Self-Hosted Sandboxes Guide
Reference implementations for running Claude Managed Agents sessions against **self-hosted execution sandboxes**. Each variant implements the same contract on a different compute provider:

1. Receive the session.status_run_started webhook (verified with client.beta.webhooks.unwrap()).
2. Drain the environment work queue so a single delivery recovers any earlier missed items.
3. Per work item, launch a per-session sandbox that runs the SDK/CLI tool runner (bash/read/write/edit/glob/grep), heartbeats the lease, and posts tool_results back to the session.

No org API key reaches the runner — the sandbox authenticates with the **environment key**, the single credential for both the control plane and the per-session calls.

| Variant | Compute | Runner |
|---|---|---|
| docker/ | Plain Docker on a host you control | ant beta:worker run in a per-session container |
| cf/ | Cloudflare Containers | ant beta:worker run in a per-session Cloudflare Container |
| cf-worker/ | Cloudflare Workers (no container) | TS SessionToolRunner in a Durable Object with an in-isolate fake filesystem |
| modal/ | Modal | Python sandbox_runner.py in a Modal Sandbox with a per-session Volume |
| daytona/ | Daytona | Same sandbox_runner.py uploaded to a Daytona sandbox |
| vercel/ | Vercel Functions + Sandbox | Node runner.mjs in a Vercel Sandbox |
How to use Self-Hosted Sandboxes
Self-Hosted Sandboxes is a single agent built on the Anthropic SDK framework. Set it up from the source repository, configure your model credentials, and invoke it for tasks that match its description. Review the safety profile below before running it against production data or systems.
Safety profile
| Property | Value |
|---|---|
| Autonomy | Semi-autonomous |
| Sandbox-aware | Yes |
| Network access | Unspecified |
| Filesystem access | Unspecified |