Validate a template build request without starting a build
Parses and normalizes a template build request, validates refs and build context descriptors, checks backend-compatible inputs, and returns structured validation errors without selecting a build executor.
Authorizations
API key passed as Bearer token
Body
Template name (falls back to alias, then auto-generated)
Inline Dockerfile content
Base OCI image reference imported directly on the Firecracker path (for example ubuntu:22.04). The importer currently supports raw tar, gzip, and zstd layer media types; regular files, directories, symlinks, and hard links; and Linux OCI User values in user, uid, user:group, user:gid, uid:group, or uid:gid form. OCI special files such as sockets, FIFOs, block devices, and character devices are rejected. For image indexes, the importer prefers exact Firecracker-compatible Linux variants for the current host architecture (amd64/v1 or arm64/v8 / arm64/v8.0) and falls back to a variantless Linux manifest when present; manifests with os.version or non-empty os.features are rejected. Guest boot recreates /dev, /dev/pts, /dev/shm, /proc, and /sys through nullspace-init, so those do not need to come from imported OCI layers.
Alternative name field used by SDK builders
Tags assigned to the built artifact. Omit this field to use ["default"]; explicit empty arrays are invalid.
Declarative builder steps converted to a Dockerfile server-side
- Option 1
- Option 2
- Option 3
- Option 4
- Option 5
- Option 6
- Option 7
- Option 8
- Option 9
- Option 10
- Option 11
- Option 12
- Option 13
- Option 14
- Option 15
Environment variables available during template build only
Firecracker template start command executed during template build before snapshotting; sandboxes later restore the snapshotted running state instead of rerunning this command, and create-time env injection is not visible to it
Explicit local build context used to satisfy COPY/ADD sources during template builds
Optional build VM configuration (vCPUs, memory, internet access)
Optional template build backend. Dockerfile builds default to BuildKit; declarative and external OCI import inputs use the native backend unless explicitly supported otherwise. Dockerfile input with native is rejected.
native, buildkit Relative Dockerfile path inside the uploaded build context for BuildKit builds.
Safe-to-persist Dockerfile build arguments for BuildKit builds.
Optional Dockerfile target stage for BuildKit builds.
Firecracker-only runtime defaults baked into the built template
Optional credentials for authenticated external OCI base-image imports. Applies to explicit base_image imports and Dockerfile builds that resolve to exactly one external non-template FROM image. Authenticated Dockerfile-backed imports currently reject variable-based FROM, alias-based imported stages, and multiple external registry hosts.
- Option 1
- Option 2
- Option 3
Optional per-registry request-time credentials for BuildKit Dockerfile pulls. Each registry must match a registry host used by the Dockerfile or base image. Secret values are forwarded only to the build worker and are not stored in durable build records.
Optional request-time BuildKit secrets exposed to Dockerfile RUN --mount=type=secret instructions. Supported only by the BuildKit backend. Values are forwarded only to the build worker and are not persisted in durable build records, cache keys, or context manifests.
Firecracker-only whole-build cache bypass
Optional reserved template-name claim token