One Podflare sandbox is a real Linux box. Not a container. Not a
function. Root filesystem, up to 16 GB RAM, full internet access, can
pip install anything, has a persistent Python REPL, forks in ~80 ms.
See What is a sandbox? for the full feature list.What you get
The minimum program
with block.
The loop that made us build this
Agents keep solving tiny tasks in short bursts. Spinning up a fresh Docker container per tool call costs 500–2000 ms and loses all context. Running agent code on your own infra means one roguecurl can
exfiltrate your production database.
Podflare gives each agent session its own disposable Linux box that
it cannot escape from, that it doesn’t lose state in, and that
it can fork to explore N branches of a problem from a shared ancestor:
Why now
Every serious AI agent framework has converged on a small code-execution tool surface. Podflare ships the backend they all plug into:OpenAI Agents SDK
podflare_code_interpreter() returns a FunctionToolVercel AI SDK
podflareRunCode() wraps into tool({...})Anthropic Messages API
handle_code_execution_tool_use for tool_use blocksMCP
Drop-in server for Claude Desktop, Cursor, Cline, Zed
Architecture at a glance
- Podflare microVM per sandbox. KVM-backed hardware isolation, dedicated guest kernel, ~100 MB RSS each.
- Concurrent snapshot restore — N children boot from one seed snapshot in parallel.
- Copy-on-write rootfs — per-sandbox disk clones are metadata-only, ~1 ms each.
- Diff snapshots for fork — only dirty pages written, so a running sandbox can fan out into 5 siblings in ~100 ms.
- Warm pool — pre-booted VMs hand off instantly; pool refills in ~12 ms.
- Bridge + NAT for outbound network — every guest gets its own DHCP lease.

