Vercel Blob Integrates OIDC Authentication to Eliminate Long Lived Read Write Tokens
Vercel has introduced OpenID Connect authentication for Vercel Blob, enhancing the security posture of file storage operations. For new projects, OIDC is now the default authentication method, allowing systems to use short-lived tokens issued by Vercel. These tokens rotate automatically, significantly reducing the risks associated with static, long-lived credentials that were previously used for read and write access. Existing projects can migrate to this new standard by updating their dependencies and adjusting store settings in the dashboard. Functions running on the Vercel platform will automatically receive and use these OIDC tokens to authenticate requests without requiring manual environment variable management. This shift simplifies secret management by removing the operational burden of manually rotating sensitive access keys for blob storage. Developers are encouraged to transition existing stores to OIDC to ensure they are using the most secure communication path between their compute functions and storage layer.
Related tools
Recommended tools for this topic
These picks prioritize high-intent tools relevant to this topic. Some links may include partner or affiliate tracking.
Strong for identity, OIDC, and B2B auth readers evaluating implementation tradeoffs.
View Auth0A strong security and edge platform match across CDN, Zero Trust, and app protection.
View CloudflareA high-relevance security pick for identity, secret management, and team access control.
View 1PasswordComparison
| Aspect | Before / Alternative | After / This |
|---|---|---|
| Credential Type | Static BLOB_READ_WRITE_TOKEN | Short-lived OIDC tokens |
| Token Management | Manual rotation and storage | Automatic rotation by Vercel |
| Security Risk | High risk of permanent credential leak | Lower risk due to transient identity |
| Default Setup | Manual environment variable configuration | Enabled by default for new projects |
Action Checklist
- Update @vercel/blob package Ensure you are using the latest version of the SDK in your project
- Navigate to the Blob store settings Locate the specific store within the Vercel dashboard
- Select the Projects tab Open the context menu for the project you wish to upgrade
- Execute Upgrade to OIDC This will transition the project from static tokens to OIDC authentication
- Verify function connectivity Confirm that file uploads and reads still function correctly without static secrets
Source: Vercel Changelog
This page summarizes the original source. Check the source for full details.
