Vercel Edge Config Streamlines Sanity Secret Rotation

With traditional environment variables, a leaked Sanity secret requires a full app redeploy—taking up to 90 seconds. Vercel Edge Config offers a faster alternative: update secrets in real time without rebuilding or waiting.

The recurring problem with environment variables

Next.js’s official documentation recommends using an environment variable like SANITY_PREVIEW_SECRET to enable draft mode via a route handler. While this works for solo use, it becomes problematic in team settings. First, a leaked secret can only be fixed by redeploying the app, introducing a 60–90 second delay—even with Turbopack. During that window, the old secret remains valid on production instances. Second, tracing the source of a leak is impossible: all users share the same secret, with no audit trail.

Edge Config: a distributed and instant solution

Vercel Edge Config stores secrets as key-value pairs and distributes them across its edge network. Requests add just 1–2 ms of latency since data is preloaded on servers close to users. Updating a secret takes under a second and applies immediately across the network—no redeploy needed. To activate it, create a new Edge Config in the Vercel dashboard, add the SANITY_PREVIEW_SECRET key, and connect the project via integration settings. Vercel automatically injects the connection string into the environment as the EDGE_CONFIG variable.

The route handler remains functionally similar to the classic approach but replaces process.env access with a call to get('SANITY_PREVIEW_SECRET') from the Edge Config SDK. The rest of the flow—secret validation and draft mode activation—stays unchanged, while benefiting from stronger security and simplified secret management.

---

Source: DEV Community. Editorial synthesis assisted by AI — TechnoExpress.