Vercel's Trusted Sources feature lets protected deployments accept short-lived OIDC tokens instead of a static shared secret. The caller presents the token in the x-vercel-trusted-oidc-idp-token request header; Vercel validates the token's signature, checks that the configured claims match, and confirms that the caller's and target environments satisfy the rule.

By default, a project can call its own deployments. Cross-project access within the same team requires adding the caller to Trusted Sources using from/to environment pairs. External providers, including GitHub Actions and projects in other Vercel teams, can also be authorized as trusted OIDC sources.

The legacy Protection Bypass for Automation still works, but it relies on a static shared secret, so Trusted Sources is now the recommended path. The mechanics of claim configuration and environment-matching rules are worth reading in full, especially for teams managing multi-project or cross-team deployment pipelines.
