Vercel Sandbox

Vercel Sandbox is a compute primitive designed to safely run untrusted or user-generated code on Vercel. It supports dynamic, real-time workloads for AI agents, code generation, and developer experimentation.

Use sandboxes to:

• Execute untrusted code safely: Run AI agent output, user uploads, or third-party scripts without exposing your production systems.
• Build interactive tools: Create code playgrounds, AI-powered UI builders, or developer sandboxes.
• Test in isolation: Preview how user-submitted or agent-generated code behaves in a self-contained environment with access to logs, file edits, and live previews.
• Run development servers: Spin up and test applications with live previews.

The Sandbox SDKs are the recommended way to integrate Vercel Sandbox into your applications. They provide a programmatic interface to create sandboxes, run commands, and manage files.

• JS SDK Reference: Use @vercel/sandbox for JavaScript and TypeScript
• Python SDK Reference: Use vercel.sandbox from the vercel Python package
• CLI: Use the sandbox CLI for manual testing, agentic workflows, debugging, and one-off operations

Vercel Sandbox supports two authentication methods:

• Vercel OIDC tokens (recommended): Vercel generates the OIDC token that it associates with your Vercel project. For local development, run vercel link and vercel env pull to get a development token. In production on Vercel, authentication is automatic.
• Access tokens: Use access tokens when VERCEL_OIDC_TOKEN is unavailable, such as in external CI/CD systems or non-Vercel environments.

To learn more on each method, see Authentication for complete setup instructions.

Sandboxes run on Amazon Linux 2023 with node26, node24, node22, and python3.13 runtimes available. The default runtime is node24. Each sandbox runs as the vercel-sandbox user with sudo access and a default working directory of /vercel/sandbox.

For detailed information about runtimes, available packages, and sudo configuration, see System Specifications.

• Isolation: Each sandbox runs in a secure Firecracker microVM with its own filesystem and network. Run untrusted code without affecting production.
• Node.js and Python runtimes: Choose from node26, node24, node22, or python3.13 with full root access. Install any package or binary you need.
• System-privileged processes: Run workloads that need system-level privileges, such as container runtimes like Docker, VPN clients, and FUSE filesystem drivers.
• Fast startup: Sandboxes start in milliseconds, making them ideal for real-time user interactions and latency-sensitive workloads.
• Persistent sandboxes: Sandboxes that auto-save state on stop and resume where you left off. Persistence is the default. No manual snapshot management needed.
• Snapshotting: Save the state of a running sandbox to resume later. Skip dependency installation on subsequent runs.
• Tags: Categorize sandboxes by environment, team, or any other criteria using key-value tags.
• Drives (beta): Attach persistent filesystem storage to sandboxes and reuse data across sandbox runs.
• CLI and SDKs: Manage sandboxes through the CLI, JS SDK, or Python SDK. Automate sandbox workflows in your application.