Vercel Release Notes

Trusted Sources lets protected deployments accept short-lived identity tokens (OIDC) from Vercel projects and external services you authorize, so you no longer have to share a long-lived Protection Bypass for Automation secret. Trusted Sources is the recommended approach, but Protection Bypass for Automation continues to work

Callers attach an OIDC token in the x-vercel-trusted-oidc-idp-token header. Vercel then verifies the signature, checks the claims you configured, and confirms the environment matches the rule.

Authorize Vercel projects

By default, the Vercel OIDC token for a project can call its own deployments. To authorize another project in the same team, add it to Trusted Sources.

Self-access and cross-project rules are both customizable with from/to environment pairs. To authenticate a request from a project, forward its Vercel OIDC token:

function.ts
import { getVercelOidcToken } from '@vercel/oidc';
await fetch ('https://protected-project.vercel.app/api/data', {
headers: {
'x-vercel-trusted-oidc-idp-token': await getVercelOidcToken()
},
})
Vercel Function example

Authorize external services

Any custom OIDC provider can be authorized as a trusted external service, such as GitHub Actions, or a Vercel project in another team.

workflow.yaml
- uses: actions/github-script@v7
  id: token
  with:
    script: |
      const token = await core.getIDToken();
      core.setSecret(token);
      core.setOutput('token', token);
- run: |
  curl -sSf https://protected-project.vercel.app/api/data \ 
  -H "x-vercel-trusted-oidc-idp-token: ${{ steps.token.outputs.token }}"
GitHub Action example

Read the documentation to learn more.

Kit Foster, Marc Greenstock, Tim White

Vercel Firewall now lets you create WAF custom rules using natural language. Describe the behavior you need and the dashboard will generate the rule.

Visit the firewall custom rules page to try creating a rate-limiting rule:

Create a WAF custom rule that rate limits all API requests to 50 per minute per IP. If a single IP exceeds the limit, block subsequent requests for 5 minutes.

WAF custom rules let you control traffic to your site by logging, blocking, challenging, rate limiting, or redirecting requests based on conditions like IP address, path, country, user agent, and more.

For example, you can:

• Log all requests to /api/webhook with a missing authorization header
• Block all requests to /wp-admin
• Challenge all traffic to /checkout that doesn't come from the US

Generate your first rule or learn more in the documentation.

Yash Kothari

Fast mode for Claude Opus 4.7 is now available on AI Gateway in research preview.

Fast mode delivers ~2.5x faster output token generation with full Opus 4.7 intelligence. This is an early, experimental feature.

To enable fast mode, pass speed: 'fast' in the anthropic provider options with anthropic/claude-opus-4.7.

import { streamText } from "ai";

const { text } = await streamText({
  model: "anthropic/claude-opus-4.7",
  prompt: "Analyze this codebase structure and create a plan to add user auth.",
  providerOptions: {
    anthropic: {
      speed: "fast",
    },
  },
});

You can use fast mode with Claude Code via AI Gateway by setting the CLAUDE_CODE_SKIP_FAST_MODE_ORG_CHECK and CLAUDE_CODE_ENABLE_OPUS_4_7_FAST_MODE variables in your shell configuration file or in ~/.claude/settings.json.

export CLAUDE_CODE_ENABLE_OPUS_4_7_FAST_MODE=1
export CLAUDE_CODE_SKIP_FAST_MODE_ORG_CHECK=1

{
  "env": {
    "CLAUDE_CODE_SKIP_FAST_MODE_ORG_CHECK": "1",
    "CLAUDE_CODE_ENABLE_OPUS_4_7_FAST_MODE": "1"
  }
}

Fast mode is priced at 6x standard Opus rates.

All standard pricing multipliers (e.g., prompt caching) apply on top of these rates.

AI Gateway: Track top AI models by usage

The AI Gateway model leaderboard ranks the most used models over time by total token volume across all traffic through the Gateway. Updates regularly. View the leaderboard

Walter K, Rohan T, Jeremy P, Jerilyn Z

You can now manage the Vercel Firewall directly from the CLI.

Using the vercel firewall command, you can configure custom rules, IP blocks, system bypasses, attack mode, and system mitigations.

vercel firewall rules add --ai "Rate limit /api to 100 requests per minute by IP"
vercel firewall ip-blocks block 1.2.3.4
vercel firewall system-bypass add 10.0.0.1
vercel firewall attack-mode enable --duration 1h
vercel firewall system-mitigations pause

Manage Vercel Firewall functionality from the CLI

Building on the new CLI commands, the Vercel Firewall skill lets agents interact with the Firewall and includes best practices for rolling out new Firewall rules safely.

npx skills add vercel/vercel-plugin --skill vercel-firewall

Update to the latest CLI version and run vercel firewall to get started. Learn more about the Vercel Firewall CLI commands.

Yash Kothari

Vercel Sandbox now supports Node.js version 26.

To run a Sandbox with Node.js 26, upgrade @vercel/sandbox to 1.10.2 or later, or to 2.0.0-beta.19 or later if you're using v2 and set the runtime property to node26 :

import { Sandbox } from "@vercel/sandbox";

const sandbox = await Sandbox.create({ runtime: "node26" });
const version = await sandbox.runCommand("node", ["-v"]);
console.log(`Node.js version: ${await version.stdout()}`);

Get started today and learn more in the documentation.

Andy Waller