringto opt back out. The choice is persisted across Wrangler invocations.
- Stores the OAuth credentials in your operating system keychain instead of the default plaintext TOML file. Refer to Storing OAuth credentials in the OS keychain for details. Use
The following global flags work on every command:
--helpboolean- Show help.
--configstring(not supported by Pages)- Path to your Wrangler configuration file.
--cwdstring- Run as if Wrangler was started in the specified directory instead of the current working directory.
If Wrangler fails to open a browser, you can copy and paste the URL generated by wrangler login in your terminal into a browser and log in.
If you are using Wrangler from a remote machine, but run the login flow from your local browser, you will receive the following error message after logging in:This site can't be reached.
To finish the login flow, run wrangler login and go through the login flow in the browser:
npx wrangler login ⛅️ wrangler 2.1.6-------------------Attempting to login via OAuth...Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth?xyz...The browser login flow will redirect you to a localhost URL on your machine.
Leave the login flow active. Open a second terminal session. In that second terminal session, use curl or an equivalent request library on the remote machine to fetch this localhost URL. Copy and paste the localhost URL that was generated during the wrangler login flow and run:
curl <LOCALHOST_URL>The Cloudflare OAuth provider will always redirect to a callback server at localhost:8976. If you are running Wrangler inside a container, this server might not be accessible from your host machine's browser - even after authorizing the connection, your login command will hang.
You must configure your container to map port 8976 on your host machine to the Wrangler OAuth callback server's port (8976 by default).
For example, if you are running Wrangler in a Docker container:
docker run -p 8976:8976 <your-image>And when you run npx wrangler login inside your container, set the callback host to listen on all network interfaces:
npx wrangler login --callback-host=0.0.0.0Now when the browser redirects to localhost:8976, the request will be forwarded to Wrangler running inside the container on 0.0.0.0:8976.
If you need to use a different port inside the container, use --callback-port as well and adjust your port mapping accordingly, for example:
# When starting your containerdocker run -p 8976:9000 <your-image>
# Inside the containernpx wrangler login --callback-host=0.0.0.0 --callback-port=9000By default, Wrangler stores the OAuth access token and refresh token returned by wrangler login in a plaintext TOML file under the global Wrangler config directory (typically ~/.config/.wrangler/config/default.toml). Pass --use-keyring to opt in to a more secure storage path that uses your operating system keychain:
npx wrangler login --use-keyringWhen --use-keyring is enabled, Wrangler writes the credentials into an AES-256-GCM ↗-encrypted file (default.enc, alongside the legacy default.toml location) and stores the 32-byte encryption key in your OS keychain:
- macOS uses the built-in Keychain ↗ via
/usr/bin/security. - Linux uses libsecret ↗ via the
secret-toolCLI from thelibsecret-toolspackage. Wrangler will print a per-distro install hint ifsecret-toolis not available. - Windows uses Credential Manager ↗ via
@napi-rs/keyring↗, which Wrangler installs lazily the first time you opt in (≈1.9 MB one-time download). In non-interactive environments such as CI, install the binding ahead of time withnpm install -g @napi-rs/keyring@<version>or stay on the default plaintext path.
If a plaintext credentials file exists when you first opt in, Wrangler reads it, encrypts the contents into the new .enc file, and deletes the plaintext file.
The choice is persisted across Wrangler invocations. To verify where credentials are currently stored, run wrangler whoami:
npx wrangler whoami👋 You are logged in with an OAuth Token, associated with the email user@example.com.🔐 Credentials are stored in: Encrypted file (~/.config/.wrangler/config/default.enc) with key in macOS Keychain (service=wrangler, account=default)To opt back out, pass --no-use-keyring:
npx wrangler login --no-use-keyringOpt-out deletes the encrypted file and the keychain entry. Wrangler intentionally does not decrypt the existing credentials onto disk — writing plaintext during opt-out would defeat the at-rest protection you just chose to disable. The subsequent login flow writes fresh credentials into the plaintext TOML file.
The environment variable CLOUDFLARE_AUTH_USE_KEYRING overrides the persistent preference for a single invocation:
# Force the keychain backend for this command onlyCLOUDFLARE_AUTH_USE_KEYRING=true npx wrangler deploy
# Force the plaintext file backend for this command onlyCLOUDFLARE_AUTH_USE_KEYRING=false npx wrangler deployWhen the environment variable is set to true and the keychain backend is unavailable (for example, secret-tool is missing on Linux), Wrangler exits with an error rather than silently falling back to the plaintext file. With only the persistent preference set, Wrangler falls back to the plaintext file and prints a one-time warning so a broken keychain never locks you out.
The --use-keyring opt-in does not change how API tokens are resolved: CLOUDFLARE_API_TOKEN and CLOUDFLARE_API_KEY/CLOUDFLARE_EMAIL continue to take priority over any stored OAuth credentials, and the Running Wrangler in CI/CD guidance still applies for non-interactive environments.
