How-to
2 min read

Protection Bypass for Automation

Learn how to bypass Vercel Deployment Protection for automated tooling (e.g. E2E testing).
Table of Contents

Protection Bypass for Automation is available on Enterprise plans or with the Advanced Deployment Protection add-on for Pro plans

The Protection Bypass for Automation feature lets you bypass Vercel Deployment Protection (Password Protection, Vercel Authentication, and Trusted IPs) for automated tooling (e.g. E2E testing).

The generated secret can be used to bypass deployment protection on all deployments in a project until it is revoked. This value will also be automatically added to your deployments as a system environment variable VERCEL_AUTOMATION_BYPASS_SECRET.

The environment variable value is set when a deployment is built, so regenerating the secret in the project settings will invalidate previous deployments. You will need to redeploy your app if you update the secret in order to use the new value.

Protection Bypass for Automation option with advanced deployment protection
feature.
Protection Bypass for Automation option with advanced deployment protection feature.

To use Protection Bypass for Automation, set an HTTP header (or query parameter) named x-vercel-protection-bypass with the value of the generated secret for the project.

Using a header is strongly recommended, however in cases where your automation tool is unable to specify a header, it is also possible to set the same name and value as a query parameter.

x-vercel-protection-bypass: your-generated-secret (required)

To bypass authorization on follow-up requests (e.g. for in-browser testing) you can set an additional header or query parameter named x-vercel-set-bypass-cookie with the value true.

This will set the authorization bypass as a cookie using a redirect with a Set-Cookie header.

x-vercel-set-bypass-cookie: true (optional)

If you are accessing the deployment through a non-direct way (e.g. in an iframe) then you may need to further configure x-vercel-set-bypass-cookie by setting the value to samesitenone.

This will set SameSite to None on the Set-Cookie header, by default SameSite is set to Lax.

x-vercel-set-bypass-cookie: samesitenone (optional)
Last updated on May 29, 2024