cd /news/developer-tools/introducing-deno-sandbox · home topics developer-tools article
[ARTICLE · art-8734] src=deno.com ↗ pub= topic=developer-tools verified=true sentiment=↑ positive

Introducing Deno Sandbox

Deno Sandbox is a new security feature from Deno Deploy that provides lightweight Linux microVMs for running untrusted code, such as LLM-generated scripts, with defense-in-depth isolation. It protects secrets by never exposing real API keys to the code environment, only materializing them during approved outbound requests, and enforces strict network egress control by blocking unauthorized host connections. The sandbox also allows direct deployment to Deno Deploy without rebuilding and offers features like persistent volumes and snapshots for development environments.

read3 min views21 publishedFeb 3, 2026

Introducing Deno Sandbox Over the past year, we’ve seen a shift in what Deno Deploy customers are building: platforms where users generate code with LLMs, and that code runs immediately without review. That code frequently calls LLMs itself, which means it needs API keys and network access. This isn’t the traditional “run untrusted plugins” problem. It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review. Sandboxing the compute isn’t enough. You need to control network egress and protect secrets from exfiltration. Deno Sandbox provides both. And when the code is ready, you can deploy it directly to Deno Deploy without rebuilding. Sandboxes? You don’t want to run untrusted code (generated by your LLMs, your users LLMs, or even hand written by users) directly on your server. It will compromise your system, steal your API keys, and call out to evil.com. You need isolation. Deno Sandbox gives you lightweight Linux microVMs (running in the Deno Deploy cloud) to run untrusted code with defense-in-depth security. You can create them programmatically via our JavaScript or Python SDKs, and they boot in under a second. You can also interact with them via SSH, HTTP, or even open a VS Code window directly into the sandbox.

import { Sandbox } from "@deno/sandbox";
await using sandbox = await Sandbox.create();
await sandbox.sh`ls -lh /`;

Secrets That Can’t Be Stolen But there is more. In Deno Sandbox, secrets never enter the environment. Code sees only a placeholder:

import { Sandbox } from "@deno/sandbox";
await using sandbox = await Sandbox.create({
secrets: {
OPENAI_API_KEY: {
hosts: ["api.openai.com"],

value: process.env.OPENAI_API_KEY,

},
},
});
await sandbox.sh`echo $OPENAI_API_KEY`;
// DENO_SECRET_PLACEHOLDER_b14043a2f578cba75ebe04791e8e2c7d4002fd0c1f825e19...

The real key materializes only when the sandbox makes an outbound request to an approved host. If prompt-injected code tries to exfiltrate that placeholder to evil.com ? Useless. Network Egress Control You can also restrict which hosts the sandbox can talk to:

await using sandbox = await Sandbox.create({
allowNet: ["api.openai.com", "*.anthropic.com"],
});

Any request to an unlisted host gets blocked at the VM boundary. Both features are implemented via an outbound proxy similar to coder/httpjail. This gives us a chokepoint for policy enforcement. We plan to add more capabilities here: analytics for outbound connections and programmatic hooks for trusted code to inspect or modify requests.

If you’re running untrusted JavaScript or TypeScript, combine this with Deno’s
--allow-net

flag for defense in depth: VM-level network restrictions plus runtime-level permissions. Sandbox to Production sandbox.deploy() deploys code from your sandbox directly to Deno Deploy. const build = await sandbox.deploy("my-app", { production: true,

build: { mode: "none", entrypoint: "server.ts" },
});
const revision = await build.done;
console.log(revision.url);

One call to go from sandbox to production deployment. No rebuilding in a different CI system, no re-authenticating with a different tool. Just turn your dev environment directly into a production ready, auto-scaling serverless deployment. Persistence Sandboxes are ephemeral by default, but when you need state we have you covered:

  • Volumes: read-write storage for caches, databases, user data
  • Snapshots: read-only images for pre-installed toolchains and volume base Run apt-get install once, snapshot it, and every future sandbox boots with everything already installed. Create read-write volumes from the snapshots to create a fresh development environment in seconds. Technical Details Perfect for AI agents executing code, vibe-coding environments, secure plugin systems, ephemeral CI runners, and customer-supplied code. Pricing Deno Sandbox is included in your Deno Deploy plan with competitive, usage-based pricing. You pay for compute time, not wall-clock time.
- $0.05/h CPU time (40h included with Pro)
- $0.016/GB-h memory (1000 GB-h included with Pro)
- $0.20/GiB-month volume storage (5 GiB included with Pro)

Enterprise pricing available—contact deploy@deno.com. Get Started Deno Sandbox launches in beta today, alongside the general availability of Deno Deploy.

- Landing page: deno.com/sandbox
- Docs: docs.deno.com/sandbox
  • JavaScript SDK: jsr.io/@deno/sandbox or npm
  • Python SDK: pypi.org/project/deno-sandbox We’re excited to see what you (or your AI agents) build with Deno Sandbox.
── more in #developer-tools 4 stories · sorted by recency
── more on @deno sandbox 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/introducing-deno-san…] indexed:0 read:3min 2026-02-03 ·