Vercel Authentication

Learn how to use Vercel Authentication to restrict access to your deployments.
Table of Contents

Vercel Authentication is available on all plans

Vercel Authentication lets you restrict access to your public and non-public deployments. It is the recommended approach to protecting your deployments, and available on all plans. When enabled, it allows only users with deployment access to view and comment on your site.

Users attempting to access the deployment will encounter a Vercel login redirect. If already logged into Vercel, Vercel will authenticate them automatically.

After login, users are redirected and a cookie is set in the browser if they have view access. If the user does not have access to view the deployment, they will be redirected to request access.

Access Requests are available on all plans

When a Vercel user visits your protected deployment, but they do not have permission to access it, they have the option to request access for their Vercel account. This request triggers an email and Vercel notification to the branch authors.

External users can request access to protected deployments.
External users can request access to protected deployments.

The access request can be approved or declined in the share modal on the deployment. Additionally, granted access can be revoked for a user at any time using the share modal.

Users granted access can view the latest deployment from a specific branch when logged in with their Vercel account. They can also leave preview Comments if these are enabled on your team.

Access requests can be approved, declined and revoked in the deployment share modal.
Access requests can be approved, declined and revoked in the deployment share modal.

Those on the Hobby plan can only have one external user per account. If you need more, you can upgrade to a Pro plan.

You can configure Vercel Authentication for different environments, as outlined in Understanding Deployment Protection by environment. This feature works alongside other security measures like Password Protection and Trusted IPs. For specific use-cases, you can bypass Vercel Authentication with methods like Shareable Links or Protection bypass for Automation.

Note that CORS-preflight OPTIONS requests are not protected in compliance with CORS specifications. Disabling Vercel Authentication renders all existing deployments unprotected. However, re-enabling it allows previously authenticated users to maintain access without a new login provided they have already authenticated to the specific deployment and have a cookie set in their browser. The authentication token sent as a cookie is restricted to one URL and isn't transferable, even between URLs pointing to the same deployment.

ConsiderationDescription
Environment ConfigurationCan be enabled for different environments. See Understanding Deployment Protection by environment
CompatibilityCompatible with Password Protection and Trusted IPs
Bypass MethodsCan be bypassed using Shareable Links and Protection bypass for Automation
CORS-preflightOPTIONS requests are not protected as per CORS specifications
DisablingAll existing deployments become unprotected when Vercel Authentication is disabled
Re-enablingUsers who have logged in previously will still have access without re-authenticating
Token ScopeTokens are valid for a single URL and are not reusable across different URLs

Admins and members can enable or disable Vercel Authentication for their team. Hobby teams can also enable or disable for their own projects. Vercel Authentication is managed on a per-project basis.

To manage Vercel Authentication, do the following:

From your Vercel dashboard:

  1. Select the project that you wish to enable Password Protection for
  2. Go to Settings then Deployment Protection

From the Vercel Authentication section:

  1. Use the toggle to enable the feature
  2. Select the deployment environment you want to protect
  3. Finally, Select Save

All your existing and future deployments will be protected with Vercel Authentication for the project. Next time when you access a deployment, you will be asked to log in with Vercel if you aren't already logged in, you will be redirected to the deployment URL and a cookie will be set in your browser for that deployment URL.

Enabling Vercel Authentication.

Last updated on February 28, 2024