Vercel Cuts Long-Lived Tokens, Reviews Stay Thin
Vercel shipped OIDC auth, signed URLs, and spend caps this week — all aimed at long-lived secrets. Here's what it means if you shipped with an AI builder.
Vercel shipped a run of changes this week that share one theme: get rid of long-lived secrets before someone else finds them. At the same time, over in r/vibecoding, people are admitting they review less of what their AI agent does and lose track of their own project state. Put those two things together and you get the actual risk: better security defaults exist, but fewer people are checking whether they're turned on.
TL;DR
- Vercel Blob now supports OIDC authentication, replacing the long-lived
BLOB_READ_WRITE_TOKENwith short-lived, auto-rotating tokens (source).- Signed URLs for Vercel Blob scope access to one operation, one path, and an expiry of up to 7 days, instead of handing out access to the whole store (source).
- You can now set spend caps on AI Gateway keys, because autonomous agent workflows can loop or fan out and burn cost with no one watching (source).
- On r/vibecoding, builders are describing agents they no longer fully understand, and projects where the AI's memory of the codebase has drifted from what's actually there — a gap that matters when nobody's reviewing the security config either.
Long-lived secrets are on their way out
The old pattern for AI-built apps was a single static token, copied into an environment variable, valid forever until someone remembers to rotate it. That's the BLOB_READ_WRITE_TOKEN model Vercel just moved away from. OIDC authentication for Vercel Blob issues short-lived tokens that rotate automatically, so there's nothing sitting around waiting to leak in a screenshot or a public repo (source).
Signed URLs do the same job for one-off access. Instead of exposing a token that can read or write the entire Blob store, you generate a URL scoped to a single operation — get, put, head, or delete — on a single file, with an expiry you set yourself. A URL signed for a download can't be reused to delete something (source). The same logic shows up in the new skills.sh API, which authenticates with a short-lived, team-scoped OIDC token rather than a static key you'd otherwise have to remember to rotate (source).
None of this fixes anything that was broken before. It's new plumbing. If your app still uses the old long-lived token, it still works — it's just no longer the default, and it's now the weaker option.
Agents get spending limits, not just API keys
The other change worth flagging: you can now cap how much an AI Gateway key can spend before it gets cut off. Vercel's own reasoning for shipping this is blunt — autonomous workflows can loop or fan out without supervision, demos can catch unexpected traffic if shared or shipped, and developers experimenting rarely track per-model cost until the bill arrives (source). That's a cost control, not a data-security fix, but it's the same underlying problem: agentic systems act on their own, and the guardrails are opt-in.
Vercel also updated its Terms of Service to spell out shared responsibility when actions on your account are taken by an AI tool — its own or a third party's — rather than by you directly (source). If you've connected an agent, an integration, or a coding assistant with write access to your infrastructure, that responsibility line runs through you.
The review gap is the real risk
None of the platform-level fixes matter if nobody checks that they're enabled. On r/vibecoding, one experienced engineer described seven months of using Codex and no longer fully understanding what it's doing — writing a prompt, reviewing the result, "often even don't review at all" (source). Another described the more common failure mode: fixing one thing, noticing three more, and returning to a project where the AI's own notes and context have drifted from what's actually true in the code (source).
That drift is where security config quietly rots. A signed URL expiry, a token scope, a spend cap — these are settings, not one-time fixes. If you're not reviewing what the agent shipped, you don't know if they're set at all.
FAQ
Does OIDC auth for Vercel Blob mean my old token was leaking?
No. A long-lived BLOB_READ_WRITE_TOKEN isn't a leak by itself — it's just a wider blast radius if it ever does leak. OIDC shrinks that blast radius by making the token short-lived and auto-rotating. Migrating is a hardening step, not damage control.
Do I need to change anything if I already use Vercel Blob?
Check whether your project is still on the static token. If so, update to the latest @vercel/blob package and switch to OIDC from your Blob store's project settings. It's a config change, not a rebuild.
What does Vercel's terms update actually change for me?
It clarifies that if an AI tool connected to your account — Vercel's or a third party's — takes an action, responsibility for that action runs through you as the account holder. Worth reading if you've given an agent write access to deploy, manage domains, or touch infrastructure on your behalf.
The bottom line
The direction of travel is clear: platforms are replacing long-lived, broadly-scoped credentials with short-lived, narrowly-scoped ones by default. That's good. But defaults only help if someone checks them, and the same week's vibecoding chatter shows a lot of founders reviewing less and losing track of their own project state. If you shipped with an AI builder, the fix isn't more features — it's five minutes to confirm which of these settings you actually turned on.
Find your gaps before an attacker does.
Is My Site Hackable? scans your deployed app for the exact issues in this article — exposed keys, missing RLS, open buckets — and tells you what's real and what's a false alarm.
Run a free scan →