Vercel Authentication lets you restrict access to your public and non-public deployments. It is the recommended approach to protecting your deployments, and available on all plans. When enabled, it allows only users with deployment access to view and comment on your site.
Users attempting to access the deployment will encounter a Vercel login redirect. If already logged into Vercel, Vercel will authenticate them automatically.
After login, users are redirected and a cookie is set in the browser if they have view access. If the user does not have access to view the deployment, they will be redirected to request access.
- Logged in team members with at least the viewer role
- Logged in project members with at least the project Viewer role
- Logged in Vercel users who have been granted access
- Anyone who has been given a Shareable Link to the deployment
- Tools using the protection bypass for automation header
When a Vercel user visits your protected deployment, but they do not have permission to access it, they have the option to request access for their Vercel account. This request triggers an email and Vercel notification to the branch authors.
The access request can be approved or declined in the share modal on the deployment. Additionally, granted access can be revoked for a user at any time using the share modal.
Users granted access can view the latest deployment from a specific branch when logged in with their Vercel account. They can also leave preview Comments if these are enabled on your team.
Those on the Hobby plan can only have one external user per account. If you need more, you can upgrade to a Pro plan.
You can configure Vercel Authentication for different environments, as outlined in Understanding Deployment Protection by environment. This feature works alongside other security measures like Password Protection and Trusted IPs. For specific use-cases, you can bypass Vercel Authentication with methods like Shareable Links or Protection bypass for Automation.
Note that CORS-preflight OPTIONS requests are not protected in compliance with CORS specifications. Disabling Vercel Authentication renders all existing deployments unprotected. However, re-enabling it allows previously authenticated users to maintain access without a new login provided they have already authenticated to the specific deployment and have a cookie set in their browser. The authentication token sent as a cookie is restricted to one URL and isn't transferable, even between URLs pointing to the same deployment.
Consideration | Description |
|---|---|
Environment Configuration | Can be enabled for different environments. See Understanding Deployment Protection by environment |
Compatibility | Compatible with Password Protection and Trusted IPs |
Bypass Methods | Can be bypassed using Shareable Links and Protection bypass for Automation |
CORS-preflight | OPTIONS requests are not protected as per CORS specifications |
Disabling | All existing deployments become unprotected when Vercel Authentication is disabled |
Re-enabling | Users who have logged in previously will still have access without re-authenticating |
Token Scope | Tokens are valid for a single URL and are not reusable across different URLs |
Admins and members can enable or disable Vercel Authentication for their team. Hobby teams can also enable or disable for their own projects. Vercel Authentication is managed on a per-project basis.
To manage Vercel Authentication, do the following:
From your Vercel dashboard:
- Select the project that you wish to enable Password Protection for
- Go to Settings then Deployment Protection
From the Vercel Authentication section:
- Use the toggle to enable the feature
- Select the deployment environment you want to protect
- Finally, Select Save
All your existing and future deployments will be protected with Vercel Authentication for the project. Next time when you access a deployment, you will be asked to log in with Vercel if you aren't already logged in, you will be redirected to the deployment URL and a cookie will be set in your browser for that deployment URL.
Enabling Vercel Authentication.
Was this helpful?