Key takeaways
- Container-based agent sandboxes on Cloudflare's edge — command execution, file management, Python/JS code interpreter, and auto-generated preview URLs, coordinated by Durable Objects; 1,038 GitHub stars as of June 2026
- Still beta: @cloudflare/sandbox is pre-v1 (0.12.1, June 9, 2026), and the platform splits in two — containers for full Linux, the Dynamic Worker Loader's V8 isolates for millisecond-start JS sandboxes
- Code Mode is the strategic layer: agents write TypeScript against typed SDKs inside an isolate instead of making tool calls, which Cloudflare claims cuts input tokens 99.9% on its own 2,500-endpoint API
- Isolation is containers and V8 isolates, not Firecracker microVMs — Cloudflare itself concedes isolates have "a more complicated attack surface than hardware virtual machines"
FAQ
What is the Cloudflare Sandbox SDK?
An open-source TypeScript SDK that gives Cloudflare Workers applications secure, isolated Linux container environments for running untrusted or AI-generated code — shell commands, file operations, a Python/JavaScript code interpreter, and public preview URLs.
How much does the Cloudflare Sandbox SDK cost?
The SDK is free; sandboxes bill at Cloudflare Containers rates on the Workers Paid plan ($5/month) — $0.000020 per vCPU-second and $0.0000025 per GiB-second of memory beyond included usage, with charges stopping when a sandbox sleeps. The Dynamic Worker Loader is free in beta, then $0.002 per unique Worker loaded per day.
How does it relate to Dynamic Worker Loader and Code Mode?
The Sandbox SDK provides full Linux containers; the Dynamic Worker Loader (open beta March 2026) spins up V8-isolate sandboxes Cloudflare says start in milliseconds, and Code Mode uses those isolates to let agents write TypeScript against typed SDKs instead of making MCP tool calls.
How is Cloudflare Sandbox SDK different from E2B?
E2B runs Firecracker microVMs with hardware-level isolation as a standalone sandbox service; Cloudflare's sandboxes are Linux containers (plus V8 isolates) embedded in the Workers platform, trading isolation depth for edge distribution and tight Workers integration.
Executive Summary
Cloudflare Sandbox SDK is the company's entry into AI agent sandboxes: an open-source TypeScript SDK that lets a Workers application spin up "secure, isolated code execution environments" — full Linux containers with command execution, file management, a Python/JavaScript code interpreter, and automatically generated preview URLs — built on Cloudflare Containers with Durable Objects as the "stateful coordination layer."[1] The repository has grown to 1,038 stars and 100 forks since its June 2025 creation, and the product is still pre-v1 — @cloudflare/sandbox 0.12.1 shipped June 9, 2026.[2][3]
The more interesting story is the two-tier architecture forming around it. In March 2026 Cloudflare opened the Dynamic Worker Loader beta — runtime-instantiated V8-isolate sandboxes it claims are "around 100x faster and 10x-100x more memory efficient than a typical container," starting in "a few milliseconds."[4] Those isolates power Code Mode, which collapses the entire 2,500+-endpoint Cloudflare API into two MCP tools (search() and execute()) by having agents write TypeScript against a typed SDK instead of making tool calls — with a claimed 99.9% input-token reduction versus the 1.17 million tokens an equivalent conventional server would consume.[5] Containers for full Linux, isolates for fast JS: Cloudflare is betting both horses.
| Attribute | Value |
|---|---|
| Company | Cloudflare (NYSE: NET) |
| Repository created | June 22, 2025[2] |
| GitHub Stars | 1,038 (as of June 2026)[2] |
| Forks | 100[2] |
| Latest release | @cloudflare/sandbox 0.12.1 — June 9, 2026 (beta, pre-v1)[3] |
| Language | TypeScript[2] |
| License | Non-standard — GitHub reports "Other"[2] |
Product Overview
The SDK exposes sandboxes as objects inside a Worker: get a sandbox, exec commands, write files, expose a port. Each sandbox runs "in its own isolated container with a full Linux environment," persists state through Durable Objects, and can mount R2 or S3 buckets for durable storage.[1]
Key Capabilities
| Capability | Description |
|---|---|
| Command execution | Shell commands, Python scripts, and Node.js apps with "streaming output support and automatic timeout handling"[1] |
| File management | Read/write/manipulate the sandbox filesystem; background processes with output monitoring[1] |
| Code interpreter | Python and JavaScript execution "with rich outputs including charts, tables, and images," persistent state between executions[1] |
| Preview URLs | "Expose HTTP services running in your sandbox with automatically generated preview URLs"[1] |
| File watching | Native filesystem-event monitoring of files and directories[1] |
| Terminal access | Browser-based terminals over WebSocket connections to sandbox shells[1] |
Product Surfaces
| Surface | Description | Availability |
|---|---|---|
| Sandbox SDK | Container sandboxes from Workers code | Workers Paid plan, pre-v1 beta[1][3] |
| Dynamic Worker Loader | Runtime V8-isolate sandboxes for generated code | Open beta since March 24, 2026, all paid Workers users[4] |
| Code Mode (@cloudflare/codemode) | Agents write TS against typed SDKs in an isolate instead of tool calls | Built on Dynamic Worker Loader[5] |
Technical Architecture
A sandbox is a Durable Object fronting a Cloudflare Container: the Durable Object provides identity, routing, and state coordination, while the container provides the Linux environment.[1] The Dynamic Worker Loader takes the opposite trade — code runs "inside a Dynamic Worker isolate — a lightweight V8 sandbox with no file system, no environment variables to leak through prompt injection and external fetches disabled by default."[5]
Cloudflare is candid about the isolation gradient: isolates use "the same isolate-based mechanism underlying Cloudflare Workers since launch," but "hardening an isolate-based sandbox is tricky" because isolates present "a more complicated attack surface than hardware virtual machines."[4] Neither tier is a Firecracker microVM — the hardware-virtualization standard at E2B and Vercel Sandbox.
