How-to

Sensitive environment variables

Environment variables that cannot be decrypted once created.
Table of Contents

Sensitive environment variables are environment variables whose values are non-readable once created. They help protect sensitive information stored in environment variables, such as API keys.

When you mark an existing environment variable as sensitive, Vercel converts it to a non-readable format. This is only possible for environment variables in the Production and Preview environments.

Both project environment variables and shared environment variables can be marked as sensitive.

You can only create a sensitive environment variables in the Preview and Production environments.

Sensitive environment variables can be create at the project or team level:

  1. Go to the Vercel dashboard and select your team from the scope selector. Click on the Settings tab and then select Environment Variables from the left navigation. To create sensitive environment variables at the project-level, select the project from your dashboard and then and click the Settings tab.
  2. At the top of the form, toggle the Sensitive switch to Enabled. If the Development environment is selected, you will be unable to enable the switch.
  3. Fill in the details to create a new environment variable.
  4. In the environment variable table, sensitive environment variables are marked with a "Sensitive" tag:
    Sensitive environment variables labeled with a 'Sensitive' tag on the dashboard.
    Sensitive environment variables labeled with a 'Sensitive' tag on the dashboard.

You can edit the environment for a sensitive environment variable. You cannot edit the key or value of a sensitive environment variable.

  1. From your dashboard, go to the team or project's Settings tab and select Environment Variables from the left navigation. Find your environment variable in the list.
  2. Click Edit from the three-dot menu in the environment variables list
  3. Select the environment(s) for the sensitive environment variable.
  4. After making the change, click the Save button.

Users with the owner role can set a team-wide environment variable policy for creating environment variables. Once enabled, all newly created environment variables in the Production and/or Preview environments will be sensitive environment variables.

  1. From the dashboard, ensure your team is selected in the scope selector and select the Settings tab.
  2. From the left navigation, click Security & Privacy.
  3. From the Environment Variable Policies section, toggle the Enforce Sensitive Environment Variables switch to Enabled:
    Set environment variable policy from your team's Security settings.
    Set environment variable policy from your team's Security settings.
Last updated on October 31, 2024