Vercel MCP
Vercel's official remote MCP server (mcp.vercel.com) for searching documentation and managing projects, deployments, and deployment logs. Uses OAuth (MCP Authorization spec) over Streamable HTTP. Note: scores other than authentication are a provisional assessment from Vercel's documentation; the hosted server has no public source to clone for a full tool-level audit.
Score Breakdown
Server Info
- Package
- https://mcp.vercel.com
- Registry
- remote
- Maintainer
- VercelVendor
- Category
- Cloud & Infrastructure
- Tags
- hostingdeploymentnextjshostedoauth
- Last Scanned
- 1 Jul 2026
Findings
5 issuesAuthentication & Identity
LOWImplements MCP OAuth spec for per-user authentication
Official first-party remote MCP server at https://mcp.vercel.com implementing the MCP Authorization specification (2025-06-18) over Streamable HTTP. Users authenticate directly with Vercel via OAuth; each client connection requires explicit user consent (confused-deputy protection). Public documentation-search tools are available without authentication; project, deployment, and log tools require Vercel authentication. Only Vercel-reviewed AI clients are permitted to connect.
Document the required OAuth scopes for each tool.
Tool Schema Quality
MEDIUMTool schemas not independently audited
The hosted server has no public source repository, so tool input schemas, required fields, and parameter constraints could not be verified directly. This is a provisional score pending a live tool-level audit.
Run a live audit against mcp.vercel.com to enumerate and score the tool schemas.
Permission Granularity
LOWPublic vs authenticated tool separation, per-client consent
Vercel documents a split between public (no-auth) documentation tools and authenticated project/deployment tools, requires explicit per-client user consent for each connection, and recommends enabling human confirmation for write actions. Fine-grained scope documentation per tool was not independently verified.
Publish per-tool OAuth scope requirements and read/write/admin classification.
LLM Safety
MEDIUMVendor documents prompt-injection and confused-deputy risk
Vercel publishes prompt-injection guidance and implements confused-deputy protection, but the server still operates with the full access of the authenticated Vercel user, and untrusted content (e.g. deployment logs) can carry injected instructions. Tool descriptions were not independently reviewed for instructional language.
Review tool descriptions for imperative language; scope tokens to the minimum required.
Data Exposure
MEDIUMPagination and field selection not verified
Whether list operations paginate and whether responses support field selection could not be verified without a live audit of the hosted tool surface.
Audit list operations for pagination and field-selection support.
Deploy Vercel MCP securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.
Deploy on CompleteFlow