Signed URLs are now available for Vercel Blob
Jun 2, 2026
You can now generate time-bound signed URLs for Vercel Blob. A signed URL is a scoped URL with an expiry that allows you to upload, download, inspect, or delete a specific object without giving access to your entire Blob store.
Each URL is scoped to a single operation (put, get, head, or delete), a single pathname, and an expiry you choose, up to 7 days. The signature covers the operation and constraints, so a URL signed for a GET can't be reused as a PUT.
presigned-get.ts
```ts
import { issueSignedToken, presignUrl } from '@vercel/blob';

const token = await issueSignedToken({
  operations: ['get'],
});

const { presignedUrl } = await presignUrl(token, {
  pathname: 'invoices/2026-q1.pdf',
  operation: 'get',
  validUntil: Date.now() + 5 * 60 * 1000, // 5 minutes
});

// On client
<img src={presignedUrl} />
```
Issue a token, mint a 5-minute read URL, and let the browser render the object directly.
Direct uploads from the browser
Upload URLs (put) support multipart, so the browser can stream large files straight to Blob storage without round-tripping through your server.
presigned-put.ts
```ts
import { presignUrl } from '@vercel/blob';

// `token` is issued with issueSignedToken() (see presigned-get.ts)
const { presignedUrl } = await presignUrl(token, {
  pathname: 'user-uploads/avatar.png',
  operation: 'put',
  validUntil: Date.now() + 15 * 60 * 1000,
});

// On client
await fetch(presignedUrl, { method: 'PUT', body: file })
```
Mint a 15-minute upload URL so the browser writes the file straight to Blob.
Conditional deletes
Delete URLs accept an ifMatch option so the delete only applies if the object hasn't been overwritten since you signed the URL:
presigned-delete.ts
```ts
import { presignUrl } from '@vercel/blob';

// `token` is issued with issueSignedToken() (see presigned-get.ts)
const { presignedUrl } = await presignUrl(token, {
  pathname: 'tmp/session.json',
  operation: 'delete',
  validUntil: Date.now() + 60 * 1000,
  ifMatch: '"a1b2c3"', // ETag of the version you intend to remove
});

// On client
await fetch(presignedUrl, { method: 'DELETE' })
```
The delete no-ops if the ETag has changed since you signed the URL.
Signed URLs work alongside OIDC. Your server authenticates to Blob via OIDC, generates a signed token, and produces narrowly scoped, time-bound URLs for the browser, so your long-lived BLOB_READ_WRITE_TOKEN never leaves the server.
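Because the server decides what gets signed, the endpoint that hands URLs to the browser should validate the operation, pathname and lifetime it is asked for before calling `presignUrl`. The following is an added example, not code from the Vercel changelog or SDK: `decideSignRequest`, the `user-uploads/<userId>/` layout and the TTL ceilings are assumptions, and the returned `options` carry the `pathname`, `operation` and `validUntil` fields used in the snippets above.

```typescript
// Added example, not from the Vercel changelog or SDK. The prefix layout, TTL
// ceilings and the decision to keep DELETE off the client path are assumptions.
type ClientOp = 'get' | 'head' | 'put';

interface SignRequest {
  userId: string;    // taken from the authenticated session, never from the request body
  operation: string; // requested by the browser, untrusted
  pathname: string;  // requested by the browser, untrusted
  ttlMs: number;     // requested by the browser, untrusted
}

type Decision =
  | { ok: true; options: { pathname: string; operation: ClientOp; validUntil: number } }
  | { ok: false; reason: string };

// Per-operation ceilings, all far below the 7-day maximum the page mentions.
const MAX_TTL_MS: Record<ClientOp, number> = {
  get: 5 * 60 * 1000,
  head: 5 * 60 * 1000,
  put: 15 * 60 * 1000,
};
const CLIENT_OPS: ReadonlySet<string> = new Set(['get', 'head', 'put']);

function decideSignRequest(req: SignRequest, now: number = Date.now()): Decision {
  if (!CLIENT_OPS.has(req.operation)) return { ok: false, reason: 'operation not allowed' };
  const operation = req.operation as ClientOp;

  // Every segment must be a plain name: no empty, '.' or '..' segments, no odd characters.
  const plain = req.pathname.length <= 512 &&
    req.pathname.split('/').every((s) => /^[\w.-]+$/.test(s) && s !== '.' && s !== '..');
  if (!plain) return { ok: false, reason: 'bad pathname' };

  // Callers may only touch objects under their own prefix.
  if (!req.pathname.startsWith(`user-uploads/${req.userId}/`)) {
    return { ok: false, reason: 'outside caller prefix' };
  }

  // Clamp rather than trust the requested lifetime.
  if (!Number.isFinite(req.ttlMs) || req.ttlMs <= 0) return { ok: false, reason: 'bad ttl' };
  const ttl = Math.min(req.ttlMs, MAX_TTL_MS[operation]);

  // Shape matches the presignUrl() options shown above: pathname, operation, validUntil.
  return { ok: true, options: { pathname: req.pathname, operation, validUntil: now + ttl } };
}
```

On an `ok` decision the server passes `options` to `presignUrl(token, options)`; on a refusal it returns an error to the browser without signing anything.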
Update @vercel/blob to 2.4.0 and read the documentation to get started.