Add OTEL trace retrieval and session endpoints
Two new endpoints have been added to retrieve OpenTelemetry traces: GET /v1/projects/traces returns OTEL trace data for a given Vercel CLI request, and POST /v1/projects/traces/session mints a short-lived JWT token for scoping traces to a deployment hostname. These are purely additive endpoints that enable new tracing and debugging capabilities without affecting existing integrations.
Alert history
- Additive
Add OTEL trace retrieval and session endpoints
Two new endpoints have been added to retrieve OpenTelemetry traces: GET /v1/projects/traces returns OTEL trace data for a given Vercel CLI request, and POST /v1/projects/traces/session mints a short-lived JWT token for scoping traces to a deployment hostname. These are purely additive endpoints that enable new tracing and debugging capabilities without affecting existing integrations.
- Additive
Add organization-team-delete event type
The
organization-team-deleteevent type has been added to the Vercel API event schema in three locations. This is a new optional event that clients can now subscribe to or handle, providing visibility into team deletion events within organizations. - Additive
Add /storage/stores/{id} GET endpoint and restructure schema
New
GET /storage/stores/{id}endpoint added to retrieve storage store details by ID, returning store metadata including projects, environments, and deployment configurations. Additionally, several JSON schema property orderings were reorganized (movingdefaultfield position in form schemas andidfield in billing plan) without changing field presence or semantics, which is a non-breaking schema normalization. - Additive
Add POST /api-keys endpoint for creating API keys
A new
POST /api-keysendpoint is introduced to create API keys with configurable purpose, expiration, project restriction, and AI Gateway quota settings. Two new schema definitions (APIKeyandAPIKeyQuota) are added to represent API key objects and their quota configuration. This is purely additive and does not affect existing integrations. - Additive
Add optional image field to sandbox schema
A new optional
imagefield has been added to the sandbox schema, providing a digest-pinned container image reference when the sandbox was created from an image. This is a backward-compatible addition that does not affect existing integrations. - Additive
Add domain_environment to type enums
The
domain_environmentvalue has been added to multiple enum definitions across the Vercel API specification. This is an additive change that extends the allowed values for type fields without breaking existing functionality — existing clients passing other enum values (likeenvironmentorcookie) will continue to work. - Additive
Added organization field to accountUpdateContext
The
accountUpdateContextresponse object now includes a new optionalorganizationfield withid,name, andslugproperties. This is a purely additive change that expands the account update context data structure without altering existing fields. - Breaking
Remove organizationId/organizationSlug fields; add organization-team-create event
Two changes are present in this diff:
- Breaking: The
organizationIdandorganizationSlugproperties have been removed from a webhook/event payload schema (the object previously hadslug,organizationId, andorganizationSlug; now onlyslugremains). Clients reading these fields from that payload will stop receiving them. - Additive: A new event type
"organization-team-create"has been added to three event-type enum lists, allowing webhooks/filters to subscribe to this new event.
- Breaking: The
- Additive
Add custom-environments-settings-updated event type
The Vercel API now includes a new webhook event type custom-environments-settings-updated that reports when custom environment settings change. The event payload includes
project(id and name),packs, andprevPacksfields to track configuration updates. This is purely additive and does not affect existing integrations. - Breaking
New required field `tokenId` added to a response object
A new field
tokenId(typestring) has been added to a response object'spropertiesand simultaneously added to itsrequiredarray alongside the existingtoken,connector, andexpiresAtfields. BecausetokenIdis marked required in the schema, any client that validates responses against this spec will now fail if the server doesn't return it — and any server implementation that doesn't yet emit it will produce invalid responses. This is a breaking schema change for strict consumers. - Additive
Add reason field to response object
A new optional
reasonfield of typestringhas been added to a response object. This is purely additive and will not break existing integrations. - Additive
Add AI Gateway routing rules API endpoints
Adds four new endpoints for managing AI Gateway routing rules:
POST /v1/ai-gateway/rules(create),GET /v1/ai-gateway/rules(list),PATCH /v1/ai-gateway/rules(update), andDELETE /v1/ai-gateway/rules(delete). Also introduces two new schema types (AiGatewayRuleandAiGatewayRuleList) and a new authorization scoperead:integration-resource. These are purely additive and do not affect existing functionality. - Additive
Add AiGatewayBudgetManager permission scope
A new permission scope AiGatewayBudgetManager has been added to the available enum values across multiple API operations. This is a purely additive change that extends the set of valid permission scopes without altering existing ones, allowing integrations to request additional permissions for managing AI Gateway budgets.
