What versions & operating system are you using?
- OS: macOS / Linux
- Wrangler version:
^4.107.0 (or matching latest)
- @cloudflare/vite-plugin version:
^1.13.8 (or matching latest)
Please provide a link to a minimal reproduction
https://github.com/daviddecorso/wrangler-auth-vite-bug-repro
Describe the Bug
When using @cloudflare/vite-plugin for local development (vite dev), the plugin does not respect the active authentication profile set via wrangler auth. Instead, it defaults to the OAuth credentials stored in default.toml (e.g. at ~/Library/Preferences/.wrangler/config/default.toml on macOS).
In contrast, running wrangler dev in the same directory correctly respects the directory-activated profile (configured via wrangler auth activate <profile>).
Reproduction Steps
- Create a custom Wrangler authentication profile:
wrangler auth create my-custom-profile
- Activate the profile in your project directory:
wrangler auth activate my-custom-profile
- Run
wrangler dev and verify that it correctly uses the credentials and account associated with my-custom-profile.
- Configure
@cloudflare/vite-plugin in your vite.config.ts:
import { cloudflare } from '@cloudflare/vite-plugin';
import { defineConfig } from 'vite';
export default defineConfig({
plugins: [
cloudflare({ viteEnvironment: { name: 'ssr' } })
]
});
- Run your dev server via Vite:
- Observe that any calls to remote bindings (such as D1, KV, or Workers AI) authenticate using the global default profile token from
~/.wrangler/config/default.toml (or macOS equivalent ~/Library/Preferences/.wrangler/config/default.toml) instead of my-custom-profile.
Expected Behavior
vite dev (running @cloudflare/vite-plugin) should resolve the active Wrangler authentication profile in the same order as the Wrangler CLI:
- Environment variables (
CLOUDFLARE_API_TOKEN etc.)
--profile flag (if configurable)
- The directory-activated profile (using the nearest ancestor directory activated via
wrangler auth activate)
- Global default profile (
default.toml)
Actual Behavior
The plugin seems to bypass directory-activated auth profiles entirely and directly reads/uses the OAuth token from the global default configuration file (default.toml).
Additional Information / Possible Cause
Because @cloudflare/vite-plugin runs inside Vite's Node process and programmatically spawns Miniflare/workerd or imports wrangler modules, it likely does not pass the current working directory (CWD) or context required by the wrangler auth module to resolve directory-activated profiles. As a result, Wrangler's internal auth resolver defaults to default.toml.
Confirmed via Local Reproduction
This has been reproduced in this minimal repo.
Verification method
A surface-level check (e.g. "does the AI binding call succeed?") is not sufficient to detect this bug if the default-profile account also happens to have access to the same resource since the call can succeed while silently using the wrong account. The reliable way to confirm which credentials are actually used is to diff the Cloudflare API account ID hit by each command:
# Terminal 1 — CLI, for comparison
WRANGLER_LOG=debug wrangler dev
# Terminal 2 — via the Vite plugin
WRANGLER_LOG=debug pnpm dev
Then grep each command's output for outbound Cloudflare API calls:
grep "accounts/" <log file>
# e.g. -- START CF API REQUEST: GET https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/workers/subdomain
Result
With two profiles configured (a directory-activated non-default profile, and the global default profile, each associated with a different Cloudflare account):
| Command |
Profile used |
Account hit |
wrangler dev |
directory-activated profile (correct) |
account tied to the activated profile |
vite dev via @cloudflare/vite-plugin |
default profile (incorrect) |
account tied to default.toml, regardless of directory activation |
Please provide any relevant error logs
No response
What versions & operating system are you using?
^4.107.0(or matching latest)^1.13.8(or matching latest)Please provide a link to a minimal reproduction
https://github.com/daviddecorso/wrangler-auth-vite-bug-repro
Describe the Bug
When using
@cloudflare/vite-pluginfor local development (vite dev), the plugin does not respect the active authentication profile set viawrangler auth. Instead, it defaults to the OAuth credentials stored indefault.toml(e.g. at~/Library/Preferences/.wrangler/config/default.tomlon macOS).In contrast, running
wrangler devin the same directory correctly respects the directory-activated profile (configured viawrangler auth activate <profile>).Reproduction Steps
wrangler devand verify that it correctly uses the credentials and account associated withmy-custom-profile.@cloudflare/vite-pluginin yourvite.config.ts:~/.wrangler/config/default.toml(or macOS equivalent~/Library/Preferences/.wrangler/config/default.toml) instead ofmy-custom-profile.Expected Behavior
vite dev(running@cloudflare/vite-plugin) should resolve the active Wrangler authentication profile in the same order as the Wrangler CLI:CLOUDFLARE_API_TOKENetc.)--profileflag (if configurable)wrangler auth activate)default.toml)Actual Behavior
The plugin seems to bypass directory-activated auth profiles entirely and directly reads/uses the OAuth token from the global default configuration file (
default.toml).Additional Information / Possible Cause
Because
@cloudflare/vite-pluginruns inside Vite's Node process and programmatically spawns Miniflare/workerd or imports wrangler modules, it likely does not pass the current working directory (CWD) or context required by thewrangler authmodule to resolve directory-activated profiles. As a result, Wrangler's internal auth resolver defaults todefault.toml.Confirmed via Local Reproduction
This has been reproduced in this minimal repo.
Verification method
A surface-level check (e.g. "does the AI binding call succeed?") is not sufficient to detect this bug if the default-profile account also happens to have access to the same resource since the call can succeed while silently using the wrong account. The reliable way to confirm which credentials are actually used is to diff the Cloudflare API account ID hit by each command:
Then grep each command's output for outbound Cloudflare API calls:
Result
With two profiles configured (a directory-activated non-default profile, and the global
defaultprofile, each associated with a different Cloudflare account):wrangler devvite devvia@cloudflare/vite-plugindefaultprofile (incorrect)default.toml, regardless of directory activationPlease provide any relevant error logs
No response