API Gateway Deployment
When to use
- Initial deploy of the Workers (admin + public gateway)
- Deploy changes to the Workers (new routes, config, bug fixes)
- Secret rotation (service tokens)
Preconditions
- wrangler installed (npm i -g wrangler or via npx)
- CLOUDFLARE_API_TOKEN with Workers deploy permissions
- Access to the Cloudflare dashboard for the eigenoid account
- Service token IDs/secrets available (output from Terraform)
Procedure
1. Obtain service token secrets
Service tokens are created by Terraform. To view the values:
cd iac-access/service
terraform output -json | jq '.admin_gateway_service_token'
terraform output -json | jq '.public_gateway_service_token'
Caution: If the outputs do not exist, add output blocks in Terraform. Service token secrets are only available in the state.
2. Configure Worker secrets
cd platform-api-gateway/workers/admin-gateway
# Configure admin gateway secrets
echo "<client-id>" | npx wrangler secret put CF_SERVICE_TOKEN_ID --env dev
echo "<client-secret>" | npx wrangler secret put CF_SERVICE_TOKEN_SECRET --env dev
cd ../public-gateway
# Configure public gateway secrets
echo "<client-id>" | npx wrangler secret put CF_SERVICE_TOKEN_ID --env dev
echo "<client-secret>" | npx wrangler secret put CF_SERVICE_TOKEN_SECRET --env dev
3. Deploy Workers
# Admin gateway
cd platform-api-gateway/workers/admin-gateway
npm ci && npm run lint && npm test
npx wrangler deploy --env dev
# Public gateway
cd ../public-gateway
npm ci && npm run lint && npm test
npx wrangler deploy --env dev
4. Verify DNS
# DNS records should exist (created by Terraform)
dig api-dev.eigenoid.services +short # should return something (proxied)
dig api-dev.eigenoid.com +short # should return something (proxied)
Verification
Health checks
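# Print only the HTTP status code so the result can be compared directly
curl -s -o /dev/null -w '%{http_code}' https://api-dev.eigenoid.services/health
# Expected: 200
curl -s -o /dev/null -w '%{http_code}' https://api-dev.eigenoid.com/health
# Expected: 200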
Route isolation
# Admin gateway should return 404 for public routes
curl -s -o /dev/null -w '%{http_code}' \
https://api-dev.eigenoid.services/v1/access/auth/magic-link
# Expected: 404
# Public gateway should return 404 for admin routes
curl -s -o /dev/null -w '%{http_code}' \
https://api-dev.eigenoid.com/v1/access/admin/clients
# Expected: 404
Auth flow (admin)
# No cookie → backend returns 401
curl -s -o /dev/null -w '%{http_code}' \
-H "Origin: https://access-dev.eigenoid.services" \
https://api-dev.eigenoid.services/v1/access/admin/clients
# Expected: 401
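The checks in this section combined into one pass/fail script, as an added example that is not part of the original runbook. The function names and the `--run` flag are illustrative assumptions; the hostnames, paths and expected status codes are the ones listed above.

```bash
#!/usr/bin/env bash
# Added example: runs the runbook's verification checks as one pass/fail gate.
# Hostnames, paths and expected codes come from this runbook; names are illustrative.

ADMIN_GW="https://api-dev.eigenoid.services"
PUBLIC_GW="https://api-dev.eigenoid.com"
ADMIN_ORIGIN="https://access-dev.eigenoid.services"

# http_status URL [curl args...]: prints the status code, or 000 if the request failed.
http_status() {
  local url="$1" code
  shift
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$url") || true
  printf '%s' "${code:-000}"
}

# expect_status LABEL EXPECTED URL [curl args...]: returns 1 on any mismatch.
expect_status() {
  local label="$1" want="$2" url="$3" got
  shift 3
  got=$(http_status "$url" "$@")
  if [ "$got" = "$want" ]; then
    printf 'PASS  %-28s %s\n' "$label" "$got"
  else
    printf 'FAIL  %-28s got %s, want %s\n' "$label" "$got" "$want"
    return 1
  fi
}

# Runs every check (no early exit) so one run shows all failures.
verify_gateways() {
  local failed=0
  expect_status "admin health" 200 "$ADMIN_GW/health" || failed=1
  expect_status "public health" 200 "$PUBLIC_GW/health" || failed=1
  # Route isolation: each gateway must not serve the other's routes.
  expect_status "admin rejects public route" 404 \
    "$ADMIN_GW/v1/access/auth/magic-link" || failed=1
  expect_status "public rejects admin route" 404 \
    "$PUBLIC_GW/v1/access/admin/clients" || failed=1
  # Auth flow: an admin route without a cookie must be refused by the backend.
  expect_status "admin route without cookie" 401 \
    "$ADMIN_GW/v1/access/admin/clients" -H "Origin: $ADMIN_ORIGIN" || failed=1
  return "$failed"
}

# Run the checks only when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
  verify_gateways
  exit $?
fi
```

Run it with `--run` after a deploy; a non-zero exit status means at least one check did not return the expected code.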
Rollback
Three independent layers, in any order:
Layer 1: Workers (fast)
cd platform-api-gateway/workers/admin-gateway
npx wrangler delete --env dev
cd ../public-gateway
npx wrangler delete --env dev
Layer 2: DNS (Terraform)
cd iac-access/service
terraform destroy \
-target=cloudflare_dns_record.admin_gateway \
-target=cloudflare_dns_record.public_gateway \
-var-file=tfvars/dev.tfvars
Layer 3: Backend config (Terraform)
Revert the E5 changes in tfvars/dev.tfvars and re-apply.
Escalation
If the deploy fails or the gateways do not respond:
- Verify the API token has the correct permissions (Workers Scripts: Edit)
- Verify the DNS records exist and are proxied
- Check the tunnel logs in Cloud Run (cloudflared sidecar)
- Escalate to @shoootyou
References
- API Gateway Architecture
- Terraform: iac-access/service/cloudflare.tf
- Workers: platform-api-gateway/workers/