Vercel CLI version 5.14.5 adds native support for signed Blob URLs via two new commands: `vercel blob presign` and `vercel blob signed-token`. Signed URLs are scoped to a single operation (get, head, put, or delete), a single pathname, and expire in up to 7 days.
The `presign` command handles the common case: generate a short-lived GET URL for a private file, or a PUT URL with enforced content-type and size constraints for user uploads. Expiry is set with `--valid-for` using values like 15m, 1h, or 7d, or with an absolute `--valid-until` timestamp. Pass `--json` to get structured output for scripting. The `signed-token` command separates token generation from URL generation entirely, useful when you need to delegate write access without exposing your private blob store credentials.
The split between `presign` and `signed-token` is the part worth reading in full. The delegation model lets an agent or service generate client-signing tokens without direct access to the store, which has real implications for how you design access control in automated workflows. Run `vercel blob presign --help` after updating, and check the official documentation for the full token chaining flow.
[READ ORIGINAL →]