Trusted Sources lets protected deployments accept short-lived identity tokens (OIDC) from Vercel projects and external services you authorize, so you no longer have to share a long-lived Protection Bypass for Automation secret. Trusted Sources is the recommended approach, but Protection Bypass for Automation continues to work.
Callers attach an OIDC token in the x-vercel-trusted-oidc-idp-token header. Vercel then verifies the signature, checks the claims you configured, and confirms the environment matches the rule.

Authorize Vercel projects
By default, the Vercel OIDC token for a project can call its own deployments. To authorize another project in the same team, add it to Trusted Sources.
Self-access and cross-project rules are both customizable with from/to environment pairs. To authenticate a request from a project, forward its Vercel OIDC token:

Authorize external services
Any custom OIDC provider can be authorized as a trusted external service, such as GitHub Actions, or a Vercel project in another team.
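The three checks described above (signature, configured claims, environment pairing) can be sketched as follows. This is an added example, not Vercel's code: the rule shape, the issuer URL and the project and environment claim names are assumptions, and the key pair and tokens are constructed for the demonstration.

```javascript
// Added illustration. Claim names, rule shape and issuer URL are assumptions,
// not Vercel's implementation; the key pair and tokens are constructed samples.
const nodeCrypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Mint a constructed RS256 token, standing in for the caller's OIDC provider.
function mintToken(claims, key = privateKey, alg = 'RS256') {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${nodeCrypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Hypothetical rule: trusted issuer, pinned claims, allowed from -> to environments.
const rule = {
  issuer: 'https://oidc.example.test/acme',
  claims: { project: 'billing-api' },
  environments: [{ from: 'production', to: 'production' }, { from: 'preview', to: 'preview' }],
};

// Returns 'ok' or a rejection reason; checks run in the order the text lists them.
function checkTrustedSource(token, rule, issuerKey, targetEnv, now = Date.now() / 1000) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'malformed';
  let header, claims;
  try {
    [header, claims] = parts.slice(0, 2).map((p) => JSON.parse(Buffer.from(p, 'base64url').toString()));
  } catch { return 'malformed'; }
  if (!header || !claims) return 'malformed';
  // 1. Signature: pin the algorithm rather than trusting the token header.
  if (header.alg !== 'RS256') return 'bad-alg';
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!nodeCrypto.verify('RSA-SHA256', signed, issuerKey, Buffer.from(parts[2], 'base64url'))) return 'bad-signature';
  // 2. Claims: issuer and expiry, then every claim the rule pins must match exactly.
  if (claims.iss !== rule.issuer) return 'bad-issuer';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  for (const [name, want] of Object.entries(rule.claims)) {
    if (claims[name] !== want) return `claim-mismatch:${name}`;
  }
  // 3. Environment: the caller's environment must be paired with the target's.
  const paired = rule.environments.some((e) => e.from === claims.environment && e.to === targetEnv);
  return paired ? 'ok' : 'environment-not-allowed';
}

const sample = { iss: rule.issuer, project: 'billing-api', environment: 'preview', exp: Math.floor(Date.now() / 1000) + 300 };
console.log(checkTrustedSource(mintToken(sample), rule, publicKey, 'preview'));    // same-environment call
console.log(checkTrustedSource(mintToken(sample), rule, publicKey, 'production')); // cross-environment call
```

A validly signed token from the right project is still rejected when its environment is not paired with the target, which is what separates a from/to rule from a shared bypass secret.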
Read the documentation to learn more.