Vercel Releases skills.sh API Providing Access to Over 600,000 Open Source Skill Datasets Via OIDC

Vercel has introduced the skills.sh API, establishing a centralized hub for querying over 600,000 software skill profiles and security audit results aggregated from open-source projects. To access this repository, developers utilize project-level OpenID Connect tokens directly from their Vercel environments. This architectural shift from static API keys to temporary, automatically rotated OIDC tokens drastically reduces the risk of secret leaks and removes manual management overhead.
Comparison
| Aspect | Before / Alternative | After / This |
|---|---|---|
| Authentication method | Static, long-lived API keys requiring manual rotation | Short-lived, project-level OIDC tokens rotated automatically |
| Data retrieval | Manual queries across multiple scattered open-source platforms | Centralized programmatic queries via a unified API endpoint |
| Security integration | Ad-hoc manual validation of dependency security records | Automated ingestion of standardized security audit logs |
| Request throughput | Low rate limits on third-party public scrapers | Dedicated allocation of 600 requests per minute per project |
Action Checklist
- Configure the OIDC issuer trust relationship in your Vercel project settings. Ensure your project has the appropriate environment variables and permissions set up to request trust.
- Generate a short-lived OIDC token programmatically during runtime. Avoid hardcoding any tokens or saving them to disk.
- Send HTTP requests containing the bearer token to the skills.sh API endpoints. Confirm that your rate-limiting logic accounts for the limit of 600 requests per minute.
- Review the specific JSON schema for each endpoint to handle variations in audit data coverage. Different skill types may expose varying levels of historical auditing depth.
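
One way to cover the token and rate-limit items of the checklist in client code, as an added example that is not from Vercel or the original page. `SkillsClient`, `getToken` and `BASE_URL` are hypothetical; the token provider is assumed to return the project's OIDC token as a JWT with an `exp` claim.

```javascript
// Added example. SkillsClient, getToken and BASE_URL are hypothetical names.
const BASE_URL = "https://skills-api.example.invalid"; // placeholder endpoint
const LIMIT = 600;        // requests per minute per project (from the page)
const WINDOW_MS = 60_000;
const SKEW_MS = 30_000;   // refresh this long before expiry (assumed margin)

// Read `exp` from the JWT payload. No signature check here: the client only
// needs the expiry to know when to ask for a new token.
function tokenExpiry(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.exp !== "number") throw new Error("token has no exp claim");
  return payload.exp * 1000;
}

class SkillsClient {
  // getToken: async function returning the current OIDC token (assumed to be
  // provided by the runtime). fetchImpl and now can be injected for testing.
  constructor(getToken, { fetchImpl = globalThis.fetch, now = Date.now } = {}) {
    Object.assign(this, { getToken, fetchImpl, now });
    this.token = null;   // held in memory only, never written to disk
    this.expiresAt = 0;
    this.sent = [];      // timestamps of requests in the current window
  }
  async bearer() {
    if (!this.token || this.now() >= this.expiresAt - SKEW_MS) {
      const fresh = await this.getToken();
      const exp = tokenExpiry(fresh);
      if (this.now() >= exp) throw new Error("issuer returned an expired token");
      this.token = fresh;
      this.expiresAt = exp;
    }
    return this.token;
  }
  // Sliding window: milliseconds to wait before another request fits.
  delayMs() {
    const cutoff = this.now() - WINDOW_MS;
    this.sent = this.sent.filter((t) => t > cutoff);
    return this.sent.length < LIMIT ? 0 : this.sent[0] + WINDOW_MS - this.now();
  }
  async get(path) {
    const wait = this.delayMs();
    if (wait > 0) await new Promise((r) => setTimeout(r, wait));
    const token = await this.bearer();
    this.sent.push(this.now());
    const send = this.fetchImpl;
    return send(BASE_URL + path, { headers: { Authorization: `Bearer ${token}` } });
  }
}
```

The limiter only smooths this process's own traffic; a project running several instances shares the same 600 requests per minute, so a 429 response still needs handling.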
Source: Vercel Changelog
This page summarizes the original source. Check the source for full details.


