modrinth · Prospector · Apr 4, 2026 · Apr 4, 2026
diff --git a/apps/frontend/nuxt.config.ts b/apps/frontend/nuxt.config.ts
@@ -208,7 +208,7 @@ export default defineNuxtConfig({
 		rateLimitKey: process.env.RATE_LIMIT_IGNORE_KEY ?? globalThis.RATE_LIMIT_IGNORE_KEY,
 		pyroBaseUrl: process.env.PYRO_BASE_URL,
 		intercomIdentitySecret:
-			process.env.INTERCOM_IDENTITY_SECRET ||
+			process.env.INTERCOM_IDENTITY_SECRET ??
 			// @ts-ignore
 			globalThis.INTERCOM_IDENTITY_SECRET,
 		public: {

diff --git a/apps/frontend/src/server/routes/api/intercom/messenger-jwt.get.ts b/apps/frontend/src/server/routes/api/intercom/messenger-jwt.get.ts
@@ -7,6 +7,17 @@ type IntercomTokenResponse = {
 	token: string
 }
 
+async function getIntercomKeyFromSecretsStore(): Promise<string | undefined> {
+	try {
+		const mod = 'cloudflare:workers'
+		const { env } = await import(/* @vite-ignore */ mod)
+		return await env.INTERCOM_IDENTITY_SECRET?.get()
+	} catch {
+		// Not running in Cloudflare Workers environment
+		return undefined
+	}
+}
+
 async function signIntercomUserJwt(
 	user: { id: string; username: string; email?: string; created: string },
 	secret: string,
@@ -51,8 +62,10 @@ export default defineEventHandler(async (event): Promise<IntercomTokenResponse>
 
 	setHeader(event, 'cache-control', 'private, no-store, max-age=0')
 
-	const config = useRuntimeConfig(event)
-	if (!config.intercomIdentitySecret) {
+	const intercomSecret =
+		useRuntimeConfig(event).intercomIdentitySecret ?? (await getIntercomKeyFromSecretsStore())
+
+	if (!intercomSecret) {
 		throw createError({
 			statusCode: 500,
 			message: 'Intercom identity secret is not configured',
@@ -91,7 +104,7 @@ export default defineEventHandler(async (event): Promise<IntercomTokenResponse>
 		})
 	}
 
-	const token = await signIntercomUserJwt(user, config.intercomIdentitySecret)
+	const token = await signIntercomUserJwt(user, intercomSecret)
 
 	return {
 		token,