Skip to content

Vercel Token

Service Name: Vercel

Service Description: Vercel is a cloud platform for static sites and serverless functions that enables developers to host websites and web applications with ease. It provides seamless integration with popular frameworks like Next.js, React, Vue, and Angular.

Service Address: https://vercel.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the team level in Vercel's security settings.

Secret Access Scope: Vercel tokens grant programmatic access to Vercel's API, allowing deployment management, project configuration, and team administration depending on the token's permissions.

Secret Revokement URL: https://vercel.com/account/tokens

Secret Example: vercel_token_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t

Suspicious Activity Investigation Instructions:

  • Review the Vercel dashboard for unauthorized deployments or project changes.
  • Check the activity logs in your Vercel account for suspicious actions.
  • Verify if there are any unexpected team members or collaborators added to your projects.
  • Examine deployment history for unauthorized or unexpected deployments.
  • Check for changes in environment variables or project settings.

Mitigation Instructions:

  • Log in to your Vercel account and navigate to

https://vercel.com/account/tokens.

  • Identify the compromised token in the list.
  • Click the "Revoke" button next to the token to immediately invalidate it.
  • Create a new token with appropriate scopes if needed.
  • Review and update your project's security settings.
  • Consider enabling two-factor authentication for your Vercel account.
  • Audit your codebase and CI/CD pipelines to ensure tokens are not exposed.