How to Lock Down Deployments on Vercel and v0

Vercel (and by extension v0) makes it easy to share deployments with your friends, colleagues and other collaborators. To secure these deployments, Vercel also offers a number of granular controls to control who can or cannot view specific deployments.

v0

v0 generations are, by default not shared with the outside world. Once a v0 chat has been deployed to Vercel, the site is accessible to the public internet. However because v0 deployments are tied to Vercel projects under the hood, all the Vercel Authentication features listed below are applicable to any v0 generation.

To easily access the relevant Vercel project for any v0 deployment, click the View on Vercel Button on the deployment.

Navigating to the Deployment Protection Tab

You can access deployment protection controls by:

Logging in to your Vercel dashboard
Selecting the v0 or Vercel project where you want to configure Deployment Protection
Clicking the Settings tab
Selecting Deployment Protection under Settings

Vercel Authentication

Vercel Authentication is a system that lets you restrict viewing and commenting on deployment only to a specific set of users.

These users include:

Logged in team members with at least the viewer role in either v0 or Vercel
Logged in project members with at least the project Viewer role in either v0 or Vercel
Logged in members of an access group that has access to the project the deployment belongs to in either v0 or Vercel
Logged in Vercel users who have been granted access in either v0 or Vercel
Anyone who has been given a Shareable Link to the deployment in either v0 or Vercel
Tools using the protection bypass for automation header in either v0 or Vercel

By default, Vercel Authentication is automatically enabled for all v0 and Vercel deployments with the exception of the most recent production deployment. There are three levels of protection with Vercel Authentication:

Standard Protection: This is the recommended way to secure all your domains, including both preview and production deployment URLs, to limit public access.
Only Preview Deployments: This option focuses on protecting your development and testing environments.
All Deployments: This is the most comprehensive protection level and secures every deployment.

Additional Deployment Security

Password Protection

You can configure a password for deployments too add an additional layer of security. You can configure password protection to trigger with the same three levels of security as Vercel Authentication.

Add a password to a v0 deployment

Like every other feature listed in this guide, v0 deployments can leverage Vercel’s password protection. To more easily add password protection to v0, you can use the project settings menu to secure your deployment.

Trusted IPs

You can restrict access to your deployment to only a specific set of whitelisted IPs. A total of 20 IPs can be configured for each deployment.

Vercel Authentication Exceptions

Vercel Authentication’s rules apply universally to any visitor. However, you may want to configure exceptions for particular users or use cases. To do so, Vercel offers a number of secure methods to bypass Vercel Authentication:

**Protection Bypass for Automation:** Enabling this method allows certain automated workflows like e2e testing or AI computer control to bypass Vercel Authentication when a predefined secret is passed as a HTTP header or query parameter.
**Sharable Links:** Enabling this method allows anyone with a specific link bypass Vercel Authentication in a similar manner to how one might share a Google Doc, Figma, etc… Consider creating a sharable link if you plan on granting access to a particular deployment for collaborators outside of your Vercel team.
OPTIONS Allowlist: Enabling this method allows certain CORS preflight OPTIONS requests to bypass Vercel Authentication
Deployment Protection Exceptions: Enabling this method will make specified pre-production domains publicly accessible and bypass Vercel Authentication.

Appendix

Deployments that are not automatically locked down that do not have a domain are created under the your-project-name.vercel.app
Because v0 and Vercel projects are deployed to the public internet by default, they can be indexed by Google and other search engines. If you don't want these projects indexed by search engines, follow any of the steps above to protect them!