Credential Rotation

Rotate credentials across
all your Vercel projects — fast.

After a breach, finding and updating credentials across dozens of projects takes hours. Ship Safe scans every project, groups by issuer, and generates a rotation plan you can execute in one CLI command.

Env var values never leave your browserNames and IDs only25+ credential types

Discover credentials

Enter your Vercel API token. We'll scan all your projects for high-value env var names — values are never fetched.

Go to vercel.com/account/tokens and create a token with read access.

Required if your projects are under a Vercel team. Find it in Settings → General.

Your token is used only for the Vercel API request and is never stored or logged. Env var values are never fetched.

How it works

01
Scan without reading values

We call the Vercel API to list env var names and IDs across all your projects. Values are never fetched, never transmitted to our servers.

02
Group by credential issuer

Env var names are matched against 25+ patterns (GitHub, OpenAI, Stripe, Supabase, AWS…) and grouped by the service that issued them.

03
Download your rotation plan

A JSON file with project IDs, env var names, and the rotation URL for each issuer. No secrets — safe to share with your team.

04
Execute with one CLI command

npx ship-safe rotate --plan rotation-plan.json opens each issuer dashboard, prompts for the new credential, and updates every affected project via the Vercel API.