Summary

Vercel launched Trusted Sources for Deployment Protection, letting protected deployments accept short-lived OIDC identity tokens from Vercel projects and external services instead of relying on a long-lived Protection Bypass for Automation secret. The system supports both same-team and external callers such as GitHub Actions.

What changed

Vercel added Trusted Sources, an OIDC-based control plane for authenticated access to protected deployments.

Why it matters

This is a concrete shift from static shared secrets toward federated workload identity in developer infrastructure. For teams automating deploy previews, internal APIs, or protected environments, it reduces secret sprawl and makes policy enforcement more granular and auditable.

Evidence excerpt

Vercel says Trusted Sources accepts short-lived OIDC tokens from Vercel projects and authorized external services so teams no longer need to share a long-lived automation bypass secret.
