Deployment Protection on Vercel

Last updated July 14, 2025

Deployment Protection safeguards both your preview and production URLs across various environments. Configured at the project level through your settings, Deployment Protection provides detailed access control for different deployment types.

Vercel offers the following Deployment Protection features:

  • Vercel Authentication: Restricts access to your deployments to only Vercel users with suitable access rights. Vercel Authentication is available on all plans.
  • Password Protection: Restricts access to your deployments to only users with the correct password. Password Protection is available on the Enterprise plan, or as a paid add-on for Pro plans.
  • Trusted IPs: Restricts access to your deployments to only users with the correct IP address. Trusted IPs is available on the Enterprise plan.

Deployment Protection requires authentication for all requests, including those to Middleware.

Deployment Protection is managed through your project settings. To configure Deployment Protection:

  1. From the dashboard, select the project you wish to set Deployment Protection on
  2. Once selected, navigate to the Settings tab
  3. From the list, select the Deployment Protection tab

You can configure the type of Deployment Protection for each environment in your project depending on your project's security needs. When choosing your protection method, you can select from three options:

To protect only production URLs, you can use Trusted IPs. Note that this option is only available on the Enterprise plan.

Standard Protection is available on all plans

Standard Protection is the recommended way to secure your deployments, as it protects all domains except Production Custom Domains.

Selecting Standard Protection in the Vercel Dashboard.

Standard Protection can be configured with the following Deployment Protection features:

Enabling Standard Protection restricts public access to the production generated deployment URL. This affects VERCEL_URL and VERCEL_BRANCH_URL from System Environment Variables, making them unsuitable for fetch requests.

If you are using VERCEL_URL or VERCEL_BRANCH_URL to make fetch requests, you will need to update your requests to target the same domain the user has requested.

The Framework Environment Variable VERCEL_URL is prefixed with the name of the framework. For example, VERCEL_URL for Next.js is NEXT_PUBLIC_VERCEL_URL, and VERCEL_URL for Nuxt is NUXT_ENV_VERCEL_URL. See the Framework Environment Variables documentation for more information.

For client-side requests, use relative paths in the fetch call to target the current domain, automatically including the user's authentication cookie for protected URLs.

// Before
fetch(`${process.env.VERCEL_URL}/some/path`);
 
// After
fetch('/some/path');
// Note: For operations requiring fully qualified URLs, such as generating OG images,
// replace '/some/path' with the actual domain (e.g. 'https://yourdomain.com/some/path').

For server-side requests, use the origin from the incoming request and manually add request cookies to pass the user's authentication cookie.

const headers = { cookie: <incoming request header cookies> };
fetch('<incoming request origin>/some/path', { headers });

Bypassing protection using Protection Bypass for Automation is an option but not required for requests targeting the same domain.
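The server-side pattern above, as an added example that is not part of the Vercel documentation: it resolves the path against the incoming request's origin and refuses any target on another origin, so the visitor's authentication cookie is only ever forwarded to the deployment that received it. The helper name `sameOriginFetchArgs`, the shape of `incoming` (a `url` plus `headers.get()`, as on a Fetch API Request), and the sample cookie value are assumptions.

```javascript
// Added example (not from the Vercel docs): build the arguments for a
// server-side fetch back to the deployment that served the current request.
// `incoming` is assumed to expose `url` (absolute) and `headers.get(name)`,
// as a Fetch API Request does; `sameOriginFetchArgs` is a hypothetical helper.
function sameOriginFetchArgs(incoming, path) {
  const origin = new URL(incoming.url).origin;
  // Resolve against the incoming origin instead of VERCEL_URL.
  const target = new URL(path, origin);

  // Inputs such as '//other.example/x' or 'https://other.example/x' resolve
  // to a different origin. Refuse them so the visitor's authentication
  // cookie is never sent to another host.
  if (target.origin !== origin) {
    throw new Error(`refusing cross-origin target: ${target.origin}`);
  }

  const headers = {};
  const cookie = incoming.headers.get('cookie');
  if (cookie) headers.cookie = cookie; // forward the cookie header only
  return { url: target.href, init: { headers } };
}

// Constructed sample request; a Map stands in for Fetch API Headers.
const sampleRequest = {
  url: 'https://my-project-1234.vercel.app/dashboard?tab=1',
  headers: new Map([['cookie', 'session=constructed-sample-value']]),
};

const sampleArgs = sameOriginFetchArgs(sampleRequest, '/some/path');
console.log(sampleArgs.url, sampleArgs.init);
// In a request handler: const res = await fetch(sampleArgs.url, sampleArgs.init);
```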

Protecting all deployments is available on Enterprise plans or with the Advanced Deployment Protection add-on for Pro plans

Selecting All Deployments secures all deployments, both preview and production, restricting public access entirely.

With this configuration, all URLs, including your production domain example.com and generated URLs like my-project-1234.vercel.app, are protected.

Selecting All Deployments in the Vercel Dashboard.

Protecting all deployments can be configured with the following Deployment Protection features:

Protecting production deployments is available on Enterprise plans

Restrict access to protected deployments to a list of Trusted IPs.

Preview deployment URLs remain publicly accessible. This feature is only available on the Enterprise plan.

Selecting All Deployments in the Vercel Dashboard.

(Legacy) Standard Protection is a legacy feature that protects all preview URLs and deployment URLs. All up-to-date production URLs are unprotected.

Selecting (Legacy) Only Preview Deployments protects preview URLs, while the production environment remains publicly accessible.

For example, Vercel generates a preview URL such as my-preview-5678.vercel.app, which will be protected. In contrast, all production URLs, including any past or current generated production branch URLs like *-main.vercel.app, remain accessible.

Advanced Deployment Protection features are available to Enterprise customers by default. Customers on the Pro plan can access these features for an additional $150 per month, including:

To opt in to Advanced Deployment Protection while on a Pro plan:

  1. Navigate to your Project Settings and select the Deployment Protection tab
  2. Then choose one of the above protection features
  3. You will then be prompted to upgrade to the Advanced Deployment Protection add-on through an Enable and Pay button before you can use the feature

When you enable Advanced Deployment Protection, you will be charged $150 per month for the add-on, and will have access to all Advanced Deployment Protection features.

To opt out of Advanced Deployment Protection:

  1. Navigate to your Team Settings, then the Billing page
  2. Press Edit on the feature you want to disable and follow the instructions to disable the add-on

In order to disable Advanced Deployment Protection, you must have been using the feature for a minimum of thirty days. After this time, once cancelled, all Advanced Deployment Protection features will be disabled.
