Introducing Deno Sandbox

Deno Sandbox is a new security feature from Deno Deploy that provides lightweight Linux microVMs for running untrusted code, such as LLM-generated scripts, with defense-in-depth isolation. It protects secrets by never exposing real API keys to the code environment, only materializing them during approved outbound requests, and enforces strict network egress control by blocking unauthorized host connections. The sandbox also allows direct deployment to Deno Deploy without rebuilding and offers features like persistent volumes and snapshots for development environments.

Introducing Deno Sandbox Over the past year, we’ve seen a shift in what Deno Deploy customers are building: platforms where users generate code with LLMs, and that code runs immediately without review. That code frequently calls LLMs itself, which means it needs API keys and network access. This isn’t the traditional “run untrusted plugins” problem. It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review. Sandboxing the compute isn’t enough. You need to control network egress and protect secrets from exfiltration. Deno Sandbox provides both. And when the code is ready, you can deploy it directly to Deno Deploy without rebuilding. Sandboxes? You don’t want to run untrusted code generated by your LLMs, your users LLMs, or even hand written by users directly on your server. It will compromise your system, steal your API keys, and call out to evil.com. You need isolation. Deno Sandbox gives you lightweight Linux microVMs running in the Deno Deploy cloud to run untrusted code with defense-in-depth security. You can create them programmatically via our JavaScript or Python SDKs, and they boot in under a second. You can also interact with them via SSH, HTTP, or even open a VS Code window directly into the sandbox. import { Sandbox } from "@deno/sandbox"; await using sandbox = await Sandbox.create ; await sandbox.sh ls -lh / ; Secrets That Can’t Be Stolen But there is more. In Deno Sandbox, secrets never enter the environment. Code sees only a placeholder: import { Sandbox } from "@deno/sandbox"; await using sandbox = await Sandbox.create { secrets: { OPENAI API KEY: { hosts: "api.openai.com" , value: process.env.OPENAI API KEY, }, }, } ; await sandbox.sh echo $OPENAI API KEY ; // DENO SECRET PLACEHOLDER b14043a2f578cba75ebe04791e8e2c7d4002fd0c1f825e19... The real key materializes only when the sandbox makes an outbound request to an approved host. If prompt-injected code tries to exfiltrate that placeholder to evil.com ? Useless. Network Egress Control You can also restrict which hosts the sandbox can talk to: await using sandbox = await Sandbox.create { allowNet: "api.openai.com", " .anthropic.com" , } ; Any request to an unlisted host gets blocked at the VM boundary. Both features are implemented via an outbound proxy similar to coder/httpjail. This gives us a chokepoint for policy enforcement. We plan to add more capabilities here: analytics for outbound connections and programmatic hooks for trusted code to inspect or modify requests. If you’re running untrusted JavaScript or TypeScript, combine this with Deno’s --allow-net flag for defense in depth: VM-level network restrictions plus runtime-level permissions. Sandbox to Production sandbox.deploy deploys code from your sandbox directly to Deno Deploy. const build = await sandbox.deploy "my-app", { production: true, build: { mode: "none", entrypoint: "server.ts" }, } ; const revision = await build.done; console.log revision.url ; One call to go from sandbox to production deployment. No rebuilding in a different CI system, no re-authenticating with a different tool. Just turn your dev environment directly into a production ready, auto-scaling serverless deployment. Persistence Sandboxes are ephemeral by default, but when you need state we have you covered: - Volumes: read-write storage for caches, databases, user data - Snapshots: read-only images for pre-installed toolchains and volume base Run apt-get install once, snapshot it, and every future sandbox boots with everything already installed. Create read-write volumes from the snapshots to create a fresh development environment in seconds. Technical Details Perfect for AI agents executing code, vibe-coding environments, secure plugin systems, ephemeral CI runners, and customer-supplied code. Pricing Deno Sandbox is included in your Deno Deploy plan with competitive, usage-based pricing. You pay for compute time, not wall-clock time. - $0.05/h CPU time 40h included with Pro - $0.016/GB-h memory 1000 GB-h included with Pro - $0.20/GiB-month volume storage 5 GiB included with Pro Enterprise pricing available—contact deploy@deno.com. Get Started Deno Sandbox launches in beta today, alongside the general availability of Deno Deploy. - Landing page: deno.com/sandbox - Docs: docs.deno.com/sandbox - JavaScript SDK: jsr.io/@deno/sandbox or npm - Python SDK: pypi.org/project/deno-sandbox We’re excited to see what you or your AI agents build with Deno Sandbox.