Guide

Vercel Setup

Deploy email infrastructure with Vercel OIDC federation. Zero stored credentials, automatic rotation, and seamless integration with your Vercel projects.


Overview

When you deploy with the Vercel provider, Wraps sets up OpenID Connect (OIDC) federation between Vercel and your AWS account. This means your Vercel functions can securely access AWS SES without any stored secrets.

  • Zero stored credentials

    No API keys or secrets to manage, rotate, or leak

  • Automatic credential rotation

    Temporary credentials expire after 15 minutes

  • Scoped to your Vercel team and project

    Only your specific Vercel project can assume the IAM role

  • Revocable at any time

    Remove access instantly by deleting the IAM role or OIDC provider

Prerequisites

  • A Vercel project deployed
  • AWS account with CLI access configured
  • Wraps CLI installed (npm install -g @wraps.dev/cli)

1. Deploy with Vercel Provider

Run the init command with the Vercel provider flag. The CLI will guide you through the setup interactively.

npx @wraps.dev/cli email init -p vercel

The CLI will:

  1. Prompt for your Vercel team slug and project name
  2. Create an OIDC identity provider in your AWS account
  3. Configure an IAM trust policy scoped to your Vercel team and project
  4. Deploy SES configuration, event tracking, and supporting infrastructure

Vercel team and project slugs

Your team slug is visible in your Vercel dashboard URL (e.g., vercel.com/my-team). The project name is the name shown in your Vercel project settings.

2. Set Environment Variables

After deployment, add the following environment variables to your Vercel project. The CLI will display these values after a successful deploy.

.env
WRAPS_AWS_ROLE_ARN=arn:aws:iam::123456789012:role/wraps-email-role
WRAPS_AWS_REGION=us-east-1

Per-Environment Configuration

In the Vercel dashboard, you can scope environment variables to specific environments for more granular control:

Environment   Use Case
Production    Live email sending with verified domain
Preview       Test sending to verified addresses only (SES sandbox)
Development   Local development with personal AWS credentials

3. Configure DNS

Add the following DNS records to verify your domain and enable email authentication.

DKIM Records (3 CNAMEs)

# Add these 3 CNAME records to your DNS:
abc123._domainkey.yourdomain.com → abc123.dkim.amazonses.com
def456._domainkey.yourdomain.com → def456.dkim.amazonses.com
ghi789._domainkey.yourdomain.com → ghi789.dkim.amazonses.com

SPF Record (TXT)

# Add this TXT record:
Name:  yourdomain.com
Type:  TXT
Value: v=spf1 include:amazonses.com ~all

DMARC Record (TXT)

# Add this TXT record:
Name:  _dmarc.yourdomain.com
Type:  TXT
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Verify DNS Configuration

npx @wraps.dev/cli email domains verify -d yourdomain.com

DNS propagation takes up to 48 hours

DKIM verification typically completes within a few hours, but can take up to 48 hours for DNS to fully propagate. Use dig CNAME token._domainkey.yourdomain.com to check progress.

How OIDC Works

Vercel OIDC federation creates a secure trust chain between your Vercel functions and your AWS account, eliminating the need for long-lived credentials.

1. Vercel Issues Token
   When your Vercel function runs, Vercel automatically issues a short-lived OIDC token containing your team and project identity.

2. AWS Validates Token
   The token is presented to AWS STS, which validates it against the OIDC provider registered in your account.

3. Temporary Credentials
   AWS returns temporary credentials with a 15-minute lifetime, scoped to the permissions defined in your IAM role.

4. SDK Sends Email
   The Wraps SDK uses the temporary credentials to call AWS SES. No secrets are ever stored in your Vercel environment.
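
The validation step succeeds only when the token's claims satisfy the conditions in the role's trust policy, which is why a team or project mismatch surfaces as "Access Denied". The following is an added example, not Wraps or Vercel code: it evaluates a trust policy against token claims offline and flags missing or over-broad scoping. The condition-key names and the sub claim format are assumptions, and the policy and claims are constructed sample data.

```javascript
// Added example. Assumptions, not from the Wraps docs: condition keys look like "<issuer-host>:sub"
// and "<issuer-host>:aud"; the sub claim is "owner:<team>:project:<project>:environment:<env>".
// Convert an IAM StringLike pattern (* and ? wildcards) into an anchored RegExp.
function likeToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
}
const OPERATORS = { // any other operator is reported as a failed condition
  StringEquals: (expected, actual) => expected === actual,
  StringLike: (expected, actual) => likeToRegExp(expected).test(actual),
};
const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Evaluate token claims against a role trust policy: would it match, and is it scoped?
function checkTrustPolicy(policy, claims) {
  const problems = [];
  let allowed = false;
  const statements = asArray(policy.Statement).filter((s) =>
    s.Effect === "Allow" && asArray(s.Action).includes("sts:AssumeRoleWithWebIdentity"));
  if (statements.length === 0) problems.push("no Allow statement for sts:AssumeRoleWithWebIdentity");
  for (const stmt of statements) {
    const constrained = new Set();
    let matches = true;
    for (const [op, block] of Object.entries(stmt.Condition || {})) {
      for (const [key, expected] of Object.entries(block)) {
        const claim = key.slice(key.lastIndexOf(":") + 1); // "host/team:sub" -> "sub"
        constrained.add(claim);
        if (!OPERATORS[op] || !asArray(expected).some((e) => OPERATORS[op](e, String(claims[claim])))) {
          matches = false;
          problems.push(`${claim}="${claims[claim]}" fails ${op} ${JSON.stringify(expected)}`);
        }
        if (claim === "sub" && asArray(expected).some((e) => /^\*|:project:\*/.test(e)))
          problems.push("sub condition does not pin a project");
      }
    }
    for (const c of ["sub", "aud"])
      if (!constrained.has(c)) problems.push(`trust policy has no condition on ${c}`);
    allowed = allowed || matches;
  }
  return { allowed, problems };
}
// Constructed sample data (placeholder account id, team slug and project name).
const samplePolicy = { Statement: [{ Effect: "Allow", Action: "sts:AssumeRoleWithWebIdentity",
  Principal: { Federated: "arn:aws:iam::123456789012:oidc-provider/oidc.vercel.com/my-team" },
  Condition: { StringEquals: { "oidc.vercel.com/my-team:aud": "https://vercel.com/my-team" },
    StringLike: { "oidc.vercel.com/my-team:sub": "owner:my-team:project:my-app:environment:*" } } }] };
const sampleClaims = { aud: "https://vercel.com/my-team",
  sub: "owner:my-team:project:My-App:environment:production" }; // project case differs
console.log(checkTrustPolicy(samplePolicy, sampleClaims));
```

The sample claims differ from the policy only in the case of the project name, which is enough for the comparison to fail.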

Why this is better

No long-lived secrets means nothing to leak, rotate, or manage. Credentials rotate automatically every 15 minutes, and every access is logged in AWS CloudTrail for a full audit trail.

Troubleshooting

"Access Denied" when sending emails
  • Verify the IAM trust policy matches your Vercel team slug and project name exactly
  • Check that environment variables are set in the correct Vercel environment (Production vs Preview)
  • Ensure the OIDC provider is in the same AWS region as your SES configuration
"Token expired" errors
  • Check your Vercel function timeout settings — long-running functions may exceed the 15-minute credential lifetime
  • Ensure your function completes SES calls promptly after obtaining credentials
"OIDC provider not found"
  • Verify the AWS region in your environment variables matches the region where you deployed
  • Run wraps email status to confirm the deployment region
DNS records not propagating
  • DNS propagation can take up to 48 hours — wait and check again
  • Use dig CNAME token._domainkey.yourdomain.com to check DNS records directly
  • Some DNS providers auto-append your domain to record names — check for duplicates
Environment variables not working
  • Check the Vercel dashboard to ensure variables are scoped to the correct environment (Production, Preview, or Development)
  • Redeploy your project after adding environment variables — they are not applied to existing deployments

Next Steps

Verify Your Domain

Set up DKIM, SPF, and DMARC for better deliverability and sender reputation.

Domain Verification
Request Production Access

Move out of the SES sandbox to send emails to any address.

Production Access