Marketplace Deploy
Deploy a Next.js Sitecore marketplace app on Vercel with correct CSP and iframe embedding headers so Sitecore Cloud can embed the app without a blank frame.
Install
npx skills add https://github.com/vercel-labs/sitecore-skills --skill marketplace-deployWhat is this skill?
- Documents vercel.json and recommended next.config.ts async headers() patterns for Sitecore embedding
- Sets Content-Security-Policy frame-ancestors to 'self' and https://*.sitecorecloud.io
- Explains that missing frame-ancestors causes blank iframes inside Sitecore Cloud
- Covers environment variable setup for client-side marketplace apps on Vercel
Adoption & trust: 16 installs on skills.sh; 3 GitHub stars; 3/3 security scanners passed (skills.sh audits).
Recommended Skills
Azure Deploymicrosoft/azure-skills
Azure Preparemicrosoft/azure-skills
Azure Storagemicrosoft/azure-skills
Azure Validatemicrosoft/azure-skills
Appinsights Instrumentationmicrosoft/azure-skills
Azure Resource Lookupmicrosoft/azure-skills
Journey fit
Primary fit
Shipping to production hosting is the canonical moment you apply Vercel headers and env configuration for marketplace embedding. Launch prep on Vercel is where next.config.ts or vercel.json CSP and client env vars are finalized before go-live.
Common Questions / FAQ
Is Marketplace Deploy safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
READMESKILL.md - Marketplace Deploy
# Vercel Configuration Templates ## vercel.json For most marketplace apps, you don't need a `vercel.json` since `next.config.ts` handles headers. But if you need it: ```json { "$schema": "https://openapi.vercel.sh/vercel.json", "framework": "nextjs", "headers": [ { "source": "/(.*)", "headers": [ { "key": "Content-Security-Policy", "value": "frame-ancestors 'self' https://*.sitecorecloud.io" }, { "key": "X-Frame-Options", "value": "ALLOW-FROM https://*.sitecorecloud.io" } ] } ] } ``` ## next.config.ts (Recommended) Headers in `next.config.ts` are preferred over `vercel.json`: ```typescript import type { NextConfig } from "next"; const nextConfig: NextConfig = { async headers() { return [ { source: "/(.*)", headers: [ { key: "Content-Security-Policy", value: "frame-ancestors 'self' https://*.sitecorecloud.io", }, ], }, ]; }, }; export default nextConfig; ``` ## CSP Header Explanation | Directive | Value | Purpose | |-----------|-------|---------| | `frame-ancestors` | `'self' https://*.sitecorecloud.io` | Allows the app to be embedded in iframes on Sitecore Cloud domains | **Important**: Without `frame-ancestors`, Sitecore cannot embed your app, and it will show a blank iframe. ## Environment Variables on Vercel ### Client-Side Apps | Variable | Vercel Setting | |----------|---------------| | `NEXT_PUBLIC_SITECORE_APP_ID` | Must be set for all environments | ### Full-Stack (Auth0) Apps | Variable | Vercel Setting | |----------|---------------| | `NEXT_PUBLIC_SITECORE_APP_ID` | All environments | | `AUTH0_SECRET` | Different per environment (generate unique per env) | | `AUTH0_BASE_URL` | Must match the deployment URL for each environment | | `AUTH0_ISSUER_BASE_URL` | Same across environments (your Auth0 tenant) | | `AUTH0_CLIENT_ID` | Same across environments | | `AUTH0_CLIENT_SECRET` | Same across environments | | `AUTH0_AUDIENCE` | `https://api.sitecorecloud.io` | | `AUTH0_SCOPE` | `openid profile email` | ### Setting Variables via CLI ```bash # Add for all environments vercel env add VARIABLE_NAME # Add for specific environment vercel env add VARIABLE_NAME production vercel env add VARIABLE_NAME preview vercel env add VARIABLE_NAME development ``` --- name: marketplace-deploy description: Deploys a Sitecore Marketplace app to Vercel with correct CSP headers and configuration. disable-model-invocation: true --- # Deploy to Vercel You are helping the user deploy their Sitecore Marketplace app to Vercel. **Important**: This skill has real side effects (deploying to production). Confirm each step with the user before executing. ## Pre-Deploy Checklist Before deploying, verify: 1. **Build succeeds locally**: ```bash npm run build ``` 2. **CSP headers are configured** — Check `next.config.ts` for `frame-ancestors`: ```typescript // next.config.ts must include: headers: [ { source: "/(.*)", headers: [ { key: "Content-Security-Policy", value: "frame-ancestors 'self' https://*.sitecorecloud.io", }, ], }, ] ``` 3. **Environment variables are set** — Check that `.env.local` exists and has required values 4. **Extension points are registered** — All routes defined in the app should be registered in the Developer Portal ## Deploy Steps ### Step 1: Install Vercel CLI (if needed) ```bash npm i -g vercel ``` ### Step 2: Link to Vercel project ```bash vercel link ``` ### Step 3: Set environment variables ```bash # For client-side apps vercel env add NEXT_PUBLIC_SITECORE_APP_ID # For full-stack (Auth0) apps — add all Auth0 vars too vercel env add AUTH0_SECRET vercel env add AUTH0_BASE_URL vercel env add AUTH0_ISSUER_BASE_URL vercel env add AUTH0_CLIENT_ID vercel env add AUTH0_CLIENT_SECRET vercel env add AUTH0_AUDIENCE vercel env add AUTH0_SCOPE ``` ### Step 4: Deploy ```b