signal insight

Vercel Blob switches new projects to short-lived OIDC authentication

Vercel Blob now supports OIDC authentication and makes it the default for newly connected projects. Vercel-issued short-lived tokens replace long-lived `BLOB_READ_WRITE_TOKEN` credentials, and the Vercel CLI can use the same project-linked environment to let agents read and write private Blob stores from the terminal.

Published Jun 1, 2026 Updated Jun 2, 2026 1 sources

VercelVercel Blobsecuritysecurity or trust relevant changemedium impact

securityenterprise-controlsdeveloper-platformsagentssecurity or trust-relevant change

Impact: medium
Confidence: 94%
Change type: security or trust relevant change
First seen: Jun 1, 2026
Last updated: Jun 2, 2026
Audience: developer-platform-teamssecurity-engineersai-agent-builders
Status: Ready

Summary

Vercel Blob now supports OIDC authentication and makes it the default for newly connected projects. Vercel-issued short-lived tokens replace long-lived BLOB_READ_WRITE_TOKEN credentials, and the Vercel CLI can use the same project-linked environment to let agents read and write private Blob stores from the terminal.

What changed

Vercel added OIDC authentication for Vercel Blob and made it the default setting for new project connections on June 1, 2026.

Why it matters

This is a practical trust-boundary upgrade for AI-assisted and agentic development workflows. Long-lived storage tokens are easy for coding agents, terminals, and CI logs to mishandle; short-lived OIDC credentials reduce secret exposure while preserving CLI and automation access.

Evidence excerpt

Vercel says Blob now supports OIDC authentication, uses short-lived rotating Vercel-issued tokens, and no longer requires a long-lived BLOB_READ_WRITE_TOKEN for new project connections.

Sources

vercel.com