End-to-End Encryption for Vercel Workflow
Vercel Workflow now ships with built-in end-to-end encryption for all data transiting through the event log. This update eliminates the need for manual encryption logic when handling sensitive information like API keys, authentication tokens, or user credentials.
What's Protected
The encryption automatically covers:
- Workflow inputs and outputs
- Step function arguments and return values
- Hook payloads
- Stream data
All data is encrypted before being written to the event log. Your step functions and workflows require zero code changes—encryption and decryption happen transparently.
How It Works
Each Vercel deployment receives a unique encryption key derived through the following process:
- Key derivation: HKDF-SHA256 generates a unique key per workflow run
- Encryption: AES-256-GCM protects both confidentiality and integrity
- Dashboard display: Encrypted fields show as locked placeholders until decrypted
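The sketch below is an added example, not Vercel's code: it shows per-run key derivation with HKDF-SHA256 followed by AES-256-GCM encryption, using Node's built-in crypto module. It assumes the per-run key is derived from the deployment key with the run ID in the HKDF info field, an empty salt, a 12-byte random nonce, and a `nonce || ciphertext || tag` envelope, none of which the page specifies; all function names are hypothetical.

```javascript
// Added illustration, not Vercel's implementation. The HKDF salt/info label,
// nonce size and envelope layout are assumptions made for this example.
const { hkdfSync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const NONCE_LEN = 12; // 96-bit GCM nonce (assumed)
const TAG_LEN = 16;   // 128-bit GCM authentication tag

// Derive a 32-byte AES-256 key for one run from the deployment key (HKDF-SHA256).
function deriveRunKey(deploymentKey, runId) {
  const info = Buffer.from(`workflow-run:${runId}`, "utf8"); // hypothetical label
  return Buffer.from(hkdfSync("sha256", deploymentKey, Buffer.alloc(0), info, 32));
}

// Encrypt a JSON-serializable value; returns nonce || ciphertext || tag.
function encryptForRun(deploymentKey, runId, value) {
  const key = deriveRunKey(deploymentKey, runId);
  const nonce = randomBytes(NONCE_LEN); // fresh per message, never reused under one key
  const cipher = createCipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  const body = Buffer.concat([cipher.update(JSON.stringify(value), "utf8"), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]);
}

// Decrypt and authenticate; throws if the key, nonce, ciphertext or tag is wrong.
function decryptForRun(deploymentKey, runId, envelope) {
  if (envelope.length < NONCE_LEN + TAG_LEN) throw new Error("envelope too short");
  const key = deriveRunKey(deploymentKey, runId);
  const nonce = envelope.subarray(0, NONCE_LEN);
  const tag = envelope.subarray(envelope.length - TAG_LEN);
  const body = envelope.subarray(NONCE_LEN, envelope.length - TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(body), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Returns true if the envelope authenticates and decrypts for this run, else false.
function canDecrypt(deploymentKey, runId, envelope) {
  try { decryptForRun(deploymentKey, runId, envelope); return true; }
  catch { return false; }
}

// Constructed sample: random stand-in deployment key and made-up run IDs.
const demoKey = randomBytes(32);
const demoEnvelope = encryptForRun(demoKey, "run_demo_1", { apiKey: "sk_test_constructed" });
console.log(canDecrypt(demoKey, "run_demo_1", demoEnvelope)); // true: same run key
console.log(canDecrypt(demoKey, "run_demo_2", demoEnvelope)); // false: other run's key
```

Because GCM authenticates as well as encrypts, a single flipped bit in the stored envelope, or an attempt to read it under another run's key, fails at `decipher.final()` instead of yielding altered plaintext.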
Accessing Encrypted Data
Web Dashboard: Click the "Decrypt" button in the run detail panel. Decryption happens entirely in the browser using the Web Crypto API, meaning the decrypted plaintext never reaches Vercel's servers.
CLI: Use the --decrypt flag with the inspect command:
npx workflow inspect run <run-id> --decrypt --withData
Access Control & Auditing
Decryption permissions follow your existing environment variable access model—users without permission to view environment variables cannot decrypt workflow data. Every decryption request is recorded in your Vercel audit log for full visibility and compliance.
Custom Implementations
For custom World implementations, you can opt into encryption by providing your own getEncryptionKeyForRun() method, which the runtime uses automatically. See the Workflow DevKit documentation for details.