Skip to main content
Networking docs cover how sandbox processes receive inbound traffic, how clients connect to streaming endpoints, how tokens protect access, and when to use SSH instead of HTTP preview routing.

Choose A Connection Path

NeedUse
Open an HTTP service running inside a sandboxPreview URLs
Expose a sandbox service behind your own domain or app sessionCustom Preview Proxy
Connect to a WebSocket server in the sandboxWebSockets or a signed preview WebSocket URL
Connect local developer tools over OpenSSHSSH access
Restrict outbound traffic or understand bearer tokensAccess control and Token model

Preview URL Shape

from nullspace import Sandbox

with Sandbox.create(template="base", timeout=300) as sandbox:
    server = sandbox.commands.run(
        "python3 -m http.server 8080 --bind 0.0.0.0",
        shell=True,
        cwd="/workspace",
        background=True,
    )
    try:
        print(sandbox.get_url(8080))
    finally:
        server.kill()
The service inside the sandbox must bind to 0.0.0.0, not only 127.0.0.1. Preview URLs are signed bearer URLs; treat them like temporary credentials.

Security Model

SurfaceSecurity Note
API keysControl-plane credentials for SDK, CLI, and API calls.
Preview URLsSigned grants for a specific sandbox port.
Custom preview proxy targetsHeader-token targets intended for customer-run reverse proxies.
Traffic access tokensOptional private-traffic bearer tokens enforced by sandbox network policy.
SSHCertificate-backed relay access, separate from preview URL routing.

Networking Guides

Preview URLs

Expose HTTP and WebSocket services running inside a sandbox.

Custom Preview Proxy

Front sandbox previews with your own reverse proxy.

Access control

Restrict outbound network access for sandbox workloads.

Token model

Separate API keys, preview tokens, proxy tokens, traffic tokens, and signed URLs.

WebSockets

Connect to streaming sandbox endpoints.

SSH

Connect to a sandbox over SSH when the workflow requires it.