- Additive
Add organizationId and organizationSlug fields to API response
Two new optional fields
organizationIdandorganizationSlug(both strings) have been added to a response schema. These are additive changes that do not affect existing integrations — clients that do not use these fields continue to work without modification. - Additive
Add 'basic' to purchaseType enum
The
purchaseTypefield enum was extended to include a new"basic"value across three schema definitions. This is additive — existing clients continue to work, and those handling the field can now encounter this new value. - Additive
Add shouldShowEnterpriseManagedWelcome field to user responses
A new optional boolean field
shouldShowEnterpriseManagedWelcomehas been added to two user response schemas in the Vercel API. This field indicates whether an Enterprise Managed User should see a welcome experience after joining through the Update Account flow. The change is purely additive and does not affect existing integrations. - Additive
Add optional status filter to sandbox list endpoint
A new optional
statusquery parameter was added to theGET /v2/sandboxesendpoint, allowing filtering of named sandboxes by status (running, stopping, or stopped). The parameter only applies whensortByiscreatedAt. This is a purely additive change that does not affect existing clients. - Additive
Add firewall OAuth scopes to Vercel API
The Vercel API now includes two new OAuth scopes:
read-write:firewallandread:firewall. These scopes are added to multiple endpoints and can be requested by applications that need firewall configuration management capabilities. This is purely additive and does not affect existing integrations. - Additive
Add creator field to domain and project response objects
The Vercel API now includes a new optional
creatorfield in domain and project response schemas. This field captures who created the resource (user, app, integration, or system), with optional delegation details for OAuth-delegated actions. This is purely additive and does not break existing integrations. - Additive
Add passport-access-granted event type and external principal metadata
The Vercel API now supports a new
passport-access-grantedevent type and adds support for external principals (non-system identities) withid,name, andemailfields in event metadata. Additionally, a new event payload structure is introduced for passport access events containing environment, host, connector, and session details. These are purely additive changes that do not affect existing integrations. - Additive
Add organization-delete event type
The Vercel API now includes a new
organization-deleteevent type in audit log event enumerations. This is a new optional event value that applications can now receive and handle in audit log webhooks and event streams. - Additive
Add aiGatewayBudget ACL action field
A new optional field aiGatewayBudget has been added to multiple ACL-related request/response schemas in the Vercel API. This field is an array of
ACLActionobjects, following the same structure as the existingaiGatewayCreditsfield. Since it is additive and does not modify existing fields or remove functionality, clients can safely ignore it without impact. - Additive
Add tanstack-start-lovable framework support
The Vercel API now includes
tanstack-start-lovableas a supported framework option in framework enumeration fields. This is an additive change allowing deployments to specify this new framework type without breaking existing integrations. - Additive
Add Passport publicPathRules and enforcementScope fields
Three new optional fields added to the Vercel API: publicPathRules (array of path matching rules) in the passport configuration, and enforcementScope (with values "all" or "preview") in two different security policy contexts. These are backwards-compatible additions that enable new functionality without affecting existing integrations.
- Informational
Removed empty 402 error response descriptions from OpenAPI
The OpenAPI specification removed two instances of HTTP 402 error responses that had empty descriptions from unspecified endpoints. These changes are documentation/schema cleanup with no impact on actual API behaviour or functionality.
