Vercel's OIDC issuer now supports custom audiences. Deployments can request tokens with a specific audience claim via an exchange service at oidc.vercel.com, replacing the fixed default audience of https://vercel.com/{owner} with a value scoped to a downstream provider.

The security argument is concrete: if a provider is compromised, a stolen token cannot be replayed against a different service because the mismatched aud claim will fail verification. The exchange service preserves all original claims, updates the aud and iat fields, sets the issuer to https://oidc.vercel.com/{owner}, and adds an act claim that records the original token's audience and issued-at time as an auditable delegation chain. An optional jti parameter lets you assign a unique identifier to the exchanged token for log correlation. Public keys are available at https://oidc.vercel.com/{owner}/.well-known/jwks.

The full changelog is worth reading for the precise structure of the exchanged token and how the act claim creates a traceable delegation record. The exchange endpoint is replicated across all Vercel regions, keeping latency low regardless of deployment location. This is a direct improvement for any team authenticating against AWS, GCP, or custom internal services that does not want to manage a separate token broker.