Remove Wrangler's authorization for accessing your account. This command will invalidate your current OAuth token and delete the stored credentials. When keychain storage is active, both the encrypted credentials file and the keychain entry are removed.
wrangler logoutThe following global flags work on every command:
--helpboolean- Show help.
--configstring(not supported by Pages)- Path to your Wrangler configuration file.
--cwdstring- Run as if Wrangler was started in the specified directory instead of the current working directory.
If you are using CLOUDFLARE_API_TOKEN instead of OAuth, and you can logout by deleting your API token in the Cloudflare dashboard:
-
In the Cloudflare dashboard, go to the Account API tokens page.
Go to Account API tokens -
Select the three-dot menu on your Wrangler token.
-
Select Delete.
Manage authentication, including named authentication profiles for working across multiple accounts.
Retrieve your current authentication token or credentials for use with other tools and scripts.
wrangler auth token [OPTIONS]--jsonbooleanoptional- Return output as JSON with token type information. This also enables retrieving API key/email credentials.
The command returns whichever authentication method is currently configured, in the following order of precedence:
- API token from
CLOUDFLARE_API_TOKENenvironment variable - API key/email from
CLOUDFLARE_API_KEYandCLOUDFLARE_EMAILenvironment variables (requires--jsonflag, since this method uses two values instead of a single token) - OAuth token from
wrangler login(automatically refreshed if expired)
When using --json, the output includes the token type:
// API token{ "type": "api_token", "token": "..." }
// OAuth token{ "type": "oauth", "token": "..." }
// API key/email (only available with --json){ "type": "api_key", "key": "...", "email": "..." }An error is returned if no authentication method is available, or if API key/email is configured without --json.
The following global flags work on every command:
--helpboolean- Show help.
--configstring(not supported by Pages)- Path to your Wrangler configuration file.
--cwdstring- Run as if Wrangler was started in the specified directory instead of the current working directory.
Experimental
Create or re-authenticate a named auth profile
npx wrangler auth create [NAME]pnpm wrangler auth create [NAME]yarn wrangler auth create [NAME]-
[NAME]stringrequiredName for the auth profile
-
--browserbooleandefault: trueAutomatically open the OAuth link in a browser
-
--scopesstringPick the set of applicable OAuth scopes when logging in
-
--callback-hoststringdefault: localhostUse the ip or host address for the temporary login callback server.
-
--callback-portnumberdefault: 8976Use the port for the temporary login callback server.
Global flags
-
--vbooleanalias: --versionShow version number
-
--cwdstringRun as if Wrangler was started in the specified directory instead of the current working directory
-
--configstringalias: --cPath to Wrangler configuration file
-
--envstringalias: --eEnvironment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestringPath to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionbooleanaliases: --x-provision default: trueExperimental: Enable automatic resource provisioning
-
--experimental-auto-createbooleanalias: --x-auto-create default: trueAutomatically provision draft bindings with new resources
-
--install-skillsbooleandefault: falseInstall Cloudflare skills for detected AI coding agents before running the command
-
--profilestringUse a specific auth profile
Experimental
Bind a named auth profile to a directory
npx wrangler auth activate [NAME] [DIR]pnpm wrangler auth activate [NAME] [DIR]yarn wrangler auth activate [NAME] [DIR]-
[NAME]stringrequiredName of the auth profile to activate
-
[DIR]stringDirectory to bind the profile to (defaults to current directory)
Global flags
-
--vbooleanalias: --versionShow version number
-
--cwdstringRun as if Wrangler was started in the specified directory instead of the current working directory
-
--configstringalias: --cPath to Wrangler configuration file
-
--envstringalias: --eEnvironment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestringPath to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionbooleanaliases: --x-provision default: trueExperimental: Enable automatic resource provisioning
-
--experimental-auto-createbooleanalias: --x-auto-create default: trueAutomatically provision draft bindings with new resources
-
--install-skillsbooleandefault: falseInstall Cloudflare skills for detected AI coding agents before running the command
-
--profilestringUse a specific auth profile
Experimental
Remove the auth profile binding from a directory
npx wrangler auth deactivate [DIR]pnpm wrangler auth deactivate [DIR]yarn wrangler auth deactivate [DIR]-
[DIR]stringDirectory to unbind (defaults to current directory). Must be the exact directory the profile was bound to.
