Vercel's OIDC issuer (oidc.vercel.com) now supports custom audiences. Deployments can request OIDC tokens with a specific audience claim, enabling secure service-to-service authentication with third-party providers.
Why custom audiences?
Vercel OIDC tokens are issued with a fixed audience (https://vercel.com/{owner}). While most cloud providers don't require a specific audience value, using a unique audience per provider is a security best practice. If a provider is compromised, an attacker cannot replay the token against a different provider - the mismatched aud claim will cause verification to fail. This new service makes it easy to mint provider-specific tokens without managing additional infrastructure.
How it works
When a Vercel deployment runs, it receives an OIDC token signed by Vercel. The new exchange service accepts this token and returns a new one signed with the same key, but with an updated audience (aud) claim targeting your downstream service.
The exchanged token:
- Preserves all original claims (project, environment, owner, expiration)
- Sets the iss (issuer) to https://oidc.vercel.com/{owner}, scoped to the team that owns the deployment
- Includes an act (actor) claim with the original token's audience and issued-at time, providing an auditable delegation chain
- Updates the aud to the requested downstream audience
- Updates the iat (issued-at) to the current timestamp, reflecting when the new token was created
You can optionally pass a jti (JWT ID) to assign a unique identifier to the exchanged token. This is useful for auditing and tracing token usage across services - for example, correlating a specific token exchange with downstream API calls in your logs.
Downstream services verify the exchanged token using the public key available at https://oidc.vercel.com/{owner}/.well-known/jwks.
Both the signing key and the token exchange endpoint are replicated across all Vercel regions, ensuring low-latency token exchange regardless of where the deployment is running.
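The downstream service's side of the verification described above, as an added example (not Vercel's code): it checks the signature against a JWKS, then the iss, aud, exp, iat and act claims, and returns the jti for log correlation. RS256, the 60-second clock skew, the owner acme, the provider URLs, the field names inside act and the locally generated key pair are assumptions made so it runs offline; a real verifier loads the JWKS from the URL above.

```javascript
const crypto = require('node:crypto');

// Verify the signature (RS256 assumed), then enforce the claims this page describes.
function verifyExchangedToken(token, jwks, { owner, audience, now = Date.now() / 1000 }) {
  const fail = (reason) => ({ ok: false, reason });
  const [h, p, s, ...extra] = String(token).split('.');
  if (!h || !p || !s || extra.length) return fail('malformed');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return fail('malformed'); }
  if (!header || !claims || typeof claims !== 'object') return fail('malformed');
  if (header.alg !== 'RS256') return fail('alg'); // pin the algorithm, never trust the header
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return fail('unknown-key');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) return fail('signature');
  if (claims.iss !== `https://oidc.vercel.com/${owner}`) return fail('iss'); // team-scoped issuer
  if (![].concat(claims.aud).includes(audience)) return fail('aud'); // blocks cross-provider replay
  if (typeof claims.exp !== 'number' || claims.exp <= now) return fail('expired');
  if (typeof claims.iat !== 'number' || claims.iat > now + 60) return fail('iat');
  if (!claims.act || typeof claims.act !== 'object') return fail('act'); // delegation chain present
  return { ok: true, claims, jti: claims.jti ?? null }; // log jti next to the API call
}

// Constructed sample data: a throwaway key pair stands in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key' }] };

function mintSample(claims, key = privateKey) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg: 'RS256', kid: 'demo-key', typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

const NOW = 1_700_000_000; // fixed clock so the example is deterministic
const SAMPLE_CLAIMS = {
  iss: 'https://oidc.vercel.com/acme', aud: 'https://provider-a.example',
  iat: NOW - 5, exp: NOW + 3600, jti: 'req-42',
  act: { aud: 'https://vercel.com/acme', iat: NOW - 10 }, // field names inside act are assumed
};
const SAMPLE_TOKEN = mintSample(SAMPLE_CLAIMS);

// Accepted by the intended provider; rejected on "aud" when replayed against another.
for (const audience of ['https://provider-a.example', 'https://provider-b.example']) {
  console.log(audience, verifyExchangedToken(SAMPLE_TOKEN, SAMPLE_JWKS, { owner: 'acme', audience, now: NOW }));
}
```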