Vercel Connect is now in public beta. It eliminates long-lived provider tokens from your application environment by replacing them with runtime credential exchange. Every time your agent needs to act, your app authenticates with its built-in Vercel OIDC identity, receives a short-lived scoped token, uses it, and discards it. No bot token. No signing secret. No OAuth refresh token stored in a database.
The architecture has concrete consequences. Tokens can be scoped per-request to specific repositories and permissions, not just per-connector. Each environment gets its own connector, so a credential leaked in development cannot be replayed against production. Revocation is a single operation against the connector, not a hunt across a dozen environment variable panels. Webhook verification for Slack, GitHub, and Linear moves server-side to Vercel Connect, which re-signs forwarded requests so your app holds nothing to steal. The SDK surfaces one call, getToken, with adapters for Better Auth, Auth.js, AI SDK tools, and MCP clients.
The article is worth reading in full for the details on per-request least-privilege scoping, the honest accounting of revocation limits on providers without a revocation API, and the eve framework integration that makes the entire token lifecycle (consent, refresh, and error handling) disappear into a single declarative file. A Nuxt starter ships with GitHub and Linear connected and no provider secrets anywhere in the codebase.