Vercel Workflow adds end-to-end encryption for sensitive data without code changes
Vercel · feature, security, platform · vercel.com

Automatic End-to-End Encryption

Vercel Workflow now includes built-in end-to-end encryption for all data flowing through the event log. No code changes required — encryption happens automatically for workflow inputs, step arguments, return values, hook payloads, and stream data. This eliminates the risk of accidentally exposing sensitive information like API keys, tokens, or user credentials.

How It Works

Each Vercel deployment receives a unique encryption key, and the key used for each workflow run is derived from it through HKDF-SHA256. Data is encrypted using AES-256-GCM, which provides both confidentiality and integrity. In the dashboard, encrypted fields display as locked placeholders until decrypted.
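
The scheme described above can be sketched with the Web Crypto API. This is an added example, not Vercel's or the Workflow DevKit's code: the function names, the HKDF info string, the empty salt and the "IV || ciphertext+tag" layout are all assumptions chosen for illustration. It shows that a key derived for one run cannot decrypt another run's data and that a single flipped bit is rejected by the GCM tag check.

```javascript
// Added illustration, not Vercel's implementation. The HKDF info string, the
// empty salt and the "IV || ciphertext+tag" layout are assumptions.
const enc = new TextEncoder();
const dec = new TextDecoder();

// Web Crypto is global in browsers and recent Node; older Node exposes it via node:crypto.
async function getCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Derive a non-extractable AES-256-GCM key for one run from the deployment key.
async function deriveRunKey(deploymentKeyBytes, runId) {
  const { subtle } = await getCrypto();
  const ikm = await subtle.importKey('raw', deploymentKeyBytes, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(0), info: enc.encode(`run:${runId}`) },
    ikm, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt one event-log field; a fresh 96-bit IV is generated per message and prepended.
async function encryptField(runKey, plaintext) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, runKey, enc.encode(plaintext)));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv);
  blob.set(ct, iv.length);
  return blob;
}

// Decrypt; rejects if the key is wrong or any byte of IV, ciphertext or tag was altered.
async function decryptField(runKey, blob) {
  const { subtle } = await getCrypto();
  const pt = await subtle.decrypt({ name: 'AES-GCM', iv: blob.subarray(0, 12) }, runKey, blob.subarray(12));
  return dec.decode(pt);
}

async function demo() {
  const deploymentKey = new Uint8Array(32).fill(7); // constructed sample key, not a real secret
  const keyA = await deriveRunKey(deploymentKey, 'run_A');
  const keyB = await deriveRunKey(deploymentKey, 'run_B');
  const secret = '{"apiKey":"constructed-sample-value"}'; // constructed sample payload
  const blob = await encryptField(keyA, secret);
  const outcome = (p) => p.then(() => 'decrypted', () => 'rejected');
  const roundTrip = await decryptField(keyA, blob);
  const otherRun = await outcome(decryptField(keyB, blob)); // key derived for a different run
  blob[blob.length - 1] ^= 1; // flip one bit of the GCM tag
  const tampered = await outcome(decryptField(keyA, blob));
  return { roundTrip, otherRun, tampered };
}
```

Because the derived keys are imported as non-extractable, code holding a run key can encrypt and decrypt with it but cannot export the raw key bytes.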

Decryption and Access Control

Developers can decrypt data through two methods:

  • Web dashboard: Click the Decrypt button in the run detail panel. Decryption happens entirely in the browser via the Web Crypto API, ensuring the observability server never sees plaintext data.
  • CLI: Use the --decrypt flag with the inspect command: npx workflow inspect run <run-id> --decrypt --withData

Access to encrypted workflow data follows the same permissions model as project environment variables, so users cannot decrypt data if they lack permission to view environment variables. All decryption requests are recorded in your Vercel audit log for full team visibility.

Custom Implementation Support

While end-to-end encryption is built into the Vercel platform, custom World implementations can opt in by providing their own getEncryptionKeyForRun() method, which the core runtime uses automatically. See the Workflow DevKit documentation for implementation details.