Vercel
Vercelcloud2 credentials
API Token
vercel / api-token
Vercel API and CLI automation use account tokens. Vercel documentation includes token management and CLI commands that operate with tokens for deployments, teams, projects, and environment variables.
Location
AuthorizationBearer token used for Vercel API requests
VERCEL_TOKENVercel CLI config, CI pipeline config, .env files, and deployment manifests
GitHub Actions secrets, CI/CD variables, cloud secret managers, and password managers
deployment scripts, tests, and accidentally committed CLI configs
CI logs, CLI traces, and API client debug output
Notes
Token blast radius depends on account/team permissions and scopes selected at token creation.
Project Environment Variable Secret
vercel / project-environment-secret
Vercel projects store environment variables and secrets used by builds, serverless functions, and deployments. Vercel CLI env commands manage project environment variables.
Location
Vercel project environment variables and encrypted deployment secrets
runtime and build-time environment variables exposed to Vercel functions/builds
.env, .env.local, vercel.json, and CI pipeline configuration
accidentally committed .env files, tests, and examples
build logs and runtime logs if applications print environment values
Notes
Vercel environment secrets often contain downstream database URLs, API tokens, OAuth secrets, and cloud credentials.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.