Vercel Blob adds time-bound signed URLs
Generate scoped, operation-specific signed URLs (get/put/head/delete) with expiry up to 7 days to enable direct browser uploads and conditional deletes without exposing credentials.
June 3, 2026
Summary
Eliminates server round-trips for file uploads by streaming directly from browser to Blob storage, and keeps long-lived tokens server-side while issuing narrow, expiring URLs to clients. Reduces attack surface for file operations.
Why it matters
Eliminates server round-trips for file uploads by streaming directly from browser to Blob storage, and keeps long-lived tokens server-side while issuing narrow, expiring URLs to clients. Reduces attack surface for file operations.
Implementation verdict
Replaces custom pre-signed URL logic if you're building it yourself. Requires @vercel/blob ≥2.4.0 and a server endpoint to generate tokens (OIDC-backed). Ready to use now; multipart PUT and conditional DELETE (ifMatch) work out of the box.
Sources
- 1.A signed URL is a scoped URL with an expiry that allows you to upload, download, inspect, or delete a specific object without giving access to your entire Blob store
- 2.Each URL is scoped to a single operation (`put`, `get`, `head`, or `delete`), a single pathname, and an expiry you choose, up to 7 days
- 3.a URL signed for a `GET` can't be reused as a `PUT`
- 4.Upload URLs (`put`) support multipart, so the browser can stream large files straight to Blob storage without round-tripping through your server
- 5.your long-lived `BLOB_READ_WRITE_TOKEN` never leaves the server
- 6.Update `@vercel/blob` to `2.4.0`
Dev Signal
Get briefs like this in your inbox — free, 3x a week.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.