Vercel Authentication

Learn how to use Vercel Authentication to restrict access to your deployments.
Table of Contents

Vercel Authentication is available on all plans

Those with the owner, member and admin roles can manage Vercel Authentication

Vercel Authentication lets you restrict access to your public and non-public deployments. It is the recommended approach to protecting your deployments, and available on all plans. When enabled, it allows only users with deployment access to view and comment on your site.

Users attempting to access the deployment will encounter a Vercel login redirect. If already logged into Vercel, Vercel will authenticate them automatically.

After login, users are redirected and a cookie is set in the browser if they have view access. If the user does not have access to view the deployment, they will be redirected to request access.

Access requests are available on all plans

Those with the owner, member, admin and developer roles can accept or reject access requests

When a Vercel user visits your protected deployment, but they do not have permission to access it, they have the option to request access for their Vercel account. This request triggers an email and Vercel notification to the branch authors.

External users can request access to protected deployments.
External users can request access to protected deployments.

The access request can be approved or declined. Additionally, granted access can be revoked for a user at any time.

Users granted access can view the latest deployment from a specific branch when logged in with their Vercel account. They can also leave preview Comments if these are enabled on your team.

Those on the Hobby plan can only have one external user per account. If you need more, you can upgrade to a Pro plan.

You can manage access requests in the following way

  1. From your dashboard go to the Settings tab
  2. Select Deployment Protection and then choose the Requests tab to see pending requests
  3. Choose Access to manage existing access
Access requests can be approved and declined on the Dashboard > Settings > Deployment Protection > Requests section.
Access requests can be approved and declined on the Dashboard > Settings > Deployment Protection > Requests section.
Granted access requests can be managed on the Dashboard > Settings > Deployment Protection > Access section.
Granted access requests can be managed on the Dashboard > Settings > Deployment Protection > Access section.

Access requests can also be managed using the share modal on the deployment page

Access requests can be approved, declined and revoked in the deployment share modal.
Access requests can be approved, declined and revoked in the deployment share modal.

You can configure Vercel Authentication for different environments, as outlined in Understanding Deployment Protection by environment. This feature works alongside other security measures like Password Protection and Trusted IPs. For specific use-cases, you can bypass Vercel Authentication with methods like Shareable Links or Protection bypass for Automation.

Note that CORS-preflight OPTIONS requests are not protected in compliance with CORS specifications. Disabling Vercel Authentication renders all existing deployments unprotected. However, re-enabling it allows previously authenticated users to maintain access without a new login provided they have already authenticated to the specific deployment and have a cookie set in their browser. The authentication token sent as a cookie is restricted to one URL and isn't transferable, even between URLs pointing to the same deployment.

ConsiderationDescription
Environment ConfigurationCan be enabled for different environments. See Understanding Deployment Protection by environment
CompatibilityCompatible with Password Protection and Trusted IPs
Bypass MethodsCan be bypassed using Shareable Links and Protection bypass for Automation
CORS-preflightOPTIONS requests are not protected as per CORS specifications
DisablingAll existing deployments become unprotected when Vercel Authentication is disabled
Re-enablingUsers who have logged in previously will still have access without re-authenticating
Token ScopeTokens are valid for a single URL and are not reusable across different URLs

Admins and members can enable or disable Vercel Authentication for their team. Hobby teams can also enable or disable for their own projects. Vercel Authentication is managed on a per-project basis.

You can manage Vercel Authentication through the dashboard, API, or Terraform:

From your Vercel dashboard:

  1. Select the project that you wish to enable Password Protection for
  2. Go to Settings then Deployment Protection

From the Vercel Authentication section:

  1. Use the toggle to enable the feature
  2. Select the deployment environment you want to protect
  3. Finally, Select Save

All your existing and future deployments will be protected with Vercel Authentication for the project. Next time when you access a deployment, you will be asked to log in with Vercel if you aren't already logged in, you will be redirected to the deployment URL and a cookie will be set in your browser for that deployment URL.

Enabling Vercel Authentication.

You can manage Vercel Authentication using the Vercel API endpoint to update an existing project with the following body

  • prod_deployment_urls_and_all_previews: Standard Protection
  • all: All Deployments
  • preview: Only Preview Deployments
// enable / update Vercel Authentication
{
  "ssoProtection": {
    "deploymentType": "prod_deployment_urls_and_all_previews" | "all" | "preview"
  }
}
 
// disable Vercel Authentication
{
  "ssoProtection": null
}

You can configure Vercel Authentication using vercel_authentication in the vercel_project data source in the Vercel Terraform Provider.

Last updated on April 13, 2024