vars

Vercel

One VARS_KEY, runtime decrypt on Vercel Functions and Edge.

Setup

vars gen config.vars --platform serverless

Ciphertexts for every env are embedded in the generated module. getVars(env) decrypts at runtime using Web Crypto and memoizes the result per invocation isolate.
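
A sketch of the pattern described above, added here as an example and not taken from the vars project's generated module: a table of per-env ciphertexts, decrypted with Web Crypto and memoized. The cipher (AES-256-GCM), the base64 key encoding, the blob layout and the helper names seal, unseal and makeGetVars are assumptions.

```javascript
// Added sketch; not the vars project's generated code.
// Assumed: AES-256-GCM, base64 VARS_KEY, blob = base64(12-byte IV || ciphertext+tag).
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback: Node < 19
const enc = new TextEncoder();
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const importKey = async (keyB64) =>
  wc.subtle.importKey('raw', fromB64(keyB64), 'AES-GCM', false, ['encrypt', 'decrypt']);

// Build-time stand-in (hypothetical helper): seal one env's values into a blob.
// The env name is bound as AAD so a blob cannot be served under another env name.
async function seal(keyB64, envName, values) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv, additionalData: enc.encode(envName) },
    await importKey(keyB64), enc.encode(JSON.stringify(values)));
  return toB64(new Uint8Array([...iv, ...new Uint8Array(ct)]));
}

// Runtime side: decrypt and authenticate one blob; rejects on wrong key or tampering.
async function unseal(blob, keyB64, envName) {
  const raw = fromB64(blob);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: raw.slice(0, 12), additionalData: enc.encode(envName) },
    await importKey(keyB64), raw.slice(12));
  return Object.freeze(JSON.parse(new TextDecoder().decode(pt)));
}

// `embedded` maps env name -> blob, standing in for the generated module's table.
function makeGetVars(embedded) {
  const cache = new Map(); // one decrypt per env for the lifetime of this isolate
  return async function getVars(env) {
    const { VARS_KEY, VARS_ENV } = env;
    if (!VARS_KEY || !VARS_ENV) throw new Error('VARS_KEY and VARS_ENV must be set');
    if (!Object.hasOwn(embedded, VARS_ENV)) throw new Error(`unknown env: ${VARS_ENV}`);
    if (!cache.has(VARS_ENV)) {
      const p = unseal(embedded[VARS_ENV], VARS_KEY, VARS_ENV);
      p.catch(() => cache.delete(VARS_ENV)); // do not memoize a failed decrypt
      cache.set(VARS_ENV, p);
    }
    return cache.get(VARS_ENV);
  };
}
```

With an authenticated cipher, a wrong VARS_KEY or a blob moved to a different env name fails at decrypt time instead of yielding garbage values.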

Usage

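// app/api/health/route.ts
import { getVars } from '#vars'

export async function GET() {
  // Decrypts on first use; later calls in the same isolate reuse the memoized result
  const vars = await getVars(process.env)
  return Response.json({
    app: vars.APP_NAME,
    // unwrap() exposes the underlying value, so this route sends DATABASE_URL in the response body
    db: vars.DATABASE_URL.unwrap(),
  })
}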

Works identically for Edge Functions, Serverless Functions, Middleware, and Server Components.

Secrets

In the Vercel dashboard:

  1. Project → Settings → Environment Variables
  2. Add VARS_KEY (Sensitive) with the output of vars key export.
  3. Add VARS_ENV (plaintext) with the env name — e.g. prod for Production, dev for Preview/Development.

That's it. Only two entries per environment, no per-secret configuration.

Local dev

{
  "scripts": {
    "dev": "vars run --env dev -- next dev"
  }
}

vars run exports VARS_KEY + VARS_ENV into process.env for your dev server.