Vercel Community

[▲ Vercel Community](/) · [Categories](/categories) · [Latest](/latest) · [Top](/top) · [Live](/live)

[Feedback](/c/feedback/8)

# Project-level scope for API tokens

282 views · 7 likes · 10 posts


Paul Berg (@prberg) · 2025-03-03 · ♥ 1

At the moment, the Vercel API token can only be scoped to the user or the team level.

From a security standpoint, it would be super helpful if the token could also be scoped at the **project-level**.

We would like to have bespoke API tokens for each of our projects on Vercel.


Amy Egan (@amyegan) · 2025-03-04

Thanks for the suggestion! I'll pass it along to the team. :smile: 

I also want to make sure you're aware that it's currently possible to create multiple [access tokens scoped to **teams**](https://vercel.com/changelog/access-tokens-can-now-be-scoped-to-teams). You can set them up with expiration dates or manually delete anytime. So you could create separate tokens for each project with team-level scope to use with individual projects.


Paul Berg (@prberg) · 2025-03-04 · ♥ 1

Thanks, @amyegan!

[quote="Amy Egan, post:2, topic:6568, username:amyegan"]
So you could create separate tokens for each project with team-level scope to use with individual projects.
[/quote]

Unfortunately, this doesn't help, since our goal is to restrict access to specific projects and hence lower the attack surface by allowing only a few people from our team to deploy to all Vercel projects.


Paul Berg (@prberg) · 2025-03-06

The more I think about this feature, the more I realize how important it is for protecting your customers from hacker attacks.

Recently, the crypto industry suffered a [major hack](https://x.com/safe/status/1894768522720350673)—$1.5 billion was lost because a developer's AWS session key was stolen. The atacker was a state-sponsored hacking group.

If a similar attacker were to obtain a large organization's `VERCEL_TOKEN`, they could easily inject a malicious version of its website.

Given this risk, I think that project-scoped tokens should be a high-priority addition to your roadmap.


Amy Egan (@amyegan) · 2025-03-07 · ♥ 4

I just confirmed with the engineering team that this is on the roadmap. I don't have an estimated release date yet, but we're already working on it.

Keep an eye on the [changelog](https://vercel.com/changelog) for an announcement when it becomes available.


jthomps (@jasonthompson-7072) · 2025-07-24 · ♥ 1

I was just searching for this feature today... and according to AI Overview the feature exists... but this seems to be incorrect. Looks like you can do this on a personal account?

Anyway, this would be an amazing improvement! thx


Amy Egan (@amyegan) · 2025-07-28

This is still in development :smiley:


Alessio Micali (@alemic) · 2026-02-07

It would be very useful, i was searching too. Any update on the implementation? Thanks!


Lintile (@lintile-actual) · 2026-03-08 · ♥ 2

Hello, could we please consider bumping the priority here? This is a self contained feature that would simultaneously reduce the attack vector elegantly laid out above, but also allow for reducing deployment friction for experiments and other projects to be safely conducted.


Paul Berg (@prberg) · 2026-03-09

I agree with @lintile-actual. It’s been a year already and this hasn’t been implemented.