Global flags
-
--vbooleanalias: --versionShow version number
-
--cwdstringRun as if Wrangler was started in the specified directory instead of the current working directory
-
--configstringalias: --cPath to Wrangler configuration file
-
--envstringalias: --eEnvironment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestringPath to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionbooleanaliases: --x-provision default: trueExperimental: Enable automatic resource provisioning
-
--experimental-auto-createbooleanalias: --x-auto-create default: trueAutomatically provision draft bindings with new resources
-
--install-skillsbooleandefault: falseInstall Cloudflare skills for detected AI coding agents before running the command
-
--profilestringUse a specific auth profile
Experimental
List all auth profiles
npx wrangler auth listpnpm wrangler auth listyarn wrangler auth listGlobal flags
-
--vbooleanalias: --versionShow version number
-
--cwdstringRun as if Wrangler was started in the specified directory instead of the current working directory
-
--configstringalias: --cPath to Wrangler configuration file
-
--envstringalias: --eEnvironment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestringPath to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionbooleanaliases: --x-provision default: trueExperimental: Enable automatic resource provisioning
-
--experimental-auto-createbooleanalias: --x-auto-create default: trueAutomatically provision draft bindings with new resources
-
--install-skillsbooleandefault: falseInstall Cloudflare skills for detected AI coding agents before running the command
-
--profilestringUse a specific auth profile
Experimental
Delete a named auth profile
npx wrangler auth delete [NAME]pnpm wrangler auth delete [NAME]yarn wrangler auth delete [NAME]-
[NAME]stringrequiredName of the auth profile to delete
Global flags
-
--vbooleanalias: --versionShow version number
-
--cwdstringRun as if Wrangler was started in the specified directory instead of the current working directory
-
--configstringalias: --cPath to Wrangler configuration file
-
--envstringalias: --eEnvironment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestringPath to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionbooleanaliases: --x-provision default: trueExperimental: Enable automatic resource provisioning
-
--experimental-auto-createbooleanalias: --x-auto-create default: trueAutomatically provision draft bindings with new resources
-
--install-skillsbooleandefault: falseInstall Cloudflare skills for detected AI coding agents before running the command
-
--profilestringUse a specific auth profile
🕵️ Retrieve your user information
npx wrangler whoamipnpm wrangler whoamiyarn wrangler whoami-
--accountstringShow membership information for the given account (id or name).
-
--jsonbooleandefault: falseReturn user information as JSON. Exits with a non-zero status if not authenticated.
Global flags
-
--vbooleanalias: --versionShow version number
-
--cwdstringRun as if Wrangler was started in the specified directory instead of the current working directory
-
--configstringalias: --cPath to Wrangler configuration file
-
--envstringalias: --eEnvironment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestringPath to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionbooleanaliases: --x-provision default: trueExperimental: Enable automatic resource provisioning
-
--experimental-auto-createbooleanalias: --x-auto-create default: trueAutomatically provision draft bindings with new resources
-
--install-skillsbooleandefault: falseInstall Cloudflare skills for detected AI coding agents before running the command
-
--profilestringUse a specific auth profile
Cloudflare collects anonymous usage data to improve Wrangler. You can learn more about this in our data policy ↗.
You can manage sharing of usage data at any time using these commands.
Disable telemetry collection for Wrangler.
wrangler telemetry disableEnable telemetry collection for Wrangler.
wrangler telemetry enableCheck whether telemetry collection is currently enabled. The return result is specific to the directory where you have run the command.
This will resolve the global status set by wrangler telemetry disable / enable, the environment variable WRANGLER_SEND_METRICS, and the send_metrics key in the Wrangler configuration file.
wrangler telemetry statusThe following global flags work on every command:
--helpboolean- Show help.
--configstring(not supported by Pages)- Path to your Wrangler configuration file.
--cwdstring- Run as if Wrangler was started in the specified directory instead of the current working directory.
Generate shell completion scripts for Wrangler commands. Shell completions allow you to autocomplete commands, subcommands, and flags by pressing Tab as you type.
wrangler complete <SHELL>SHELLstringrequired- The shell to generate completions for. Supported values:
bash,zsh,fish,powershell.
- The shell to generate completions for. Supported values:
Generate and add the completion script to your shell configuration file:
wrangler complete bash >> ~/.bashrcThen restart your terminal or run source ~/.bashrc.
wrangler complete zsh >> ~/.zshrcThen restart your terminal or run source ~/.zshrc.
wrangler complete fish >> ~/.config/fish/config.fishThen restart your terminal or run source ~/.config/fish/config.fish.
wrangler complete powershell >> $PROFILEThen restart PowerShell or run . $PROFILE.
After setup, press Tab to autocomplete commands, subcommands, and flags:
wrangler d<TAB> # completes to 'deploy', 'dev', 'd1', etc.wrangler kv <TAB> # shows subcommands: namespace, key, bulkThe following global flags work on every command:
--helpboolean- Show help.
--configstring(not supported by Pages)- Path to your Wrangler configuration file.
--cwdstring- Run as if Wrangler was started in the specified directory instead of the current working directory.