Pro teams can now choose how Git committers to private repositories are added to their Vercel team.

• Auto Approval: non-team committers with Vercel accounts are automatically added to your team and their deployments proceed immediately. Added members count toward your team seats at standard Pro pricing.

• Manual Approval: deployments are blocked until an owner approves the new member.

Choose your approval preference in team settings.

Learn more about collaboration settings and troubleshooting project collaboration.

You can now secure native integration resources by restricting where they can be used. Setting a resource to Production only removes non-production access and protects credentials as sensitive environment variables, so secret values are no longer readable from the dashboard or CLI.

From the integration resource Settings, select Allowed Environments → Production only and save. We recommend that you rotate the secrets of the integration resource after saving.

Once applied:

• Development and Preview connections are removed

• New non-production connections are blocked

• Connections without a Production target are disconnected

• Credentials are protected and no longer readable

Reverting this setting requires Owner permissions. Owners can re-enable Development and Preview access from Settings and reconnect projects if needed. You may be be prompted to reauthenticate with an MFA challenge. To learn more, read the documentation.

You can now access Observability Plus metrics in the Vercel CLI.

Query observability data for any Vercel team or project using the new vercel metrics command. Coding agents can also leverage this new command to better analyze the performance, reliability, or security of applications on Vercel, as well as debug issues.

This feature is available in public beta for all teams with Observability Plus.

Learn more about vercel metrics.

Vercel Sandbox can now connect to hosted Postgres databases, including Neon, Supabase, AWS RDS, Nile, and Prisma Postgres. To enable a connection, add the database host to your Sandbox's allowed domains.

Link to headingBackground

When SNI based filtering is used with Vercel Sandbox, the sandbox firewall restricts outbound network access by checking the domain name during a connection's TLS handshake. This works seamlessly for HTTPS traffic, where the domain is visible at the start of the connection.

Postgres, however, negotiates TLS differently. A Postgres client first opens a plain TCP connection and then upgrades to TLS. Because the domain isn't available when the firewall first needs it, Postgres connections through a standard domain-restricted Sandbox would fail.

Link to headingWhat changed

The Sandbox firewall now adjusts for the Postgres TLS negotiation flow. It detects the protocol's startup sequence, waits for the TLS upgrade, and then applies your domain policy before forwarding the connection to the database. No changes are needed to your code or database configuration.

Link to headingConnecting to hosted database

Here's a full example: create a Sandbox, install a Postgres client, lock down the network to only the database host, and run a query.

1
import { Sandbox } from '@vercel/sandbox';
2

3
const { PGHOST, PGUSER, PGPASSWORD, PGDATABASE } = process.env;
4
const connectionString = `postgres://${PGUSER}:${PGPASSWORD}@${PGHOST}:5432/${PGDATABASE}?sslmode=require`;
5

6
// Start with unrestricted network access to install dependencies.
7
const sandbox = await Sandbox.create();
8

9
await sandbox.runCommand({
10
  cmd: 'sudo',
11
  args: ['dnf', 'install', '-y', 'postgresql15'],
12
});
13

14
// Lock the sandbox down to only the database host before running untrusted code.
15
await sandbox.updateNetworkPolicy({
16
  allowDomains: [PGHOST!],
17
});
18

19
const result = await sandbox.runCommand({
20
  cmd: 'psql',
21
  args: [connectionString, '-c', 'SELECT now();'],
22
});
23

24
console.log(await result.stdout());

Link to headingImportant to know

• TLS is required: Domain-based rules rely on the hostname being visible during the TLS handshake, so clients must connect with sslmode=require or higher. If your database doesn't support TLS, you can allow it by IP range instead. Most managed Postgres providers require TLS by default.

• GSSAPI encryption is not supported: Clients using gssencmode=prefer will fall back to TLS automatically; gssencmode=require will not connect.

• No silent downgrades: If a client uses sslmode=prefer and the database doesn't support TLS, the connection will fail rather than silently falling back to plain-text.

