diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 578090e..c922093 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,8 +34,8 @@ jobs: # Ensure group write so we can delete old files sudo chmod -R g+w /opt/immersive || true - # Remove old files except data directory - find /opt/immersive -mindepth 1 -maxdepth 1 ! -name 'data' -exec rm -rf {} + + # Remove old files except data directory and env file + find /opt/immersive -mindepth 1 -maxdepth 1 ! -name 'data' ! -name '.env.production' -exec rm -rf {} + # Copy built files to target cp -r . /opt/immersive/ @@ -50,6 +50,22 @@ jobs: # Set ownership to immersive user sudo chown -R immersive:immersive /opt/immersive + - name: Create Environment File + env: + ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} + CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} + CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} + run: | + # Create .env.production with secrets (only accessible by immersive user) + echo "# Auto-generated by CI/CD - Do not edit manually" > /opt/immersive/.env.production + echo "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}" >> /opt/immersive/.env.production + echo "CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}" >> /opt/immersive/.env.production + echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> /opt/immersive/.env.production + + # Secure the environment file + sudo chown immersive:immersive /opt/immersive/.env.production + sudo chmod 600 /opt/immersive/.env.production + - name: Start Service run: | sudo rc-service immersive start \ No newline at end of file diff --git a/start.sh b/start.sh index 3a0135c..29f5715 100644 --- a/start.sh +++ b/start.sh 
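Review bot: The `cp -r . /opt/immersive/` on the line after the new `find` exclusion copies the whole checkout, so a `.env.production` present in the repository (for example a committed template) would still replace the preserved file; the exclusion only protects it from the `rm -rf`. Since the new `Create Environment File` step later in this diff rewrites the file on every run, the exclusion mainly matters for runs where that step is skipped or fails, which is worth stating in the comment: `# Remove old files except data directory and env file (.env.production is 600/immersive and regenerated by the Create Environment File step)`.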
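Review bot: On the second deploy the `echo ... > /opt/immersive/.env.production` redirects in the new step will fail with permission denied unless the job already runs as the immersive user: the previous hunk now keeps the file across deploys, after the first run it is owned by immersive with mode 600, and only the final chown/chmod lines here use sudo. On the first run there is also a window in which the file is created under the runner's default umask (typically readable by others) and already holds all three secrets before the `chmod 600` at the end of the step. Creating the file with its final owner and mode first and writing the contents through `sudo tee` fixes both; the rewritten step body is below, with the step name and `env:` block unchanged. I cannot see the workflow's user from the hunk, so the first point is inferred from the sudo usage on the other lines.
```yaml
    run: |
      f=/opt/immersive/.env.production
      # Create (or truncate) the file with its final owner and mode before any secret is written
      sudo install -o immersive -g immersive -m 600 /dev/null "$f"
      printf '%s\n' \
        "# Auto-generated by CI/CD - Do not edit manually" \
        "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}" \
        "CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}" \
        "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" \
        | sudo tee "$f" > /dev/null
```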
@@ -12,6 +12,18 @@ cd "$APP_DIR" export NODE_ENV=production export NODE_OPTIONS="--max-old-space-size=2048" +# Load secrets from environment file if it exists +if [ -f "$APP_DIR/.env.production" ]; then + # Export each line as an environment variable + while IFS= read -r line || [ -n "$line" ]; do + # Skip comments and empty lines + case "$line" in + \#*|"") continue ;; + esac + export "$line" + done < "$APP_DIR/.env.production" +fi + # Optional: Set port (default 3001) # export PORT=3001
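Review bot: `export "$line"` takes each line verbatim, so this loader does not follow dotenv conventions: surrounding quotes become part of the value, an `export KEY=` prefix is not accepted, and a line whose key is not a valid identifier makes `export` error out (and aborts startup if the script enables `set -e` above this hunk). That is fine for a file CI generates with plain `KEY=value` lines, but it belongs where the file is read; suggested comment above the loop: `# Lines are exported verbatim as KEY=value: quotes are kept, 'export' prefixes and non-identifier keys are rejected`. Separately, the `-f` test passes even when the 600-mode file is not readable by the user running this script, in which case the redirection on the `done <` line fails loudly and the service starts without its secrets, which is arguably the right outcome. A short comment saying so, `# must be readable by the service user; CI creates it as 600 immersive:immersive`, would save the next reader a trip to the workflow.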