Vela is a secure code-execution runtime purpose-built for AI agents. It lets large-language-model agents run arbitrary code — Python scripts, shell commands, data pipelines — inside an isolated sandbox that you fully control.
When AI agents generate and execute code on your infrastructure, you face a fundamental tension: the agent needs enough freedom to be useful, but unconstrained execution is a security nightmare. Vela resolves this by wrapping every execution in a Firecracker micro-VM with hardware-enforced isolation, fine-grained capability tokens, and a real-time intrusion-detection system — all with sub-200ms cold-start latency.
Vela is open source and available on GitHub.
It ships as a single vela binary for the daemon/CLI, plus native SDKs for Python and TypeScript.
At a high level Vela consists of three layers:
A typical execution flow looks like this:
client.execute(["python3", "script.py"]) via the SDK.Install the Vela daemon, CLI, and language SDKs on your system.
ls /dev/kvm--no-vm development mode or run inside a Linux VM / WSL2.
All features except hardware-level isolation work identically.
The vela-engine crate includes both the daemon (velad) and the CLI (vela):
The Python client library works with Python 3.9 and above:
For Node.js 18+ projects:
If you prefer containers, the official Docker image bundles the daemon, a minimal rootfs, and a pre-compiled kernel:
--device /dev/kvm access to launch Firecracker VMs.
Without it, the daemon falls back to --no-vm mode automatically.
Run the built-in health check to confirm everything is working:
Run your first sandboxed execution in under 5 minutes.
ls /dev/kvm should exist)rustup.rs)--no-vm mode to run as host subprocesses. All other features work identically.
pip install vela-agent langchain and you're done.
HMAC-signed tokens that define exactly what an AI agent's code is allowed to do inside the sandbox.
Capability tokens are the primary authorization mechanism in Vela. Instead of broad IAM roles or API keys, each execution is scoped to a cryptographically signed token that encodes fine-grained permissions: which files can be read, whether the network is accessible, how much memory the process may use, and how long it can run.
Tokens follow the principle of least privilege — you create a token with the minimum set of permissions your agent needs, and the Vela daemon enforces those boundaries at the VM level. If a token doesn't grant network access, the micro-VM's network interface is simply never attached.
A decoded capability token is a JSON object with the following structure:
Use the CLI to generate tokens. The token is signed with the secret set in VELA_TOKEN_SECRET:
The following scopes are available:
| Scope | Flag | Description |
|---|---|---|
filesystem.read | --allow-file | Paths the process may read from |
filesystem.write | --allow-write | Paths the process may write to |
network.enabled | --allow-network | Whether outbound networking is attached |
network.domains | --allow-domains | Allowlisted egress domains |
resources.memory | --max-memory-mb | Maximum RAM in megabytes |
resources.timeout | --max-timeout-ms | Maximum wall-clock execution time |
Every token has an expires_at timestamp. After expiry, the daemon rejects the token with a 401 TOKEN_EXPIRED error.
For long-running agents, set up a token-rotation strategy:
You can inspect and validate a token without starting the daemon:
Declarative YAML-based rules that enforce organisation-wide security policies on every execution.
While capability tokens define what an individual agent is allowed to do, the policy engine defines what your organisation allows. Policies are loaded at daemon start-up and act as a second layer of enforcement — even if a token grants network access, a policy can restrict which domains are reachable.
This two-layer model means you can issue broad tokens to trusted agents while still maintaining guardrails at the infrastructure level. Policies are evaluated in order: the first matching rule wins.
Network policies control which external domains the sandbox can reach. They use an allowlist model:
only domains explicitly listed in allow_domains are reachable. Wildcards are supported.
deny_domains as an additional safety net. Deny rules are evaluated before allow rules,
so deny_domains: ["*"] blocks all traffic regardless of allow rules.
Resource policies set hard ceilings on what a single execution may consume:
Filesystem rules restrict which paths are visible inside the micro-VM. By default the rootfs is read-only; only explicitly allowed paths are mounted writable.
Pass your policy file when starting the daemon:
Policies support an extends field that lets you compose layered policies. Child policies
can only restrict further — they cannot grant permissions beyond what the parent allows.
Structured JSON audit logs and execution metrics for every sandbox invocation.
Every execution in Vela produces a structured audit log entry. These logs capture the full lifecycle of an execution: who requested it, what token was used, which resources were consumed, and whether any security events were triggered. Audit logs are essential for compliance, debugging agent behaviour, and forensic investigation.
Vela also exports Prometheus-compatible metrics for real-time monitoring of daemon health, VM pool utilisation, and execution latency.
Each log entry is a single JSON line written to the configured log destination:
Configure where audit logs are written via the daemon config or CLI flags:
jq, Datadog, or Elasticsearch for real-time dashboards.
Use jq or the built-in vela logs command to filter audit entries:
| Field | Type | Description |
|---|---|---|
execution_id | string | Unique identifier for this execution |
subject | string | Token subject (agent identity) |
duration_ms | number | Wall-clock execution time |
security_events | array | IDS alerts triggered during execution |
resources | object | Peak resource consumption metrics |
The daemon exposes a Prometheus-compatible metrics endpoint:
Real-time behavioural monitoring that detects and responds to suspicious activity inside sandboxed executions.
