Monitoring
Health Check
Worker Logs
Real-time logs and error traces are available in the Cloudflare dashboard:- Go to Workers & Pages → select your
keyflareWorker - Open the Logs tab
- Filter by status, outcome, or time range
D1 Metrics
Available in the Cloudflare dashboard under Storage → D1:- Query count
- Rows read/written
- Database size
- Error rate
Backup & Recovery
D1 Backup
Cloudflare automatically backs up D1. To export your database manually, run:keyflare with your Worker name (e.g., keyflare-prod).
Store the resulting backup.sql file in a secure location outside of Cloudflare.
Master Key Backup
Recommended storage:- Password manager (1Password, Bitwarden)
- Printed in a physical safe
- HSM for enterprise setups
- Git repositories
- Plain text files
- CI environment variables
- The D1 database itself
Disaster Recovery
| Scenario | Recovery |
|---|---|
| Worker deleted | Run kfl init (or kfl init --name <name> for custom instances). Your D1 data remains intact. |
| D1 data corrupted | Restore from Cloudflare’s automatic backups via the dashboard. |
| D1 deleted | Restore backup.sql into a new D1 database, then run kfl init --d1id <new-db-uuid>. |
| MASTER_KEY lost | Unrecoverable. Create a new instance with kfl init, then re-upload all secrets. |
| MASTER_KEY compromised | Revoke all API keys. Create a new instance with kfl init. Re-upload all secrets. |
| API key compromised | kfl keys revoke <prefix> — takes effect immediately. |
Security Checklist
- Master key backed up securely
- First User Key stored in password manager
- System keys created for CI/CD with minimal scopes
- Custom domain with TLS enabled
- Regular key rotation schedule established
Next Steps
Security Model
Understand the threat model and encryption boundaries.
API Keys
Create and manage scoped keys for CI/CD and services.