Introducing eve
Eve is an open-source agent framework for building, running, and scaling agents.
Giving your agents access to your tools, data, and services is what makes them useful. As agents perform deeper work across systems, authenticating and authorizing that access becomes central to your application architecture.

Today, agent access is usually granted through long-lived provider tokens stored in your environment variables, provisioned for everything your agent might need. These tokens are shared across every user, never expire, and give your agent full reach across every task, no matter how small the job. A vault makes that token harder to steal. It doesn't make it less dangerous. The problem is what happens when the token leaks: everything it can touch is now exposed.

We built Vercel Connect to solve this problem. Now in Public Beta, Vercel Connect replaces the stored token with runtime credential exchange. You register a connector once. When your agent has work to do, your app proves its identity to Vercel Connect and gets back a short-lived credential, scoped to the task. Everything you used the token for still works. The agent just requests access each time instead of holding it.

Register a connector once, then reuse it across projects and environments

A connector is a reusable connection between your Vercel team and a provider like Slack or GitHub. You create it once from the dashboard or the CLI, then attach it to the projects and environments that need it, with project-level access controls. The relationship with the provider becomes a single entity you can see and manage, not something scattered across a dozen environment variable panels where a rotation means hunting down every copy.

Your coding agent can run this setup too. Install the vercel-connect skill with npx skills add vercel/vercel-plugin --skill vercel-connect, and it can create and attach connectors for you.

Request scoped tokens at runtime

With a connector in place, the agent asks for a credential only when it has work to do.
The @vercel/connect SDK returns a token you use immediately against the provider API, and no provider secret lives in your app. Tokens are short-lived, with a lifetime that depends on the provider. The SDK refreshes them automatically, so you never rotate a secret by hand.

That leaves one question. If your app holds no secret, what proves it's allowed to ask?

The app proves its identity with OIDC

The proof is an identity your app already has. Every deployment on Vercel gets an OIDC identity, and when your app or agent requests a token, the SDK presents that identity to Vercel Connect. Vercel Connect verifies it, checks that the project and environment are allowed to use the connector, and returns the provider credential. That round trip is the runtime credential exchange.

The same identity is available during local development through vercel link and vercel env pull, and outside Vercel, the SDK accepts a Vercel access token. Either way, there is no provider secret in your app to leak, commit, or copy between environments.

Scope each token to exactly what the task needs

Not every task needs the same reach, even within a single agent. One step might read a repository while the next opens an issue. Each requests exactly the access it needs, and the request itself sets limits. A request can include:

- Provider scopes
- An installation ID
- Resource restrictions
- Provider-specific authorization details

GitHub is the sharpest example because it can restrict a token to specific repositories and permissions. The deployment agent can read that one repository and do nothing else. A fine-grained GitHub App install can be narrow too, but an install is a standing grant, set up once and trusted from then on. This limit exists for one request, one task. Least privilege becomes the shape of the request.

Act on behalf of a specific user, with per-user token scoping

A shared bot token gives every user's request the same identity and reach. Vercel Connect lets you set that identity.
Switch subject from the app to a named user, and the token acts on that user's behalf, scoped to what that user authorized. When a user first grants access, startAuthorization runs the consent flow through a callback URL, a webhook, or a device code. After that, the agent requests tokens as that user.

Contain access by environment, and revoke it when you need to

A connector is attached to the projects and environments you choose, so you can run a separate connector for development, preview, and production instead of pointing one at all three. When each environment has its own connector with an authorization grant and scopes, a credential compromised in development cannot be replayed against production.

Separate connectors limit where a credential works, but they don't pull back access already issued. That's normally the painful part. With a stored token, that means a rotation. You mint a new secret, update every place the old one lived, and redeploy whatever depended on it. With Vercel Connect, you revoke the connector's tokens, either your own or all of them.

What revoking does depends on the provider. Where the provider supports revocation, Vercel Connect revokes the token at the provider. Where it does not, Vercel Connect stops issuing new tokens for that grant, and a token already issued stays valid at the provider until it expires. That is a real limit on any provider without a revocation API, and the shorter the provider keeps its tokens, the smaller that window is.

Drive event-driven agents from verified Slack triggers

So far, your agent has been the one reaching out. It requests a token and calls a service when it has work to do. Triggers run the other way. A connected service sends an event to your app, and your agent responds. Vercel Connect receives the provider's webhook, verifies it, and forwards it to your project. Trigger forwarding is in beta and supports Slack, GitHub, and Linear today.
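The exchange, scoping and revocation rules described above, as an added in-process simulation (not code from the @vercel/connect SDK or the Connect service). The caller's deployment identity is assumed already verified (the OIDC step); connector names, projects, scope strings and the TTL are constructed for the example.

```javascript
// Added example: a minimal broker showing the policy that follows identity
// verification in a runtime credential exchange: is the project/environment
// attached to the connector, is the grant still active, does the requested
// scope fit the grant, and what does revocation do to tokens already issued.
// Everything below (connector, projects, scopes, TTL) is constructed.
const connectors = {
  'github-main': {
    provider: 'github',
    attachments: [{ project: 'deploy-agent', env: 'production' }],
    grants: {
      app: { scopes: ['repo:read', 'issues:write'], revoked: false },
      'user:alice': { scopes: ['repo:read'], revoked: false },
    },
    tokenTtlMs: 10 * 60 * 1000, // short-lived; the real lifetime is provider-defined
  },
};
const issued = []; // tokens this broker has handed out (needed for revocation)
// identity: { project, env } as attested by the deployment's verified identity
// request: { connector, subject?, scopes }; subject defaults to the app itself
function exchange(identity, request, now = Date.now()) {
  const c = connectors[request.connector];
  if (!c) return { ok: false, reason: 'unknown connector' };
  const attached = c.attachments.some(
    (a) => a.project === identity.project && a.env === identity.env);
  if (!attached) return { ok: false, reason: 'project/environment not attached' };
  const subject = request.subject || 'app';
  const grant = c.grants[subject];
  if (!grant || grant.revoked) return { ok: false, reason: 'no active grant' };
  // Least privilege: a request may narrow the grant, never widen it.
  const over = request.scopes.filter((s) => !grant.scopes.includes(s));
  if (over.length) return { ok: false, reason: `scope not granted: ${over.join(',')}` };
  const token = { value: `tok_${issued.length + 1}`, subject,
                  scopes: request.scopes, expiresAt: now + c.tokenTtlMs };
  issued.push(token);
  return { ok: true, token };
}

// Revoking a grant stops new issuance. Whether tokens already issued die at
// once depends on the provider having a revocation API; providerRevokes
// models that. Without it, an issued token stays valid until it expires.
function revoke(connectorName, subject, providerRevokes) {
  connectors[connectorName].grants[subject].revoked = true;
  if (providerRevokes) for (const t of issued) if (t.subject === subject) t.expiresAt = 0;
}

const isValid = (token, now = Date.now()) => now < token.expiresAt;
```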
A Slack connector can forward its verified webhooks to up to three of your projects, so a message in Slack can wake an agent that acts on it. The flow runs end to end without a provider secret in your app:

1. A user posts a message in Slack.
2. Slack sends the event to Vercel Connect.
3. Vercel Connect verifies the event against the Slack signing secret it holds, then forwards it to your Vercel app, re-attested with its OIDC identity.
4. Your app verifies that attestation, then requests a scoped runtime token.
5. The agent acts and responds.

The Slack signing secret does not disappear. It moves server-side to Vercel Connect, which verifies the upstream webhook and re-signs the forwarded request with an identity your app can check. Your app holds no bot token to act with and no signing secret to verify against.

Vercel Connect meets your code where it already is

Underneath everything is one call. Whether your agent is built on the AI SDK, runs as a background job, or is a loop you wrote yourself, it asks for a token the same way, with getToken. Around that call are adapters for the stack you already run. Better Auth (@vercel/connect/betterauth) and Auth.js (@vercel/connect/authjs) get provider configs in the shape they expect, and @vercel/connect/ai-sdk and @vercel/connect/mcp do the same for AI SDK tools and MCP clients. The Nuxt starter gives you a working app to build on, with GitHub and Linear connected, no provider secret, and no OAuth refresh token stored in its database.

Frameworks can take this further and make the connection itself declarative. In eve, the open-source agent framework by Vercel, a connection is one file, and the @vercel/connect/eve adapter supplies that connection's credential. There is no token handling in the agent's code, because connect maps the consent flow, refresh, and error cases onto eve. Any MCP server that supports OAuth can become a connector by its URL, which is how mcp.linear.app ends up with the same scoped-token model as Slack or GitHub.
The same adapter wires a Slack channel. One connectSlackCredentials call covers both directions: the bot credentials for sending and the webhook verification for receiving. The two secrets a Slack integration usually keeps in your environment, SLACK_BOT_TOKEN and SLACK_SIGNING_SECRET, are gone from your app. There is nothing left to provision, store, or rotate.

Access becomes something you request, scoped to the task

An agent becomes more useful the more it can reach, which is exactly why access is the part to get right. Every system the agent can touch is a system someone could reach through a leaked token. With runtime credential exchange, nothing is provisioned for everything. Nothing is shared by every user. Nothing lasts forever. Nothing reaches past the task in front of it.

Credential management used to be architecture. It was rotation scripts, secrets copied between environments, and bot tokens broad enough that you hoped no one leaked them. Now you store none of it. You request access the moment the agent needs it, scoped to the task.

Start building with Vercel Connect

Register a connector, request your first runtime token, and connect an agent to Slack or GitHub without storing a provider secret. Coding agents just need a prompt:

Frequently asked questions

What is Vercel Connect?

Vercel Connect lets your agents and services access external systems on behalf of your users and teams. Instead of storing provider credentials in long-lived environment variables, you request user-authorized tokens at runtime with project-level access controls.

What problem does Vercel Connect solve?

It removes long-lived third-party secrets from your runtime while still letting agents act on external APIs. You register a connector for a provider, link it to projects and environments, and request provider tokens at runtime.

When should I use Vercel Connect instead of Integrations?
Use Vercel Integrations for marketplace-managed installs and provider-managed products in the Vercel Marketplace. Use Vercel Connect when you need delegated runtime credentials and user authorization for agent workflows, such as an agent that needs project-scoped access to a Slack workspace.

Which connectors are available?

Vercel Connect supports generic OAuth and API key connectors, plus dedicated connectors for Slack, GitHub, Linear, Discord, Notion, Salesforce, Figma, and Snowflake. Resend, Workday, Microsoft Teams, and more are coming soon.

How does pricing work?

Pricing is based on token requests. The Hobby plan includes 5K token requests per month at no additional cost. On Pro and Enterprise plans, token requests are billed at $3 per 10K token requests.

What are the current Beta limitations?

Trigger forwarding is limited to Slack, GitHub, and Linear, connector branding fields cannot be fully cleared after you set them, and token revocation, token lifetime, and scope granularity depend on provider support.
Today we’re open sourcing deepsec: a security harness powered by coding agents. It runs on your own infrastructure and surfaces hard-to-find issues in large codebases. You can run deepsec on your laptop without setting up a cloud service for privileged source code access. For inference, you can use your existing Claude or Codex subscription without any additional setup.

Scanning large repos can take multiple days on a single machine. To run research jobs in parallel, deepsec supports optional fanout to Vercel Sandboxes for remote execution. Scans on Vercel’s codebases routinely scale up to 1,000+ concurrent sandboxes.

Architecture

At its core, deepsec uses claude and codex to perform tailored investigation of a codebase using Opus 4.7 at max effort and GPT 5.5 at xhigh reasoning. Scans start with static analysis to identify security-sensitive files, then coding agents investigate each candidate, tracing data flows, checking for mitigations, and producing actionable findings with severity ratings. Here is the workflow:

1. Scan: It starts by performing a regex-only scan of all files for security-sensitive areas that subsequent steps will focus on.
2. Investigate: Agents investigate each file identified in the scan.
3. Revalidate: A second agent run validates investigation findings to remove false positives and reclassify severity.
4. Enrich: Once investigation is complete, an agent uses git metadata and other optional services to identify the contributors responsible for fixing each issue.
5. Export: The export command formats the findings as instructions so that they can be turned into tickets for humans and coding agents.

Running deepsec on production code

deepsec has been highly useful on our own monorepos and for our customers' codebases. During development, we ran deepsec on several open source repositories of Vercel customers and partners. For example, deepsec scanned the open source version of dub.co.
Dub is a marketing attribution platform for affiliate programs and short links that is also available as SaaS. It features authenticated access, interacts with a database, and runs several backend services, creating a large security surface. When we shared our deepsec findings with founder Steven Tey, he replied:

Running against Vercel’s own monorepos, deepsec identified subtle edge cases in auth conditions, leading us to develop a custom scanner plugin that covers every authentication path in our code.

False positives and best uses

Some of deepsec's findings will be false positives. In our experience the false positive rate is roughly 10-20%. Given the impact of true positive findings in our own research, we’ve been happy with this outcome, and we built the revalidate step to have the agent further verify its findings to reduce false positives.

deepsec works best for applications and services. It may be usable for libraries and frameworks, but those would likely require custom prompts and scanners.

Customization and plugins

deepsec ships with a plugin system for adapting it to your codebase. The most common plugins are custom scanners: regex matchers tuned to your auth model, data layer, or team conventions. We recommend using deepsec with your coding agent and asking it to write those matchers based on findings from an initial scan:

Do I need access to a special “cyber model”?

Both Anthropic and OpenAI offer “cyber” versions of their most capable models, fine-tuned to accept security tasks the base models won’t. deepsec works with these, but is also fully functional with off-the-shelf models. deepsec ships with a classifier that checks whether the task was refused after each research step. In our experience, for the prompt that deepsec is using, refusals are a non-issue for both Opus 4.7 and GPT 5.5.

Getting started

To get started, run npx deepsec init at the root of your repository.
This will create a directory called ./.deepsec, which is used to configure the system and store a catalog of your deepsec investigations. From there, follow the output of the command. Read the full documentation on GitHub.

Feedback welcome

While we’ve used deepsec extensively, it is still early in its development. Feedback and contributions on GitHub are welcome.
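The regex-only Scan step and the custom scanner plugins described above, as an added Node example that is not deepsec's code or plugin API (the plugin interface is not shown on this page). The matcher is tuned to a hypothetical auth model with requireSession() and requireApiKey() helpers, and the scanned files are constructed inline.

```javascript
// Added example: a regex-only pre-scan that picks candidate files for agent
// investigation, with reasons. The auth helpers (requireSession, requireApiKey)
// and the sample files are constructed; a real scanner plugin would be tuned
// to the codebase's own auth model and data layer.
const SENSITIVE = [
  { id: 'raw-sql', re: /(?:query|execute)\(\s*[`'"].*?\$\{/ },      // string-built SQL
  { id: 'secret-read', re: /process\.env\.[A-Z_]*(?:SECRET|TOKEN|KEY)\b/ }, // credential use
];
const ROUTE_HANDLER = /export\s+(?:async\s+)?function\s+(GET|POST|PUT|PATCH|DELETE)\b/g;
const AUTH_CALL = /\b(?:requireSession|requireApiKey)\s*\(/;

// files: { [path]: source }. Returns [{ path, reasons }] for files worth investigating.
function scan(files) {
  const out = [];
  for (const [path, src] of Object.entries(files)) {
    const reasons = [];
    for (const m of SENSITIVE) if (m.re.test(src)) reasons.push(m.id);
    const handlers = [...src.matchAll(ROUTE_HANDLER)].map((m) => m[1]);
    // An exported route handler with no auth helper call anywhere in the file.
    if (handlers.length && !AUTH_CALL.test(src)) reasons.push(`unauthenticated-handler:${handlers.join('/')}`);
    if (reasons.length) out.push({ path, reasons });
  }
  return out;
}

// Constructed sample repository: one unauthenticated handler building SQL by
// hand, one properly gated handler, one credential read, one harmless file.
const SAMPLE_FILES = {
  'app/api/links/route.ts': `import { db } from '@/db';
export async function GET(req) { const id = new URL(req.url).searchParams.get('id');
  return db.query(\`SELECT * FROM links WHERE id = '\${id}'\`); }`,
  'app/api/me/route.ts': `import { requireSession } from '@/auth';
export async function GET(req) { const s = await requireSession(req); return Response.json(s.user); }`,
  'lib/slack.ts': `export const token = process.env.SLACK_BOT_TOKEN;`,
  'lib/format.ts': `export const fmt = (n) => n.toFixed(2);`,
};
```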