Deployment Protection
Learn how to use the Deployment Protection feature, which makes your preview URLs private and allows access in a flexible and secure way.The Deployment Protection feature makes your preview URLs private and allows access in a flexible and secure way. Deployment Protection is a per-project feature that is enabled from your project settings. All members on Hobby, Pro, and Enterprise accounts can regulate access to a preview build using the Vercel dashboard. Any user with access to the team will be able to view protected deployments.
Vercel Authentication
Protect preview deployments for free on all plans.
Password Protection
Protect your deployments using a password of your choice.
Protection Bypass for AutomationBeta
Allow automation services to access protected deployments (for CI/CD).
Private Production Deployments
Protect Production Deployments as well as Preview Deployments.
Shareable LinksBeta
Grant access to external collaborators.
Feature | Description | Hobby | Pro | Enterprise | |
|---|---|---|---|---|---|
Vercel Authentication | Protect preview deployments for free on all plans | ||||
Password Protection | Use a password to protect deployments | ||||
Private Production Deployments | Protect your production deployments | ||||
Shareable Links | Grant access to external collaborators | One link per account | Unlimited | Unlimited | Unlimited |
Protection Bypass for Automation | To bypass deployment protection e.g. for E2E test suites |
Vercel Authentication provides a way for you to control access to your Preview Deployments. When you have enabled Vercel Authentication, only logged-in members with at least Viewer access on your team will be able to view your site.
If a user tries to access your preview deployment, they'll be redirected to log in with Vercel first. Once logged in, the user will be redirected to the deployment, and a cookie will then be set in the user's browser.
Deployment protected with Vercel Authentication authentication screen.
Admins and members can enable or disable Vercel Authentication for their team. Personal Accounts can also enable or disable for their own Hobby projects. Vercel Authentication is managed on a per-project basis.
To manage Vercel Authentication, do the following:
From the Vercel dashboard, select the project that you wish to enable Vercel Authentication for.
Enabling Vercel Authentication.
- If you disable Vercel Authentication, all existing deployments of the project will become unprotected
- If you disable the authentication and then enable it, users who previously logged into the deployment with Vercel will continue to be able to access the page without logging in again
- You can use Vercel Authentication in conjunction with Password Protection
- The token sent as a cookie is valid for one URL and cannot be reused for different URLs, even if these URLs point to the same deployment
- Vercel Authentication is available on all account types. However, Hobby accounts can have only one shareable link at a time
- Shareable Links can be used to grant access to external collaborators without logging in with Vercel
- Vercel Authentication can be bypassed using the Protection Bypass for Automation
- CORS-preflight
OPTIONSrequests are not protected per CORS specifications
With Password Protection enabled, visitors to your preview deployment must enter the pre-defined password to gain access. You can set the desired password from your project settings when enabling the feature.
Deployment protected with Password Protection authentication screen.
To password-protect your deploy URLs, turn on the toggle and enter a password of your choice. Click Save, and all your existing and future Preview Deployments are protected with a password for that project.
Next time when you access the deployment, you will be asked to log in by entering the password, which takes you to the deployment. A cookie will then be set in your browser, giving access to all Preview Deployments of the project.
Enabling Password Protection.
- If you change the password, users who have previously entered the password with a set cookie will need to enter a new password
- If you disable password protection, all existing deployments of the project will become unprotected
- If you disable the protection and then enable it without changing the password, users with a set cookie will continue to access the deployments without re-entering the password
- You can use Password Protection in conjunction with Vercel Authentication.
- The JWT token set as a cookie is valid for one URL and cannot be reused for different URLs, even if these URLs point to the same deployment
- Shareable Links can be used to grant access to external collaborators without the password
- Password Protection can be bypassed using the Protection Bypass for Automation
- CORS-preflight
OPTIONSrequests are not protected per CORS specifications
To protect Production Deployments in addition to Preview Deployments, select "All Deployments" from the protection settings dropdown and click Save. This will make all your production deployments private (including the current and previous production deployments). You can enable production protection using Password Protection and Vercel Authentication.
Shareable links provide a way to allow external users to access your branch-specific deployments through a secure parameter in the query string. Users with this link can view the latest deployment from a specific branch when logged in with their Vercel account. Sharable links include the ability to leave Comments if these are enabled on your team.
Users with the Admin, Member, and Developer roles can create or revoke Sharable Links for their team's Projects. Personal Accounts can also create or revoke sharable links for their own Hobby projects. Sharable Links are managed on a per-branch basis.
To manage Sharable Links, do the following:
From the Vercel dashboard, select the project that you wish to enable Vercel Authentication for.
Share Preview popover showing Anyone with Link option selected.
The Protection Bypass for Automation feature allows you to bypass Vercel Deployment Protection (Password Protection and Vercel Authentication) for automated tooling (e.g. E2E testing).
The generated secret can be used to bypass Deployment Protection on all deployments in a project until it is revoked.
Protection Bypass for Automation option with advanced deployment protection feature.
To use Protection Bypass for Automation, set an HTTP header (or query parameter*) named x-vercel-protection-bypass with the value of the generated secret for the project.
*Using a header is strongly recommended, however in cases where your automation tool is unable to specify a header, it is also possible to set the same name and value as a query parameter.
x-vercel-protection-bypass: your-generated-secret (required)
To bypass authorization on follow-up requests (e.g. for in-browser testing) you can set an additional header or query parameter named x-vercel-set-bypass-cookie with the value true.
This will set the authorization bypass as a cookie using a redirect with a Set-Cookie header.
x-vercel-set-bypass-cookie: true (optional)
If you are accessing the deployment through a non-direct way (e.g. in an iframe) then you may need to further configure x-vercel-set-bypass-cookie by setting the value to samesitenone.
This will set SameSite to None on the Set-Cookie header, by default SameSite is set to Lax.
x-vercel-set-bypass-cookie: samesitenone (optional)