>>emschw+Hb
Reminds me a little of Fly's Tokenizer - https://github.com/superfly/tokenizer

It's a little HTTP proxy that your application can route requests through, and the proxy is what handles adding the API keys or whatnot to the request to the service, rather than your application, something like this for example:

Application -> tokenizer -> Stripe

The secrets for the third party service should in theory then be safe should there be some leak or compromise of the application since it doesn't know the actual secrets itself.

Cool idea!

>>emschw+Hb
Yeah, this is a really neat idea: https://deno.com/blog/introducing-deno-sandbox#secrets-that-...

  await using sandbox = await Sandbox.create({
    secrets: {
      OPENAI_API_KEY: {
        hosts: ["api.openai.com"],
        value: process.env.OPENAI_API_KEY,
      },
    },
  });
  
  await sandbox.sh`echo $OPENAI_API_KEY`;
  // DENO_SECRET_PLACEHOLDER_b14043a2f578cba75ebe04791e8e2c7d4002fd0c1f825e19...

It doesn't prevent bad code from USING those secrets to do nasty things, but it does at least make it impossible for them to steal the secret permanently.

Kind of like how XSS attacks can't read httpOnly cookies but they can generally still cause fetch() requests that can take actions using those cookies.

>>johnsp+(OP)
Note that you don't need to use Deno or JavaScript at all to use this product. Here's their Python client SDK: https://pypi.org/project/deno-sandbox/

  from deno_sandbox import DenoDeploy
  
  sdk = DenoDeploy()
  
  with sdk.sandbox.create() as sb:
      # Run a shell command
      process = sb.spawn("echo", args=["Hello from the sandbox!"])
      process.wait()
  
      # Write and read files
      sb.fs.write_text_file("/tmp/example.txt", "Hello, World!")
      content = sb.fs.read_text_file("/tmp/example.txt")
      print(content)

Looks like the API protocol itself uses websockets: https://tools.simonwillison.net/zip-wheel-explorer?package=d...

>>johnsp+(OP)
See also Sprites (>>46557825 ) which I've been using and really enjoying. There are some key architecture differences between the two, but very similar surface area. It'll be interesting to see if ephemeral + snapshots can be as convenient as stateful with cloning/forking (which hasn't actually dropped yet, although the fly team say it's coming).

Will give these a try. These are exciting times, it's never been a better time to build side projects :)

>>emschw+Hb
Dagger has a similar feature: https://docs.dagger.io/getting-started/types/secret/

Same idea with more languages on OCI. I believe they have something even better in the works, that bundles a bunch of things you want in an "env" and lets you pass that around as a single "pointer"

I use this here, which eventually becomes the sandbox my agent operates in: https://github.com/hofstadter-io/hof/blob/_next/.veg/contain...

>>emschw+Hb
It’s pretty neat.

Had some previous discussion that may be interesting on >>46595393

>>ATechG+Vm
Well, this is the hard part, but the idea is that if you're working with both untrusted inputs and private data/resources, then your agent is susceptible to the "lethal trifecta"[0], and you should be extremely limiting in its ability to have external network access. I would suggest starting with nothing beyond the single AI provider you're using, and only add additional domains if you are certain you trust them and can't do without them.

[0] https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

>>drewbi+Fs
Saw quite bit on HN.

A quick search this popped up:

>>45486006

If we can spin up microVM so quickly, why bother with Docker or other containers at all?

>>svieir+uz
Like the Tokenizer, I think they're open source.

https://fly.io/blog/operationalizing-macaroons/

>>echelo+0x
we have 100% open-source Sandboxes at E2B

git: https://github.com/e2b-dev/infra

wiki: https://deepwiki.com/e2b-dev/infra

>>johnsp+(OP)
Love their network filtering, however it definitely lacks some capabilities (like the ability to do direct TCP connections to Postgres, or direct IP connections.

Those limitations from other tools was exactly why I made https://github.com/danthegoodman1/netfence for our agents

>>johnsp+(OP)
We already have a pretty good sandbox in our platform: https://github.com/Qbix/Platform/blob/main/platform/plugins/...

It uses web workers on a web browser. So is this Deno Sandbox like that, but for server? I think Node has worker threads.

>>booi+tS
This is effectively what happened with the BotGhost vulnerability a few months back:

>>44359619

>>motrm+Ud
I've been working on something similar (with claude code).

It's a sandbox that uses envoy as a transparent proxy locally, and then an external authz server that can swap the creds.

The idea is extended further in that the goal is to allow an org to basically create their own authz system for arbitrary upstreams, and then for users to leverage macaroons to attentuate the tokens at runtime.

It isn't finished but I'm trying to make it work with ssh/yubikeys as an identity layer. The authz macaroon can have a "hole" that is filled by the user/device attestation.

The sandbox has some nice features like browser forwarding for Claude oauth and a CDP proxy for working with Chrome/Electron (I'm building an Obsidian plugin).

I'm inspired by a lot of the fly.io stuff in tokenizer and sprites. Exciting times.

https://github.com/dtkav/agent-creds

>>eis+EM1
Ditto... but it's more like 30x.

Mentioned the same in this comment as well: >>46881920

>>johnsp+(OP)
This sandboxing solution list is getting long... created https://github.com/arjan/awesome-agent-sandboxes, PRs welcome :)

>>johnsp+(OP)
Not sure if anyone from the deno team is monitoring this forum, but I was trying to stand up a dev-base snapshot and pretty quickly ran into a wall. Is it not currently possible to create a bootable volume from the CLI? https://docs.deno.com/sandbox/volumes/#creating-a-snapshot has an example for the js API, but the CLI equivalent isn't specifying --from and the latest verson of the deno CLI installed fresh from deno.land has no --from option. Is the CLI behind, here? Or is the argument provided some other way?

>>johnsp+(OP)
Fun! Our work from 10 years ago introduced the secrets protection technique being used in Deno: https://www.earlence.com/assets/papers/flowfence_sec16.pdf and fly's tokenizer. We called it "opaque computation" and it did a lot more than secrets protection.

>>johnsp+(OP)
Is this Extism, but running as a service? https://extism.org/ It seems to me that a key feature of Extism is host functions (which can be called from the sandbox). But maybe I'm not comparing apples to apples?

>>simonw+Oe
Took this idea and ran with it using Fly's Sprites, inspired by Simon's https://simonwillison.net/2026/Feb/3/introducing-deno-sandbo.... Use case: Claude Code running in a sandboxed Sprite, making authenticated API calls via a Tokenizer proxy without credentials ever entering the sandbox.

Hit a snag: Sprites appear network-isolated from Fly's 6PN private mesh (fdf:: prefix inside the Sprite, not fdaa::; no .internal DNS). So a Tokenizer on a Fly Machine isn't directly reachable without public internet.

Asked on the Fly forum: https://community.fly.io/t/can-sprites-reach-internal-fly-se...

@tptacek's point upthread about controlling not just hosts but request structure is well taken - for AI agent sandboxing you'd want tight scoping on what the proxy will forward.