Vercel launches Trusted Sources to secure your deployments
TL;DR
Vercel introduces Trusted Sources, letting protected deployments accept short-lived OIDC tokens from authorized Vercel projects and external services instead of long-lived secrets. Callers attach the token in the x-vercel-trusted-oidc-idp-token header, and Vercel verifies its signature and claims.
What changed
Vercel added Trusted Sources for Deployment Protection. Protected deployments now accept short-lived OIDC identity tokens from Vercel projects and authorized external services via the x-vercel-trusted-oidc-idp-token header. Vercel verifies the token signature, checks configured claims, and confirms the environment, replacing the need for long-lived Protection Bypass for Automation secrets.
Why it matters
Trusted Sources offers a secure upgrade over Protection Bypass for Automation for automated deployments to protected environments. Developers avoid managing long-lived secrets prone to compromise in CI/CD workflows. GitLab CI users gain an OIDC-based option similar to their workload identity features.
What to watch for
Compare Trusted Sources against the legacy Protection Bypass for Automation method still supported by Vercel. Test it by generating an OIDC token from an authorized service and attaching it to the header on a protected deployment to verify access.
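A caller-side pre-flight for the test described above, as an added example that is not Vercel's code or part of the original article: it reads the token's claims locally, flags an expired or long-lived token or a claim that differs from what you configured, and builds the request with the header. The function names, the example.com values, the expected claims and the 3600-second lifetime threshold are all assumptions; signature verification stays on Vercel's side.

```python
import base64, json, time, urllib.request

HEADER = "x-vercel-trusted-oidc-idp-token"  # header name given in the article

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped token for the demo (not a real credential)."""
    head = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{head}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'constructed-signature')}"

def decode_claims(token: str) -> dict:
    """Read the payload only. No signature check: that is the verifier's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    body = parts[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def preflight(token, expected, now=None, max_lifetime=3600):
    """Return a list of problems; an empty list means the token is worth sending."""
    now = time.time() if now is None else now
    claims, problems = decode_claims(token), []
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)):
        problems.append("no exp claim: token is not short-lived")
    elif exp <= now:
        problems.append("token expired")
    elif isinstance(iat, (int, float)) and exp - iat > max_lifetime:
        # max_lifetime is an assumed local policy, not a documented Vercel limit
        problems.append(f"lifetime {exp - iat:.0f}s exceeds {max_lifetime}s")
    for name, want in expected.items():
        if claims.get(name) != want:
            problems.append(f"claim {name!r} is {claims.get(name)!r}, expected {want!r}")
    return problems

def build_request(url, token):
    """Attach the token in the Trusted Sources header; never log the token itself."""
    return urllib.request.Request(url, headers={HEADER: token})

if __name__ == "__main__":
    now = int(time.time())
    expected = {"iss": "https://gitlab.example.com"}  # constructed value
    tok = make_sample_token({"iss": "https://gitlab.example.com", "iat": now, "exp": now + 300})
    print(preflight(tok, expected) or "ok")
    print(build_request("https://protected-preview.example.com/", tok).header_items()[0][0])
```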
Who this matters for
- Vibe Builders: Use OIDC tokens to keep your project environments secure without managing static secrets.
- Developers: Implement OIDC-based authentication via the x-vercel-trusted-oidc-idp-token header for safer CI/CD.
Harsh’s take
Vercel is finally moving away from the security nightmare of long-lived static secrets for deployment protection. By adopting OIDC tokens, they align with modern identity standards that prioritize short-lived, verifiable credentials over hardcoded bypass keys. This shift reduces the blast radius of a potential credential leak in your CI pipeline.
Stop relying on legacy Protection Bypass secrets immediately. The implementation requires configuring specific claims and verifying signatures, but the trade-off is a significantly hardened deployment workflow. Audit your current automation scripts and migrate to this header-based authentication to ensure your protected environments remain locked down while still allowing legitimate CI/CD traffic.
by Harsh Desai