Manage Sign in with Vercel from the Dashboard
To manage any third-party apps, or create a new one yourself, you need to create an App. An App acts as an intermediary that requests and manages access to resources on behalf of the user. It communicates with the Vercel Authorization Server to get tokens which act as credentials for accessing protected resources through the Vercel REST API.
To create an App, follow these steps:
- Navigate to your teams Settings tab
- Scroll down and select Apps, and click Create
- Choose a name for your app
- Choose a slug for your app (The slug is automatically generated from the name if you don't provide one)
- Optionally add a logo for your app
- Click Save
| Field | Required | Description |
|---|---|---|
| Name | Yes | The name of your app. It must be unique across all Vercel applications. Example: My App |
| Slug | Yes | The slug of your app. A URL friendly name that uniquely identifies your app. Defaults to the name if not provided. Example: my-app |
| Logo | Optional | The logo that represents your app. |
The client authentication method determines how your app will authenticate with the Vercel Authorization Server. You can enable multiple methods to provide flexibility for your app in different deployment scenarios.
| Field | Description | Usage | Security |
|---|---|---|---|
client_secret_basic | HTTP Basic Authentication Scheme | Client credentials are sent via HTTP Basic Authentication header (Authorization: Basic <base64-encoded-credentials>) | Suitable for server-side applications that can securely store credentials |
client_secret_post | HTTP request body as a form parameter | Client credentials are included as form parameters in the request body (client_id and client_secret) | The same as client_secret_basic |
client_secret_jwt | JSON Web Token (JWT) | Client authenticates using a JWT signed with the shared client secret | Provides additional security by avoiding the transmission of the client secret in requests |
none | For public, unauthenticated, non-confidential clients | No client authentication required - suitable for public applications that cannot securely store secrets | For single page applications (SPAs), mobile apps, and CLIs that cannot securely store credentials |
Client secrets are used to authenticate your app with the Vercel Authorization Server. You can generate a client secret by clicking the Generate button.
You can have up to two active client secrets at a time. This lets you rotate secrets without downtime.
The authorization callback URL is where Vercel redirects users after they authorize your app. This URL must be registered to prevent unauthorized redirects and protect against malicious attacks.
To add a callback URL:
- Navigate to the Manage page for your app
- Scroll to Authorization Callback URLs
- Enter your callback URL
- Click Add
For local development, add http://localhost:3000/api/auth/callback. For production, add https://your-domain.com/api/auth/callback. For Apps hosted on Vercel, instead of specifying a custom domain for the callback URL, you can instead select a Vercel project from a dropdown in the UI. This will let you configure an authorization URL matching any of your App's deployment domains.
When a user authorizes your app, Vercel redirects them to this URL with a code query parameter. Your application exchanges this code for tokens using the Token Endpoint.
Permissions control what data your app can access. Configure them from the Permissions page in your app settings.
To configure permissions:
- Navigate to the Manage page for your app
- Select the Permissions tab
- Enable the scopes and permissions your app needs:
- openid: Required to issue an ID Token for user identification
- email: Access the user's email address in the ID Token
- profile: Access the user's name, username, and profile picture in the ID Token
- offline_access: Issue a Refresh Token to get new Access Tokens without re-authentication
- Click Save
When users authorize your app, they'll see these permissions on the consent page and decide whether to grant access.
Learn more about scopes and permissions in the scopes and permissions documentation.
Was this helpful?