Vercel Sandbox can now automatically inject HTTP headers into outbound requests from sandboxed code. This keeps API keys and tokens safely outside the sandbox VM boundary, so apps running inside the sandbox can call authenticated services without ever accessing the credentials.

Header injection is configured as part of the network policy using `transform`. When the sandbox makes an HTTPS request to a matching domain, the firewall adds or replaces the specified headers before forwarding the request.

```ts
import { Sandbox } from "@vercel/sandbox";

const sandbox = await Sandbox.create({
  timeout: 300_000,
  networkPolicy: {
    allow: {
      "ai-gateway.vercel.sh": [
        {
          // The key is read from the host environment, never from inside the sandbox
          transform: [
            { headers: { authorization: `Bearer ${process.env.AI_GATEWAY_API_KEY}` } },
          ],
        },
      ],
    },
  },
});

// Code inside the sandbox calls AI Gateway without knowing the API key
const result = await sandbox.runCommand("curl", [
  "-s",
  "https://ai-gateway.vercel.sh/v1/models",
]);
```

This is designed for AI agent workflows where prompt injection is a real threat.…
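The add-or-replace behaviour described above can be modelled in a few lines. This is an added example, not Vercel's firewall code: `applyPolicy`, the exact-hostname match, denying hosts absent from `allow`, and skipping injection for non-HTTPS requests are assumptions, and all values are constructed.

```javascript
// Simplified model of an egress firewall applying header transforms.
// Not Vercel's implementation; matching and deny semantics are assumptions.
const policy = {
  allow: {
    "ai-gateway.vercel.sh": [
      // Constructed placeholder standing in for the host-side secret.
      { transform: [{ headers: { authorization: "Bearer HOST_SIDE_SECRET" } }] },
    ],
  },
};

// Returns { action, headers } for one outbound request from the sandbox.
function applyPolicy(policy, url, requestHeaders = {}) {
  const { protocol, hostname } = new URL(url); // URL lower-cases the hostname
  // Own-property check so names like "constructor" never match by accident.
  if (!Object.prototype.hasOwnProperty.call(policy.allow, hostname)) {
    return { action: "deny", headers: null };
  }
  // Header names are case-insensitive: normalise so "Authorization" and
  // "authorization" collide and a sandbox-supplied value cannot survive.
  const headers = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  // The page describes injection for HTTPS requests only, so the secret is
  // never attached to a plaintext request in this model.
  if (protocol === "https:") {
    for (const rule of policy.allow[hostname]) {
      for (const t of rule.transform ?? []) {
        for (const [name, value] of Object.entries(t.headers ?? {})) {
          headers[name.toLowerCase()] = value; // add or replace
        }
      }
    }
  }
  return { action: "allow", headers };
}

// Constructed requests, as sandboxed code might issue them.
const gateway = "https://ai-gateway.vercel.sh/v1/models";
const ok = applyPolicy(policy, gateway, { accept: "application/json" });
const overridden = applyPolicy(policy, gateway, { Authorization: "Bearer set-inside-sandbox" });
const other = applyPolicy(policy, "https://example.com/collect", { accept: "*/*" });

console.log(ok.headers.authorization, "|", overridden.headers.authorization, "|", other.action);
```

The second request shows why replacement matters: a header set by code inside the sandbox is overwritten, and the third shows the credential is never attached to a host outside the policy.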