
TRUSTED_SOURCES_OIDC_DISCOVERY_FAILED

The TRUSTED_SOURCES_OIDC_DISCOVERY_FAILED error occurs when a request reaches a deployment protected by Trusted Sources with an OIDC token whose issuer is configured as a custom trusted source, but Vercel can't fetch a valid OpenID Connect discovery document from that issuer.

This usually means the issuer URL is unreachable, doesn't serve a valid /.well-known/openid-configuration document, or resolves to a host that can't be reached from the public internet.

403

TRUSTED_SOURCES_OIDC_DISCOVERY_FAILED:

Forbidden


To resolve this error:

  1. Confirm the issuer URL configured under the project's Trusted Sources matches the iss claim on the token exactly, including scheme and trailing path.
  2. From a public network, fetch <issuer>/.well-known/openid-configuration and verify it returns a valid JSON discovery document with jwks_uri, issuer, and supported algorithms.
  3. Check that the issuer's host resolves publicly and isn't behind a private network, VPN, or firewall that blocks inbound connections from Vercel.
  4. If the issuer was recently rotated or migrated, retry the request after DNS and any caches have settled.
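The first three checks can be scripted and run from a machine on a public network. This is an added Python example, not Vercel's code or part of the original documentation; the function names and the idp.example.com issuer are constructed, and the `id_token_signing_alg_values_supported` field name, the issuer comparison against the document, and the https requirement on `jwks_uri` are assumptions taken from the OpenID Connect Discovery specification rather than from this page.

```python
import base64, ipaddress, json, socket, urllib.request
from urllib.parse import urlsplit

def token_issuer(jwt):
    """Read the iss claim without verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]

def discovery_url(issuer):
    # OIDC Discovery: drop a terminating "/" before appending the well-known path
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_document(issuer, timeout=5):
    """Step 2: fetch the discovery document; run this from a public network."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)

def resolve(host):
    """Step 3: addresses the issuer host resolves to from this resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)})

def non_public(addresses):
    """Private, loopback, link-local or otherwise not globally routable addresses."""
    return [a for a in addresses if not ipaddress.ip_address(a).is_global]

def check(configured_issuer, token_iss, doc, addresses):
    problems = []
    if token_iss != configured_issuer:            # step 1: exact string comparison
        problems.append(f"token iss {token_iss!r} != configured {configured_issuer!r}")
    if not isinstance(doc, dict):
        return problems + ["discovery document is not a JSON object"]
    if doc.get("issuer") != configured_issuer:    # assumption: per OIDC Discovery
        problems.append(f"document issuer {doc.get('issuer')!r} != configured issuer")
    if urlsplit(str(doc.get("jwks_uri", ""))).scheme != "https":
        problems.append("jwks_uri missing or not https")
    if not doc.get("id_token_signing_alg_values_supported"):
        problems.append("no supported signing algorithms listed")
    problems += [f"{a} is not publicly routable" for a in non_public(addresses)]
    return problems

if __name__ == "__main__":
    # Constructed sample values; use fetch_document()/resolve() output for a real issuer
    issuer = "https://idp.example.com/tenant"
    doc = {"issuer": issuer + "/", "jwks_uri": issuer + "/jwks"}
    for p in check(issuer, issuer + "/", doc, ["10.0.0.5", "8.8.8.8"]):
        print("FAIL:", p)
```

An empty list from `check` means none of these conditions was found; it does not confirm that Vercel's own fetch will succeed, since that request originates from Vercel's network.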

If the issuer is intentionally private or unreachable from the public internet, it can't be used as a Trusted Source. Use a different bypass method, such as Protection Bypass for Automation, instead.

For more details on configuring custom issuers, see the Trusted Sources documentation.

