Skip to content
VercelVercel
Menu

TRUSTED_SOURCES_ENVIRONMENT_MISMATCH

The TRUSTED_SOURCES_ENVIRONMENT_MISMATCH error occurs when a request from one Vercel project to another (or to itself) reaches a deployment protected by Trusted Sources with a valid OIDC token, but the caller's environment is not allowed to reach the target deployment's environment under the project's current rules.

For example, a token issued for a preview deployment trying to reach a production deployment will be rejected unless a rule on the target project explicitly allows it.

403

TRUSTED_SOURCES_ENVIRONMENT_MISMATCH:

Forbidden

Troubleshoot

AI Assistance

I'm encountering an error and reviewing the docs at https://vercel.com/docs/errors/TRUSTED_SOURCES_ENVIRONMENT_MISMATCH.md to understand what's happening. Please help me resolve this by: 1. **Suggest the fix**: Analyze my codebase context and propose what needs to be changed to resolve this error. If you do not have access to my codebase, ask me for the codebase and try to fix the error based on the information you have. 2. **Explain the root cause**: Break down why this error occurred: - What was the code actually doing vs. what it needed to do? - What conditions triggered this specific error? - What misconception or oversight led to this? 3. **Teach the concept**: Help me understand the underlying principle: - Why does this error exist and what is it protecting me from? - What's the correct mental model for this concept? - How does this fit into the broader framework/language design? 4. **Show warning signs**: Help me recognize this pattern in the future: - What should I look out for that might cause this again? - Are there similar mistakes I might make in related scenarios? - What code smells or patterns indicate this issue? 5. **Discuss alternatives**: Explain if there are different valid approaches and their trade-offs My goal is to fix the immediate issue while building lasting understanding so I can avoid and resolve similar errors independently in the future.

To resolve this error, add a custom access rule to the target project's Trusted Sources so the caller's environment is permitted to reach the target environment:

  1. Open the target project's Settings, then go to Deployment Protection, and find the Trusted Sources section.
  2. Locate the entry for the calling project under Vercel Projects. If the caller is the same project, use the entry pinned at the top of the list and labeled (this project).
  3. Edit the entry's rules so the caller's from environment is allowed to reach the target's to environment. For example, allow from: preview to to: production if a preview deployment needs to call production.
  4. Save the rule and retry the request.

If you didn't expect this caller to reach the deployment, no change is required: the request was correctly blocked.

For more details on how rules are matched and which claims are checked, see the Trusted Sources documentation.

Was this helpful?

supported.