Where to Find and Rotate Common API Keys: Stripe, AWS, Supabase, and More
Many teams know they need to “change .env” but do not know which dashboard owns which value. This article maps the env variable names you usually see in Next.js and Vercel to the exact place in Stripe, AWS, Supabase, Google, and OpenAI to generate replacements—so you are not hunting tabs when an advisory says rotate.
Key Insights
STRIPE_SECRET_KEY (and sometimes STRIPE_SECRET_KEY_LIVE) and NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY come from Stripe → Developers → API keys; STRIPE_WEBHOOK_SECRET comes from Developers → Webhooks → your endpoint → Signing secret.
NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY, and SUPABASE_SERVICE_ROLE_KEY come from Supabase → Project Settings → API; publishable/secret keys use the newer tab if your project migrated off legacy JWT keys.
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are created in AWS IAM → Users → Security credentials → Create access key; prefer IAM roles over static keys on AWS-native hosts when you can.
OPENAI_API_KEY (or ANTHROPIC_API_KEY, etc.) is created in each vendor’s API keys or console page; copy it once, then paste it into Vercel under the same name your code reads from process.env.
GMAIL_USER and GMAIL_APP_PASSWORD for SMTP come from Google Account → Security → App passwords; the app password is not your normal Gmail password.
Payments: Stripe variable names and menus
Search traffic often looks like “how to change STRIPE_SECRET_KEY” or “stripe webhook secret vercel.” In Stripe’s dashboard open Developers, then API keys: you will see publishable (pk_…) and secret (sk_…) keys. Your app may expect STRIPE_SECRET_KEY or STRIPE_SECRET_KEY_LIVE—grep your repo or read utils/stripe/config.ts so the Vercel name matches. Webhook signing uses a separate whsec_ value under Developers → Webhooks → select your endpoint → Reveal or roll signing secret—that maps to STRIPE_WEBHOOK_SECRET in many codebases.
After you paste new values into Vercel, redeploy and run a test payment or webhook replay from Stripe’s dashboard so you know events still verify.
Data and auth: Supabase
Typical names: NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY (or a publishable key string), SUPABASE_SERVICE_ROLE_KEY for server-only admin clients. All live under Supabase Project Settings → API. Copy the project URL and keys from the same screen you used when you first created the project.
If you rotated JWT signing keys in Supabase, you may still need to update anon/service keys or migrate to the new secret key format—follow Supabase’s own API keys documentation for your project type so Vercel values stay valid.
Cloud: AWS access keys and common names
Apps often use AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, and sometimes S3-specific bucket names as separate variables. Keys are minted in the IAM console; old keys should be disabled after Vercel is updated and tested. If you only use S3 from Vercel, consider scoped IAM users or, better, role-based access patterns your architecture supports.
AI and email: OpenAI, Anthropic, Gmail
LLM keys are usually OPENAI_API_KEY, ANTHROPIC_API_KEY, or vendor-specific names—create or roll keys in the vendor’s API key page, then update Vercel and local .env.local. For transactional email via Gmail, GMAIL_USER is your Google account email and GMAIL_APP_PASSWORD is generated under Google Account security; paste both into Vercel for server routes that send mail.
Why names must match exactly
process.env.STRIPE_SECRET_KEY is not the same as STRIPE_KEY. Copy names from your codebase or from a teammate’s documented list. When in doubt, search the repo for process.env. and mirror those strings in Vercel. That single habit fixes a large share of “I updated env but the app does not see it” reports.
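One way to automate that habit, as an added example that is not code from the original article: the functions below take source text and .env-style text, then list names the code reads but the env file lacks, and names the env file defines but the code never reads. The function names and all sample values are hypothetical and constructed for illustration.

```javascript
// Added example (not from the original article). All sample data is constructed.

// Collect names read via process.env.NAME or process.env["NAME"].
function referencedEnvNames(sourceText) {
  const names = new Set();
  const pattern =
    /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*["'`]([^"'`]+)["'`]\s*\])/g;
  for (const m of sourceText.matchAll(pattern)) names.add(m[1] || m[2]);
  return names;
}

// Collect names defined in .env-style text: KEY=value lines, an optional
// "export " prefix, and "#" comment lines (which are skipped).
function definedEnvNames(envText) {
  const names = new Set();
  for (const line of envText.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/);
    if (m) names.add(m[1]);
  }
  return names;
}

// missing: the code reads it but the env file does not define it.
// unused:  the env file defines it but the code never reads it,
//          which is often a misnamed copy of a missing name.
function compareEnvNames(sourceText, envText) {
  const used = referencedEnvNames(sourceText);
  const defined = definedEnvNames(envText);
  return {
    missing: [...used].filter((n) => !defined.has(n)).sort(),
    unused: [...defined].filter((n) => !used.has(n)).sort(),
  };
}

// Constructed sample: the env file uses STRIPE_KEY where the code expects
// STRIPE_SECRET_KEY. Values are placeholders, not real credentials.
const SAMPLE_SOURCE = `
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
const whsec = process.env["STRIPE_WEBHOOK_SECRET"];
const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
`;
const SAMPLE_ENV = `
# placeholder values only
STRIPE_KEY=sk_test_placeholder
export STRIPE_WEBHOOK_SECRET="whsec_placeholder"
NEXT_PUBLIC_SUPABASE_URL=https://example.supabase.co
`;

console.log(compareEnvNames(SAMPLE_SOURCE, SAMPLE_ENV));
```

Names the runtime sets itself, such as NODE_ENV, will show up under missing and can be ignored. Only names are compared, so secret values never need to leave the env file.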
© 2026 Black Aether LLC. All rights reserved.