
Deployment Protection

Learn how to use the Deployment Protection feature, which makes your preview URLs private and allows access in a flexible and secure way.

The Deployment Protection feature makes your preview URLs private and allows access in a flexible and secure way. Deployment Protection is a per-project feature that is enabled from your project settings. All members on Hobby, Pro, and Enterprise accounts can regulate access to a preview build using the Vercel dashboard. Any user with access to the team will be able to view protected deployments.

Feature
Description
Hobby
Pro
Enterprise
Protect preview deployments for free on all plans
Grant access to external collaborators' Vercel accounts
One external user per account
Unlimited
Unlimited
Unlimited
Grant access to external collaborators
One link per account
Unlimited
Unlimited
Unlimited
Use a password to protect deployments
To bypass deployment protection e.g. for E2E test suites
Protect your production deployments
Restrict deployment access to a list of IP addresses and IP ranges

Vercel Authentication is available on all plans

Vercel Authentication provides a way for you to control access to your Preview Deployments. When you have enabled Vercel Authentication, only logged-in members with at least Viewer access on your team will be able to view your site.

If a user tries to access your preview deployment, they'll be redirected to log in with Vercel first. Once logged in, the user will be redirected to the deployment, and a cookie will then be set in the user's browser.

Deployment protected with Vercel Authentication authentication screen.

Access Requests are available in Beta on all plans

When a Vercel user visits your protected deployment, but they do not have permission to access it, they have the option to request access for their Vercel account. This request triggers an email and Vercel notification to the branch authors.

External users can request access to protected deployments.

This access request can be approved or declined in the share modal on the deployment. Additionally, granted access can be revoked for a user at any time using the share modal.

Users granted access can view the latest deployment from a specific branch when logged in with their Vercel account. They can also leave preview Comments if these are enabled on your team.

Access requests can be approved, declined and revoked in the deployment share modal.

  • CORS-preflight OPTIONS requests are not protected per CORS specifications
  • If you disable Vercel Authentication, all existing deployments of the project will become unprotected
  • If you disable the authentication and then enable it, users who previously logged into the deployment with Vercel will continue to be able to access the page without logging in again
  • The token sent as a cookie is valid for one URL and cannot be reused for different URLs, even if these URLs point to the same deployment

Admins and members can enable or disable Vercel Authentication for their team. Personal Accounts can also enable or disable it for their own Hobby projects. Vercel Authentication is managed on a per-project basis.

To manage Vercel Authentication, do the following:

From the Vercel dashboard, select the project that you wish to enable Password Protection for.

Once you've selected your project, go to Settings > Deployment Protection.

From the Vercel Authentication section, use the toggle to enable the feature, select the deployment environments you want to protect, then select Save.

All your existing and future deployments will be protected with Vercel Authentication for the project. The next time you access a deployment, you will be asked to log in with Vercel if you aren't already logged in. You will then be redirected to the deployment URL, and a cookie will be set in your browser for that deployment URL.

Enabling Vercel Authentication.

Password Protection is available on Enterprise plans or with the Advanced Deployment Protection add-on for Pro plans

With Password Protection enabled, visitors to your preview deployment must enter the pre-defined password to gain access. You can set the desired password from your project settings when enabling the feature.

Deployment protected with Password Protection authentication screen.

  • CORS-preflight OPTIONS requests are not protected per CORS specifications
  • If you change the password, users who previously entered the old password and have a cookie set will need to enter the new password
  • If you disable password protection, all existing deployments of the project will become unprotected
  • If you disable the protection and then enable it without changing the password, users with a set cookie will continue to access the deployments without re-entering the password
  • The JWT token set as a cookie is valid for one URL and cannot be reused for different URLs, even if these URLs point to the same deployment

From the Vercel dashboard, select the project that you wish to enable Password Protection for.

Once you've selected your project, go to Settings > Deployment Protection.

From the Password Protection section, turn on the toggle and enter a password of your choice, then select Save.

All your existing and future deployments will be protected with a password for the project. The next time you access a deployment, you will be asked to log in by entering the password, which takes you to the deployment. A cookie will then be set in your browser for the deployment URL so you don't need to enter the password every time.

Enabling Password Protection.

Trusted IPs are available in Private Beta to Enterprise plans

With Trusted IPs enabled, only visitors from an allowed IP address can access your deployment. The deployment URL will return 404 No Deployment Found for all other requests. Trusted IPs is configured by specifying a list of IPv4 addresses and IPv4 CIDR ranges.

Trusted IPs is suitable for customers who access Vercel deployments through a specific IP address, for example to limit preview deployment access to your VPN. Trusted IPs can also be enabled in production, for example to restrict incoming access to requests that come through your external proxy.

Enabling Trusted IPs.

  • Trusted IPs can only be enabled in preview or all environments when Vercel Authentication is also enabled. If you require Trusted IPs to be enabled in preview independently of Vercel Authentication, see Standalone Trusted IPs
  • If you are using an external proxy, you need to configure rulesets with Vercel to avoid your proxy IP addresses being blocked from accessing Vercel, due to Vercel Firewall and DoS Protection. To learn more, please contact our Sales Team
  • Vercel Firewall (including DDoS Mitigation & IP Blocking) will take precedence over Trusted IPs
    • An address listed in IP Blocking will be blocked even if it's listed in Trusted IPs.
    • Vercel defends your website from various types of DDoS attacks. An address listed in Trusted IPs will not bypass DDoS Mitigation unless it has been configured with Vercel (see Prerequisites)
  • If you change the list of Trusted IPs, this will affect all (previous and future) deployments for the project
  • If you disable Trusted IPs, all existing deployments of the project will be accessible from any IP address

Standalone Trusted IPs is an optional add-on to your plan. Please contact our Sales Team to learn more.

From the Vercel dashboard, select the project that you wish to enable Password Protection for.

Once you've selected your project, go to Settings > Deployment Protection.

Ensure Vercel Authentication is enabled as this is a prerequisite of Trusted IPs. See Managing Vercel Authentication.

From the Trusted IPs section, enter your list of IPv4 addresses and IPv4 CIDR ranges with an optional note describing the address, then select Save.

All your existing and future deployments will be protected with Trusted IPs for that project. Visitors to your project deployments from IP addresses not included in your list will see a No Deployment Found error page.

Enabling Trusted IPs.
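
Before saving a Trusted IPs list, it helps to check locally which addresses it admits and whether any entry is shadowed by IP Blocking. The following is an added example, not Vercel's code: it models only the behaviour described above (IPv4 addresses and IPv4 CIDR ranges, IP Blocking taking precedence, 404 for everything else). All function names are hypothetical and the sample addresses used with it are constructed.

```javascript
// Added example: a local model of the documented Trusted IPs behaviour.
// All function names are hypothetical.

// Convert a dotted-quad IPv4 address to an unsigned integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Parse "a.b.c.d" or "a.b.c.d/prefix" into an inclusive integer range.
// Anything else (IPv6, hostnames, bad prefixes) is rejected.
function parseEntry(entry) {
  const [addr, prefix = '32', extra] = entry.trim().split('/');
  const base = ipv4ToInt(addr);
  if (base === null || extra !== undefined || !/^\d{1,2}$/.test(prefix) || Number(prefix) > 32) {
    throw new Error(`not an IPv4 address or IPv4 CIDR range: ${entry}`);
  }
  const size = 2 ** (32 - Number(prefix));
  const start = Math.floor(base / size) * size; // normalise to the network address
  return { entry, start, end: start + size - 1 };
}

const overlaps = (a, b) => a.start <= b.end && b.start <= a.end;

// Decision order from the page: IP Blocking wins over Trusted IPs, and an
// address on neither list gets the 404 "No Deployment Found" response.
function decide(ip, trustedEntries, blockedEntries = []) {
  const n = ipv4ToInt(ip);
  const hit = (list) => n !== null && list.map(parseEntry).some((r) => n >= r.start && n <= r.end);
  if (hit(blockedEntries)) return 'blocked';
  return hit(trustedEntries) ? 'allowed' : '404';
}

// Trusted entries that are fully or partly shadowed by an IP Blocking entry.
function shadowedEntries(trustedEntries, blockedEntries) {
  const blocked = blockedEntries.map(parseEntry);
  return trustedEntries.map(parseEntry)
    .filter((t) => blocked.some((b) => overlaps(t, b)))
    .map((t) => t.entry);
}
```

A non-empty result from shadowedEntries means part of a trusted range will still be refused, which is worth resolving before relying on the list for VPN or proxy access.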

Shareable Links are available in Beta on all plans

Shareable Links provide a way to allow external users to access your branch-specific deployments through a secure parameter in the query string. Users with this link can view the latest deployment from a specific branch when logged in with their Vercel account. Shareable Links include the ability to leave Comments if these are enabled on your team.

Users with the Admin, Member, and Developer roles can create or revoke Shareable Links for their team's Projects. Personal Accounts can also create or revoke Shareable Links for their own Hobby projects. Shareable Links are managed on a per-branch basis.

Developers on the Hobby plan can only create one shareable link in total per account.

To manage Shareable Links, do the following:

From the Vercel dashboard, select the project that you wish to enable Vercel Authentication for.

From the list of Preview Deployments, select the deployment you wish to share.

From the Deployment page, click Share to display the Share Preview popover. From the popover, select Anyone with the link.

Share Preview popover showing Anyone with Link option selected.

Protection Bypass for Automation is available in Beta on Enterprise plans or with the Advanced Deployment Protection add-on for Pro plans

The Protection Bypass for Automation feature allows you to bypass Vercel Deployment Protection (Password Protection and Vercel Authentication) for automated tooling (e.g. E2E testing).

The generated secret can be used to bypass Deployment Protection on all deployments in a project until it is revoked.

Protection Bypass for Automation option with advanced deployment protection feature.

To use Protection Bypass for Automation, set an HTTP header (or query parameter*) named x-vercel-protection-bypass with the value of the generated secret for the project.

*Using a header is strongly recommended. However, in cases where your automation tool is unable to specify a header, it is also possible to set the same name and value as a query parameter.

x-vercel-protection-bypass: your-generated-secret (required)

To bypass authorization on follow-up requests (e.g. for in-browser testing) you can set an additional header or query parameter named x-vercel-set-bypass-cookie with the value true.

This will set the authorization bypass as a cookie using a redirect with a Set-Cookie header.

x-vercel-set-bypass-cookie: true (optional)

If you are accessing the deployment indirectly (e.g. in an iframe), you may need to further configure x-vercel-set-bypass-cookie by setting the value to samesitenone.

This sets SameSite to None on the Set-Cookie header. By default, SameSite is set to Lax.

x-vercel-set-bypass-cookie: samesitenone (optional)
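
Because the generated secret unlocks every deployment in the project until it is revoked, test tooling should send it only to the deployment it is meant for and keep it out of logs. The following is an added example, not Vercel's code: the function names, the allowedHosts option and the host used with it are hypothetical, while the header names and cookie values are the ones listed above.

```javascript
// Added example: building a request for an E2E test run against a protected
// deployment. Function and option names are hypothetical.
const BYPASS_NAME = 'x-vercel-protection-bypass';
const COOKIE_NAME = 'x-vercel-set-bypass-cookie';
const COOKIE_VALUES = ['true', 'samesitenone'];

function buildBypassRequest(targetUrl, secret, opts = {}) {
  const { allowedHosts = [], setCookie, useQueryParam = false } = opts;
  const url = new URL(targetUrl);
  // Never let the secret travel in clear text or to a host we did not expect.
  if (url.protocol !== 'https:') throw new Error('bypass secret requires https');
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`unexpected host for bypass secret: ${url.hostname}`);
  }
  if (!secret) throw new Error('bypass secret is empty');
  if (setCookie !== undefined && !COOKIE_VALUES.includes(setCookie)) {
    throw new Error(`${COOKIE_NAME} must be one of: ${COOKIE_VALUES.join(', ')}`);
  }
  const headers = {};
  if (useQueryParam) {
    // Fallback for tools that cannot set headers; the secret is now part of
    // the URL, so anything that records URLs must redact it.
    url.searchParams.set(BYPASS_NAME, secret);
    if (setCookie) url.searchParams.set(COOKIE_NAME, setCookie);
  } else {
    headers[BYPASS_NAME] = secret;
    if (setCookie) headers[COOKIE_NAME] = setCookie;
  }
  return { url: url.toString(), headers };
}

// Copy of the request that is safe to write to CI logs or test reports.
function redactForLog(request) {
  const url = new URL(request.url);
  if (url.searchParams.has(BYPASS_NAME)) url.searchParams.set(BYPASS_NAME, 'REDACTED');
  const headers = { ...request.headers };
  if (BYPASS_NAME in headers) headers[BYPASS_NAME] = 'REDACTED';
  return { url: url.toString(), headers };
}
```

The returned url and headers can be passed to fetch or to a test runner's request options; reading the secret from a CI secret store rather than from source keeps revocation a one-step operation.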

Private Production Deployments are available on Enterprise plans or with the Advanced Deployment Protection add-on for Pro plans

To protect Production Deployments in addition to Preview Deployments, select "All Deployments" from the protection settings dropdown and click Save. This will make all your production deployments private (including the current and previous production deployments). You can enable production protection using Password Protection and Vercel Authentication.

Last updated on March 6, 2023