Sandboxes

orkestr Sandboxes

orkestr Sandboxes are hardware-isolated, ephemeral Linux VMs you can spin up from any agent loop. Designed for AI agents that need to run untrusted code, build artifacts, run tests, or operate a stateful development environment without touching your own infrastructure.

Use sandboxes to:

Execute LLM-generated code safely. Each sandbox is its own VM with its own kernel and rootfs, dropped on terminate. No shared runtime, no syscall surface across tenants.
Build interactive coding agents. Long-lived sessions with pause and resume across requests, so an agent can come back to where it left off without rerunning setup.
Run real CI-style workloads from an LLM. Install packages, write files, exec scripts, read results. Per-second metering keeps short bursts cheap.
Stay in the EU. Compute, env vars, files, and snapshots never leave the EU. Same legal entity that operates the rest of orkestr, GDPR DPA available.

Private beta

Sandboxes are currently in private beta. Request access to be onboarded.

Get started

The fastest way in is the SDK. Pick your language, install, mint an API token, and run your first sandbox in under five minutes.

Quickstart - install, authenticate, run your first sandbox
Python SDK reference - full API surface for the orkestr PyPI package
JS SDK reference - full API surface for the orkestr npm package
REST API reference - call the wire format directly from any language

Authentication

Every request to the sandbox API carries a Bearer token. Mint tokens in the orkestr console with the sandboxes:read and sandboxes:write scopes. Tokens scoped to sandboxes only cannot reach the rest of the platform - use them in agent environments where the credential is at higher risk of exposure.

System specifications

Sandboxes run a stripped-down Linux guest with one of the supported templates: Python 3.12 with common libraries, a bare Python 3.12 without preinstalled libraries, Node 22 with npm, or a minimal Ubuntu 24.04 shell. Each sandbox gets its own kernel, its own rootfs, its own filesystem (overlayed on the read-only base), and its own network stack (or no network stack at all in the default off mode).

Default sizing fits most agent workloads:

1 vCPU, 2 GB RAM, network off, 10-minute timeout
Cold start under 200 ms, under 30 ms from a warm pool
Burst up to 4 vCPU / 8 GB on the Team plan

Each sandbox is metered per second of wall-clock time it's alive (whether or not the workload is busy), with separate meters for egress and snapshot storage. See pricing on the product page for current rates.

Features

Isolation. Each sandbox is its own VM. No shared container runtime, no syscall surface between tenants.
Python and Node templates. Python 3.12 (full or bare), Node 22, Ubuntu 24.04. Install whatever else you need at runtime.
Snapshot and resume. Pause a sandbox and pick up where you left off, even on a different host. Skip dependency installation across requests.
Network policies. Default off for full isolation; opt into a curated allowlist of dev hosts (PyPI, npm, GitHub, common LLM APIs) or open egress when you need it.
Python and JS SDKs. Both ship at public beta with a matching surface. Use the language your agent runs in.
MCP server. One URL to give any MCP client (Claude Code, Cursor, custom agent) access to spin up sandboxes as tool calls.

Resources

Quickstart - your first sandbox in five minutes
Python SDK
JS SDK
REST API reference
Product page and waitlist