- Breaking
Remove dheCipherSuite field and 409/500 response codes from API spec
Two distinct breaking changes are present: 1) The
dheCipherSuiteresponse field (typestring) has been removed from multiple log/event response schemas — it also appears inrequiredarrays, meaning clients that rely on its presence will break. 2) The409and500response status codes have been removed from one endpoint's documented responses, which may affect error-handling logic in clients that branch on those codes. - Additive
Add user-emu-account-deleted webhook event type
The Vercel API now includes a new webhook event type
user-emu-account-deletedin the list of supported events. This is a purely additive change that enables integrations to receive notifications when enterprise managed user accounts are deleted. - Additive
Add alias, aliasError, aliasWarning fields to deployment event response
Three new response fields —
alias,aliasError, andaliasWarning— are added to deployment event objects in two response schemas (likely covering two related list/get endpoints).aliasis a string array;aliasErrorandaliasWarningare nullable objects withcodeandmessage(required), plus optionallinkandactiononaliasWarning. Although listed asrequiredin the schema, these are net-new fields added to the response, so existing clients that ignore unknown fields are unaffected — no existing fields were removed or changed. - Additive
Add mfe_group_ids array field to environment schemas
A new optional
mfe_group_idsarray field (containing string items) has been added to environment response schemas across multiple API endpoints. This is a purely additive change that allows clients to optionally consume the new field without breaking existing integrations. - Additive
Add new log event types to deployment logs
The Vercel API now includes additional log event type schemas in deployment logs, supporting new event types like
command,delimiter,deployment-state,edge-function-invocation,exit,fatal,metric,middleware,middleware-invocation,report,stderr, andstdout. These new schemas add support for structured payload data including proxy metrics and edge function details, while maintaining backward compatibility by keeping the previously supported event type available. - Additive
Add strictPasswordProtectionSettings to API schema
A new
strictPasswordProtectionSettingsobject property has been added to the API schema, allowing project owners to require Owner role for password protection changes. This is an additive change that includes the new field in team settings responses and introduces a corresponding audit log event type (strict-password-protection-settings). - Additive
Add organization-slug-update event type and payload schema
The Vercel API adds a new
organization-slug-updateevent type to three locations in the OpenAPI specification, along with a new payload schema containingorganizationIdandslugfields. This is purely additive and enables customers to subscribe to organization slug update events without affecting existing integrations. - Additive
Add organization-create event type support
The Vercel API now supports a new
organization-createevent type in webhooks. This includes a new event payload schema with fieldsrootTeamId,slug, andnamealongside the existingorganizationId. The change is backwards-compatible as it only adds new options to existing event type enumerations and introduces a new optional event payload variant. - Additive
Add headers source type and transforms/rulesets fields
The diff adds
headersas a new enum option to source type fields (alongside existingheader,cookie,environment, etc.), introduces a newtransformsarray field supporting header manipulation operations, and adds a comprehensiverulesetsfield with support for advanced rule conditions and actions including rate limiting, redirects, and logging. These are all purely additive schema changes that extend existing security/routing configurations without removing or breaking existing functionality. - Additive
Add omitScriptNonce boolean field to security options
A new optional boolean field
omitScriptNoncehas been added to security configuration objects in the Vercel API. This allows users to control script nonce behavior when configuring security headers, and does not break existing integrations as the field is optional. - Additive
Add AI Gateway guardrails and moderation fields to API
The Vercel API adds support for AI Gateway guardrails via new
aiGatewayGuardrailsACL action fields, moderation fields (moderationApplied,piiRedactionApplied) in response schemas, and new auth scopes (read-write:ai-gateway-guardrails,read:ai-gateway-guardrails). A new webhook event typeai-gateway-guardrails-updatedis also introduced. These are purely additive changes with no impact on existing integrations. - Additive
Add DELETE artifacts endpoint and new auth/event scopes
This change adds a new DELETE /v1/artifacts endpoint to clear all remote cache artifacts for a team, new OAuth permission scopes (
manage:speed-insights,manage:web-analytics,read:speed-insights,read:web-analytics), and a new webhook event typeteam-remote-caching-purge. All additions are purely new without breaking existing API contracts. - Additive
