blackAETHER
RESEARCH
April 2026
Cybersecurity

Where API Keys Live Besides Vercel: GitHub Actions, OAuth, and Local .env

Executive Summary

People remember to update Vercel but forget the same STRIPE_SECRET_KEY or AWS_ACCESS_KEY_ID lives in GitHub Actions, a cron VM, or a founder’s .env.local. This note lists the usual hiding places and how to audit them quickly when you need to rotate everything that touched an exposed hosting account.

Key Findings

  • GitHub: Settings → Secrets and variables → Actions (plus Dependabot and Environment secrets) often duplicates what is stored in Vercel; search workflow YAML for env: blocks and secrets.NAME references to find every key a job consumes.

  • Google Workspace: Admin → Security → API controls → App access, or the user's Account → Security → Third-party apps with account access, to find OAuth tokens tied to Gmail or Drive that were used in incidents.

  • GitLab, CircleCI, Bitrise, and similar use project-level variables; Terraform Cloud and Pulumi stacks store values per workspace.

  • Developers: .env.local, .env, direnv, shell profiles, and password managers—standardize on vercel env pull or an internal vault export after rotation.

  • Browser bundles should never contain server secrets; NEXT_PUBLIC_* belongs only on truly public keys. Never expose STRIPE_SECRET_KEY or SUPABASE_SERVICE_ROLE_KEY under a NEXT_PUBLIC_ name.

CI/CD and automation

Run a repo-wide search for STRIPE_, SUPABASE_, AWS_, OPENAI_, and DATABASE_ across .github/workflows, .gitlab-ci.yml, and infrastructure folders. Each platform has a “secrets” UI: rotate the value at the vendor first, then update the stored value under that secret name in CI, then re-run a pipeline to confirm the new credential works.
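The inventory step above, and the earlier points about secrets.NAME references in workflow YAML and NEXT_PUBLIC_ misuse, can be turned into a small audit script. The following is an added example, not code from the original note or from Black Aether; it assumes a POSIX shell with find, grep -E, sed and sort available, and it builds its own constructed fixture (a sample workflow and a sample .env.local with placeholder values) so it runs offline. The prefix list mirrors the note; extend it for your own vendors.

```shell
#!/bin/sh
# Added example: inventory where secret names appear outside the hosting UI.
# Assumes POSIX sh plus grep -ohE (GNU and BSD grep both support -o and -h).

# Variable-name prefixes the note tells you to search for.
PREFIXES='STRIPE_|SUPABASE_|AWS_|OPENAI_|DATABASE_'

# Distinct secrets.NAME references in GitHub workflow YAML under $1.
# Every name printed here must be updated in Settings > Secrets after rotation.
list_ci_secret_refs() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) \
    -exec grep -ohE 'secrets\.[A-Za-z0-9_]+' {} + 2>/dev/null \
    | sed 's/^secrets\.//' | sort -u
}

# Distinct variable names matching the prefixes in .env* files under $1.
# These are the laptop and cron-VM copies that survive a Vercel-only rotation.
list_env_secret_names() {
  find "$1" -type f -name '.env*' \
    -exec grep -ohE "^(export[[:space:]]+)?[A-Za-z0-9_]*($PREFIXES)[A-Za-z0-9_]*=" {} + 2>/dev/null \
    | sed -E 's/^export[[:space:]]+//; s/=$//' | sort -u
}

# NEXT_PUBLIC_ variables whose names suggest a server-side secret.
# Anything printed here ships to the browser bundle and must be renamed and rotated.
flag_public_secrets() {
  find "$1" -type f \( -name '.env*' -o -name '*.yml' -o -name '*.yaml' \) \
    -exec grep -ohE 'NEXT_PUBLIC_[A-Za-z0-9_]*(SECRET|SERVICE_ROLE|PRIVATE)[A-Za-z0-9_]*' {} + 2>/dev/null \
    | sort -u
}

# Print the three inventories for a checkout directory.
report() {
  echo "== CI secrets referenced in workflow YAML =="; list_ci_secret_refs "$1"
  echo "== Secret-looking variables in .env files =="; list_env_secret_names "$1"
  echo "== NEXT_PUBLIC_ names that look like server secrets =="; flag_public_secrets "$1"
}

# Constructed fixture (not a real repository, all values are placeholders)
# so the script can be exercised without a checkout. Prints the temp dir path.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/.github/workflows/deploy.yml" <<'EOF'
name: deploy
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    steps:
      - run: echo "deploying"
EOF
  cat > "$dir/.env.local" <<'EOF'
# constructed sample, every value is a placeholder
STRIPE_SECRET_KEY=PLACEHOLDER_ROTATE_ME
NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=PLACEHOLDER_ROTATE_ME
DATABASE_URL=postgres://user:PLACEHOLDER@localhost/db
EOF
  printf '%s\n' "$dir"
}

# Usage: sh audit-secrets.sh /path/to/checkout
if [ $# -gt 0 ]; then
  report "$1"
fi
```

Run it against each repository and each developer checkout; the union of the three lists is the set of names that must be rotated at the vendor, updated in CI, and re-pulled locally, with the NEXT_PUBLIC_ list requiring a rename as well.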

OAuth and “Sign in with Google”

If the incident involved workspace compromise, review which third-party apps have access to Gmail, Calendar, or Drive. Revoke apps you do not recognize; rotate passwords or app passwords for accounts used to authorize CI or cloud consoles.

Local machines and shared docs

Ask the team to delete old .env.local lines and re-import. Discourage sharing keys in Slack, Notion, or tickets—if they were used, assume those strings are compromised and rotate regardless of Vercel status.

Why this matters for searchers

Queries like “where is my stripe key” or “change .env vercel” usually need a map from variable name to dashboard to hosting UI. Completing all three stops partial fixes that leave CI or a laptop still broadcasting the old secret.

Conclusion

Vercel is one stop on a longer list. Teams that rotate hosting env vars but skip GitHub Actions, OAuth grants, and laptops often think they are done while automated jobs or old laptops still authenticate. Treat rotation as a short inventory exercise—vendor, Vercel, CI, humans—and you close the gaps searchers are trying to fix when they land on help articles like this one.

Tags: GitHub Actions, OAuth, Secrets, DevOps


© 2026 Black Aether LLC. All rights reserved.