# Safely inject credentials in HTTP headers with Vercel Sandbox

**Published:** February 23, 2026 | **Authors:** Valerian Roche, Rob Herley

---

[Vercel Sandbox](https://vercel.com/docs/vercel-sandbox) can now automatically inject HTTP headers into outbound requests from sandboxed code. This keeps API keys and tokens safely outside the sandbox VM boundary, so apps running inside the sandbox can call authenticated services without ever accessing the credentials.

Header injection is configured as part of the network policy using `transform`. When the sandbox makes an HTTPS request to a matching domain, the firewall adds or replaces the specified headers before forwarding the request.

```typescript
const sandbox = await Sandbox.create({
  timeout: 300_000,
  networkPolicy: {
    allow: {
      "ai-gateway.vercel.sh": [{
        transform: [{
          headers: {
            authorization: `Bearer ${process.env.AI_GATEWAY_API_KEY}`
          }
        }],
      }],
    },
  },
});
// Code inside the sandbox calls AI Gateway without knowing the API key
const result = await sandbox.runCommand('curl',
  ['-s', 'https://ai-gateway.vercel.sh/v1/models']
);
```

This is designed for AI agent workflows where prompt injection is a real threat. Even if an agent is compromised, there's nothing to exfiltrate, as the credentials only exist in a layer outside the VM.

![Header injection light desktop](//images.ctfassets.net/e5382hct74si/4SUlBNFbOPd6Fg4yYjtvTX/169053bc60352e177aa9fec0d03f864c/image.png)

Injection rules work with all egress network policy configurations, including open internet access. To allow general traffic while injecting credentials for specific services:

```typescript
const sandbox = await Sandbox.create({
  networkPolicy: {
    allow: {
      "ai-gateway.vercel.sh": [{
        transform: [{
          headers: {
            Authorization: `Bearer ${process.env.AI_GATEWAY_API_KEY}` 
          }
        }],
      }],
      "*.github.com": [{
        transform: [{
          headers: {
            Authorization: `Bearer ${process.env.GITHUB_TOKEN}`
          }
        }],
      }],
      // Allow traffic to all other domains.
      "*": []
    }
  }
});
```

### Live updates

Like all network policy settings, injection rules can be updated on a running sandbox without restarting it. This enables multi-phase workflows, inject credentials during setup, then remove them before running untrusted code:

```typescript
// Phase 1: Clone repos with credentials
await sandbox.updateNetworkPolicy({
  allow: {
    "api.github.com": [{
      transform: [{
        headers: {
          Authorization: `Bearer ${process.env.GITHUB_TOKEN}`
        }
        }],
    }],
  }
});
// ... clone repos, download data ...
// Phase 2: Lock down before running untrusted code
await sandbox.updateNetworkPolicy('deny-all');
```

### Key highlights

- Header overwrite: Injection applies to HTTP headers on outbound requests.
- Full replacement: Injected headers overwrite any existing headers with the same name set by sandbox code, preventing the sandbox from substituting its own credentials.
- Domain matching: Supports exact domains and wildcards (e.g., *.github.com). Injection only triggers when the outbound request matches.
- Works with all policies: Combine injection rules with `allow-all`, or domain-specific allow lists.

Available to all Pro and Enterprise customers. Learn more in the [documentation](https://vercel.com/docs/vercel-sandbox/concepts/firewall#credentials-brokering).

---

📚 **More updates:** [View all changelog entries](/changelog/sitemap.md) | [Blog](/blog/sitemap.md)