Can't get an ENV's value #118
Description
After a long discussion with Vercel Support team and having no luck, I am opening an issue here so someone from the technical side can take a look at it. I have a project on Vercel that has non-sensitive environment variables set using the dashboard. I want to fetch them to do further scripting but none of the suggested approaches so far are working.
This is what I started out with:
import { Vercel } from '@vercel/sdk';
(async () => {
const vercel = new Vercel({
bearerToken: token
});
const readEnvs = await vercel.projects.filterProjectEnvs({
decrypted: true,
idOrName: <project-id>
});
})();
This gave me an array of objects that look like this:
{
target: [Array],
type: 'encrypted',
decrypted: false,
value: 'zBVLLQi9gyWcZ38Yh44FV3DVhJb6HrQLVaZBtlg6xRLe+gsFvw/+u4aCn1En4ZouwtTW/nlIhVibcqgErSQKVVTV+MkoaaOJk2M3aWX1a8nUQxF9YOtltH4F8Qv0aDzbgReaPYGKtXncTmVR26PHubIbOxSeSfDrkza1OpR+r7+RCTR5WPCf6O5OEgMmn4Liw1yrEsi50DqzO7nNtnvtGg==',
id: 'z1nqRk19Zp1o3Wjr',
key: 'NPM_RC',
configurationId: null,
createdAt: 1733464905066,
updatedAt: 1753187468607,
createdBy: 'BbfRMQ0rayldOPM5XPXAe2BC',
updatedBy: 'BbfRMQ0rayldOPM5XPXAe2BC',
comment: '',
customEnvironmentIds: []
}
Even when I had specified decrypted: true, it still returned an encrypted value. Then I contact Support and was suggested to fetch each variable individually by id and this would return a decrypted value so I added this after the filterProjectEnvs call:
for (const env of readEnvs.envs as Envs[]) {
await vercel.projects.getProjectEnv({
id: env.id,
idOrName: <project-id>
});
}
And this didn't work either. It was returning a response but it had no value like so:
{
decrypted: true,
target: Array,
type: 'encrypted',
id: 'z1nqRk19Zp1o3Wjr',
key: 'NPM_RC',
configurationId: null,
createdAt: 1733464905066,
updatedAt: 1753187468607,
createdBy: 'BbfRMQ0rayldOPM5XPXAe2BC',
updatedBy: 'BbfRMQ0rayldOPM5XPXAe2BC',
comment: '',
customEnvironmentIds: []
}
This again had a descrypted: true property but there was no value at all. I contacted Support again and they told me this:
If no value is being returned then the variable you’re requesting is stored with Encrypt enabled ("type": "encrypted"), which tells Vercel to decrypt the variable for internal use if needed, but to not send the clear text back over the API.
When you make a per-ID call, this endpoint does the following: confirms with "decrypted": true that it could decrypt the secret internally then, returns all the usual metadata but deliberately omits the value field to keep the secret from leaving the platform. You’ll only see a value field when the variable’s type is plain (or system, which Vercel injects automatically). For an encrypted vars you have two options if you need the plaintext: Turn off Encrypt in the dashboard for that key, save it as a plain variable, and call the endpoint again Use the same bulk-list request the Vercel CLI relies on (?decrypt=true&source=vercel-cli:pull), which still returns plaintext for non-Sensitive variables until that legacy path is fully retired As a further note on this, variables marked as Sensitive can never be read via any REST call.
In this particular instance the missing value field isn’t a bug, it's how Vercel ensures your encrypted secrets remain a secret.
I never created any sensitive ENVs so I don't know what's going on here.