Vercel Sandbox
Ephemeral Firecracker microVMs on Vercel for untrusted and AI-generated code — millisecond startup, Node and Python runtimes, persistent by default.
Vercel Sandbox (GA January 2026) runs untrusted and AI-generated code in ephemeral Firecracker microVMs: millisecond startup, Node and Python runtimes with sudo, sandboxes persistent by default via automatic filesystem snapshots, up to 2,000 concurrent on Pro. The SDK and CLI are open-source Apache-2.0; Hobby gets a real free monthly allotment, Pro is usage-billed.
Vercel Sandbox is the platform answer to the agent-code-execution problem: if your stack already lives on Vercel — AI SDK apps, v0 output, Next.js products — the sandbox is right there, with the same OIDC auth, billing, and SDK ergonomics as everything else you deploy.
Highlights
- Firecracker isolation — each sandbox is a microVM with its own filesystem and network; sandboxed code can't touch your environment, data, or cloud resources.
- Real runtimes with root — Node 26/24/22 and Python 3.13 on Amazon Linux, sudo included: package installs, Docker-in-sandbox, even VPN clients and FUSE.
- Persistent by default — automatic filesystem snapshots on stop; resume by name and skip the reinstall; explicit snapshots and beta Drives for attachable storage.
- Serious ceilings — millisecond startup, timeouts to 5 hours, 32 vCPUs/64GB at the top tier, 2,000 concurrent sandboxes on Pro.
- Open SDK + CLI — @vercel/sandbox (and a Python SDK) open-sourced Apache-2.0 at GA, with a CLI for scripting fleets.
- Honest free tier — Hobby includes monthly Active-CPU hours, creations, and storage at no charge (it pauses rather than bills when exhausted).
In an AI-assisted workflow
```bash
npm i @vercel/sandbox
# auth via your linked project's OIDC: vercel link && vercel env pull
# const sandbox = await Sandbox.create(); await sandbox.runCommand("python", ["analyze.py"])
```
The canonical loop: your agent (likely on the AI SDK) generates code → executes it in a sandbox → reads results as observations. Billing nuance worth knowing: I/O wait isn't billed as Active CPU, so long-running-but-idle agent sessions cost less than wall-clock suggests.
NOTE
Two setup quirks: it currently runs in a single region (iad1), and auth wants a linked Vercel project even if you deploy nothing. And remember persistence-by-default means snapshots accrue storage — clean up or opt out for throwaways.
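The generate, execute, observe loop above, written out as an added example (not code from this page or from Vercel). Only Sandbox.create, runCommand and persistent: false appear on the page; the timeout option, stop(), exitCode, stdout() and stderr() are assumed from the SDK's public interface, and runGenerated, toObservation and the 8192-character cap are hypothetical names and values.

```javascript
// Added example, not Vercel's code. SandboxImpl is injected so the loop can be
// exercised offline; in production pass Sandbox from "@vercel/sandbox".
const MAX_OBSERVATION_CHARS = 8192; // constructed cap on what the agent reads back

// Clip one output stream so a runaway program cannot flood the model's context.
function clip(text) {
  const s = String(text ?? "");
  return s.length > MAX_OBSERVATION_CHARS
    ? { text: s.slice(0, MAX_OBSERVATION_CHARS), truncated: true }
    : { text: s, truncated: false };
}

// Turn a finished command into a bounded observation. The result is data for
// the agent to read, never instructions for the host to act on.
function toObservation(exitCode, stdout, stderr) {
  const out = clip(stdout);
  const err = clip(stderr);
  return {
    ok: exitCode === 0,
    exitCode,
    stdout: out.text,
    stderr: err.text,
    truncated: out.truncated || err.truncated,
  };
}

// One pass of generate -> execute -> observe for a throwaway run.
async function runGenerated(SandboxImpl, code, timeoutMs = 60000) {
  // persistent: false (named on this page) avoids leaving a billed snapshot.
  // The timeout option in milliseconds is an assumption about create().
  const sandbox = await SandboxImpl.create({ persistent: false, timeout: timeoutMs });
  try {
    // argv array: the generated source is never spliced into a shell string.
    const cmd = await sandbox.runCommand("python", ["-c", code]);
    return toObservation(cmd.exitCode, await cmd.stdout(), await cmd.stderr());
  } catch (e) {
    return toObservation(-1, "", `sandbox error: ${e.message}`);
  } finally {
    // Assumed stop(): release the microVM even when the run throws.
    await sandbox.stop().catch(() => {});
  }
}
```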
Good to know
Beta June 2025, GA January 30, 2026, with v0, Blackbox AI, and Roo Code cited in production. The ecosystem gravity is the real differentiator — outside Vercel, E2B (code-interpreter ergonomics, open infra), Daytona (speed, multi-OS), and Modal (sandboxes inside a GPU platform) each pull differently: Sandboxing AI-Generated Code maps the choice.
Frequently asked questions
- What is Vercel Sandbox for?
- Running code you didn't write and can't trust — user submissions and, overwhelmingly, agent-generated code — in isolation: each sandbox is a Firecracker microVM with its own filesystem and network, unable to reach your env vars, databases, or cloud resources. It's the execution backend pattern v0 and AI-coding products use in production.
- What runtimes and limits does it support?
- Node (26/24/22) and Python 3.13 on Amazon Linux 2023, with sudo — install anything, including system-level workloads. Default timeout 5 minutes, extendable to 45 minutes on Hobby and 5 hours on Pro+; up to 8 vCPUs/16GB (Pro) or 32 vCPUs/64GB (Enterprise) per sandbox, with 2,000 concurrent sandboxes on Pro.
- How does persistence work?
- It's on by default: stopping a sandbox auto-snapshots the filesystem, and resuming by name restores it — dependency installs survive between runs. Snapshots count toward billed storage and expire 30 days after last use; pass persistent: false for true one-offs.
Related
- Sandboxing AI-Generated Code: E2B vs Modal vs Daytona vs Vercel Sandbox: Where should agent-written code run? The four sandbox platforms compared — isolation models, persistence, economics — plus the design rules that keep execution safe.
- E2B: Open-source Firecracker-microVM sandboxes where AI agents safely execute untrusted code — stateful code interpreters with full Linux, pause/resume, and desktop VMs.
- Modal: Serverless AI infrastructure in pure Python — GPU functions with sub-second cold starts, secure sandboxes for agent code, batch jobs, and per-second billing.
- Daytona: Sub-90ms agent sandboxes — isolated computers with snapshots, volumes, Git and LSP tools, on Linux, Windows, or Android; AGPL self-host or managed cloud.
- Vercel AI SDK: An open-source TypeScript toolkit for building AI apps — unified model API, streaming, structured output, tool calling, and UI hooks.
- v0: Vercel's generative UI builder that turns prompts into production-ready React, Next.js, and shadcn/ui apps.