OBLAIDISH NEWS
Vercel rolls out trusted sources with oidc for deployment access

Vercel's new Trusted Sources feature lets protected deployments accept requests from authorized Vercel projects and external services like GitHub Actions using short-lived OIDC tokens instead of long-lived secrets [Vercel Changelog].

Callers attach an OIDC token in the request header, which Vercel verifies by checking the token's claims and confirming the environment matches the configured rule [Vercel Changelog]. By default, a project can access its own deployments, but teams can authorize cross-project access by adding another project in the same team to Trusted Sources. Users can also authorize custom OIDC providers, such as GitHub Actions, to act as trusted external services.

The shift from static secrets to ephemeral OIDC tokens cuts the risk of credential leakage. Since tokens expire quickly and are tied to verified identity sources, compromised tokens have a narrow window for abuse. Rules are configurable per environment pair—such as staging-to-production—giving teams granular control over access flows.
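As an added illustration (not Vercel's code or rule schema), the sketch below models the claim check and environment-pair rule described above for a GitHub Actions caller. The `Rule` fields, the audience value, the repository names and the timestamps are assumptions constructed for the example, and signature verification against the issuer's published keys is assumed to have already succeeded.

```python
import time
from dataclasses import dataclass

# GitHub Actions' OIDC issuer URL; every other value below is constructed.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

@dataclass(frozen=True)
class Rule:
    # Hypothetical rule shape (an assumption, not Vercel's schema).
    issuer: str
    audience: str
    subject: str      # exact match only, no wildcards
    source_env: str   # environment the caller runs in
    target_env: str   # environment of the protected deployment

def evaluate(claims, target_env, rules, now=None, leeway=30):
    """Default-deny check of already signature-verified claims; returns (allowed, reason)."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired or missing exp"
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    for rule in rules:
        if (claims.get("iss") == rule.issuer
                and rule.audience in audiences
                and claims.get("sub") == rule.subject
                and claims.get("environment") == rule.source_env
                and target_env == rule.target_env):
            return True, "matched rule"
    return False, "no rule matched"

# Constructed sample: a GitHub Actions job running in its "staging" environment.
RULES = [Rule(GITHUB_ISSUER, "https://deploy.example.invalid",
              "repo:example-org/api:environment:staging", "staging", "production")]
CLAIMS = {"iss": GITHUB_ISSUER, "aud": "https://deploy.example.invalid",
          "sub": "repo:example-org/api:environment:staging",
          "environment": "staging", "exp": 1_700_000_300}
NOW = 1_700_000_000

if __name__ == "__main__":
    print(evaluate(CLAIMS, "production", RULES, now=NOW))          # allowed pair
    print(evaluate(CLAIMS, "preview", RULES, now=NOW))             # pair not configured
    print(evaluate({**CLAIMS, "sub": "repo:example-org/fork:environment:staging"},
                   "production", RULES, now=NOW))                  # different repository
    print(evaluate(CLAIMS, "production", RULES, now=NOW + 3600))   # token expired
```

Exact matching on `sub` and a default-deny fallthrough keep a token minted for another repository or environment from satisfying the rule.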

Trusted Sources also simplifies CI/CD integrations. Instead of storing and rotating secrets for deployment scripts, teams can now authenticate GitHub Actions directly via OIDC, aligning with zero-trust principles and reducing operational overhead.
