Trusted Sources lets protected deployments accept short-lived identity tokens (OIDC) from Vercel projects and external services you authorize, so you no longer have to share a long-lived Protection Bypass for Automation secret. Trusted Sources is the recommended approach, but Protection Bypass for Automation continues to work.
Callers attach an OIDC token in the x-vercel-trusted-oidc-idp-token header. Vercel then verifies the signature, checks the claims you configured, and confirms the environment matches the rule.
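The three checks described above (signature, configured claims, environment), written out as an added example; this is not Vercel's implementation or code from this page. The rule shape, the `environment` claim name, the issuer key and all claim values are assumptions constructed for the demo.

```javascript
const crypto = require('node:crypto');

// Constructed issuer key pair; a real verifier would use the issuer's published keys.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64u = (v) => Buffer.from(v).toString('base64url');

// Demo helper: mint an RS256 token as the constructed issuer would.
function mintToken(claims, key = privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

// Hypothetical rule: trusted issuer key, exact-match claims, allowed source environments.
function checkTrustedSource(token, rule, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm; the token header must never choose how it is verified.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`),
    rule.issuerKey, Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad-signature' };
  // Claims are only trusted once the signature has been verified.
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  for (const [name, want] of Object.entries(rule.claims)) {
    if (claims[name] !== want) return { ok: false, reason: `claim:${name}` };
  }
  if (!rule.fromEnvironments.includes(claims.environment)) return { ok: false, reason: 'environment' };
  return { ok: true, reason: 'accepted' };
}

// Constructed sample rule and claims (placeholder issuer and audience).
const rule = {
  issuerKey: publicKey,
  claims: { iss: 'https://idp.example', aud: 'https://protected.example' },
  fromEnvironments: ['production'],
};
const base = { ...rule.claims, environment: 'production', exp: Math.floor(Date.now() / 1000) + 300 };
console.log(checkTrustedSource(mintToken(base), rule));
console.log(checkTrustedSource(mintToken({ ...base, environment: 'preview' }), rule));
```

A correctly signed token from the right issuer is still rejected when its environment is outside the rule, which is the property the from/to environment pairs rely on.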
Authorize Vercel projects
By default, the Vercel OIDC token for a project can call its own deployments. To authorize another project in the same team, add it to Trusted Sources.
Self-access and cross-project rules are both customizable with from/to environment pairs. To authenticate a request from a project, forward its Vercel OIDC token:
    import { getVercelOidcToken } from '@vercel/oidc';

    await fetch('https://protected-project.vercel.app/api/data', {
      headers: { 'x-vercel-trusted-oidc-idp-token': await getVercelOidcToken() },
    });

Vercel Function example
Authorize external services
Any custom OIDC provider can be authorized as a trusted external service, such as GitHub Actions, or a Vercel project in another team.
    # The job needs `permissions: id-token: write` for core.getIDToken() to succeed.
    - uses: actions/github-script@v7
      id: token
      with:
        script: |
          const token = await core.getIDToken();
          core.setSecret(token);
          core.setOutput('token', token);
    - run: |
        curl -sSf https://protected-project.vercel.app/api/data \
          -H "x-vercel-trusted-oidc-idp-token: ${{ steps.token.outputs.token }}"

GitHub Action example
Read the documentation to learn more.