Trusted Sources for Deployment Protection
Mirrored from Vercel — AI for archival readability. Support the source by reading on the original site.
Trusted Sources lets protected deployments accept short-lived identity tokens (OIDC) from Vercel projects and external services you authorize, so you no longer have to share a long-lived Protection Bypass for Automation secret. Trusted Sources is the recommended approach, but Protection Bypass for Automation continues to work
Callers attach an OIDC token in the x-vercel-trusted-oidc-idp-token header. Vercel then verifies the signature, checks the claims you configured, and confirms the environment matches the rule.
Authorize Vercel projects
By default, the Vercel OIDC token for a project can call its own deployments. To authorize another project in the same team, add it to Trusted Sources.
Self-access and cross-project rules are both customizable with from/to environment pairs. To authenticate a request from a project, forward its Vercel OIDC token:
Authorize external services
Any custom OIDC provider can be authorized as a trusted external service, such as GitHub Actions, or a Vercel project in another team.
Read the documentation to learn more.
Discussion (0)
Sign in to join the discussion. Free account, 30 seconds — email code or GitHub.
Sign in →No comments yet. Sign in and be the first to say something.