docs/documentation/guides/nextjs-vercel.mdx
This guide demonstrates how to use Infisical to manage secrets for your Next.js + Vercel stack from local development to production. It uses:
To begin, we need to set up a project in Infisical and add secrets to an environment in it.
Create a new project in Infisical.
Add a secret to the development environment of this project so we can pull it back for local development. In the Secrets Overview page, press Explore Development and add a secret with the key NEXT_PUBLIC_NAME and value YOUR_NAME.
Add a secret to the production environment of this project so we can sync it to Vercel. Switch to the Production environment and add a secret with the key NEXT_PUBLIC_NAME and value ANOTHER_NAME.
Initialize a new Node.js app.
We can use create-next-app to initialize an app called infisical-nextjs.
Next, inside pages/_app.js, lets add a console.log() to print out the environment variable in the browser console.
export default function App({ Component, pageProps }) {
console.log('Hello, ', process.env.NEXT_PUBLIC_NAME);
return <Component {...pageProps} />
}
```
</Tab>
<Tab title="TypeScript">
```tsx
import '@/styles/globals.css'
import type { AppProps } from 'next/app'
export default function App({ Component, pageProps }: AppProps) {
console.log('Hello, ', process.env.NEXT_PUBLIC_NAME);
return <Component {...pageProps} />
}
```
</Tab>
We'll now use the Infisical CLI to fetch secrets from Infisical into your Next.js app for local development.
Follow the instructions for your operating system to install the Infisical CLI.
<Tabs> <Tab title="MacOS"> Use [brew](https://brew.sh/) package manager ```console
$ brew install infisical/get-cli/infisical
```
```console
$ scoop bucket add org https://github.com/Infisical/scoop-infisical.git
```
```console
$ scoop install infisical
```
Add Infisical repository
```console
$ wget -qO- 'https://artifacts-cli.infisical.com/setup.apk.sh' | sudo sh
```
Then install CLI
```console
$ apk update && sudo apk add infisical
```
Then install CLI
```console
$ sudo yum install infisical
```
```console
$ curl -1sLf \
'https://artifacts-cli.infisical.com/setup.deb.sh' \
| sudo -E bash
```
Then install CLI
```console
$ sudo apt-get update && sudo apt-get install -y infisical
```
```console
$ yay -S infisical-bin
```
Authenticate the CLI with the Infisical platform using your email and password.
$ infisical login
Run the init command at the root of the Next.js app. This step connects your local project to the project on the Infisical platform and creates a infisical.json file containing a reference to that latter project.
$ infisical init
$ infisical run -- npm run dev
If you open your browser console, Hello, YOUR_NAME should be printed out.
Here, the CLI fetched the secret from Infisical and injected it into the Next.js app upon starting up. By default,
the CLI fetches secrets from the development environment which has the slug dev; you can inject secrets from different
environments by modifying the env flag as per the CLI documentation.
At this stage, you know how to use the Infisical CLI to inject secrets into your Next.js app for local development.
Use our Vercel Secret Syncs guide to sync secrets from Infisical to Vercel as production environment variables.
At this stage, you know how to use the Infisical-Vercel integration to sync production secrets from Infisical to Vercel.
<Warning> The following environment variable names are reserved by Vercel and cannot be synced: `AWS_SECRET_KEY`, `AWS_EXECUTION_ENV`, `AWS_LAMBDA_LOG_GROUP_NAME`, `AWS_LAMBDA_LOG_STREAM_NAME`, `AWS_LAMBDA_FUNCTION_NAME`, `AWS_LAMBDA_FUNCTION_MEMORY_SIZE`, `AWS_LAMBDA_FUNCTION_VERSION`, `NOW_REGION`, `TZ`, `LAMBDA_TASK_ROOT`, `LAMBDA_RUNTIME_DIR`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, and `AWS_DEFAULT_REGION`. </Warning> - Audit logs: See which team members are creating, reading, updating, and deleting environment variables across all environments.
- Versioning and point in time recovery: Rolling back secrets and an entire project state.
- Overriding secrets that should be unique amongst team members.
And much more.
</Accordion>
<Accordion title="Is opting out of end-to-end encryption for the Infisical-Vercel integration safe?">
Yes. Your secrets are still encrypted at rest. To note, most secret managers actually don't support end-to-end encryption.
Check out the [security guide](/internals/security).
</Accordion>
See also: