Environment variables marked as Sensitive cause authentication failures for my application at runtime. When the same variable is created without the Sensitive flag (identical value), it works correctly. Confirmed across two different services: a Supabase Postgres connection string (Prisma P1000 auth error) and a Resend API key (emails not sending). Both variables work when non-Sensitive, both fail when Sensitive. Tested on https://scottwoodart-8cmhje9l7-scottjwoods-projects.vercel.app/. This appears to affect the feature recommended in the recent security incident bulletin.
Hi @scottjwood, welcome to the Vercel Community!
Thanks for reporting it. Let me share with our team.
Hi @scottjwood, I couldnât recreate the issue as of now. Here are the steps I tried:
- Created a new project and added both secret/non-secret vars. Both were readable at runtime.
- Edited the variables later on, new values were readable after a redeploy (as expected).
- Edited the variables again, this time added notes, new values were readable after a redeploy (as expected).
Please let me know if youâre still able to recreate this issue.
Weâre seeing this same exact issue. For the production environment it works correctly and it loads the sensitive environment variables, but for our preview and custom staging environment it doesnât load them properly. Only once we change that they are not sensitive are they loaded correctly during build time.
Weâre use Infisical for managing all of our secrets so they are set via the Infisical sync connections, but itâs strange that for production it works and on staging then fails.
Hi @anshumanb ,
Thanks for the response. After recreating the issue multiple times last night, I tried it again this morning and it seems to be working now.
Hi @miljantekic, could you confirm if this is still an issue?