Runtime Configuration

During rendering, Press.js exposes dynamic data to your document through a special internal origin (https://p.press.internal). The local CLI and Press.js Cloud share the same runtime behavior:

Mechanism	Local CLI scope	Cloud scope
Payload	Selected `press.toml` entry	Per render job
Environment Variables	Selected `press.toml` entry	Per deploy
Secrets	Selected `press.toml` entry	Per deploy

Payload

Payload is per-job data you supply when creating a render job. The same deploy version can be rendered with different payloads — ideal for invoices, reports, certificates, or any document where content changes between renders. In Cloud, a payload is available only to the render job that received it and is deleted as soon as that render reaches a terminal state. In local CLI renders, payload_path serves the file contents for the selected entry.

Accessing the payload

Fetch the payload from https://p.press.internal/__payload:

const response = await fetch("https://p.press.internal/__payload");
const data = await response.json();

For binary payloads, check response.headers.get("content-type") to handle the response appropriately.

Environment variables and secrets

Environment variables and secrets are key-value data exposed only while the render is running.

Environment variables — plaintext, for non-sensitive configuration (API base URLs, public keys, feature flags).
Secrets — sensitive values (API keys, tokens, passwords). In Cloud they are write-only, encrypted at rest, and never returned by the API after being set. In local CLI renders they are read from environment variables.

Both are served together at https://p.press.internal/environment.json and accessible through pressCloud.

Accessing via pressCloud

Press.js injects a global pressCloud object into your page during both local and Cloud renders:

// Read a single value
const apiUrl = await pressCloud.env.get("API_URL");
const apiKey = await pressCloud.secrets.get("API_KEY");

// Read all values at once
const allEnv = await pressCloud.env.all();
const allSecrets = await pressCloud.secrets.all();

If a key doesn’t exist, get() returns undefined.

Accessing via direct fetch

You can also fetch the full runtime data directly:

const response = await fetch("https://p.press.internal/environment.json");
const { environment, secrets } = await response.json();
// → { environment: { API_URL: "..." }, secrets: { API_KEY: "..." } }

Local CLI configuration

For local press render, configure runtime values in press.toml:

[runtime.env]
API_URL = "http://localhost:8787"

[runtime.secrets]
API_TOKEN = "PRESS_API_TOKEN"

[pdf.report.runtime.env]
TENANT = "acme"

[pdf.report.runtime.secrets]
WEBHOOK_SECRET = "REPORT_WEBHOOK_SECRET"

[runtime.env] values are plaintext values exposed to the page. [runtime.secrets] values are source environment variable names, not secret values. The CLI reads .dev.vars from the selected entry’s workspace, overlays the process environment, and resolves each configured secret from that combined environment. Process environment variables take precedence over .dev.vars.

PRESS_API_TOKEN=dev-token
REPORT_WEBHOOK_SECRET="local webhook secret"

press render --remote does not send local runtime env/secrets or .dev.vars values to Cloud. Remote renders use the deploy environment and secrets configured in Cloud.

Setting Cloud values via the Web UI

Open your deploy in the dashboard, go to the Settings tab. Existing secret values are shown as placeholders and cannot be viewed after saving.

Revoking data access

After your template has read the values it needs, call pressCloud.revokeDataAccess() to permanently disable further data access for the remainder of the render. This is critical when your page needs to execute code you don’t fully trust — such as user-generated content, third-party analytics, or embedded widgets.

revokeDataAccess() only blocks future access to the Press.js runtime data sources. It does not clear or sanitize values you’ve already read into JavaScript variables. If you assigned const apiKey = await pressCloud.secrets.get("API_KEY") before revoking, apiKey still holds the secret value after revocation. To fully protect sensitive data, avoid storing it in long-lived variables, or explicitly nullify those variables when you’re done with them:

let apiKey = await pressCloud.secrets.get("API_KEY");
// ... use apiKey ...
await pressCloud.revokeDataAccess();
apiKey = null;  // clear the local copy

Example: render with untrusted content

Imagine your template renders user-submitted HTML alongside sensitive data. You want to read secrets, then prevent the user content from ever accessing them:

// 1. Read all sensitive data upfront
const apiKey = await pressCloud.secrets.get("API_KEY");
const webhookSecret = await pressCloud.secrets.get("WEBHOOK_SECRET");
const apiUrl = await pressCloud.env.get("API_URL");

// 2. Revoke access before rendering untrusted content
await pressCloud.revokeDataAccess();

// 3. Now it's safe to render user-submitted HTML or load third-party scripts
//    — even if they call pressCloud or fetch p.press.internal, access is denied
document.getElementById("untrusted-content").innerHTML = userProvidedHtml;

// 4. Any late attempt to read data will throw
await pressCloud.secrets.get("ANYTHING");
// Error: Press.js runtime secrets access is disabled for this render.

Scoped revocation

Pass a scope to revoke only specific data while leaving the rest accessible:

await pressCloud.revokeDataAccess("secrets");  // env still readable
await pressCloud.revokeDataAccess("env");      // env and secrets revoked
await pressCloud.revokeDataAccess("payload");  // payload revoked
await pressCloud.revokeDataAccess("all");      // everything revoked (default)

After revocation, affected pressCloud.env.* or pressCloud.secrets.* calls will throw, and subsequent requests to the corresponding p.press.internal endpoints will fail.