Key Technical Details
| Aspect | Detail |
|---|---|
| Deployment | Library inside a Cloudflare Worker; sandboxes run on Cloudflare Containers + Durable Objects[1] |
| Isolation | Linux containers (Sandbox SDK); V8 isolates (Dynamic Worker Loader) — not microVMs[1][4] |
| Instance sizes | lite (1/16 vCPU, 256 MiB) through standard-4 (4 vCPU, 12 GiB, 20 GB disk)[6] |
| Persistence | Durable Objects state, sleeping containers, R2/S3 bucket mounts[1] |
| Languages | Python and JavaScript/Node.js in the interpreter; isolates are JS-first[1][7] |
| Open Source | SDK source on GitHub (license reported as "Other"); platform is proprietary Cloudflare infrastructure[2] |
Strengths
- Two execution tiers under one vendor — full Linux containers when agents need a filesystem and shell, and V8 isolates that start in "a few milliseconds" and use "a few megabytes of memory" when they just need to run generated JS.[1][4]
- Code Mode is a genuinely different agent interface — converting 2,500+ API endpoints into two tools with a claimed 99.9% input-token reduction attacks MCP's context-bloat problem at the root, and the execution sandbox ships with external fetches disabled by default.[5]
- Scale-to-zero economics — charges start on request and "stop after the container instance goes to sleep," with CPU billed only during active usage; entry point is the $5/month Workers Paid plan.[6]
- Batteries included for agent UX — preview URLs, browser terminals, file watching, and a stateful code interpreter come standard rather than as integration work.[1]
- Platform gravity — sandboxes compose directly with Workers, Durable Objects, and R2, and the launch drew real attention: 256 points and 90 comments on Hacker News.[7]
Cautions
- Beta, pre-v1 — the package is at 0.12.1 a year after creation; API surface and semantics can still break.[3]
- Isolation is honest but weaker than microVMs — containers and V8 isolates versus the Firecracker hardware virtualization at E2B and Vercel Sandbox; Cloudflare's own post admits isolates have "a more complicated attack surface than hardware virtual machines."[4]
- Always-on containers get expensive — HN commenters computed roughly $51.84 per vCPU-month and $6.48 per GiB-month at continuous usage, well above commodity VM pricing; the model only wins if sandboxes actually sleep.[7][6]
- JavaScript-first bias — the isolate tier is V8, and launch examples skewed heavily to JS, a sore point for users of Go and other backend languages.[7]
- Egress and lifecycle gaps — network egress bills at $0.025/GB (North America/Europe) beyond included transfer, and early users flagged missing idle-timeout auto-destroy and coarse all-or-nothing network controls.[6][7]
- Non-standard license — GitHub reports the repository license as "Other," not a recognized SPDX identifier; review terms before forking or embedding.[2]
What Developers Say
The launch thread (256 points, 90 comments) split between competitive respect and pricing/scope complaints.[7]
"This looks rough for e2b.dev, Beam, and others... taking on Cloudflare is going to be tough" — an HN commenter[7]
"Memory: $6.48 per GB vCPU: $51.84 per vCPU (!!!)" — an HN commenter on continuous-usage cost versus GCP and Hetzner[7]
"1-5 seconds seems high for Firecracker... We boot VMs at ~20-50ms" — an HN commenter comparing container cold starts to microVM startup[7]
"Everything is JavaScript. Every example, all the things" — an HN commenter on the missing Go and backend-language examples[7]
"I'd like to avoid someone malicious using my container to launch attacks against other sites" — an HN commenter on the all-or-nothing network controls[7]
"it does not seem to be possible to auto destroy a sandbox after certain amount of idle time" — an HN commenter on lifecycle gaps[7]
Pricing & Licensing
The SDK is free; sandboxes bill as Cloudflare Containers usage on the Workers Paid plan.[1][6]
| Tier | Price | Includes |
|---|---|---|
| Workers Paid | $5/month | 25 GiB-hours memory, 375 vCPU-minutes, 200 GB-hours disk per month included[6] |
| Containers overage | $0.000020/vCPU-s, $0.0000025/GiB-s memory, $0.00000007/GB-s disk | Billed only while instances are awake; memory/disk on provisioned size, CPU on active usage[6] |
| Egress | $0.025/GB NA & Europe (1 TB included); $0.04–0.05/GB elsewhere | Per-region included transfer[6] |
| Dynamic Worker Loader | Free in beta; then $0.002 per unique Worker loaded per day | Plus standard Workers CPU and invocation charges[4] |
Licensing model: SDK source is public on GitHub under a license GitHub classifies as "Other"; the execution platform is proprietary, Cloudflare-hosted only.[2]
