[▲ Vercel Community](/) · [Categories](/categories) · [Latest](/latest) · [Top](/top) · [Live](/live)

[Showcase](/c/showcase/41)

# A small helper for service-first Vercel Sandbox network policies

22 views · 3 likes · 2 posts


Toyamarinyon (@toyamarinyon) · 2026-03-23 · ♥ 3

I published [`sandbox-policy-builder`](https://github.com/giselles-ai/sandbox-policy-builder), a small helper library for `@vercel/sandbox`.

It is for the case where you are building a coding agent or AI app in Vercel Sandbox and want to express outbound auth rules in terms of services like `OpenAI`, `Claude`, `GitHub`, or `AI Gateway`, rather than managing raw domain rules directly.

Example:

```ts
import { Sandbox } from "@vercel/sandbox";
import { allow } from "sandbox-policy-builder";

const sandbox = await Sandbox.create({
  networkPolicy: allow({
    codex: { apiKey: process.env.OPENAI_API_KEY! },
    openai: { apiKey: process.env.OPENAI_API_KEY! },
    gemini: { apiKey: process.env.GEMINI_API_KEY! },
    claude: { apiKey: process.env.ANTHROPIC_API_KEY! },
    github: { apiKey: process.env.GITHUB_TOKEN! },
    aiGateway: { apiKey: process.env.AI_GATEWAY_TOKEN! },
  }),
});
```

The library expands those names into the domain-level `NetworkPolicy` shape required by Vercel Sandbox.

Supported services today:
- `codex`
- `openai`
- `gemini`
- `claude`
- `github`
- `aiGateway`

Repo: https://github.com/giselles-ai/sandbox-policy-builder


BestCodes (@bestcodes) · 2026-03-31

Why is the API key required? Does it only allow requests made using that API key?