AI agents that write and execute code need a sandbox. You can’t eval() AI-generated code in your application — a single prompt injection could compromise your entire system. Cloudflare Sandboxes provide isolated execution environments at the edge, purpose-built for AI agent workloads.
The service went GA in April 2026 after launching in beta last year. It runs on Cloudflare’s container runtime with full filesystem access, Git operations, package installation, and the ability to expose running services via public URLs.
Why Cloudflare over other sandboxes
| Sandbox | Cold start | Persistence | Edge deployment | Pricing |
|---|---|---|---|---|
| Cloudflare | ~100ms (Dynamic Workers) | ✅ Filesystem + Git | ✅ Global edge | Pay-per-use |
| E2B | ~500ms | ✅ Snapshots | ❌ US regions | $0.01/min |
| Modal | ~1s | ✅ Volumes | ❌ US/EU | Pay-per-second |
| Docker (self-hosted) | ~2-5s | ✅ Volumes | ❌ Your infra | Your cost |
Cloudflare’s key advantage is speed. Their “Dynamic Workers” approach sandboxes AI agents 100x faster than traditional containers by using V8 isolates for lightweight tasks and full containers only when needed.
The other advantage is edge deployment. Your agent’s sandbox runs close to your users globally, which matters for latency-sensitive applications.
Setup
Install the Sandbox SDK:
```bash
npm install @anthropic-ai/sdk @cloudflare/sandbox-sdk
# or for OpenAI integration:
npm install openai @cloudflare/sandbox-sdk
```
Basic sandbox usage:
```javascript
import { Sandbox } from "@cloudflare/sandbox-sdk";

const sandbox = await Sandbox.create({
  template: "node", // or "python", "base"
});

// Execute commands
const result = await sandbox.commands.run("echo 'Hello from sandbox'");
console.log(result.stdout);

// Write files
await sandbox.files.write("/app/index.js", `
const express = require('express');
const app = express();
app.get('/', (req, res) => res.json({ status: 'running' }));
app.listen(3000);
`);

// Install packages (in /app, so index.js can resolve them)
await sandbox.commands.run("cd /app && npm install express");

// Run the app in the background
// (named appProcess so it does not shadow Node's global `process`)
const appProcess = await sandbox.commands.run("node /app/index.js", {
  background: true,
});

// Expose it via public URL (reachable by anyone who has the URL)
const url = await sandbox.ports.expose(3000);
console.log(`App running at: ${url}`);
```
Integration with OpenAI Agents SDK
Cloudflare provides an official tutorial for connecting the OpenAI Agents SDK with Cloudflare Sandboxes:
```typescript
import { Agent, Runner } from "openai-agents";
import { Sandbox } from "@cloudflare/sandbox-sdk";

const sandbox = await Sandbox.create({ template: "python" });

const agent = new Agent({
  name: "Data Analyst",
  instructions: "Analyze data using Python. Write and execute code in the sandbox.",
  tools: [
    {
      name: "execute_python",
      description: "Run Python code in an isolated sandbox",
      handler: async (code: string) => {
        // Model-written code is saved to a file in the sandbox and run there
        await sandbox.files.write("/app/script.py", code);
        const result = await sandbox.commands.run("python /app/script.py");
        return result.stdout || result.stderr;
      },
    },
    {
      name: "install_package",
      description: "Install a Python package",
      handler: async (pkg: string) => {
        // pkg is model-supplied and is interpolated into a shell command line;
        // validate it (plain package name, allowlisted) before this call
        const result = await sandbox.commands.run(`pip install ${pkg}`);
        // Return stderr on failure so the agent can see why the install failed
        return result.stdout || result.stderr;
      },
    },
  ],
});
```
The agent can now write Python code, install packages, and execute scripts — all in an isolated environment that can’t access your host system.
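The `install_package` handler above interpolates a model-supplied string into a shell command line, so the string should be constrained before it gets there. One way to do that, as an added example that is not part of the original article or of either SDK; `buildPipInstall`, the allowlist contents and the length limit are assumptions made for illustration:

```typescript
// Added example: gate a model-supplied package spec before `pip install`.
// buildPipInstall and the allowlist are illustrative, not SDK code.

interface Verdict {
  ok: boolean;
  command: string; // empty when rejected
  reason: string;  // empty when accepted
}

// Plain project name, optionally pinned as name==version. Anything else
// (spaces, shell metacharacters, leading "-", URLs, paths) fails to match.
const SPEC_RE =
  /^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:==([A-Za-z0-9][A-Za-z0-9.+_-]*))?$/;

// Constructed sample policy: the only packages this agent may install.
const ALLOWED_PACKAGES: string[] = ["pandas", "numpy", "matplotlib", "requests"];

// PEP 503 normalisation, so "Pandas" and "pandas" hit the same entry.
function normalizeName(name: string): string {
  return name.toLowerCase().replace(/[-_.]+/g, "-");
}

function reject(reason: string): Verdict {
  return { ok: false, command: "", reason };
}

function buildPipInstall(spec: string): Verdict {
  const trimmed = spec.trim();
  if (trimmed.length === 0 || trimmed.length > 100) {
    return reject("empty or oversized spec");
  }
  const m = SPEC_RE.exec(trimmed);
  if (m === null) {
    return reject("not a plain name or name==version");
  }
  const name = normalizeName(m[1] || "");
  const version = m[2] || "";
  if (ALLOWED_PACKAGES.indexOf(name) === -1) {
    return reject("package is not on the allowlist: " + name);
  }
  // The match guarantees the spec starts with an alphanumeric, so it cannot
  // be parsed as a pip option or split into a second shell command.
  const pinned = version === "" ? name : name + "==" + version;
  return { ok: true, command: "pip install " + pinned, reason: "" };
}
```

In the handler, run `verdict.command` only when `verdict.ok` is true; otherwise return `verdict.reason` to the model without executing anything.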
Code interpreter with streaming
The SDK supports live streaming of output, which is essential for long-running computations:
```javascript
const sandbox = await Sandbox.create({ template: "python" });

// Stream output in real-time
const stream = await sandbox.commands.stream(
  "python -c 'import time; [print(f\"Step {i}\", flush=True) or time.sleep(1) for i in range(10)]'"
);

for await (const chunk of stream) {
  process.stdout.write(chunk); // Real-time output
}
```
The code interpreter supports rich output: charts (matplotlib), tables (pandas), HTML, and JSON. This makes it suitable for data analysis agents that need to generate visualizations.
Git operations
Sandboxes have full Git support, which is critical for AI coding agents:
```javascript
// Clone a repo
await sandbox.commands.run("git clone https://github.com/user/repo /app/repo");

// Make changes (fixedCode is a string holding the patched file contents)
await sandbox.files.write("/app/repo/src/fix.py", fixedCode);

// Commit and push
await sandbox.commands.run("cd /app/repo && git add . && git commit -m 'AI fix'");
await sandbox.commands.run("cd /app/repo && git push origin main");
```
This is how you’d build an agent that can autonomously fix bugs, create PRs, and deploy — similar to what the agents in our AI Startup Race do.
Security model
Cloudflare Sandboxes provide multiple isolation layers:
- Process isolation: Each sandbox runs in its own container
- Network isolation: Sandboxes can’t access your internal network by default
- Filesystem isolation: Each sandbox has its own filesystem
- Resource limits: CPU, memory, and execution time are bounded
You control what the sandbox can access:
```javascript
const sandbox = await Sandbox.create({
  template: "node",
  network: {
    allowOutbound: true, // Can make HTTP requests
    allowedDomains: ["api.github.com", "registry.npmjs.org"],
  },
  resources: {
    maxCpuMs: 30000, // 30 seconds of CPU time
    maxMemoryMb: 512, // 512 MB RAM
  },
});
```
For agent security best practices, always restrict network access to only the domains your agent needs. An unrestricted sandbox with AI-generated code is a security risk.
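A pre-flight check for the options object shown above, as an added example that is not part of the original article or of the Sandbox SDK. It assumes the option names used on this page (`network.allowOutbound`, `network.allowedDomains`, `resources.maxCpuMs`, `resources.maxMemoryMb`); `auditSandboxOptions` and the two ceilings are hypothetical policy choices:

```typescript
// Added example: lint sandbox options before they reach Sandbox.create().
// Option names follow this page's snippet; the ceilings are assumed policy.

interface NetworkOptions { allowOutbound?: boolean; allowedDomains?: string[] }
interface ResourceOptions { maxCpuMs?: number; maxMemoryMb?: number }
interface SandboxOptions {
  template?: string;
  network?: NetworkOptions;
  resources?: ResourceOptions;
}

const MAX_CPU_MS = 60000;   // assumed ceiling: 60 s of CPU time
const MAX_MEMORY_MB = 1024; // assumed ceiling: 1 GB RAM

// An allowlist entry must be a bare hostname: no scheme, port, path or "*".
const HOSTNAME_RE = /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/;

function outOfBounds(value: number | undefined, max: number): boolean {
  return value === undefined || !(value > 0) || value > max;
}

function auditSandboxOptions(opts: SandboxOptions): string[] {
  const findings: string[] = [];
  const net: NetworkOptions = opts.network || {};
  const res: ResourceOptions = opts.resources || {};
  const domains: string[] = net.allowedDomains || [];

  if (net.allowOutbound === true && domains.length === 0) {
    findings.push("network: outbound allowed without allowedDomains (unrestricted egress)");
  }
  for (const entry of domains) {
    if (!HOSTNAME_RE.test(entry.toLowerCase())) {
      findings.push("network: allowedDomains entry is not a bare hostname: " + entry);
    }
  }
  if (outOfBounds(res.maxCpuMs, MAX_CPU_MS)) {
    findings.push("resources: maxCpuMs missing or outside 1.." + MAX_CPU_MS);
  }
  if (outOfBounds(res.maxMemoryMb, MAX_MEMORY_MB)) {
    findings.push("resources: maxMemoryMb missing or outside 1.." + MAX_MEMORY_MB);
  }
  return findings;
}
```

An empty result means the options pass this policy; anything else is a list of reasons to refuse creating the sandbox.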
When to use Cloudflare Sandboxes
Good fit:
- AI coding agents that need to execute generated code
- Code interpreters for data analysis
- CI/CD-like workflows triggered by AI
- Multi-tenant applications where each user’s agent needs isolation
- Edge-deployed agents that need low latency globally
Not ideal for:
- GPU workloads (use RunPod or cloud GPUs)
- Long-running training jobs
- Agents that need persistent state across sessions (use snapshots or external storage)
Cloudflare Sandboxes vs self-hosted Docker
If you’re already running agents on a VPS with Docker, Cloudflare Sandboxes offer:
- No infrastructure management
- Global edge deployment
- Faster cold starts (100ms vs 2-5s)
- Built-in security isolation
- Pay-per-use pricing
The trade-off is vendor lock-in and less control. For our AI Startup Race, we use a self-hosted VPS because we need full control over the agent orchestration. For a SaaS product serving many users, Cloudflare Sandboxes would be the better choice.