Vercel doubled down on enterprise security this week with two posts that redefine how apps and agents authenticate against third-party services, while Europe's accessibility enforcement regime hit its first anniversary with a clear message: the EAA is not optional, and regulators are watching.
Introducing Vercel Connect
Vercel Connect eliminates the practice of storing long-lived API tokens in environment variables by issuing short-lived, task-scoped credentials at runtime. Apps authenticate using OIDC, request tokens for specific providers (Slack, GitHub, Linear), and those tokens are scoped per user, automatically refreshed, and instantly revocable. This is a meaningful shift for teams running AI agents or internal tools that touch sensitive systems: instead of a single leaked GITHUB_TOKEN compromising your entire org, each request gets its own ephemeral credential tied to a verified identity. The developer experience looks like this:
import { connect } from '@vercel/connect';
const github = await connect('github', { user: session.userId });
const repos = await github.repos.listForUser({ username: 'example' });
// Token is short-lived, scoped to this user, and expires after the taskIt's a pattern borrowed from cloud IAM and applied to the SaaS layer, which is long overdue.
Vercel for Enterprise Apps and Agents
This post frames the broader enterprise platform: Vercel Passport (automatic SSO), Vercel Connect (covered above), Enterprise Managed Users (centralized account lifecycle), and bring-your-own-cloud for AWS. The real insight is that AI agents amplify access control problems. When a chatbot can query your database, file a Jira ticket, and post to Slack on behalf of any employee, traditional token-based auth breaks down fast. Vercel's answer is to tie every agent action to a verified human identity, scope credentials per task, and centralize provisioning so offboarding actually works. For teams deploying internal AI tools, this is the security architecture that makes "move fast" compatible with "don't leak customer data."
Recapping our multi-city European roadshow celebrating the EAA's one-year anniversary
The European Accessibility Act turned one, and Deque's roadshow across five EU cities delivered a blunt reminder: accessibility is now an enforceable consumer-rights issue with regulatory teeth. Organizations must publish accessibility statements, maintain common testing standards, and treat accessibility as end-to-end customer experience, not a checkbox. Paralympic gold medalist Larissa Klaassen joined panels alongside regulators, reinforcing that enforcement is active and fines are real. For frontend teams, this means automated Lighthouse accessibility audits are table stakes, but manual testing, ARIA patterns, and keyboard navigation workflows need to be baked into every sprint. The EAA covers not just public websites but digital services, e-commerce, and customer portals, so the scope is broad and the compliance timeline is now.
Vercel's enterprise security stack and Europe's accessibility enforcement both reflect the same trend: higher stakes, tighter accountability, and infrastructure that assumes compliance from the start rather than as an afterthought. Whether you're shipping agents or accessible UI, 2026 expects both speed and rigor. 🔐