Add OIDC token-exchange grant and audit log fields
The Vercel API now supports the
urn:ietf:params:oauth:grant-type:token-exchangegrant type for OAuth flows and adds three new optional response fields to audit logs:issuerUrl,policyId, andoidcSubject. These changes enable OIDC-authenticated token exchange workflows and provide enhanced audit trail information for authentication flows. - Additive
Add "attestation" enum value to manifest kind field
The
kindfield now accepts a new enum value"attestation"in addition to"index"and"manifest". This is an additive change that expands what types of container image manifests can be represented; existing integrations using the previous enum values will continue to work, but may now encounter the new value in responses. - Additive
Add cacheReason field and durationMs to Vercel API responses
Two new optional response fields have been added to the Vercel API:
cacheReason(type: string) has been added to multiple response schemas across different endpoints (appearing in 6 locations), anddurationMs(type: number) has been added to command execution data. These are purely additive changes that expand response information without affecting existing integrations. - Additive
Add blobs.isDefaultApp field and teamThrottled field to project schemas
This change adds two new optional response fields to project schemas:
blobs.isDefaultApp(a boolean marking the default team-level Vercel-managed blob project) andteamThrottled(a boolean synced from team billing status indicating team-wide throttling). Both are new optional fields appearing in multiple project response objects across the API, along with refinement of thethrottledfield description to clarify it applies to per-project rather than team-level throttling. A newread-write:team-membersauthorization scope is also added to several token scopes. These changes are purely additive and will not break existing clients. - Additive
Add alert-investigation-project-allowlist-updated event type
A new event type
alert-investigation-project-allowlist-updatedhas been added to the Vercel API webhook/event system, along with a new event payload schema containingpreviousProjectCountandnextProjectCountfields. This is a purely additive change that enables clients to subscribe to and handle allowlist update events without breaking existing integrations. - Additive
Add expiresAt field to sandbox response
A new optional response field
expiresAthas been added to the sandbox schema, indicating when the currently running sandbox will time out. This is a purely additive change that does not affect existing integrations. - Additive
Add providerAttemptSafetyIdentifier fields and read:remote-cache scope
Two new optional response fields (
providerAttemptSafetyIdentifierandproviderAttemptDevSafetyIdentifier) have been added to provider attempt objects in multiple endpoints, and a new optional OAuth scope (read:remote-cache) has been introduced. These additions do not break existing clients and are purely additive. - Additive
Add vcr field to user blocks object in user details
Added a new optional
vcrfield to the user blocks response object, containing blockage information for VCR features with properties likeblockReason,blockedFrom,blockedUntil, andupdatedAt. This is a purely additive change that does not affect existing integrations. - Additive
Add VCR get repository tag endpoint
A new endpoint
GET /v1/vcr/repository/{idOrName}/tags/{tag}has been added to fetch a single tag from a Vercel Container Registry repository along with image metadata and VHS-readiness status. A newVcrTagschema was introduced to support this endpoint's response. This is a purely additive change that extends the VCR API without modifying existing behavior. - Additive
Add DOMAIN_OWNER_DELETION_REQUEST suspension reason
A new enum value
DOMAIN_OWNER_DELETION_REQUESThas been added to thereasonfield in suspension-related response schemas. This is an additive change that expands the set of documented suspension reasons without breaking existing integrations. - Informational
Update environment variable creation error descriptions
Error response descriptions for environment variable creation endpoints were updated: the 403 response removed text about production variable permission requirements, and the 409 response description was cleared. These are documentation-only changes to error messaging that do not affect API behavior or client integrations.
- Additive
Add attributionTarget and attributionEventName fields
Two new optional response fields,
attributionTargetandattributionEventName, have been added to analytics/logs endpoints. These fields are purely additive and do not affect existing integrations. - Additive
Add "list" operator for filtering in Vercel API
The Vercel API adds a new
"list"operator (type: string) to filter query parameters across multiple endpoints. This is purely additive — the new operator appears as an optional field in filter objects and an allowed enum value, enabling clients to perform new filtering operations without breaking existing code.