Format: {"cloudflareWorkerURL":"https://…workers.dev","apiToken":"your-token"}
Stored in localStorage. Never commit config files with real tokens.
Derives AES-256-GCM key via PBKDF2-SHA-256 (200 000 iterations).
A 16-byte random salt is stored in localStorage.
All crypto is client-side — no plaintext ever leaves the browser.
Backup includes the PBKDF2 salt + all IV-prepended AES-GCM blobs.
Only the correct password + salt pair can decrypt.
Run once after deploying the worker to create the credentials table in Turso DB.