SaaS Factory | Features | Updated February 19, 2026


Secrets Under Control — Encrypted Env Var Management with Live Validation and Vercel Push

v1.0.75 | Platform Update

Managing environment variables across a fleet of autonomously deployed SaaS products is one of those problems that sounds mundane until it isn't. A stale API key silently breaks an integration. A secret stored in plaintext becomes a liability. A required variable missing from production causes a 3 a.m. incident. In v1.0.75, we've shipped a comprehensive environment variable management system that eliminates all three failure modes.

Encrypted at Rest, Always

Every value written to the store passes through src/lib/encryption.ts before it touches the database. There is no code path that stores a plaintext secret. When the platform needs a value — to push it to Vercel, for example — it decrypts in-process, uses the value, and the plaintext never leaves memory. List and read endpoints return masked values so secrets can't leak through API responses.

Real Validation, Not Just Format Checks

It's easy to write a regex that checks whether a string looks like a GitHub token. It's much more useful to actually call GitHub and find out whether that token works.

The new validation layer does exactly that:

  • validateGitHub hits github.com/user with the token.
  • validateVercel hits api.vercel.com/v2/user.
  • validateTwilio hits api.twilio.com with the account SID and auth token pair.

All three return structured results rather than throwing exceptions, so the agent pipeline can make decisions based on validation outcomes without needing try/catch scaffolding everywhere.

Platform-Managed Keys

Not every secret belongs to a specific product. Some keys — database connection strings, platform-level tokens, shared infrastructure credentials — are managed centrally and should not trigger "missing required variable" alerts for every product in the fleet.

The PLATFORM_MANAGED_KEYS set handles this cleanly. Any key listed there is skipped during per-product required-variable checks. Products only get alerted about secrets they're actually responsible for.
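As an added example (not the platform's own code from src/lib/encryption.ts), here is the write/read/list split described under "Encrypted at Rest, Always" together with the PLATFORM_MANAGED_KEYS skip from this section, written in TypeScript with node:crypto AES-256-GCM. The in-memory store, the master key and the contents of the key set are constructed for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Hypothetical in-memory table standing in for the database; every value it holds is
// AES-256-GCM ciphertext. The master key is constructed here for the example only.
type Stored = { iv: string; tag: string; data: string };
const records = new Map<string, Map<string, Stored>>(); // productId -> key -> ciphertext
const masterKey = randomBytes(32);

// Write path: the only way into the store, and it always encrypts.
function setSecret(productId: string, key: string, plaintext: string): void {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const bucket = records.get(productId) ?? new Map<string, Stored>();
  bucket.set(key, {
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    data: data.toString("base64"),
  });
  records.set(productId, bucket);
}

// Read path for callers that really need the plaintext (e.g. a push to a deploy target).
// The value is decrypted in-process and never written anywhere.
function getSecret(productId: string, key: string): string | undefined {
  const rec = records.get(productId)?.get(key);
  if (!rec) return undefined;
  const decipher = createDecipheriv("aes-256-gcm", masterKey, Buffer.from(rec.iv, "base64"));
  decipher.setAuthTag(Buffer.from(rec.tag, "base64")); // a tampered iv/tag/data makes final() throw
  return Buffer.concat([decipher.update(Buffer.from(rec.data, "base64")), decipher.final()]).toString("utf8");
}

// Raw ciphertext record, exposed only so a caller can confirm nothing is stored in plaintext.
function rawRecord(productId: string, key: string): Stored | undefined {
  return records.get(productId)?.get(key);
}

// List endpoint: returns masks only, so an API response can never carry a full secret.
function listSecrets(productId: string): Record<string, string> {
  const out: Record<string, string> = {};
  const bucket = records.get(productId);
  if (!bucket) return out;
  bucket.forEach((_, key) => {
    const value = getSecret(productId, key) ?? "";
    out[key] = value.length > 4 ? "****" + value.slice(-4) : "****";
  });
  return out;
}

// Centrally managed keys (constructed set) are skipped in per-product required-variable checks.
const PLATFORM_MANAGED_KEYS = new Set(["DATABASE_URL", "PLATFORM_TOKEN"]);

function missingRequired(productId: string, required: string[]): string[] {
  const bucket = records.get(productId);
  return required.filter((k) => !PLATFORM_MANAGED_KEYS.has(k) && !bucket?.has(k));
}
```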

One Call to Ship Auth Config to Production

The headline capability in this release is deployAuthToVercel. When an AI agent finishes configuring authentication providers for a product, it calls this single function, which does three things:

  1. The authConfig object is mapped to the environment variable names the Next.js auth layer expects.
  2. Those variables are pushed to the target Vercel project with decrypted values.
  3. A redeployment is triggered automatically.

From config object to live deployment in one operation, with no manual steps and no Vercel dashboard required.

What This Enables

This release is infrastructure, but the impact is felt at every layer of the platform. AI agents can now:

  • Validate external service credentials before committing to a workflow that depends on them.
  • Rotate secrets and propagate the new values to all deployment targets without human involvement.
  • Enforce required-variable contracts at deploy time, catching configuration drift before it reaches users.
  • Deploy fully configured authentication to production as a single automated step.

Secrets management is no longer a gap that requires human intervention. It's a first-class, automated part of the platform.