Vercel makes it easy to share deployments with your friends, team members, and other collaborators. To secure deployments, Vercel also offers a number of granular controls to restrict who can or cannot view specific deployments.
You can access Deployment Protection controls by:
- Navigate to Deployment Protection settings for your project
- Enable the protections you'd like for your project
Vercel Authentication is a system that lets you restrict viewing and commenting on deployments only to a specific set of users. These users include:
- Logged in team members with at least the viewer role
- Logged in project members with at least the project Viewer role
- Logged in members of an access group that has access to the project the deployment belongs to
- Logged in Vercel users who have been granted access
- Anyone who has been given a Shareable Link to the deployment
- Tools using the protection bypass for automation header
By default, Vercel Authentication is automatically enabled for all deployments with the exception of the most recent production deployment. There are three levels of protection with Vercel Authentication:
- Standard Protection: The recommended way to secure all your domains, including both preview and production deployment URLs, to limit public access
- Only Preview Deployments: Protects your development and testing environments
- All Deployments: The most comprehensive protection level and secures every deployment
You can configure a password for your deployments for an additional layer of security. It can be configured to trigger with the same three levels of security as Vercel Authentication.
Enterprise customers can restrict access to your deployment to only a specific set of whitelisted IPs.
Vercel Authentication’s rules apply universally to any visitor. However, you may want to configure exceptions for particular users or use cases. To do so, Vercel offers a number of secure methods to bypass Vercel Authentication:
- Protection Bypass for Automation: Allows certain automated workflows like e2e testing or AI computer control to bypass Vercel Authentication when a predefined secret is passed as a HTTP header or query parameter
- Sharable Links: Allows anyone with a specific link bypass Vercel Authentication in a similar manner to how one might share a Google Doc, Figma, etc… Consider creating a sharable link if you plan on granting access to a particular deployment for collaborators outside of your Vercel team
- OPTIONS Allowlist: Allows certain CORS preflight
OPTIONSrequests to bypass Vercel Authentication - Deployment Protection Exceptions: Makes specified pre-production domains publicly accessible and bypass Vercel Authentication
- No chats are ever deployed without actively sharing them
- v0 chats deployed to Vercel can use the deployment protection features described above
Deployments that are not automatically locked down and that do not have a custom domain (like your-project-name.vercel.app) are public and indexable by Google and other search engines.
If you do not want to have these indexed, follow any of the steps above to protect them from being discovered by search engines and visitors.