Introducing Vercel Passport
internal.vercel.sh
Forge-proof verification
After a user clears the gate, Passport gives the agent a signed JWT in the x-vercel-oidc-passport-token header. Read from your data source like Snowflake or Salesforce and your permissions apply to the real person, not a shared service account.
Authenticate Once.
Control Everything.
Okta
Auth0
OIDC
MS Entra
Auth0
MS Entra
Okta
OIDC
OIDC
Auth0
MS Entra
Okta
OIDC
MS Entra
Okta
Auth0
Every deployment is gated by your identity provider. Authenticate with Okta, Auth0, or any OAuth 2.0 / OpenID Connect provider.99+
Flat-rate pricing. Put Passport in front of every internal tool, agent, and app, and let the whole company in at no additional cost.- Never write a line of auth. Define access for your whole organization in one place while all agents and applications inherit.
Frequently asked questions
What is Vercel Passport?
What problem does Vercel Passport solve?
Which identity providers can I use?
Any provider that supports OAuth 2.0 or OpenID Connect, including Okta and Auth0. You add it as a Generic OAuth application, entering your issuer and endpoints through discovery or manually, with https://connect.vercel.com/callback registered as the redirect URI.
How does Vercel Passport work?
How do I read a signed-in visitor's identity?
Read the x-vercel-oidc-passport-token header from server-side code. It is a Vercel-signed JWT, and the external_sub claim is the reliable user identifier. Vercel strips any client-supplied value and injects the verified token after validating the session, so your server can trust it. Profile fields like email or name appear only if your provider returns them.