Advanced

Use this page when you need to create your own Microsoft Entra app, change API permissions, enable uploads, or understand which environment variables replace the old config files.

Microsoft Entra App Registration

Open Microsoft Azure App registrations, sign in with the Microsoft account or tenant that owns the OneDrive, and create a new registration.

Recommended registration values:

  1. Name: VercelDrive, or any name that helps you recognize the app.
  2. Supported account types: accounts in any organizational directory and personal Microsoft accounts.
  3. Redirect URI: Web and http://localhost.

After registration, copy the Application (client) ID. This is your CLIENT_ID.

Client Secret

Open Certificates & secrets, create a new client secret, and copy the secret value immediately. Microsoft only shows the value once.

VercelDrive expects the client secret to be AES-obfuscated before it is stored as CLIENT_SECRET.

Obfuscate your client secret with the tool on this page: enter your client secret and copy the obfuscated client secret it returns.

The result should look similar to this:

U2FsdGVkX1830zo3/pFDqaBCVBb37iLw3WnBDWGF9GIB2f4apzv0roemp8Y+iIxI3Ih5ecyukqELQEGzZlYiWg==

API Permissions

Open API permissions, select Microsoft Graph, select Delegated permissions, and add the scopes that match your setup mode.

Read-only mode

Use read-only mode when the site should only browse, preview, share, and download files.

Required delegated permissions:

  • User.Read
  • Files.Read.All
  • offline_access

Do not set UPLOAD_PASSWORD in Vercel for this mode.

Read/write upload mode

Use read/write mode when browser uploads and folder creation should be available.

Required delegated permissions:

  • User.Read
  • Files.ReadWrite.All
  • offline_access

Set UPLOAD_PASSWORD in Vercel. You can also set UPLOAD_CONFLICT_BEHAVIOR to rename, replace, or fail.

⚠️ Changing permissions does not update already stored OAuth tokens. Clear <KV_PREFIX>access_token and <KV_PREFIX>refresh_token from Redis/KV, then authenticate again.

Environment Variables and Resources

These variables replace the old config/api.config.js and config/site.config.js setup.

| Variable | Required | Description | Resource |
| --- | --- | --- | --- |
| NEXT_PUBLIC_SITE_TITLE | Yes | Title shown in the UI, for example 2Drive | Custom configs |
| USER_PRINCIPAL_NAME | Yes | OneDrive account email, for example example@outlook.com | Getting Started |
| BASE_DIRECTORY | Yes | Root OneDrive folder exposed by the site | Custom configs |
| CLIENT_ID | Yes | Application (client) ID from Microsoft Entra App Registration | App Registration |
| CLIENT_SECRET | Yes | AES-obfuscated client secret using the tool above | Client Secret |
| REDIS_URL | Yes | Redis connection string (Upstash auto-injects on Vercel) | Cache |
| UPLOAD_PASSWORD | Upload mode only | Server-side password that protects uploads | Password upload gate |
| NEXT_PUBLIC_PROTECTED_ROUTES | Optional | Comma-separated protected folder paths | Password protected folders |
| KV_PREFIX | Optional | Redis key prefix when multiple deployments share one Redis | Cache |
| NEXT_PUBLIC_EMAIL | Optional | Contact email shown in the site header | Custom configs |
| UPLOAD_CONFLICT_BEHAVIOR | Optional | Duplicate-name behavior: rename, replace, or fail | Upload conflict behavior |

Only variables intentionally used in the browser should start with NEXT_PUBLIC_.

Password Upload Gate

Uploads are protected by UPLOAD_PASSWORD. The browser submits the password to /api/upload/auth, and the server sets a short-lived, HTTP-only upload authorization cookie. Upload APIs still verify that authorization server-side on every request.

Important behavior:

  • Leaving UPLOAD_PASSWORD empty disables uploads.
  • The password is never a NEXT_PUBLIC_ variable.
  • The UI password prompt is not the security boundary; the API route checks are.
  • The upload session can be cleared by signing out, waiting for the cookie to expire, or clearing site cookies.

Upload Conflict Behavior

UPLOAD_CONFLICT_BEHAVIOR controls what happens when an uploaded file has the same name as an existing OneDrive file.

Supported values:

  • rename: keep both files and let OneDrive rename the new file.
  • replace: overwrite the existing file.
  • fail: reject the upload when a file already exists.

If the variable is missing or invalid, VercelDrive uses rename.

Token Reset For Permission Changes

When you change Microsoft Graph permissions, clear the stored tokens before authenticating again.

Redis keys:

<KV_PREFIX>access_token
<KV_PREFIX>refresh_token

If KV_PREFIX is empty, the keys are simply access_token and refresh_token.

An upload-authorized admin can also call:

POST /api/upload/reset-auth-tokens
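
The rules from the environment table, the upload gate, the conflict setting and the token reset can be checked in one pass before deploying. This is an added example, not VercelDrive's own code: `auditEnv`, the `SERVER_ONLY` list and the exact-match handling of UPLOAD_CONFLICT_BEHAVIOR are assumptions, and the sample values are constructed.

```javascript
// Added example: audit a VercelDrive-style environment against the rules on this page.
const REQUIRED = ['NEXT_PUBLIC_SITE_TITLE', 'USER_PRINCIPAL_NAME', 'BASE_DIRECTORY',
  'CLIENT_ID', 'CLIENT_SECRET', 'REDIS_URL'];
const CONFLICT_VALUES = ['rename', 'replace', 'fail'];
// Assumption: these are the values that must never get a browser-exposed NEXT_PUBLIC_ twin.
const SERVER_ONLY = ['CLIENT_SECRET', 'UPLOAD_PASSWORD', 'REDIS_URL'];

function auditEnv(env) {
  const problems = [];
  const has = (k) => typeof env[k] === 'string' && env[k].trim() !== '';
  for (const k of REQUIRED) if (!has(k)) problems.push(`missing required variable ${k}`);
  for (const k of SERVER_ONLY) {
    if (has(`NEXT_PUBLIC_${k}`)) problems.push(`NEXT_PUBLIC_${k} exposes a server-side value to the browser`);
  }

  // An empty UPLOAD_PASSWORD disables uploads, so it decides the mode and the Graph scopes.
  const mode = has('UPLOAD_PASSWORD') ? 'read-write' : 'read-only';
  const scopes = ['User.Read', mode === 'read-write' ? 'Files.ReadWrite.All' : 'Files.Read.All', 'offline_access'];

  // Missing or invalid values fall back to rename (assumed here: exact lowercase match).
  const raw = env.UPLOAD_CONFLICT_BEHAVIOR;
  const conflictBehavior = CONFLICT_VALUES.includes(raw) ? raw : 'rename';
  if (has('UPLOAD_CONFLICT_BEHAVIOR') && conflictBehavior !== raw) {
    problems.push(`UPLOAD_CONFLICT_BEHAVIOR="${raw}" is invalid; rename will be used`);
  }

  // Redis keys to clear after changing Microsoft Graph permissions.
  const prefix = env.KV_PREFIX || '';
  const tokenKeys = [`${prefix}access_token`, `${prefix}refresh_token`];
  return { mode, scopes, conflictBehavior, tokenKeys, problems };
}

// Constructed sample values, not real credentials.
const sample = {
  NEXT_PUBLIC_SITE_TITLE: '2Drive', USER_PRINCIPAL_NAME: 'example@outlook.com',
  BASE_DIRECTORY: '/Public', CLIENT_ID: '00000000-0000-0000-0000-000000000000',
  CLIENT_SECRET: '<obfuscated-secret-placeholder>', REDIS_URL: 'redis://localhost:6379',
  UPLOAD_PASSWORD: 'constructed-password', NEXT_PUBLIC_UPLOAD_PASSWORD: 'constructed-password',
  UPLOAD_CONFLICT_BEHAVIOR: 'overwrite', KV_PREFIX: 'site1:',
};
console.log(auditEnv(sample));
```

The returned `scopes` are the delegated permissions the app registration should carry for the detected mode, and `tokenKeys` are the Redis keys to delete if those permissions were changed.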

Custom Domain

Custom domains are configured in Vercel under Project Settings > Domains. See Vercel custom domain documentation.