Vercel Integration
Sync E2E encrypted secrets to Vercel environment variables. Two options: browser-based OAuth or CLI.
Option 1: Browser Integration (Recommended)
One-click setup from the Vercel Marketplace. No tokens to manage.
- Install MeowPass on Vercel Marketplace →
- Authorize MeowPass to access your Vercel projects
- Configure project mappings → — map a vault to a Vercel project and environment
- Use
mp vercel syncor the dashboard to push secrets
Option 2: CLI Sync
Push secrets directly from the command line. Requires a Vercel API token.
bash
# Push production secrets to Vercel
mp vercel sync --project my-app --env production
# With explicit token
mp vercel sync --project my-app --env production --vercel-token $VERCEL_TOKEN
Prerequisites
- MeowPass CLI installed:
brew install meowrithm/tap/meowpass - Logged in:
mp login - Project initialized:
mp init - Vercel API token — get one from vercel.com/account/tokens
Environment Mapping
MeowPass environments map to Vercel targets automatically:
| MeowPass env | Vercel target |
|---|---|
| production | production |
| preview / staging | preview |
| default / local / development | development |
Override with --target production to force a specific Vercel target.
Usage
Sync production secrets
bash
mp vercel sync --project my-nextjs-app --env production
Sync to a team project
bash
mp vercel sync --project my-app --env production --vercel-team my-team
Dry run (preview changes)
bash
mp vercel sync --project my-app --env production --dry-run
Sync all environments
bash
mp vercel sync --project my-app --env default
mp vercel sync --project my-app --env preview
mp vercel sync --project my-app --env production
GitHub Actions + Vercel
Sync secrets to Vercel before every deploy:
.github/workflows/deploy.yml
name: Deploy
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install MeowPass
run: |
curl -fsSL https://github.com/meowrithm/meowpass-releases/releases/latest/download/meowpass_linux_amd64.tar.gz | tar xz
sudo mv meowpass /usr/local/bin/mp
- name: Sync secrets to Vercel
env:
MEOWPASS_TOKEN: ${{ secrets.MEOWPASS_TOKEN }}
VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
run: mp vercel sync --project my-app --env production
- name: Deploy
run: npx vercel --prod --token ${{ secrets.VERCEL_TOKEN }}
Flags Reference
| Flag | Description |
|---|---|
| --project | Vercel project name or ID (required) |
| --env | MeowPass environment (default, local, production, etc.) |
| --vercel-token | Vercel API token (or VERCEL_TOKEN env var) |
| --vercel-team | Vercel team slug (for team projects) |
| --target | Override Vercel target (production, preview, development) |
| --vault | Override vault ID |
| --dry-run | Preview without pushing |
How It Works
- Pulls encrypted secrets from your MeowPass vault
- Decrypts locally using your master key (zero-knowledge — server never sees plaintext)
- Pushes each secret to Vercel as an encrypted environment variable via their REST API
- Creates new vars or updates existing ones (matched by key name)
Vercel stores env vars encrypted at rest. The plaintext only exists in memory during the sync and during Vercel builds.