Headline:
Notion Runs Untrusted Code at Scale Using Vercel Sandbox MicroVMs
Key Facts
- What: Notion Workers execute arbitrary code from third-party developers and AI agents inside isolated Firecracker microVMs powered by Vercel Sandbox.
- Security: Uses credential injection at the network level, dynamic network policies, and per-execution isolation to prevent prompt injection and data leaks.
- Performance: Snapshots filesystem state for fast cold starts; bills only for active CPU time, ideal for low-utilization agent workloads.
- Use Cases: Syncs CRM data, triggers automations on buttons or schedules, and extends Notion Custom Agents via tool calls.
- Availability: Vercel Sandbox now generally available; powers Notion Workers for millions of concurrent executions.
Lead paragraph
Notion has launched Workers, a new capability that lets developers and AI agents run custom code directly inside Notion workspaces, with every execution secured by Vercel Sandbox. The platform uses ephemeral Firecracker microVMs to provide hard isolation between Workers, protecting enterprise credentials and user data from prompt injection attacks that could otherwise exfiltrate secrets. By offloading the complex infrastructure for secure code execution to Vercel, Notion is accelerating its transformation into a full developer platform.
How Notion Workers Solve the Untrusted Code Problem
Notion wanted to open its platform so anyone could extend Custom Agents with new powers: syncing external data on a schedule, opening issues when error rates spike, or turning Slack threads into formatted database content. But allowing arbitrary code written by third-party developers or generated by AI agents created a massive security challenge.
Every Notion Worker runs on behalf of a specific user and potentially inside an enterprise workspace. Without proper isolation, a single malicious or compromised Worker could access secrets, permissions, and data belonging to other users. A prompt injection in an AI agent could trick it into leaking API keys or reading sensitive pages.
The requirements were demanding: complete isolation between Workers, credential security that keeps secrets out of the code execution environment, enforceable network controls for enterprise customers, support for millions of concurrent executions, fast cold starts through filesystem snapshots, and an economic model suited for agent workloads that spend most of their time waiting on I/O rather than consuming CPU.
Inside Vercel Sandbox: Firecracker MicroVMs at Scale
Vercel Sandbox addresses these requirements by running each Notion Worker in an ephemeral Firecracker microVM. Unlike containers, each microVM boots its own kernel, delivering stronger security boundaries with its own filesystem, network stack, and security context.
When a Worker finishes executing, the microVM is either destroyed or snapshotted for future reuse. This snapshotting capability allows Notion to install dependencies once, capture the filesystem state, and restore it instantly on subsequent runs — dramatically reducing cold start times.
According to Vercel’s architecture, the Sandbox includes several critical features specifically useful for agent-driven platforms:
- Credential injection via firewall proxy: API keys are injected at the network level into outbound requests. The credentials never enter the execution environment of the untrusted code, eliminating the primary vector for prompt injection attacks that attempt to exfiltrate secrets.
- Dynamic network policies: Policies can be updated at runtime without restarts. A Worker might start with open internet access to install packages, then have egress locked down to only approved services before running untrusted code.
- Active CPU billing: Customers pay only for time when code is actively executing, not while waiting on network calls or I/O. This model aligns perfectly with agent workloads that typically have low CPU utilization.
Vercel processes over 2.7 million deployments per day using similar microVM technology, giving the company significant experience running isolated workloads at massive scale.
Notion’s Shift to a Developer Platform
Notion Workers represent more than a single feature. As described in Vercel’s announcement, they mark the beginning of Notion evolving into a true developer platform. Building the required infrastructure in-house — secure code execution, credential management, network isolation, and filesystem snapshotting — becomes increasingly complex as a platform grows to serve millions of users.
By partnering with Vercel, Notion can focus on developer experience and product innovation while relying on Vercel Sandbox for the hard infrastructure problems.
Developers are already using Notion Workers in three primary patterns:
- Scheduled syncing of external data such as CRM records, analytics, and support tickets into Notion databases.
- Button-triggered automations that run arbitrary code with one click.
- Tool calls from Notion’s Custom Agents, dramatically expanding what AI agents can accomplish beyond pre-built integrations.
The Broader Industry Need for Secure Code Execution
The challenges Notion faced are not unique. Any platform that wants to let users or AI agents run custom code — whether for developer plugins, workflow automation, or agent tool calling — encounters the same set of problems around isolation, credential security, network controls, and scale.
Vercel Sandbox, now generally available, provides these capabilities out of the box through its SDK. It creates ephemeral, isolated microVMs with support for executions up to 45 minutes and includes resource limits, automatic timeouts, and strong isolation guarantees.
This approach is particularly relevant as AI agents become more prevalent. Running AI-generated code safely has become a core requirement for many platforms, and traditional container-based approaches often fall short on security boundaries.
"Vercel Sandbox handles the infrastructure complexity so Notion can focus on the developer experience," the announcement states, highlighting the strategic value of the partnership.
Impact on Developers and the AI Ecosystem
For developers, Notion Workers combined with Vercel Sandbox dramatically lowers the barrier to building sophisticated automations and agent capabilities inside Notion. They no longer need to manage their own secure execution environments or worry about the security implications of running untrusted code.
Enterprise customers gain strong guarantees about network access and data isolation, addressing key compliance and security requirements that previously made such features difficult to adopt in large organizations.
The active CPU pricing model is especially significant for AI agent use cases. Traditional serverless billing often penalizes workloads that spend significant time waiting on external APIs. By charging only for actual CPU usage, Vercel makes running many agent-driven Workers economically viable at scale.
This announcement also signals a maturing infrastructure layer for the AI agent ecosystem. As more platforms seek to let users extend functionality through code or AI-generated tools, demand for secure sandboxing solutions is likely to grow rapidly.
What’s Next
Vercel Sandbox is now generally available to customers on all plans. Notion has begun rolling out Workers to developers, with the initial focus on data syncing, button actions, and agent tool calling.
As more platforms adopt similar capabilities, the pattern of using Firecracker-based microVMs with network-level credential injection and snapshotting is likely to become a standard approach for running untrusted code safely.
For developers interested in building on this technology, Vercel provides documentation on safely executing AI-generated code and an SDK for creating custom sandboxed environments.
The partnership demonstrates how platform companies can leverage specialized infrastructure providers to solve complex security and scaling problems, allowing them to move faster on their core product vision.

