Commands
scan
Enumerate every env var across every Vercel project your token can see, and map each to a rotate-cli adapter.
What it does
Scan hits /api/dashboard/environment-variables to get
every env var name across every project (up to ~2000 projects per
team) without pagination, then falls back to /v9/projects
if the dashboard endpoint is truncated. Each variable name is matched
against a built-in map to decide which adapter owns it.
Usage
$ rotate-cli scan [--team <slug>] [--include-public] Flags
| Flag | Meaning |
|---|---|
--team <slug> | Scan only one Vercel team (default: every team your token can see). |
--include-public | Include NEXT_PUBLIC_* vars (default: skip, public by design). |
Output
Cached at ~/.config/rotate-cli/last-scan.json. Readable by who --from-scan and apply --from-scan without re-hitting Vercel.
Pretty
Scanning 1 scope(s)...
✓ crafter-station 318 projects · 462 secrets · 5.1s
Total: 318 projects · 462 mapped · 366 unmapped
Mapped by adapter:
99 clerk
148 neon-connection
80 upstash
29 vercel-ai-gateway
24 openai
...
Next:
→ rotate-cli who --from-scan JSON (agent mode)
$ ROTATE_CLI_AGENT_MODE=1 rotate-cli scan { "command": "scan", "status": "success", "data": { "projects_scanned": 318, "total_secrets": 462, "by_adapter": {"clerk": 99, ... }, "secrets": [ ... ], "skipped": [{ "var_name": "NODE_ENV", ... }] } }
Authentication
Scan reuses the Vercel CLI's auth token from ~/Library/Application Support/com.vercel.cli/auth.json.
Override with VERCEL_TOKEN in .env.local. The token
needs All teams scope for a full sweep.
Hunter's vault, real numbers. 318 projects · 462
mapped · 366 unmapped. Of the unmapped, ~50 are config/IDs
(NODE_ENV, project refs), ~80 are providers not yet
supported by an adapter (see adapters),
the rest are one-off app vars.