Deploy Helm to your Cloudflare
without a terminal.
Paste a scoped Cloudflare API token. We provision the D1 database, optionally create an Access app, and hand you a finished wrangler.toml + a single wrangler deploy to run. The token is used once and thrown away — we never see your runtime data.
Other deploy modes: → /deploy/guided terminal walkthrough · → /deploy/agent have an AI agent drive it
No account? Cloudflare's "Deploy" flow handles signup + first deploy in one shot.
Click the button — it opens deploy.workers.cloudflare.com which walks you through signup (if needed), forks the repo to your GitHub, and runs the first deploy in your fresh account. Comes back with a working Worker URL. You can come back to this page after to enable Helm Cloud's managed updates.
Open Cloudflare,
paste back here.
Click below — Cloudflare's dashboard opens with the exact scopes we need pre-filled. Click Continue to summary → Create token, copy the value, and paste it into the box.
What scopes are requested?
| Resource | Permission |
|---|---|
| Account | Workers Scripts:Edit |
| Account | Access: Apps and Policies:Edit |
| Account | Cloudflare Zero Trust:Read |
| Account | D1:Edit |
| Account | Workers R2 Storage:Edit |
| Account | Workers KV Storage:Edit |
| Account | Artifacts:Edit |
| Account | AI Gateway:Edit |
| Account | Account Settings:Read |
| User | User Details:Read |
No read access to existing resources. No DNS, no zones, no R2. You can revoke any time at dash → API Tokens.
The pre-fill URL uses Cloudflare's exact short keys for each permission group (e.g. aig:edit for AI Gateway). If any row is missing when the dash opens, click + Add more and search the permission name — the list is still correct.
Where, what,
and which knobs.
Add additional allowed emails (optional)
One per line. Each becomes an entry in the Access policy and is added to CF_ACCESS_ALLOWED_EMAILS. Useful for a co-founder, a support handoff, or a shared inbox.
Bring-your-own model keys (optional)
Paste a key for the provider matching the model you picked above. Helm's chat works zero-key with Kimi K2.6 via Workers AI — keys here just unlock the other model presets and (where supported) cheaper routing.
Deploy log
Your Worker is deployed and running. No terminal step required.
Visit it at …
What works now: chat (via Workers AI through the auto-provisioned gateway), Files (R2-backed /persist), the Access login wall, plus the full plugin stack (memory, email, helm-setup, helm-artifacts, etc.).
What still needs a local wrangler deploy
- Helm Shell (the /shell tab). Backed by Cloudflare Containers — the bash image is built from docker/shell/Dockerfile during wrangler deploy. CF Containers only supports images in their managed registry scoped to the deploying account, so a browser deploy can't push it. Fork the repo, paste the wrangler.toml from below, run npx wrangler deploy — your shell will appear at /shell.
- R2 persistence inside the shell. The container would rclone-mount /persist using R2_ACCESS_KEY_ID + R2_SECRET_ACCESS_KEY, but Cloudflare doesn't expose long-lived R2 S3 credentials via API yet. Until they do: dash → R2 → "Manage R2 API Tokens" → create one for your bucket → wrangler secret put R2_ACCESS_KEY_ID, then R2_SECRET_ACCESS_KEY.
Your Cloudflare resources (D1, Access app, secrets) are set up — but auto-deploy of the Worker bundle isn't available yet. Reason: …
Use the wrangler.toml + commands below to finish from a terminal. If you don't have wrangler, fork the repo + use Cloudflare's Deploy button instead — it'll pick up your existing D1 + Access bindings.
wrangler.toml + commands (local fallback)
wrangler.toml
Replace your fork's wrangler.toml with this exact content:
Run these commands locally
After wrangler deploy finishes, your Worker is at .
This link is the only way back to your Helm Cloud deployment dashboard. We've stored it nowhere else; if you lose it, you'll need to email support to issue a new one.
Your data never reaches us.
Your CF API token rides only the request that creates the resources. We don't log it, don't persist it, don't proxy it. The Worker we deploy runs in your account, against your bindings, billed to your Cloudflare account. Once deploy is done, revoke the token at dash → API Tokens — your Helm keeps running.
Unlike a managed agent service, we have no read path to your D1, your DOs, your secrets, or your prompts. The whole runtime is yours.