Technology Jun 24, 2026 4 min read

Vercel Adds Custom OIDC Token Audiences for Secure Service-to-Service Auth

Vercel adds custom OIDC token audiences, letting developers lock tokens to specific providers—critical for secure AI service-to-service authentication

Vercel's OIDC issuer at oidc.vercel.com now supports custom token audiences, giving developers fine-grained control over service-to-service authentication and closing a critical security gap for multi-provider deployments. The announcement was made on Vercel's changelog.

What Changed

Previously, Vercel issued OIDC tokens with a fixed audience claim (https://vercel.com/{owner}). This meant every third-party provider—from cloud AI platforms to database services—received the same audience value. Under the new update, developers can specify a custom audience per deployment, tailoring the token to each provider's requirements.

According to Vercel, the change addresses a key security best practice: using a unique audience per provider. If a provider is compromised, an attacker cannot reuse the stolen token against other services because the audience claim won't match.

Why This Matters for AI Developers

For developers building AI workflows on Vercel—such as serverless inference pipelines, model hosting, or AI agents—OIDC tokens are the backbone of secure credential exchange. Without custom audiences, a token used to authenticate with an AI inference API could theoretically be replayed against a vector database or a secret manager. Custom audiences lock each token to its intended destination.

Consider a typical AI stack on Vercel: an application fetching embeddings from OpenAI, storing results in Pinecone, and managing secrets with HashiCorp Vault. With a single audience, a compromised downstream provider (e.g., a compromised vector database endpoint) could reuse the token to access the other services. Custom audiences eliminate this cross-service attack vector.

Technical Implementation

To enable custom audiences, developers configure the token request with a specific aud claim. Vercel's OIDC issuer validates the request and issues a signed JWT that includes the custom audience. The token expires after a short TTL, typically minutes, further limiting replay risk.

Vercel's documentation recommends setting the audience to the exact identifier required by the target service, such as https://api.openai.com or aws:iam::123456789012:role/MyRole. Services then verify the audience claim as part of their authentication flow.

This aligns with the OAuth 2.0 and OIDC specifications, where the audience field explicitly names the intended recipient. By adopting this practice, developers reduce the attack surface without adding complexity to their codebase.

Implications for Security-Conscious Teams

AI teams handling sensitive data—such as customer PII, proprietary models, or financial logs—should treat this as a mandatory upgrade. The fix is backward compatible: existing deployments without custom audiences continue to work with the default audience. However, Vercel encourages all teams to adopt custom audiences for any integration involving production data.

From a compliance standpoint, custom audiences help satisfy security frameworks like SOC 2, ISO 27001, and FedRAMP, which require strict access controls and token binding. Auditors increasingly look for audience verification in OIDC flows as a sign of mature credential management.

What Developers Need to Do

  • Update deployment scripts to include an aud claim matching each external provider.
  • Verify that downstream services validate the audience claim in incoming tokens.
  • Audit existing tokens to ensure no single token has access to multiple providers.

Vercel provides environment variables and CLI flags to configure the audience without code changes. For example, setting VERCEL_OIDC_AUDIENCE in vercel.json applies the custom audience to all tokens generated during that deployment.

Broader Context: The Shift to Zero Trust

Custom audiences represent a broader industry trend toward zero-trust architectures, where no implicit trust is granted between services. As AI workloads move from monolithic apps to distributed microservices—each calling multiple cloud APIs—the risk of token misuse grows. Vercel's move mirrors similar changes by AWS, Google Cloud, and GitHub Actions, all of which now support customizable OIDC claims.

For AI developers specifically, the update removes a friction point in federated identity workflows. Previously, teams had to create intermediary proxies to rewrite audiences or use separate Vercel projects per provider. Now, a single project can securely talk to OpenAI, Pinecone, and any other OIDC-aware service.

Looking Ahead

Vercel is rolling out the feature to all projects on the Pro and Enterprise plans, with free-tier access expected later this year. The company hints at future enhancements, including dynamic audience templates and policy-based token generation, which would allow even finer-grained control based on environment, branch, or user.

For now, AI developers should experiment with custom audiences in staging environments before promoting to production. The security gains are immediate, and the implementation cost is minimal—a small investment for a significant reduction in risk across your entire AI infrastructure.

Source: Vercel Blog. This article was produced with AI assistance and reviewed for accuracy.


About James Whitfield

James Whitfield is a senior software engineer with 8 years of experience building developer tools, CLI applications, and IDE extensions. He has contributed to open source projects including VS Code extensions and GitHub Actions workflows. Currently covers AI developer tools, coding assistants, and platform engineering for AI Herald.
