Vercel Blob now supports time-bound signed URLs, available starting with @vercel/blob version 2.4.0. Each URL is scoped to a single operation (put, get, head, or delete), a single pathname, and an expiry of up to 7 days. A URL signed for a GET cannot be reused as a PUT; the signature enforces this at the cryptographic level.
Two capabilities stand out. Upload URLs support multipart transfers, meaning browsers can stream large files directly to Blob storage without routing through your server. Delete URLs accept an ifMatch option, so a delete only executes if the object has not been overwritten since the URL was signed. These are not convenience features. They close real attack surface.
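The scoping described above (one operation, one pathname, an expiry, and an optional ifMatch on delete) can be sketched with a plain HMAC. This is an added example, not code from Vercel or from @vercel/blob, and it does not reproduce Vercel's actual signing format: the function names, the query parameter names (op, expires, sig, ifMatch) and the blob.example host are all assumptions made for illustration.

```javascript
// Added illustration: a generic HMAC scheme, NOT Vercel Blob's real signing format.
const crypto = require("node:crypto");

const MAX_TTL_SECONDS = 7 * 24 * 60 * 60; // 7-day ceiling stated above
const OPERATIONS = new Set(["put", "get", "head", "delete"]);

// Every field that limits the URL goes into the MAC input, so none can be altered.
function mac(secret, operation, pathname, expires, ifMatch) {
  const fields = JSON.stringify([operation, pathname, expires, ifMatch ?? null]);
  return crypto.createHmac("sha256", secret).update(fields).digest();
}

// Server side: mint a URL for one operation on one pathname (hypothetical helper).
function signUrl(secret, { operation, pathname, ttlSeconds, ifMatch }, now) {
  if (!OPERATIONS.has(operation)) throw new Error("unknown operation");
  if (!(ttlSeconds > 0 && ttlSeconds <= MAX_TTL_SECONDS)) throw new Error("ttl out of range");
  const expires = now + ttlSeconds;
  const sig = mac(secret, operation, pathname, expires, ifMatch).toString("hex");
  const query = new URLSearchParams({ op: operation, expires: String(expires), sig });
  if (ifMatch) query.set("ifMatch", ifMatch);
  return `${pathname}?${query}`;
}

// Storage side: decide whether an incoming request may proceed (hypothetical helper).
function verifyRequest(secret, method, url, currentEtag, now) {
  const u = new URL(url, "https://blob.example"); // placeholder host
  const op = u.searchParams.get("op");
  const expires = Number(u.searchParams.get("expires"));
  const ifMatch = u.searchParams.get("ifMatch");
  const given = Buffer.from(u.searchParams.get("sig") ?? "", "hex");
  const expected = mac(secret, op, u.pathname, expires, ifMatch);
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  if (now >= expires) return "expired";
  if (method.toLowerCase() !== op) return "operation-mismatch";
  // Conditional delete: refuse if the object changed after the URL was signed.
  if (ifMatch && ifMatch !== currentEtag) return "precondition-failed";
  return "ok";
}
```

Times are Unix seconds passed in explicitly so the expiry check can be exercised deterministically; the secret stays on the server, and only the resulting URL is handed to the browser.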
The full documentation explains how signed URLs integrate with OIDC authentication. The pattern keeps your long-lived BLOB_READ_WRITE_TOKEN server-side, uses OIDC to authenticate, and issues narrowly scoped tokens to the browser. If you are building any client-facing file workflow on Vercel, that architecture section is worth reading in detail.