Vercel
Vercel introduces prefixed token formats and automatic secret scanning for leaked credentials
Vercel · security · api · feature · vercel.com

New Token and API Key Formats

Vercel has standardized authentication credentials with visual prefixes that make credential types immediately identifiable:

  • vcp – Vercel personal access tokens
  • vci – Vercel integration tokens
  • vca – Vercel app access tokens
  • vcr – Vercel app refresh tokens
  • vck – Vercel API keys

These prefixes help developers quickly identify credential types in logs, configuration files, and code reviews.
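One way to put the prefixes to work when reviewing logs or configuration files, as an added example that is not Vercel's code: it classifies each credential by its prefix and redacts it before the line is stored or shared. The full token layout (an underscore after the prefix, then at least 20 URL-safe characters) is an assumption, since this page lists only the prefixes; the sample input is constructed.

```python
import re

# Prefix -> credential type, as listed on this page.
VERCEL_PREFIXES = {
    "vcp": "personal access token",
    "vci": "integration token",
    "vca": "app access token",
    "vcr": "app refresh token",
    "vck": "API key",
}

# ASSUMPTION: prefix, underscore, then 20+ URL-safe characters. The page gives
# only the prefixes; adjust separator and length to the tokens you actually see.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_-])(" + "|".join(VERCEL_PREFIXES) + r")_[A-Za-z0-9_-]{20,}"
)


def redact_token(token):
    """Keep the prefix and last 4 characters so a finding can still be triaged."""
    return f"{token[:4]}...{token[-4:]}"


def find_credentials(text):
    """Return (line_number, credential_type, redacted_token) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            kind = VERCEL_PREFIXES[m.group(1)]
            hits.append((lineno, kind, redact_token(m.group(0))))
    return hits


def redact(text):
    """Return text with every matched credential replaced by its redacted form."""
    return TOKEN_RE.sub(lambda m: redact_token(m.group(0)), text)


# Constructed sample input; these are not real credentials.
SAMPLE = """\
2024-01-01T00:00:00Z deploy started by ci
Authorization: Bearer vcp_EXAMPLEexampleEXAMPLEexample0001
VERCEL_API_KEY=vck_EXAMPLEexampleEXAMPLEexample0002
note: vcp is the personal token prefix
"""

if __name__ == "__main__":
    for lineno, kind, shown in find_credentials(SAMPLE):
        print(f"line {lineno}: {kind} ({shown})")
```

Because the type is read from the prefix, a finding can be routed straight to the right revocation path (personal token, integration, app, or API key) without inspecting the secret itself.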

Automatic Secret Scanning and Revocation

Leveraging GitHub's secret scanning infrastructure, Vercel now automatically detects when API credentials are exposed in public GitHub repositories, gists, and npm packages. Upon detection:

  • Exposed credentials are automatically revoked to prevent unauthorized account access
  • Users receive immediate notifications about the breach
  • Discovered tokens and API keys are visible in the Vercel dashboard for review

This provides an additional security layer for all Vercel and v0 users without requiring manual intervention.

Recommended Actions

Developers should:

  • Regularly review tokens and API keys in their Vercel account settings
  • Rotate long-lived credentials periodically
  • Revoke any unused authentication credentials
  • Refer to Vercel's account security documentation for best practices