A
argbe.tech - news
1min read

Deno Sandbox Adds Hosted Sandboxes with Secret-Safe API Access

Deno Deploy’s new Sandbox service exposes managed execution environments with resource limits, network controls, and a secret-proxy pattern that keeps API keys out of sandboxed code. Python and JavaScript clients can create and run sandboxes without relying on Deno itself.

Deno’s Sandbox service on Deno Deploy provides hosted execution environments with configurable controls and client libraries for building and running sandboxes.

  • The service is part of Deno Deploy and does not require Deno to use; a Python package named deno-sandbox and a JavaScript client library can create and manage sandboxes.
  • Sandboxes are provisioned with up to 4GB RAM, 2 vCPUs, and 10GB of ephemeral storage, and they can mount persistent volumes and boot from snapshots.
  • Each session can run for up to 30 minutes and is billed by CPU time, memory (GB-hours), and volume storage usage.
  • Network egress can be limited to specific domains when creating a sandbox instance.
  • Secrets are injected using placeholders that are swapped by a proxy on outbound requests, keeping the real secret values out of the sandboxed runtime.