Skip to content
Dashboard

Introducing Vercel Passport

Secure every internal agent, app, and deployment with your existing identity provider.

internal.vercel.sh

Forge-proof verification

After a user clears the gate, Passport gives the agent a signed JWT in the x-vercel-oidc-passport-token header. Read from your data source like Snowflake or Salesforce and your permissions apply to the real person, not a shared service account.

Authenticate Once.
Control Everything.

  • Okta

    Auth0

    VercelVercel

    OIDC

    MS Entra

    Auth0

    MS Entra

    Okta

    VercelVercel

    OIDC

    VercelVercel

    OIDC

    Auth0

    MS Entra

    Okta

    VercelVercel

    OIDC

    MS Entra

    Okta

    Auth0

    Every deployment is gated by your identity provider. Authenticate with Okta, Auth0, or any OAuth 2.0 / OpenID Connect provider.
  • 99+

    Flat-rate pricing. Put Passport in front of every internal tool, agent, and app, and let the whole company in at no additional cost.
  • Never write a line of auth. Define access for your whole organization in one place while all agents and applications inherit.

Frequently asked questions

What is Vercel Passport?
Vercel Passport gates every app and agent you deploy behind your own identity provider. Each deployment is private by default, and once a user signs in, the app receives a signed identity it can trust, so your IdP controls what that person can reach downstream.
What problem does Vercel Passport solve?
It takes staying internal off the shoulders of individual builders and ends per-app login. Instead of every app rolling its own auth and its own idea of who the user is, deployments are private behind your IdP, and the app receives a verified identity that reaches all the way to connected systems like Snowflake and Salesforce.
Which identity providers can I use?

Any provider that supports OAuth 2.0 or OpenID Connect, including Okta and Auth0. You add it as a Generic OAuth application, entering your issuer and endpoints through discovery or manually, with https://connect.vercel.com/callback registered as the redirect URI.

How does Vercel Passport work?
When a visitor opens a protected deployment, Vercel redirects them to your identity provider. After your provider authenticates them, Vercel validates the response, sets a session cookie for that deployment, and forwards a signed identity token to your server. A visitor with a valid session can view the deployment until the session expires.
How do I read a signed-in visitor's identity?

Read the x-vercel-oidc-passport-token header from server-side code. It is a Vercel-signed JWT, and the external_sub claim is the reliable user identifier. Vercel strips any client-supplied value and injects the verified token after validating the session, so your server can trust it. Profile fields like email or name appear only if your provider returns them.

Does Vercel Passport work with Vercel Connect?
Yes, they work together. Passport carries a verified identity in at the door. Connect carries it downstream when the app mints scoped tokens for third-party services. Who the user is, what they can open, and what their tokens can reach are the same person, end to end.
Does Vercel Passport work for agents too?
Yes. Agents you deploy sit behind the same gate and inherit the same policy, so the identity that governs your apps governs your agents.
What does Passport cost?
Pricing is available on vercel.com/pricing.