Skip to main content
By default, a sandbox’s public URL is reachable by anyone who knows it. For sensitive workloads, you can require callers to authenticate with a per-sandbox token before any request reaches the services inside.

Restricting public access to sandbox URLs

By default, sandbox URLs are publicly accessible. You can restrict access to require authentication using the allowPublicTraffic / allow_public_traffic option: 
import { Sandbox } from 'e2b'

// Create sandbox with restricted public access
const sandbox = await Sandbox.create({
  network: {
    allowPublicTraffic: false
  }
})

// The sandbox has a traffic access token
console.log(sandbox.trafficAccessToken)

// Start a server inside the sandbox
await sandbox.commands.run('python -m http.server 8080', { background: true })

const host = sandbox.getHost(8080)
const url = `https://${host}`

// Request without token will fail with 403
const response1 = await fetch(url)
console.log(response1.status) // 403

// Request with token will succeed
const response2 = await fetch(url, {
  headers: {
    'e2b-traffic-access-token': sandbox.trafficAccessToken
  }
})
console.log(response2.status) // 200
When allowPublicTraffic / allow_public_traffic is set to a falsy value, all requests to the sandbox’s public URLs must include the e2b-traffic-access-token header with the value from sandbox.trafficAccessToken / sandbox.traffic_access_token.