Learn more about the Sandbox firewall.

Grok 4.3 is now available on Vercel AI Gateway. The model has a 1M token context window and improvements in accuracy, tool calling, and instruction following.

To use Grok 4.3, set model to xai/grok-4.3 in the AI SDK.

1
import { streamText } from 'ai';
2

3
const result = streamText({
4
  model: 'xai/grok-4.3',
5
  prompt: 'Analyze this dataset and summarize the key trends.',
6
});

AI Gateway provides a unified API for calling models, tracking usage and cost, and configuring retries, failover, and performance optimizations for higher-than-provider uptime. It includes built-in custom reporting, observability, Bring Your Own Key support, and intelligent provider routing with automatic retries.

Learn more about AI Gateway, view the AI Gateway model leaderboard or try it in our model playground.

As teams scale isolated environments for AI agents, code generation, or dev workflows, keeping track of which sandbox belongs to whom, and why, becomes critical. Custom tags allow you to organize, filter, and manage Vercel Sandboxes at scale. Each sandbox supports up to five tags.

Link to headingOrganize by environment, team, or customer

Tags are flexible by design. Use them to separate staging from production, attribute usage to specific teams, or isolate sandboxes per customer in multi-tenant platforms:

1
const sandbox = await Sandbox.create({
2
  name: "my-sandbox",
3
  tags: { env: "staging" },
4
});

Link to headingUpdate tags as context changes

Promote a sandbox from staging to production, reassign ownership, or mark it for cleanup without recreating it:

1
await sandbox.update({
2
  tags: { env: "production", team: "infra" },
3
});

Link to headingEasily track your sandboxes

Filter sandboxes by any tag to quickly surface the ones that matter. This is useful for dashboards, cleanup scripts, or routing logic that needs to find all sandboxes matching a specific environment or team:

1
const productionSandboxes = await Sandbox.list({
2
  tags: { env: "production" },
3
});
4
console.log(
5
  "Production sandboxes:",
6
  productionSandboxes.sandboxes.map((s) => s.name),
7
); // my-sandbox

Link to headingUse Cases

• AI agents at scale: Tag sandboxes by session, user, or agent run to track which execution environment belongs to which workflow.

• Multi-tenant platforms: Isolate and filter sandboxes per customer or workspace, making billing attribution and cleanup straightforward.

• Team-level visibility: Attribute sandbox usage to specific teams for cost tracking or capacity planning.

This feature is in beta and requires upgrading to the beta SDK and CLI packages. Learn more in the documentation.

You can now sign up for or upgrade to a Vercel Pro plan directly from Stripe Projects using shared payment tokens (SPTs). Agents and developers can manage plan changes programmatically from the Stripe CLI, without leaving their workflow.

Link to headingWhat’s new

• Provision or upgrade to Vercel Pro directly from the Stripe CLI

• Support for both upgrade and downgrade flows

• Powered by shared payment tokens for secure, streamlined billing

This builds on our Stripe Projects launch in developer preview by enabling end-to-end provisioning and billing in one place. Instead of switching between dashboards, you can now handle infrastructure setup and plan management directly from the terminal.

Link to headingGetting started

If you’re already using Stripe Projects and have set up billing via stripe projects billing add , you can upgrade your Vercel plan from the CLI simply by running stripe projects add vercel/pro

If you are new to Stripe Projects, Install the plugin and initialize your project:

1
stripe plugin install projects 
2

3
stripe projects init my-app 
4

5
stripe projects add vercel/pro

You can now run lint and typecheck on every Vercel deployment, in parallel with the build. Native Deployment Checks are available to every team and join your existing Deployment Checks alongside GitHub and Marketplace integrations.

Once added from your project's Build and Deployment settings, Vercel runs the matching script from your package.json on each deployment, and skips the check if no matching script exists. You can mark a check as required to hold the deployment from production until it passes, and choose which environments each check runs on.

When a Native Deployment Check fails on a pull request, Vercel Agent investigates the failure and suggests a fix you can review and merge.