Vercel launches Trusted Sources to secure your deployments
TL;DR
Vercel introduces Trusted Sources, letting protected deployments accept short-lived OIDC tokens from authorized Vercel projects and external services instead of long-lived secrets. Callers attach the token in the x-vercel-trusted-oidc-idp-token header, and Vercel verifies its signature and claims before granting access.
What changed
Vercel added Trusted Sources for Deployment Protection. Protected deployments now accept short-lived OIDC identity tokens from Vercel projects and authorized external services via the x-vercel-trusted-oidc-idp-token header. Vercel verifies the token signature, checks configured claims, and confirms the environment, replacing the need for long-lived Protection Bypass for Automation secrets.
Why it matters
Trusted Sources is a more secure alternative to Protection Bypass for Automation for automated access to protected deployments. Developers no longer have to manage long-lived secrets in CI/CD workflows, where such secrets are prone to compromise. GitLab CI users gain an OIDC-based option comparable to the workload identity features available elsewhere.
What to watch for
Compare Trusted Sources against the legacy Protection Bypass for Automation method still supported by Vercel. Test it by generating an OIDC token from an authorized service and attaching it to the header on a protected deployment to verify access.
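As an added illustration (not Vercel's code, and not a description of how Vercel implements Trusted Sources), the following shows both halves of the exchange the page describes: a caller minting a short-lived token and attaching it in the x-vercel-trusted-oidc-idp-token header, and a verifier that checks the signature, the configured issuer and audience claims, expiry, the target environment, and whether the subject is an authorized source. Only the header name comes from the page; the claim name `environment`, the issuer, audience and subject values, and the use of HMAC-SHA256 (a real OIDC identity provider signs with an asymmetric key that the verifier fetches from its JWKS endpoint) are assumptions made so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Header name taken from the page; everything below it is assumed for the demo.
HEADER_NAME = "x-vercel-trusted-oidc-idp-token"

# Constructed values: which issuer and audience the verifier trusts, which
# environment the deployment belongs to, and which subjects are authorized.
ISSUER = "https://idp.example"              # assumed issuer URL
AUDIENCE = "https://my-app-preview.example"  # assumed deployment audience
ENVIRONMENT = "preview"                      # assumed environment claim value
ALLOWED_SUBJECTS = {"project:ci-deployer"}   # assumed allowlist of trusted sources

# Constructed demo key. HMAC stands in for the IdP's asymmetric signature so
# that minting and verifying can both happen in this one file.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def caller_headers(subject: str, now=None, lifetime: int = 300) -> dict:
    """What a trusted source sends: a token that expires after `lifetime` seconds."""
    now = int(time.time() if now is None else now)
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "environment": ENVIRONMENT, "iat": now, "exp": now + lifetime}
    return {HEADER_NAME: mint_token(DEMO_KEY, claims)}


class TokenError(Exception):
    """Carries the short reason a token was rejected."""


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Signature first, then every configured claim; any failure raises TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm so an attacker-chosen "alg" (e.g. "none") is never honored.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        raise TokenError("malformed token")
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired")
    if claims.get("environment") != ENVIRONMENT:
        raise TokenError("environment mismatch")
    if claims.get("sub") not in ALLOWED_SUBJECTS:
        raise TokenError("subject not an authorized source")
    return claims


def authorize_request(headers: dict, now=None) -> tuple:
    """Return (allowed, reason) for one incoming request to the protected deployment."""
    token = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME)
    if not token:
        return False, "no trusted-source token"
    try:
        claims = verify_token(token, DEMO_KEY, now)
    except TokenError as err:
        return False, str(err)
    return True, f"trusted source {claims['sub']}"


if __name__ == "__main__":
    t = 1_700_000_000
    print(authorize_request(caller_headers("project:ci-deployer", now=t), now=t))
    print(authorize_request(caller_headers("project:ci-deployer", now=t - 600), now=t))
    print(authorize_request(caller_headers("project:rogue", now=t), now=t))
```

The ordering in `verify_token` is the part worth copying: the signature is checked before any claim is read, the algorithm is pinned rather than taken from the token, and the expiry window is short, so a token that leaks from a CI log is useful for minutes rather than indefinitely, which is the improvement over a static bypass secret.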
Who this matters for
- Vibe Builders: Use OIDC tokens to keep your project environments secure without managing static secrets.
- Developers: Implement OIDC-based authentication via the x-vercel-trusted-oidc-idp-token header for safer CI/CD.
Harsh’s take
Vercel is finally moving away from the security nightmare of long-lived static secrets for deployment protection. By adopting OIDC tokens, they align with modern identity standards that prioritize short-lived, verifiable credentials over hardcoded bypass keys. This shift reduces the blast radius of a potential credential leak in your CI pipeline.
Stop relying on legacy Protection Bypass secrets immediately. The implementation requires configuring specific claims and verifying signatures, but the trade-off is a significantly hardened deployment workflow. Audit your current automation scripts and migrate to this header-based authentication to ensure your protected environments remain locked down while still allowing legitimate CI/CD traffic.
by Harsh Desai