SYSTEM Cited by 3 sources
Cloudflare Sandbox SDK
Sandbox SDK is Cloudflare's higher-level developer API for running untrusted or agent-generated code inside isolated Cloudflare Containers from a Workers application. It was announced in mid-2025 and is positioned as the structural answer to AI agents needing to execute arbitrary code securely without a user-managed container-lifecycle layer.
What the SDK gives you
Instead of raw Container APIs, the SDK exposes a small, ergonomic TypeScript surface for:
- Command execution: `sandbox.exec('node -v')`
- Filesystem management: `sandbox.mkdir(path, { recursive: true })`
- Code contexts / REPL-style execution: `sandbox.createCodeContext({ language: 'python' })` then `sandbox.runCode(...)` with persistent state across calls
- Background processes
- Service exposure from inside the container
- Per-key sandbox instances: `getSandbox(env.Sandbox, 'user-123')` — per-user or per-session isolation without the app managing lifecycle
- `sandbox.mountBucket()` — mount an R2 bucket as a filesystem partition inside the container, giving ephemeral containers a durable working directory with zero application code changes (canonical instance of patterns/mountable-persistent-storage)
The SDK owns container lifecycle, networking, file systems, process management, and the Worker↔container channel — letting the developer focus on application logic.
Relationship to Cloudflare Containers
Sandbox SDK is built on top of Cloudflare Containers. Containers are inherently ephemeral (concepts/container-ephemerality); Sandbox SDK adds the ergonomic layer and the mountable-persistence escape hatch via R2.
Example
```typescript
import { getSandbox } from '@cloudflare/sandbox';
export { Sandbox } from '@cloudflare/sandbox';

export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    // One sandbox instance per key; here the key is a fixed user id.
    const sandbox = getSandbox(env.Sandbox, 'user-123');

    await sandbox.mkdir('/workspace/project/src', { recursive: true });
    const version = await sandbox.exec('node -v');

    // State set in one runCode call is visible to later calls in the same context.
    const ctx = await sandbox.createCodeContext({ language: 'python' });
    await sandbox.runCode('import math; radius = 5', { context: ctx });
    const result = await sandbox.runCode('math.pi * radius ** 2', { context: ctx });

    return Response.json({ version, result });
  }
};
```
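The example above hard-codes the key `'user-123'`; per-user isolation only holds if that key is built from an authenticated identity rather than from a value the request supplies. The following is an added example, not code from the original page or from Cloudflare, showing one way to derive the key from a verified token. The token format, `issueToken`, `sandboxKeyFromToken` and the `env.SESSION_SECRET` binding are assumptions for illustration, and it assumes Node's `node:crypto` module is available.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed token format for this example: "<userId>.<hex HMAC-SHA256(userId)>".
// A real application would use its existing session or JWT verification instead.
const USER_ID = /^[A-Za-z0-9_-]{1,64}$/;

function mac(userId: string, secret: string): Buffer {
  return createHmac('sha256', secret).update(userId).digest();
}

// Hypothetical helper: what the login path would hand to the client.
function issueToken(userId: string, secret: string): string {
  return `${userId}.${mac(userId, secret).toString('hex')}`;
}

// Returns the key to pass to getSandbox(), or null if the token is not authentic.
// The key is built only from the verified user id, never from a URL or body field.
function sandboxKeyFromToken(token: string, secret: string): string | null {
  const dot = token.lastIndexOf('.');
  if (dot <= 0) return null;
  const userId = token.slice(0, dot);
  if (!USER_ID.test(userId)) return null;

  // Invalid hex decodes to a shorter buffer, which the length check rejects.
  const presented = Buffer.from(token.slice(dot + 1), 'hex');
  const expected = mac(userId, secret);
  if (presented.length !== expected.length) return null;
  if (!timingSafeEqual(presented, expected)) return null;

  return `user-${userId}`;
}

// In the Worker's fetch handler (sketch; `env.SESSION_SECRET` is an assumed binding):
//   const key = sandboxKeyFromToken(bearerToken, env.SESSION_SECRET);
//   if (key === null) return new Response('Unauthorized', { status: 401 });
//   const sandbox = getSandbox(env.Sandbox, key);
```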
Seen in
- sources/2026-01-29-cloudflare-moltworker-self-hosted-ai-agent — canonical wiki instance. Moltworker runs Moltbot's Gateway runtime inside a per-user Sandbox; uses `sandbox.mountBucket()` to turn R2 into the agent's durable filesystem; uses the SDK's command-exec surface to issue callbacks into the container, establishing a two-way channel with the entrypoint Worker.
- sources/2026-04-20-cloudflare-internal-ai-engineering-stack — referenced alongside Dynamic Workers as the tier for running agent-generated code securely in Cloudflare's internal stack.
- sources/2026-04-15-cloudflare-project-think-building-the-next-generation-of-ai-agents — positioned as Tier 4 of the Project Think execution ladder — the top rung where agent-generated code runs in a full-OS sandbox configured with toolchains, repos, and dependencies (`git clone`, `npm test`, `cargo build`). "Bidirectionally synced with the Workspace" — the Tier-0 filesystem is visible from the Tier-4 Sandbox. Integrated via `createSandboxTools(env.SANDBOX)` in Think's `getTools()`.
Related
- systems/cloudflare-containers — the lower-level container primitive Sandbox SDK wraps.
- systems/cloudflare-workers — the compute tier that drives Sandbox SDK.
- systems/cloudflare-r2 — mounted as durable filesystem via `mountBucket()`.
- systems/project-think — agent SDK that exposes Sandbox SDK as Tier 4 of the execution ladder.
- systems/dynamic-workers — the adjacent Tiers 1-3 isolate tier; the ladder escalates from Dynamic Workers to Sandbox when the workload needs full OS semantics.
- concepts/container-ephemerality — the problem shape.
- concepts/execution-ladder — Tier 4 capability.
- patterns/mountable-persistent-storage — the R2-as-FS solution shape.
- patterns/additive-capability-ladder — the ladder pattern Sandbox SDK slots into.
- companies/cloudflare — operator.