Configuration

Alokai CMS is configured through environment variables set in wrangler.jsonc (for local dev) or in the Cloudflare dashboard (for production).

Environment variables

Variable	Required	Default	Description
ENVIRONMENT	No	development	Runtime environment label
AUTH_JWT_SECRET	Yes	—	Secret used to sign session JWTs. Must be at least 32 characters.
AUTH_PROVIDER	No	none	Authentication provider. See Auth providers below.
OIDC_ISSUER	OIDC only	—	OIDC issuer URL (e.g. https://your-domain.okta.com)
OIDC_AUDIENCE	OIDC only	—	Expected JWT audience

Danger

Change AUTH_JWT_SECRET before deploying to production. The default dev value is public.

Auth providers

Set AUTH_PROVIDER to one of:

none (default)

Email and password login. Users are managed inside Alokai CMS’s own database. Best for development and self-hosted deployments.

cloudflare-access

Delegates authentication to Cloudflare Access. The Worker validates the Cf-Access-Jwt-Assertion header on every request using Cloudflare’s JWKS endpoint.

No additional env vars required — the Worker auto-discovers the JWKS URL from the request’s CF-Access-JWT-AUD header.

oidc

Generic OpenID Connect. Compatible with Okta, Auth0, Azure AD, Google Workspace, and any standards-compliant provider.

Requires:

• OIDC_ISSUER — The issuer URL (used to discover .well-known/openid-configuration)
• OIDC_AUDIENCE — The expected aud claim in tokens

Clients send tokens as Authorization: Bearer <token>.

Cloudflare bindings

Alokai CMS requires three Cloudflare services, configured in wrangler.jsonc:

D1 Database (SQLite)

"d1_databases": [
  {
    "binding": "DB",
    "database_name": "alokon-db",
    "database_id": "<your-database-id>"
  }
]

Stores all content, users, and configuration. See Database Schema for the full schema.

R2 Bucket (Object Storage)

"r2_buckets": [
  {
    "binding": "ASSETS",
    "bucket_name": "alokon-assets"
  }
]

Stores uploaded media files. Files are stored at path {spaceId}/{envId}/{assetId}/{filename}.

KV Namespace (Cache)

"kv_namespaces": [
  {
    "binding": "CACHE",
    "id": "<your-kv-namespace-id>"
  }
]

Caches published page data for fast delivery API responses. Cache keys follow the pattern:

• delivery:path:{spaceId}:{envId}:{path}:{locale}
• delivery:id:{spaceId}:{envId}:{pageId}:{locale}

Scheduled publishing

A cron trigger runs every 5 minutes to publish pages whose scheduled_at time has passed:

"triggers": {
  "crons": ["*/5 * * * *"]
}

This is required for the scheduled publishing feature to work.