Manage Environment Variables in Vercel with Infisical

Use Infisical to sync secrets out to your Vercel projects.

Introduction
Every Vercel project has environment variables. And if you're like most teams, you're probably going into the Vercel dashboard and managing them there. You're typing them in by hand, project by project, environment by environment. And every time someone rotates a key, you're back in this Vercel dashboard doing it all over again. Today, we'll look at a better way of managing environment variables. I'll show you how to set up Infisical from scratch and use it to manage all of your Vercel environment variables from one central place. And this will have automatic syncing so you'll never have to copy and paste again. Let's start with what most people are doing today.
Secrets in Vercel
This is the environment variables page in Vercel's project settings. To add a secret, we'll click add environment variable. Set our variable. We'll check the boxes for which environments this variable applies to, and we'll click save. This works for now, but it breaks down as your setup gets a little bit more complex. Here's why. First, Vercel's shared variables work, but they're very basic. You can create shared variables at the team level and then link them to separate projects. That part's easy, but they're a flat list. There's no folder structure, no grouping by service or domain, and no way to scope a shared variable to a specific git branch. When you have a handful of shared secrets, this is fine. When you have dozens across a growing number of projects, it's difficult to find them and organize them in this flat list.
Problem #1: Local Development Drift
A second issue is that local dev tends to drift silently. If you're running vercel dev, it pulls environment variables into memory automatically. But if you're using any other dev setup, next dev, npm run dev, a custom script, you need to run vercel pull manually. Now there's no notification for when a variable changes. So your local dev, if you don't do this or forget to do this, can drift slowly. It can go stale without anyone knowing.
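A drift check for the situation described above, as an added example that is not from the original page: it compares the env file on disk with a freshly pulled copy and reports key names only, never values. The file contents are constructed, and the parser covers only the plain KEY=value subset of dotenv syntax.

```python
import re

# KEY=value with an optional "export " prefix; inline comments are not handled.
_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_dotenv(text):
    """Parse simple KEY=value lines into a dict, stripping matching quotes."""
    env = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def env_drift(local_text, fresh_text):
    """Compare the local env file with a fresh pull; return key names only."""
    local, fresh = parse_dotenv(local_text), parse_dotenv(fresh_text)
    shared = local.keys() & fresh.keys()
    return {
        "missing_locally": sorted(fresh.keys() - local.keys()),
        "only_local": sorted(local.keys() - fresh.keys()),
        "stale": sorted(k for k in shared if local[k] != fresh[k]),
    }


# Constructed sample files, not real credentials.
LOCAL = '''# pulled three weeks ago
STRIPE_SECRET_KEY="sk_old"
DATABASE_URL=postgres://dev
LEGACY_FLAG=1
'''
FRESH = '''STRIPE_SECRET_KEY="sk_new"
DATABASE_URL=postgres://dev
NEXT_PUBLIC_API_URL=https://api.example.test
'''

if __name__ == "__main__":
    print(env_drift(LOCAL, FRESH))
```

Running a check like this before starting the dev server turns silent drift into a visible list of stale, missing and leftover keys.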
Problem #2: Audit Log Limitations
Now a third issue: audit log visibility depends on your plan. Vercel's activity log tracks environment variable changes, who changed what and when. And this is available on all plans, but this is a general-purpose event log for your team. It's not a secrets-specific audit trail. There's no filtering by secret name, for example. There's no diff showing the old value versus the new value, and there's no way to see who read a secret. Full audit logs with CSV and SIEM streaming are enterprise only. And if a deployment breaks because of a bad environment variable, you'll know something changed, but piecing together what exactly happened can be more difficult than it should be.
Problem #3: No Central Rotation
And then fourth, there's no automated rotation. When an API key expires or gets compromised, you rotate it by hand. Generate the new credential, paste it into the dashboard, and then redeploy. Vercel doesn't automate any part of that process. For secrets that need regular rotation, like database passwords or third-party API keys, that's a recurring manual task that's easy to let slip. And here's the thing, Vercel's probably not the only place you have secrets. If your app gets deployed from GitHub, you likely have secrets in GitHub Actions, too. Maybe a database URL for running migrations in CI or API keys for integration tests. Now, you've got the same secrets in Vercel and GitHub. They're managed separately and they're updated separately. This is secret sprawl and it only gets worse as your stack and your team grow. Add a second cloud provider or a backup job service and all of a sudden you're managing secrets in four or five different dashboards. So the Vercel dashboard is fine and great for setting up your first project. But once you have multiple projects, multiple environments or secrets spread across Vercel and your CI pipeline, managing environment variables by hand doesn't scale anymore.
Using Infisical
You need a single source of truth. That's where Infisical comes in. Infisical is an open-source secret management platform. You store all of your secrets in one place, organized by project or environment, and then Infisical pushes them out wherever they need to be, including Vercel. Here's what that looks like in practice. I've got a project with three environments, development, staging, and production. Each one holds secrets relevant to that environment. And when I update a secret here, say I rotate my Stripe key, Infisical will automatically push the new value out to Vercel. The idea is simple. Infisical becomes the source of truth. So you change your secret in Infisical and Vercel picks up that change automatically. Let me show you how to set this up from scratch.
Setting Up Secrets in Infisical
First we'll get set up with an Infisical account. Head to app.infisical.com. Now this will be eu.infisical.com if you're in Europe. And this is Infisical's cloud platform. It's free to get started and fully managed. So there's nothing to install. If you'd rather self-host, Infisical supports that, too. But for this tutorial, we're going to use the cloud version. So you can sign up with email and password, Google, GitHub, or GitLab, whichever you prefer. I'm going to go with email. And once you submit, you will get a verification code to your inbox. We're going to grab that code and enter it here. So we land on the projects page. We're going to add a new project and we're going to choose project type secrets management. Give it a name that matches your Vercel project. I'm going to call mine my web app. Again, Infisical sets you up with three default environments, development, staging, and production. This can map nicely to Vercel's development, preview, and production. Let's add some secrets. I'm going to go to the production environment, and I'm going to click add secret. Note, if you already have a .env file, you don't have to add all of these manually. You can just drop it in. All your key value pairs will populate at once, and this is the fastest way to migrate. Now, we can do the same thing for development and production, adding the appropriate values in each environment. But that's it for the Infisical setup. We've got an account, we've got a project, and we've got secrets in each environment.
Connect Vercel to Infisical
Now, let's connect this to Vercel. Over in Vercel, we need to create an API token so that Infisical can talk to your Vercel account. I'm going to click find here in the top left and search for tokens. I'm going to create a token. For this one, I'll call it Infisical. Give it a scope. Now, you could choose full account or you could scope it to a specific team. And then for expiration, pick something that fits your security policy. I'll do one day for this demo. For production, you might want something different with an expiry reminder. We'll click create and we'll copy the token immediately. Now, we'll switch back to Infisical. We'll go to integrations on the left side and then click add app connection. App connections are how Infisical authenticates with external platforms. You set it up once and then any sync in your organization can use it. So we're going to set up Vercel. We'll copy in that API token we just received. For the name, we'll give it something descriptive like Vercel team production and we can click connect. Now we can see successfully added Vercel connection. Infisical validates that the token has access to your projects and then the handshake is done.
Vercel Infisical Secret Sync Setup
Now we will create a secret sync which is the core of this whole setup. This is a one-way sync from Infisical, your central source of truth, to your Vercel project environment. So whenever you change that secret in Infisical, it gets pushed out to Vercel. So we've clicked secret syncs. We're going to click add sync. Once again, we select Vercel. Now we configure the source. This is where secrets are going to come from. We'll set the environment to production and the secret path to root. Root is just a forward slash. Now if you're working in a monorepo and you've organized secrets by folders, you might just point this to a specific subfolder. So forward slash web or slash ai, but root is going to work for most setups. Next we'll configure the destination. This is where the secrets are going and we're going to choose our Vercel connection that we just set up. Now we can also scope it to project or team. And if we scope it to project, we can see the projects that Infisical picks up from Vercel. I will choose my web app and I'll set Vercel project environment to production.
Now the sync options. This part really matters, especially the first time you're setting this up. Initial sync behavior controls what happens when the secret already exists in Vercel. We've got three choices.
We can overwrite destination secrets. This is going to replace everything in Vercel with what's in Infisical. It's like a clean slate. So use this only if you've already migrated all of your variables from Vercel into Infisical and you're sure that nothing's missing.
Import secrets and prioritize Infisical values. This is what I'd recommend for most teams migrating from Vercel. This pulls your existing Vercel variables into Infisical first and then it syncs. And if the key lives in both places, Infisical's value wins. This way you don't lose anything during the transition.
Import secrets and prioritize Vercel values does the same thing, except of course Vercel's value wins on conflicts. I'll go with import secrets and prioritize Infisical values.
Now we can also set up a key schema. So when the secret is synced, it can be injected into that schema before it reaches the destination. This is useful for teams who organize their keys, maybe with some prefix. And you can see we can set this up with secret key and environment.
Now we can also disable secret deletion. We can see that when this is enabled, Infisical will not delete the Vercel secrets even when they're deleted in Infisical. This is useful if you have environment variables that you're going to manage in Vercel outside of Infisical. But I'm going to disable this because I think it defeats the point of our centralized secrets manager in this case.
And for auto sync, we're going to make sure that it's enabled. This is what makes secrets sync automatically whenever you change them in Infisical. And again, if we disable this, then we have to manually trigger a sync every time a secret value changes, which in my opinion defeats the point.
So, we'll give the sync a name. I'm going to call this prod to vercel prod. And once we have everything correct, we can click create sync.
Now, one other thing to know before we move on. Vercel has this concept of sensitive environment variables. Once you mark a variable sensitive, Vercel doesn't expose its value through its API. This means that Infisical can't import those values during that initial sync. So if you have sensitive variables in Vercel, you'll have to add those into Infisical manually. And you'll want to set up syncs for your other environments as well. You can map Vercel environments to Infisical environments however you want. But a common starting place is again to use Infisical's development and then we'll map that to Vercel's development. Infisical staging will be Vercel's preview. But you can adjust this to match however your team uses environments.
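The initial sync choices and the sensitive-variable caveat above can be previewed before the sync is created. The following is an added example, not Infisical's code: it models the three behaviors as this page describes them, and the mode names, function name and sample keys are assumptions made for illustration.

```python
# Mode names are this example's own labels, not Infisical API identifiers.
OVERWRITE = "overwrite"
PREFER_INFISICAL = "import-prioritize-infisical"
PREFER_VERCEL = "import-prioritize-vercel"


def plan_initial_sync(infisical, vercel, mode):
    """Preview a first sync. `vercel` maps key -> value, or None for a
    sensitive variable whose value the Vercel API does not return."""
    if mode not in (OVERWRITE, PREFER_INFISICAL, PREFER_VERCEL):
        raise ValueError(f"unknown mode: {mode}")
    readable = {k: v for k, v in vercel.items() if v is not None}
    # Sensitive values cannot be imported: any such key Infisical does not
    # already hold has to be added to Infisical by hand.
    add_manually = sorted(k for k, v in vercel.items()
                          if v is None and k not in infisical)
    if mode == OVERWRITE:
        after = dict(infisical)              # nothing is imported
    elif mode == PREFER_INFISICAL:
        after = {**readable, **infisical}    # Infisical wins on conflicts
    else:
        after = {**infisical, **readable}    # Vercel wins on conflicts
    conflicts = sorted(k for k in readable
                       if k in infisical and readable[k] != infisical[k])
    # Overwrite replaces Vercel's set with Infisical's, so keys that exist
    # only in Vercel go away; the import modes pull readable keys in first.
    removed = sorted(set(vercel) - set(infisical)) if mode == OVERWRITE else []
    return {
        "infisical_after": after,
        "conflicts": conflicts,
        "winner": "vercel" if mode == PREFER_VERCEL else "infisical",
        "removed_from_vercel": removed,
        "add_manually": add_manually,
    }


# Constructed sample state, not real credentials.
INFISICAL = {"STRIPE_SECRET_KEY": "sk_new", "DATABASE_URL": "postgres://inf"}
VERCEL = {
    "STRIPE_SECRET_KEY": "sk_old",   # on both sides, values differ
    "ANALYTICS_ID": "ua-1",          # only in Vercel
    "SIGNING_KEY": None,             # sensitive: value hidden by the API
}

if __name__ == "__main__":
    for mode in (OVERWRITE, PREFER_INFISICAL, PREFER_VERCEL):
        plan = plan_initial_sync(INFISICAL, VERCEL, mode)
        plan.pop("infisical_after")          # print key names, never values
        print(mode, plan)
```

A non-empty `removed_from_vercel` or `add_manually` list is the signal to finish migrating those keys into Infisical before choosing the overwrite option.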
Live Sync Demo
Okay, so our setup is done. If I go to my project's environment variables, I can see that all of those variables that were in Infisical have been added in Vercel. Now my Stripe secret key's value is this ABC123. I'm going to go back to Infisical and create a new value. Let's go here to the production environment and let's call it new sk123. Save this. Now if I go back over to my Vercel project and refresh the page, we can see here that it's been updated just now. I change it once in Infisical and Vercel picks it up automatically. If I go back to Infisical and I check the status of my secret syncs, I can see status synced and it'll show when it's synced as well. And then another thing, if I ever wanted to see who changed that secret value, I could see it over here in the audit logs and that would look something like this.
Conclusion
So we now have a single source of truth for all of our environment variables. Change a secret in Infisical and it automatically propagates to Vercel in the appropriate environment, production, preview or development. We no longer have these manual updates or these broken deployments not knowing which environment variable changed. And this is just Vercel — Infisical syncs to over 60 other platforms. AWS Parameter Store, GitHub Actions, Kubernetes, Terraform, Netlify and more. So the same workflow scales to your entire stack. If you haven't seen it yet, we have another useful video on the Infisical CLI and how to use it to replace .env files in local development. I'll drop that link in the description. If you combine that with a Vercel integration, you can have one source of truth for everywhere. Again, Infisical is open source and it's free to get started. I'll drop a link in the description. Thank you guys so much for watching and be on the lookout for the CI/CD with OIDC videos coming out next. Appreciate you. Have a good day. We'll see you in the next one.