SvelteKit issues on the Vercel platform

Help
1

Hi there. I’m a SvelteKit maintainer and there are currently two issues with the Vercel Platform that are causing SvelteKit to not work correctly:

  1. Preview deployments with deployment protection

When deployment protection is enabled, an edge deployed function can’t fetch public assets that have also been deployed. In SvelteKit, we have a read function that is used to read the contents of a file no matter the platform. On Vercel’s edge functions, it tries to fetch the file but gets a 401 Unauthorized error because the domain requires authorization. This happens despite the fetch happening from the edge function itself. Here’s what a fetch from a local instance of Node to the protected public assets looks like and I can imagine it’s the same in the edge function:

Welcome to Node.js v22.17.1.
Type ".help" for more information.
> await fetch('https://vercel-read-50al2qbyf-tee-ming-chews-projects.vercel.app/_app/immutable/assets/example.D3f9Q3df.txt')
Response {
  status: 401,
  statusText: 'Unauthorized',
  headers: Headers {
    'cache-control': 'no-store, max-age=0',
    'content-length': '13542',
    'content-type': 'text/html; charset=utf-8',
    date: 'Thu, 31 Jul 2025 02:58:26 GMT',
    server: 'Vercel',
    'set-cookie': '_vercel_sso_nonce=qSmaq2sZvTXYoFDzyTEUhGxU; Max-Age=3600; Path=/; Secure; HttpOnly; SameSite=Lax',
    'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
    'x-frame-options': 'DENY',
    'x-robots-tag': 'noindex',
    'x-vercel-id': 'sin1::9sfjs-1753930706654-d8b9b850c4b6'
  },
  body: ReadableStream { locked: false, state: 'readable', supportsBYOB: true },
  bodyUsed: false,
  ok: false,
  redirected: false,
  type: 'basic',
  url: 'https://vercel-read-50al2qbyf-tee-ming-chews-projects.vercel.app/_app/immutable/assets/example.D3f9Q3df.txt'
}

A good solution would be fetches from an edge function to itself just work. Otherwise, some documentation on how to work around this would be appreciated (probably by attaching some token in a header provided by a system environment variable?)

  1. x-middleware-rewrite header discards URL search paramters

This was filed in the Vercel GitHub repo but I don’t think that’s the right place for it anymore x-middleware-rewrite discards URL search params with no value · Issue #12902 · vercel/vercel · GitHub

1 Like
4

Hi @eltigerchino, welcome to the Vercel Community!

Thanks for raising this issue here. Let me share this internally with our team and get some help here.

1 Like
6

I think we’re able to solve the first issue using the generated VERCEL_AUTOMATION_BYPASS_SECRET in the x-vercel-protection-bypass header as pointed out by Rich. I totally missed that in the docs here Protection Bypass for Automation

1 Like
8

Thanks for sharing the findings @eltigerchino. I’m still working with the team to get a hold of #2.

1 Like
9

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.