Keys before the gate

Environment lock

Final verification of Vercel Environment Variables, public URLs, webhook secrets, admin tokens, and variables that must never enter the client bundle.

A secret that once entered chat, a screenshot, or a ZIP is no longer secret.

Vercel Final launch QA

Split public and server secrets

NEXT_PUBLIC_* can be seen in the browser. Service role, Stripe secret, webhook secret, Resend key, and admin token must stay server-only.

No server secret starts with NEXT_PUBLIC_.
.env.example contains no real values.
Vercel Production/Preview are separated.

Check domains and callbacks

Site URL, Supabase redirect URLs, Stripe success/cancel URLs, and email links must point to the production domain.

NEXT_PUBLIC_SITE_URL production.
Auth redirects production.
Checkout returns production.

Record rotation log

Record the date, rotated keys, recreated webhooks, and who has dashboard access.

Stripe keys rotated if exposed.
Supabase service role protected.
Admin token not shared broadly.

checklist

What to check

Production env filled.
Preview env does not use live money keys.
No secrets in Git/ZIP/report files.
Webhook secrets match endpoints.
Admin status API exposes no values.

red flags

When to stop

Service role visible in client code.
Live Stripe key used in preview tests.
Old leaked key still works.
Support screenshots show secrets.

done when

Definition of done

All required env values configured in Vercel.
Exposed keys rotated.
Admin status route returns only statuses, not values.