#vercel env breach

charred vapor

Given the Vercel non-sensitive env key breach, do we need to rotate any of these:
NEXT_PUBLIC_CONVEX_SITE_URL
CONVEX_DEPLOYMENT
NEXT_PUBLIC_CONVEX_URL

manic slate BOT

Hi @charred vapor. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Based on the knowledge sources available, here's what these variables contain:

  • NEXT_PUBLIC_CONVEX_URL – The URL of your Convex deployment (e.g., <https://guiltless-dog-960.convex.cloud>). This is a public-facing URL intentionally exposed to the browser. [Configuring Deployment URL]

  • NEXT_PUBLIC_CONVEX_SITE_URL – Your deployment's site URL (e.g., <https://dusty-nightingale-847.convex.site>), used for HTTP Actions. Also public-facing. [Environment Variables]

  • CONVEX_DEPLOYMENT – Identifies which Convex deployment you're connected to (e.g., dev:pleasant-cat-602). Used locally by the Convex CLI.

None of these three variables are secrets. They are all non-sensitive, public identifiers — they don't grant any access to your Convex backend or data on their own. Rotating them is not necessary from a security standpoint.

What you should rotate if exposed are the actual secret/sensitive variables, such as:

  • CONVEX_DEPLOY_KEY – grants the ability to deploy functions to your Convex project [Deploying to Vercel]
  • JWT_PRIVATE_KEY – used by Convex Auth to sign tokens [ConvexAuth Env Error]
  • CONVEX_AUTH_ADAPTER_SECRET – shared secret for Auth.js adapter [NextAuth Adapter]
  • Any API keys or secrets stored as Convex environment variables

If your CONVEX_DEPLOY_KEY was among the breached variables, you should regenerate it immediately from the Convex Dashboard under your project's Settings page.

Note: you can ask me a follow-up question by @ mentioning me again :speech_balloon: