You can now access GLM-5 via AI Gateway with no other provider accounts required.

GLM-5 from Z.AI is now available on AI Gateway. Compared to GLM-4.7, GLM-5 adds multiple thinking modes, improved long-range planning and memory, and better handling of complex multi-step agent tasks. It's particularly strong at agentic coding, autonomous tool use, and extracting structured data from documents like contracts and financial reports.

To use this model, set model to zai/glm-5 in the AI SDK:

1
import { streamText } from 'ai';
2

3
const result = streamText({
4
  model: 'zai/glm-5',
5
  prompt:
6
    `Generate a complete REST API with authentication,
7
     database models, and test coverage for a task management app.`,
8
});

AI Gateway provides a unified API for calling models, tracking usage and cost, and configuring retries, failover, and performance optimizations for higher-than-provider uptime. It includes built-in observability, Bring Your Own Key support, and intelligent provider routing with automatic retries.

Learn more about AI Gateway, view the AI Gateway model leaderboard or try it in our model playground.

Vercel Sandbox can now enforce egress network policies through Server Name Indication (SNI) filtering and CIDR blocks, giving you control over which hosts a sandbox can reach. Outbound TLS connections are matched against your policy at the handshake, unauthorized destinations are rejected before any data is transmitted.

By default, sandboxes have unrestricted internet access. When running untrusted or AI generated code, you can lock down the network to only the services your workload actually needs. A compromised or hallucinated code snippet cannot exfiltrate data or make unintended API calls, traffic to any domain not on your allowlist is blocked.

Link to headingGoing beyond IP based rules to host based

The modern internet runs on hostnames, not IP addresses, a handful of addresses serve thousands of domains. Traditional IP-based firewall rules can't precisely distinguish between them.

Host-based egress control typically requires an HTTP proxy, but that breaks non-HTTP protocols like Redis and Postgres. Instead, we built an SNI-peeking firewall that inspects the initial unencrypted bytes of a TLS handshake to extract the target hostname. Since nearly all internet traffic is TLS-encrypted today, this covers all relevant cases. For legacy or non-TLS systems, we do also support IP/CIDR-based rules as a fallback.

Link to headingRestrict to specific hosts at creation

Define which domains the sandbox can reach. Everything else is denied by default. Wildcard support makes it easy to allowlist services behind CDNs:

1
import { Sandbox } from '@vercel/sandbox';
2

3
const sandbox = await Sandbox.create({
4
  networkPolicy: {
5
    allow: ['ai-gateway.vercel.sh', '*.vercel.com'],
6
  },
7
});
8

9
// Can reach Vercel AI Gateway and Vercel, nothing else
10
await sandbox.runCommand('node', ['process-data.js']);

Link to headingAdjust after initial setup

Policies can be updated dynamically on a running sandbox without restarting the process. Start with full internet access to install dependencies, lock it down before executing untrusted code, reopen to stream results after user approval, and then air gap again with deny-all, fully in one session:

1
import { Sandbox } from '@vercel/sandbox';
2

3
const sandbox = await Sandbox.create();
4

5
// Phase 1: Open network, download everything we need
6
await sandbox.runCommand('npm', ['install']);
7
await sandbox.runCommand('aws', ['s3', 'cp', 's3://my-bucket/input-data', './data', '--recursive']);
8

9
// Phase 2: Lock down, only the AI gateway is reachable
10
await sandbox.updateNetworkPolicy({
11
  allow: ['ai-gateway.vercel.sh'],
12
});
13

14
// Run the untrusted / agent-driven workload in isolation
15
await sandbox.runCommand('node', ['agent.js']);
16

17
// Phase 3: Open a narrow hole to post results back
18
await sandbox.updateNetworkPolicy({
19
  allow: ['my-bucket.s3.amazonaws.com'],
20
});
21

22
await sandbox.runCommand('aws', ['s3', 'cp', './output/results.json', 's3://my-bucket/output/results.json']);
23

24
// Phase 4: Lockdown Internet access
25
await sandbox.updateNetworkPolicy('deny-all');

Read the documentation to learn more about network egress firewall policies, available on all plans.

Vercel Flags is a feature flag provider built into the Vercel platform. It lets you create and manage feature flags with targeting rules, user segments, and environment controls directly in the Vercel Dashboard.

The Flags SDK provides a framework-native way to define and use these flags within Next.js and SvelteKit applications, integrating directly with your existing codebase:

1
import { vercelAdapter } from "@flags-sdk/vercel"
2
import { flag } from 'flags/next'; 
3

4
export const showNewFeature = flag({  
5
    key: 'show-new-feature',  
6
    decide: () => false,  
7
    description: 'Show the new dashboard redesign',
8
    adapter: vercelAdapter()
9
});

And you can use them within your pages like:

1
import { showNewFeature } from '~/flags'; 
2

3
export default async function Page() {  
4
    const isEnabled = await showNewFeature();
5

6
    return isEnabled ? <NewDashboard /> : <OldDashboard />
7
;}

For teams using other frameworks or custom backends, the Vercel Flags adapter supports the OpenFeature standard, allowing you to combine feature flags across various systems and maintain consistency in your flag management approach:

1
import { OpenFeature } from '@openfeature/server-sdk';
2
import { VercelProvider } from '@vercel/flags-core/openfeature';
3

4
// Set up the provider and client
5
await OpenFeature.setProviderAndWait(new VercelProvider());
6
const client = OpenFeature.getClient();
7

8
// Evaluate flags
9
const enabled = await client.getBooleanValue('show-new-feature');

Vercel Flags is priced at $30 per 1 million flag requests ($0.00003 per event), where a flag request is any request to your application that reads the underlying flags configuration. A single request evaluating multiple feature flags of the same source project still counts as one flag request.

Vercel Flags is now in beta and available to teams on all plans.

Learn more about Vercel Flags to get started with feature flag management.

The login experience now supports Sign in with Apple, enabling faster access for users with Apple accounts.

If your Apple account uses an Apple email (@icloud.com, @mac.com, @me.com, etc.) that matches your Vercel account's email, you can use the Apple button from the login screen and your accounts will be automatically linked.

If the emails don't match, you can manually connect your Apple account from your account settings once logged in.

The vercel logs command has been rebuilt with more powerful querying capabilities, designed with agent workflows in mind. You can now query historical logs across your projects and filter by specific criteria, such as project, deploymentID, requestID, and arbitrary strings, to find exactly what you need.

The updated command uses git context by default, automatically scoping logs to your current repository when run from a project directory. This makes it easy to debug issues during development without manually specifying project details.

Whether you're debugging a production issue or building automated monitoring workflows, the enhanced filtering gives you precise control over log retrieval across your Vercel projects.

Learn about Vercel CLI and vercel logs command.

Agents can now access runtime logs through Vercel's MCP server.

The get_runtime_logs tool lets agents retrieve Runtime Logs for a project or deployment. Runtime logs include logs generated by Vercel Functions invocations in preview and production deployments, including function output and console.log messages.

This enables agents to:

• debug failing requests

• inspect function output

• search logs for specific errors or request IDs

• investigate runtime behavior across deployments

Get started with the Vercel MCP server.

PostHog is now available in the Vercel Marketplace as a feature flags, experimentation and Analytics provider.

With this integration, you can now:

• Declare flags in code using Flags SDK and the @flags-sdk/posthog adapter

• Toggle features in real time for specific users or cohorts

• Roll out changes gradually using percentage-based rollouts

• Run A/B tests to validate impact before a full release

This integration helps teams building on Vercel ship with more confidence. You can test in production, reduce release risk, and make data-driven decisions based on real user behavior, all within your existing Vercel workflows.

Create a flags.ts file with an identify function and a flag check:

1
import { postHogAdapter } from '@flags-sdk/posthog'
2
import { flag, dedupe } from 'flags/next'
3
import type { Identify } from 'flags'
4

5
export const identify = dedupe(async () => ({
6
  distinctId: 'user_distinct_id'  // replace with real user ID
7
})) satisfies Identify<{ distinctId: string }>
8

9
export const myFlag = flag({
10
  key: 'my-flag',
11
  adapter: postHogAdapter.isFeatureEnabled(),
12
  identify,
13
})

Check out the PostHog template to learn more about this integration.

When Vercel API credentials are accidentally committed to public GitHub repositories, gists and npm packages, Vercel now automatically revokes them to protect your account from unauthorized access.

When the exposed credentials are detected, you'll receive notifications and can review any discovered tokens and API keys in your dashboard. This detection is powered by GitHub secret scanning and brings an extra layer of security to all Vercel and v0 users.

As part of this change, we've also updated token and API key formats to make them visually identifiable. Each credential type now includes a prefix:

• vcp for Vercel personal access tokens

• vci for Vercel integration tokens

• vca for Vercel app access tokens

• vcr for Vercel app refresh tokens

• vck for Vercel API keys

We recommend reviewing your tokens and API keys regularly, rotating long-lived credentials, and revoking unused ones.

Learn more about account security.