Cloudflare Sandboxes Reach General Availability, Giving AI Agents Persistent Isolated Environments

Cloudflare has announced the general availability of Sandboxes and Cloudflare Containers as part of its Agents Week, providing persistent, isolated Linux environments for AI agent workloads.

First launched in beta last June, the GA release adds secure credential injection, PTY terminal support, persistent code interpreters, filesystem watching, snapshot-based session recovery, and active CPU pricing, which charges only for used cycles. Kate Reznykova and Mike Nomitch from the Cloudflare team write:

What we have now is different in kind. A Sandbox today is a full development environment: a terminal you can connect a browser to, a code interpreter with persistent state, background processes with live preview URLs, a filesystem that emits change events in real time, egress proxies for secure credential injection, and a snapshot mechanism that makes warm starts nearly instant.

A Cloudflare Sandbox is a container that starts on demand when requested by name, sleeps automatically when idle, and wakes when it receives a new request. The same sandbox is accessible from anywhere via a consistent ID, providing agents with a stateful environment that persists across interactions. The SDK provides methods for executing commands, cloning repositories, writing files, and managing processes through a TypeScript API.

The main improvements since the beta center on security, developer experience, and cost. On the security side, outbound Workers provide a programmable egress proxy that intercepts outbound requests from the sandbox and injects credentials at the network layer. The agent never sees the token. Developers can write custom auth logic per destination domain, apply identity-aware policies per sandbox, and dynamically restrict network access as a task progresses. Cloudflare describes this as a zero-trust model where no token is ever granted to the untrusted workload.

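import { Sandbox } from "@cloudflare/sandbox";

class OpenCodeInABox extends Sandbox {
  // Per-host egress handlers: each one intercepts the sandbox's outbound
  // requests to that hostname before they leave the network.
  static outboundByHost = {
    "my-internal-vcs.dev": (request, env, ctx) => {
      // Copy the workload's headers, then add the token from the Worker's
      // environment. The secret is never exposed inside the sandbox.
      const headersWithAuth = new Headers(request.headers);
      headersWithAuth.set("x-auth-token", env.SECRET);
      return fetch(request, { headers: headersWithAuth });
    }
  }
}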
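
The egress decision described above, modelled as an added example (not Cloudflare's code or the Sandbox SDK API): `decideEgress`, `POLICY`, `SAMPLE_ENV` and the phase names are hypothetical. It goes beyond the snippet by denying unlisted hosts, matching the parsed hostname exactly, stripping credential headers the workload supplies before injecting the real one, and closing a host once the task phase changes.

```javascript
// Added example: models the per-request decision of a credential-injecting egress proxy.
// POLICY, SAMPLE_ENV, the phase names and decideEgress are hypothetical, not Sandbox SDK API.
const POLICY = new Map([
  // host -> header to inject, env key holding the secret, task phases in which the host is open
  ["my-internal-vcs.dev", { header: "x-auth-token", secretKey: "SECRET", phases: ["clone"] }],
  ["registry.npmjs.org", { header: null, secretKey: null, phases: ["clone", "build"] }],
]);
const SAMPLE_ENV = { SECRET: "constructed-token-not-real" }; // constructed value

// Headers the untrusted workload must never control on a proxied request.
const STRIPPED = ["authorization", "proxy-authorization", "cookie", "x-auth-token"];

function decideEgress(rawUrl, agentHeaders, env, phase) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "deny", reason: "unparseable URL" };
  }
  // Injecting a token into a cleartext request would expose it on the wire.
  if (url.protocol !== "https:") return { action: "deny", reason: "not https" };
  if (url.username || url.password) return { action: "deny", reason: "userinfo in URL" };

  // Exact match on the parsed hostname: suffix or substring matching would hand
  // the credential to a lookalike such as "my-internal-vcs.dev.lookalike.example".
  const rule = POLICY.get(url.hostname);
  if (!rule) return { action: "deny", reason: "host not allowlisted" };
  if (!rule.phases.includes(phase)) return { action: "deny", reason: "host closed in this phase" };

  // Drop anything credential-like the workload set, then inject the real secret.
  const headers = new Headers(agentHeaders);
  for (const name of STRIPPED) headers.delete(name);
  if (rule.header) {
    const secret = env[rule.secretKey];
    if (!secret) return { action: "deny", reason: "secret not configured" };
    headers.set(rule.header, secret);
  }
  return { action: "forward", host: url.hostname, headers };
}
```

Logging each `deny` with its reason, sandbox ID and phase gives detection a record of every destination the workload tried to reach outside its policy.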

For developer experience, PTY support replaces the request-response shell simulation of earlier agent systems with real pseudo-terminal sessions proxied over WebSocket. Persistent code interpreters maintain state across execution calls, so variables and imports survive between steps the way they would in a Jupyter notebook. Background processes with live preview URLs let agents start development servers and share a working link. Filesystem watching, built on Linux inotify, allows agents to react to file changes in real time.

Snapshots, rolling out in the coming weeks, will preserve a container's full disk state and allow near-instant restoration. This enables a pattern where agents can fork sessions: boot four sandboxes from the same snapshot to explore different approaches in parallel. Cloudflare demonstrates the practical impact with a concrete number: cloning a repository, running npm install, and booting from scratch takes 30 seconds, while restoring from a backup takes two seconds.

Figma is running production agent workloads on the infrastructure. Alex Mullans, who leads AI and Developer Platforms at Figma, described the use case in the announcement:

Figma Make is built to help builders and makers of all backgrounds go from idea to production, faster. To deliver on that goal, we needed an infrastructure solution that could provide reliable, highly-scalable sandboxes where we could run untrusted agent- and user-authored code.

The AI agent sandbox space has become increasingly crowded. E2B uses Firecracker microVMs with dedicated kernels per session and reports adoption by roughly half of the Fortune 500. Daytona, which pivoted from development environments to AI agent infrastructure in early 2025, claims sub-90ms sandbox creation using Docker containers. Modal targets GPU-heavy Python workloads with serverless infrastructure. Vercel launched its own Firecracker-based Sandbox in beta. What differentiates Cloudflare's offering is edge distribution across its global network, combined with the two-tier architecture: lightweight V8 isolate-based Dynamic Workers for ephemeral code execution (which entered open beta during the same Agents Week) alongside full container-based Sandboxes for when agents need a complete operating system with git, bash, dev servers, and multi-language builds.

On pricing, Sandboxes now use active CPU pricing, charging only for CPU cycles actually used rather than for provisioned resources. CPU time is billed at $0.00002 per vCPU-second. The standard plan supports up to 15,000 concurrent lite instances, 6,000 basic instances, and over 1,000 larger instances. The SDK is at version 0.8.9, and the documentation is now available.
