Summary
On July 9, 2026 Vercel began replacing environment variables marked Sensitive (with values of 32 characters or more) with [REDACTED] in deployment build logs, and always redacts select security system variables like VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN regardless of length.
What changed
Vercel's July 9, 2026 change automatically masks Sensitive-marked environment variables that are 32+ characters as [REDACTED] in build logs, flags in the Build Logs view when redaction occurred, and records the variable key, project, and deployment in the Activity Log without ever logging the value. Selected system variables (VERCEL_AUTOMATION_BYPASS_SECRET, VERCEL_OIDC_TOKEN) are always redacted.
Why it matters
Build logs are a common accidental leak path for secrets, since anything echoed during a build can end up persisted and shared. Redacting sensitive values by default — while still signaling that redaction happened — closes a frequent supply-chain exposure without forcing developers to sanitize their own build output, a meaningful default-secure improvement as more automated agents trigger deployments.
Evidence excerpt
When an Environment Variable is marked Sensitive and has a value 32 characters or longer, Vercel replaces it with [REDACTED] in build logs; VERCEL_AUTOMATION_BYPASS_SECRET and VERCEL_OIDC_TOKEN are always redacted regardless of length. Announced 9 Jul 2026.