Introducing new token formats and secret scanning

When Vercel API credentials are accidentally committed to public GitHub repositories, gists and npm packages, Vercel now automatically revokes them to protect your account from unauthorized access.

When the exposed credentials are detected, you'll receive notifications and can review any discovered tokens and API keys in your dashboard. This detection is powered by GitHub secret scanning and brings an extra layer of security to all Vercel and v0 users.

As part of this change, we've also updated token and API key formats to make them visually identifiable. Each credential type now includes a prefix:

• vcp for Vercel personal access tokens

• vci for Vercel integration tokens

• vca for Vercel app access tokens

• vcr for Vercel app refresh tokens

• vck for Vercel API keys

We recommend reviewing your tokens and API keys regularly, rotating long-lived credentials, and revoking unused ones.

Learn more about account security.