Vela's Intrusion Detection System (IDS) monitors every execution for anomalous behaviour patterns. Unlike traditional network-based IDS tools, Vela's system operates at the VM level — it can observe syscalls, process trees, network connections, and filesystem mutations in real time.
When suspicious activity is detected, the IDS generates a structured alert and can optionally terminate the execution immediately. Alerts are included in the audit log and can trigger webhook notifications.
Vela ships with a set of pre-configured detection rules:
sudo, su, or exploit SUID binariesids.disable_rules: ["crypto-mining"].
When a rule triggers, the IDS emits a structured alert:
Define custom detection rules in your policy YAML. Rules match on syscalls, process names, network patterns, and filesystem access:
Each rule specifies an action when triggered:
alert — log the event and continue execution (default)kill — immediately terminate the execution with a non-zero exit codepause — freeze the VM and wait for manual review (Cloud API only)webhook — send the alert to a configured webhook URL in addition to loggingValidate custom rules with the dry-run mode, which simulates executions against your ruleset:
Use Vela as a secure code-execution tool inside your LangChain agents and chains.
The vela-agent package includes a drop-in LangChain Tool that wraps Vela's
sandboxed execution. Your LangChain agent can generate Python code, execute it safely inside a
Firecracker micro-VM, and receive the results — all with the full protection of capability tokens,
policy enforcement, and intrusion detection.
Create a VelaTool and add it to your agent's toolkit:
The VelaTool accepts the same permission parameters as the CLI token generator.
You can also pass a pre-generated token file:
VELA_TOKEN_SECRET in your source code. Use environment variables or a secrets manager.
The tool integrates with any LangChain agent type — OpenAI tools agents, ReAct agents, and plan-and-execute agents all work out of the box. The tool automatically captures stdout, stderr, and the exit code and returns them to the LLM.
When an execution fails — due to a timeout, OOM kill, or IDS alert — the tool returns the error details to the LLM so it can retry or adjust its approach:
Plug Vela's secure sandbox into LlamaIndex agents and query pipelines.
Vela provides a native LlamaIndex FunctionTool wrapper that lets your LlamaIndex agents
execute code securely. Whether you're building RAG pipelines with code execution, data analysis agents,
or multi-step reasoning workflows, the integration handles sandbox lifecycle, token management, and
result formatting automatically.
You can also use the Vela tool inside a LlamaIndex query pipeline for post-processing or data transformation steps:
Pass sandbox permissions directly when creating the tool:
setup_commands to pre-install Python packages. These run once when the VM is
provisioned and are cached across executions for the same agent.
Give your CrewAI agents access to secure code execution via Vela's sandboxed tool.
CrewAI is a framework for orchestrating teams of AI agents. Vela's CrewAI integration provides a tool class that any crew member can use to run code in an isolated micro-VM. Each agent in the crew can have its own capability token with different permissions, allowing you to enforce the principle of least privilege across the team.
Give each agent a different token to enforce role-specific permissions:
A complete example with task dependencies and output parsing:
Use Vela as a function-calling tool with the OpenAI Chat API and Assistants API.
Vela integrates with OpenAI's function calling (tool use) feature, allowing GPT-4 and other models to generate code and execute it in a secure sandbox. The integration works with both the Chat Completions API and the newer Assistants API.
Define Vela as a tool in your OpenAI function calling schema, then handle tool calls by routing code to the sandbox:
With the Assistants API, you can create a persistent assistant that uses Vela for code execution:
Process tool calls from the model response and execute them in the sandbox:
For streaming use cases, handle tool calls incrementally:
Authenticate requests to the Vela Cloud API using API keys and bearer tokens.
The Vela Cloud API uses API keys for authentication. Every request must include a valid API key in
the Authorization header. API keys are scoped to a project and can be restricted to
specific operations (read-only, execute, admin).
Generate API keys from the Vela dashboard or using the CLI. Each key is tied to a project and inherits the project's policies:
Include the API key as a Bearer token in the Authorization header:
Or using the SDK:
Rotate keys without downtime by creating a new key before revoking the old one. The API supports a 24-hour grace period during which both keys are valid:
Restrict API keys to specific operations for defence in depth:
execute — can submit code for executionread — can query execution results and logsadmin — can manage policies, keys, and webhooksThe primary API endpoint for running code in a secure Vela sandbox.
POST https://api.vela.dev/v1/execute creates a new sandboxed execution.
