Cloudflare Sandboxes and Containers: General Availability and What's New
Cloudflare Sandboxes, launched in June last year, were designed with a simple premise: AI agents need a safe place to develop and run code. As agents increasingly act like developers—cloning repos, building code, running dev servers—they need a full computer. While many developers stitch together solutions using VMs or containers, they face hard problems like burstiness, quick state restoration, security, control, and ergonomics.
Cloudflare has spent time solving these issues, and today, Sandboxes and Cloudflare Containers are both generally available. This article breaks down the key new features and why they matter for your AI agent workflows.
Source: Cloudflare Blog - Sandbox GA

Core Feature Deep Dive
Secure Credential Injection
One of the hardest problems in agentic workloads is authentication. Agents often need access to private services, but you can't fully trust them with raw credentials. Sandboxes solve this by injecting credentials at the network layer using a programmable egress proxy.
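```js
import { Sandbox } from "@cloudflare/sandbox";

class OpenCodeInABox extends Sandbox {
  // Handlers keyed by destination host; they run in the egress proxy.
  static outboundByHost = {
    "my-internal-vcs.dev": (request, env, ctx) => {
      // Copy the agent's headers, then set the token from the Worker's env.
      const headersWithAuth = new Headers(request.headers);
      headersWithAuth.set("x-auth-token", env.SECRET);
      return fetch(request, { headers: headersWithAuth });
    }
  }
}
```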
With this approach the agent never has access to the credential, because the proxy adds it at the network layer, and the auth logic stays fully customizable. For a perspective on production AI coding platforms, see our article Beyond Prototypes: How Vercel's New v0 Brings AI Coding to Production.
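The routing decision behind host-keyed injection can be modeled offline to check which requests end up carrying the secret. This is an added example, not code from Cloudflare or the SDK: `INJECTION_RULES`, `applyEgressPolicy`, the HTTPS-only rule and the sample values are assumptions made for illustration.

```javascript
// Added example: an offline model of host-keyed credential injection.
// INJECTION_RULES, applyEgressPolicy and the env value are hypothetical,
// not part of @cloudflare/sandbox. Requires Node 18+ (global Request/Headers).
const INJECTION_RULES = {
  "my-internal-vcs.dev": { header: "x-auth-token", secretName: "SECRET" },
};

function applyEgressPolicy(request, env, rules = INJECTION_RULES) {
  const url = new URL(request.url); // hostname is lowercased by the URL parser
  const headers = new Headers(request.headers);

  // Drop any proxy-managed header the agent set itself, for every destination,
  // so a sandboxed process can neither spoof a token nor have one forwarded.
  for (const { header } of Object.values(rules)) headers.delete(header);

  // Exact hostname match only: "my-internal-vcs.dev.example.net" must not match.
  const rule = Object.hasOwn(rules, url.hostname) ? rules[url.hostname] : null;

  // Assumption of this example: secrets are only attached to HTTPS requests.
  const injected = rule !== null && url.protocol === "https:";
  if (injected) headers.set(rule.header, env[rule.secretName]);

  return { injected, request: new Request(request, { headers }) };
}

// Constructed sample traffic, as a process inside the sandbox might send it.
function demo() {
  const env = { SECRET: "constructed-secret-value" };
  const samples = [
    new Request("https://my-internal-vcs.dev/org/repo.git", {
      headers: { "x-auth-token": "agent-supplied-guess" },
    }),
    new Request("https://my-internal-vcs.dev.example.net/org/repo.git"),
    new Request("http://my-internal-vcs.dev/org/repo.git"),
    new Request("https://MY-INTERNAL-VCS.dev/org/repo.git"),
  ];
  return samples.map((req) => {
    const out = applyEgressPolicy(req, env);
    return {
      url: req.url,
      injected: out.injected,
      token: out.request.headers.get("x-auth-token"),
    };
  });
}

console.log(demo());
```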
Real Terminal with PTY Support
Early agent systems modeled shell access as a request-response loop. Cloudflare now ships PTY support, giving agents a real terminal proxied over WebSocket and compatible with xterm.js.
```ts
import { getSandbox } from "@cloudflare/sandbox";

// Worker: upgrade a WebSocket connection into a live terminal session
export default {
  async fetch(request: Request, env: Env) {
    const url = new URL(request.url);
    if (url.pathname === "/terminal") {
      const sandbox = getSandbox(env.Sandbox, "my-session");
      return sandbox.terminal(request, { cols: 80, rows: 24 });
    }
    return new Response("Not found", { status: 404 });
  },
};
```
Persistent Code Interpreters
Sandboxes allow you to create persistent execution contexts where variables and imports survive across calls, similar to a Jupyter notebook.
```ts
// Create a Python context. State persists for its lifetime.
const ctx = await sandbox.createCodeContext({ language: "python" });

// First execution: load data
await sandbox.runCode(`
import pandas as pd
df = pd.read_csv('/workspace/sales.csv')
df['margin'] = (df['revenue'] - df['cost']) / df['revenue']
`, { context: ctx });

// Second execution: df is still there
const result = await sandbox.runCode(`
df.groupby('region')['margin'].mean().sort_values(ascending=False)
`, { context: ctx, onStdout: (line) => console.log(line.text) });
```
Snapshots for Quick Warm Starts
Snapshots preserve a container's full disk state, allowing you to quickly restore it later. This is crucial for agent workflows where you need to resume work without paying for idle compute.
```ts
class AgentDevEnvironment extends Sandbox {
  sleepAfter = "5m";
  persistAcrossSessions = { type: "disk" };
}

async function forkDevEnvironment(baseId: string, numberOfForks: number) {
  const baseInstance = await getSandbox(baseId);
  const snapshotId = await baseInstance.snapshot();
  const forks = Array.from({ length: numberOfForks }, async (_, i) => {
    const newInstance = await getSandbox(`${baseId}-fork-${i}`);
    return newInstance.start({ snapshot: snapshotId });
  });
  await Promise.all(forks);
}
```
Active CPU Pricing
Sandboxes now only charge for actively used CPU cycles. This means you aren't paying for idle CPU while your agent waits for an LLM to respond—a huge cost saving for production workloads.
Limitations and Considerations
- Snapshot memory state: Live memory state capture is not yet available (coming in future releases). Currently, only disk state is persisted.
- Cold starts: While snapshots improve warm start times, the first boot still takes time. Booting a sandbox, cloning a repo, and installing dependencies takes about 30 seconds.
- Complexity: The programmable egress proxy and credential injection require initial setup and understanding of Cloudflare Workers bindings.
Next Steps for Learning
- Experiment with the SDK: Install `@cloudflare/sandbox@latest` and try the examples in this article.
- Explore backup/restore: If you need session state persistence before snapshots are fully rolled out, use the backup and restore methods.
- Scale gradually: Start with a few concurrent instances and monitor costs using the active CPU pricing model.
- Read the official docs: Check the Cloudflare documentation for advanced configuration and best practices.
Conclusion
Cloudflare Sandboxes have evolved from a simple command runner to a full development environment for AI agents. With features like secure credential injection, PTY support, persistent code interpreters, snapshots, and active CPU pricing, it's now a production-ready platform for running agents at scale. The tight feedback loop that makes human engineers effective is now available to your agents.

Feature Comparison: Sandboxes vs. Traditional Containers
| Feature | Cloudflare Sandbox | Traditional Container |
|---|---|---|
| Burstiness | Auto-sleep/wake, no idle cost | Manual scaling, idle cost |
| State restoration | Snapshots (disk), backup/restore | Rebuild from image |
| Security | Network-layer credential injection | Manual env vars, secrets management |
| Terminal | PTY over WebSocket, xterm.js compatible | SSH or exec only |
| Code interpreter | Persistent context (Python, JS, TS) | Stateless per invocation |
| File watching | Native inotify via SSE | Polling or custom watchers |
| Pricing | Active CPU cycles only | Always-on, idle cost |
| Max instances (standard) | 15,000 (lite), 6,000 (basic), 1,000+ (large) | Varies by provider |

Final Thoughts
Cloudflare Sandboxes are not just another container service—they are purpose-built for the agentic AI era. By solving the hard problems of burstiness, security, and state management, they let you focus on building intelligent agents rather than infrastructure plumbing.
If you're building AI agents that need to write code, run tests, or interact with development servers, give Cloudflare Sandboxes a try. The SDK is at version 0.8.9, and you can get started with a single npm install.
Also, check out our article on Python 3.15 Alpha 3: A Look at the Upcoming Features to see how the latest Python release complements these container capabilities.