Hidden costs: provisioned-size billing means an over-sized sleeping-resistant sandbox accrues memory/disk charges; continuous workloads price like premium VMs (~$51.84/vCPU-month per community math), and egress applies beyond included transfer.[7][6]
Competitive Positioning
Direct Competitors
| Competitor | Differentiation |
|---|---|
| E2B | Firecracker microVMs with hardware-level isolation and the category's largest adoption; Cloudflare counters with edge distribution, Workers integration, and the isolate fast path |
| Vercel Sandbox | Also a platform-attached sandbox (Firecracker microVMs inside Vercel's ecosystem); the choice largely tracks which platform already hosts your app |
| Modal | gVisor-isolated containers with GPU support for heavier compute; Cloudflare has no sandbox GPU story but a far lighter entry point |
| Daytona | Standalone sandbox infrastructure with sub-100ms creation claims; Cloudflare's is a platform feature, not a standalone product |
The Dynamic Worker Loader has no direct analog among sandbox vendors — competitors sell VMs or containers, while Cloudflare can also sell millisecond V8 isolates because it already operates an isolate platform at scale.[4]
When to Choose Cloudflare Sandbox SDK Over Alternatives
- Choose Cloudflare when: you're already building on Workers/Durable Objects, want sandboxes co-located with your app logic, or want Code Mode's write-code-not-tool-calls pattern.
- Choose E2B or Vercel Sandbox when: hardware-virtualized (Firecracker) isolation is a security requirement.
- Choose Modal when: sandboxed workloads need GPUs or heavy data/ML compute.
Ideal Customer Profile
Best fit:
- Teams already on Cloudflare Workers who need agents to execute untrusted code without adding a second vendor
- Agent builders running short, bursty JS/Python executions that benefit from scale-to-zero billing
- MCP server authors fighting tool-definition context bloat — Code Mode's two-tool pattern is the draw
- Products needing preview URLs and browser terminals out of the box
Poor fit:
- Security postures that mandate hardware-virtualized (microVM) isolation
- GPU or large-memory workloads — instance sizes top out at 4 vCPU / 12 GiB
- Polyglot teams expecting first-class Go/Rust/JVM sandbox support today
- Continuous 24/7 sandbox workloads, where per-vCPU economics favor plain VMs
Viability Assessment
| Factor | Assessment |
|---|---|
| Financial Health | Backed by Cloudflare, a profitable public company — no startup risk |
| Market Position | Late entrant vs E2B/Modal/Daytona, but with unmatched distribution via the Workers platform |
| Innovation Pace | Fast — repo pushed same-day as of June 11, 2026; Worker Loader beta and Code Mode shipped within the last year[2][4] |
| Community/Ecosystem | 1,038 stars, 100 forks; strong launch attention (256-point HN thread) but smaller than incumbents[2][7] |
| Long-term Outlook | Strategic for Cloudflare's agent platform push — unlikely to be abandoned, likely to stay Cloudflare-only |
The viability question is not survival — Cloudflare will fund this indefinitely — but maturity and fit. The SDK is pre-v1, the isolation model is a tier below microVM competitors, and everything is welded to Cloudflare's platform. Against that: no sandbox competitor can offer a millisecond V8 tier, and Code Mode is one of the more credible answers yet to MCP token bloat.[4][5]
Bottom Line
Cloudflare Sandbox SDK is the platform-native option: if your agent already lives on Workers, it is the shortest path to giving it a shell, a filesystem, and a preview URL — and the Dynamic Worker Loader adds a uniquely fast isolate tier no microVM vendor can match. But it is still a beta product with container-grade (not hardware-virtualized) isolation, JavaScript-first ergonomics, and pricing that punishes always-on workloads. The Code Mode thesis — agents should write code, not make tool calls — may end up mattering more than the sandbox itself.
Recommended for: Workers-based teams adding code execution to agents, MCP builders adopting Code Mode, and bursty scale-to-zero workloads.
Not recommended for: microVM-mandated security postures, GPU workloads, or 24/7 continuous sandboxes.
Outlook: Cloudflare's resources and the isolate differentiator make this a durable top-tier contender once it exits beta — watch whether v1.0 hardens the isolation story and broadens beyond JavaScript.
Research by Ry Walker Research • methodology
Sources
- [1] Cloudflare Sandbox SDK Documentation
- [2] cloudflare/sandbox-sdk GitHub Repository
- [3] @cloudflare/sandbox on npm
- [4] Cloudflare Blog: Sandboxing AI agents, 100x faster (Dynamic Worker Loader)
- [5] Cloudflare Blog: Code Mode — give agents an entire API in 1,000 tokens
- [6] Cloudflare Containers Pricing
- [7] Hacker News: Cloudflare Sandbox SDK launch thread