The code runs inside a Firecracker micro-VM with the permissions defined by your project's
policy and the request parameters. The response includes stdout, stderr, exit code, and
resource usage metrics.
| Field | Type | Required | Description |
|---|---|---|---|
command | string[] | Yes | Command and arguments to execute |
timeout_ms | number | No | Max execution time (default: 30000) |
memory_mb | number | No | Memory limit (default: 128) |
environment | object | No | Environment variables to set |
network | object | No | Network access configuration |
files | object | No | Files to inject (path → content) |
For large files, use the multipart upload endpoint instead of inline files:
For long-running jobs, use async mode. The API returns immediately with an execution ID, and you poll for results or receive a webhook:
400 — Invalid request (missing command, invalid parameters)401 — Invalid or expired API key403 — Operation not allowed by policy or key scope408 — Execution timed out429 — Rate limit exceeded500 — Internal server error503 — No VMs available in pool (try again)Receive real-time HTTP notifications when executions complete or security events are triggered.
Webhooks let you subscribe to execution events without polling. Vela sends HTTP POST requests to your configured endpoint whenever an execution completes, fails, or triggers a security alert. This is especially useful for async executions and monitoring pipelines.
execution.completed — execution finished successfully (exit code 0)execution.failed — execution finished with non-zero exit codeexecution.timeout — execution exceeded its timeoutexecution.oom — execution killed due to memory limitids.alert — intrusion detection rule triggeredids.kill — IDS terminated an execution
Every webhook includes an X-Vela-Signature header. Verify it using HMAC-SHA256
to ensure the payload is authentic:
If your endpoint returns a non-2xx status code or times out (10s), Vela retries with exponential backoff: 1s, 5s, 30s, 5min, 1hr. After 5 failed attempts, the webhook is marked as failing and an email alert is sent to the project owner.
vela cloud webhook deliveries whk_abc123.
Understand and work with the Vela Cloud API's rate limiting system.
The Vela Cloud API enforces rate limits to ensure fair usage and protect infrastructure stability.
Rate limits are applied per API key and are based on a sliding-window counter. When you exceed the
limit, the API returns a 429 Too Many Requests response.
| Plan | Executions/min | Concurrent VMs | Max timeout |
|---|---|---|---|
| Free | 10 | 2 | 30s |
| Pro | 100 | 10 | 5min |
| Enterprise | 1000+ | 100+ | 30min |
Every API response includes rate-limit headers so you can adjust your request rate:
When rate-limited, implement exponential backoff. The Python SDK handles this automatically:
If your use case requires higher limits, contact the Vela team or upgrade your plan:
Hardware, software, and network prerequisites for self-hosting the Vela runtime.
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores (x86_64 with VT-x) | 8+ cores |
| RAM | 2 GB | 16+ GB |
| Disk | 10 GB SSD | 100+ GB NVMe |
| Network | 100 Mbps | 1+ Gbps |
kvm, kvm_intel or kvm_amd)/usr/local/bin/firecrackerOpen the following ports for the Vela daemon:
rootfs.ext4) downloadedvmlinux.bin) downloadedVELA_TOKEN_SECRET set to a strong random valueInstall and configure Firecracker micro-VMs for hardware-enforced code isolation.
Firecracker is an open-source Virtual Machine Monitor (VMM) created by AWS for serverless computing. Each micro-VM boots in under 125ms and uses as little as 5 MB of overhead memory. Vela uses Firecracker to give every code execution its own Linux kernel and isolated filesystem — a level of isolation that containers alone cannot provide.
Vela provides pre-built rootfs images with Python, Node.js, and common tools pre-installed:
rootfs-minimal.ext4 (200 MB) for faster boot times if you only need Python.
The full image (rootfs-full.ext4, 800 MB) includes Node.js, Go, and system tools.
Vela pre-warms a pool of micro-VMs for near-instant execution. Configure the pool size based on your expected concurrency:
Vela creates a bridge network for VM egress. The bridge is set up automatically, but you can customise the network CIDR and DNS settings:
Tips for optimising Firecracker performance in production:
echo 256 | sudo tee /proc/sys/vm/nr_hugepages--cpu-affinity to pin VMs to specific cores for consistent latency--pool-refill-strategy eager to pre-warm replacement VMs immediately after useComplete reference for all Vela daemon configuration options, environment variables, and CLI flags.
The Vela daemon reads configuration from a YAML file. By default it looks for /etc/vela/config.yaml,
or you can specify a path with --config:
All configuration options can be set via environment variables with the VELA_ prefix:
| Variable | Default | Description |
|---|---|---|
VELA_TOKEN_SECRET | — | HMAC secret for signing capability tokens (required) |
VELA_LISTEN | /tmp/velad.sock | Unix socket path |
VELA_HTTP_LISTEN | disabled | HTTP listen address (e.g. 0.0.0.0:8080) |
VELA_LOG_LEVEL | info | Log level: debug, info, warn, error |
VELA_POOL_SIZE | 4 | Number of pre-warmed VMs |
VELA_VM_MEMORY_MB | 128 | Default VM memory in MB |
VELA_POLICY_FILE | none | Path to policy YAML file |
VELA_AUDIT_LOG | stdout | Audit log destination |
VELA_METRICS_PORT | disabled | Prometheus metrics port |
Configure default token parameters that apply when tokens don't specify explicit values:
A complete production configuration:
This page is coming soon. Check the GitHub repo for the latest documentation.