Boot any AI coding agent
in a sandbox. In seconds.
Pick Claude Code, Codex, Cursor — whatever you run. zipbox boots it on a fresh cloud machine in seconds: nothing to install, no API key, no setup. Close the tab and it keeps working. Spin up ten at once, each its own box with its own URL, and pay only for the seconds they run. Nothing touches your laptop — so you can let every one go full-send.
› Free credit to start — no card
Claude Code v2.1.190
Opus 4.8 (1M context) · Claude Max
/workspace
/workspace (main)
PR #1063 · ← for agents
boots the agent you already use
Four things we refuse to compromise on.
zipbox is an instant, disposable cloud computer for your coding agent — and that’s only useful if the box is safe, private, instant, and cheap to spin up. So those are the four things zipbox is built around — not bolted on after.
Hardware isolation
Every box is its own Firecracker microVM on hardware-secured KVM — a separate guest kernel with a minimal attack surface. Access is public-key only; there’s no password to phish or reuse.
Your code stays yours
Nobody at zipbox reads what’s inside your box, and nothing in it is logged, mined, or used to train a model. Your work is wiped on exit — yours alone, start to finish.
Live in seconds
A pre-warmed Firecracker microVM is handed to you the instant you pick an agent — already booted, already running, streaming to your browser. No container scheduler, no warm-up, no cold-start tax.
Only pay while it runs
Billing is metered to the box and stops the second you do. You pay for the time an agent is actually working — nothing for idle, no subscription, no card to start.
From sign-in to a running agent in three steps.
Sign in your way
Email if you want it simple, a crypto key if you want anonymity. Either way, every session is cryptographically signed — no passwords, no shared secrets in a database.
Pick an agent, get a sandbox
Claude Code, Codex, Cursor, Grok… choose one and a pre-warmed sandbox is handed to you in seconds — already booted, already named, already answering on HTTPS. No naming, no waiting for a kernel.
Give it root and walk away
A full-root terminal opens in your browser, wired straight into the sandbox. Auto-approve on, blast radius of one sandbox. Close the tab and let it do its worst — come back to the result, then nuke the box in one click.
Security isn’t a feature here. It’s the boundary.
Agents are powerful and unpredictable. So every box is built to contain one — isolated at the hardware level, sealed to your key, and yours alone to keep or wipe the moment you’re done.
Hardware-isolated microVMs
Every box runs in its own Firecracker microVM on hardware-secured KVM — its own guest kernel, a minimal attack surface. The same isolation technology trusted to run untrusted code at massive scale.
No passwords. Ever.
Access to every box is unlocked by a signature from your key — never a password. Each session is cryptographically bound to you, with no shared secret to phish, leak, reuse, or brute-force.
Disposable by default
A box is yours to throw away. Delete it and the entire VM — disk, memory, network — is wiped for good, on the host and in storage. Nothing persists unless you pause it, which tucks the disk into private storage for you, and only you, to restore later.
Your machine stays clean
The agent runs in the sandbox, never on your laptop. No local install, no filesystem access, nothing left on your disk — and no blast radius if it goes off the rails. Any keys it needs live in the box and die with it.
A network of its own
Each box gets its own NAT’d, tenant-isolated network — its own address, walled off from every other box on the host. It answers only at its own subdomain, and only over your signed session.
Your session, yours alone
Every command your agent runs streams live to your browser, and your scrollback is restored the instant you reconnect — so you always see exactly what it did. The session is tied to your key alone: we never store it, read it, mine it, or train on it.
you
Your machine
browser · your keypair
isolated
Firecracker microVM
own kernel · isolated · wiped on delete
Pick a size. Free credit to start.
Every size is the same disposable box with more machine under it — billed by the hour, only while it runs. No seats, no subscription, no card to start.
≈ $10/mo always-on
≈ $25/mo always-on
≈ $45/mo always-on
≈ $85/mo always-on
// $0 while paused · credits never expire
The only place it’s sane to run an agent flat-out.
A sandbox is where “dangerous” turns into “go.” Full power, a clean identity, ten at once, and nobody who has to watch it — the capabilities you’d never hand your own laptop.
Full root, full send
Auto-approve every tool call. Let it rm -rf, sudo, install a kernel module, peg all four cores overnight. You’d never allow that on your laptop — which is exactly why most people quietly throttle their agent. Here you don’t. The sandbox is the permission slip.
A clean room every time
No cookies, no ~/.ssh, no shell history, no logins — and with a crypto key, no name attached to you. A fresh sandbox on a fresh IP that was never yours. The agent researches, scrapes, logs in, and tests without ever touching your fingerprint; stop the sandbox and everything it saw is gone with it.
Ten ideas, ten sandboxes
One sandbox per project, per branch, per “what if this dependency is malware.” Boot them in parallel, let them run, throw them away. Each is fully independent — a mistake in one can’t reach the next, and idle ones cost nothing.
Walk away and let it cook
Hand the agent a goal and close the tab. It keeps working in a sandbox that can’t hurt anything you own — refactor a repo overnight, grind a migration, run an experiment to completion. Come back to a result, not a babysitting bill.
// what you can finally do
Your laptop, a container, and a sandbox — side by side.
Safer and more capable. Start with free credit on us, no card.
Boot a sandboxWorth asking before you give an agent root.
- How fast is it, and do I need to install anything?
- Pick an agent and a pre-warmed sandbox is handed to you in seconds with the agent already installed and running — no setup, no Docker, no kernel to wait on. You can even run models through our proxy, metered at cost plus 3%, so you don’t need your own API key to start — or bring your own key and pay the provider direct.
- Why not just run coding agents on my laptop?
- A coding agent is a shell. It can read your SSH keys, .env files and cookies, run any command it’s told to, and be steered by prompt injection — all as you. A sandbox hands it a throwaway machine instead, so a bad command or a hijacked tool call hits that sandbox and nothing else.
- How is a sandbox different from a Docker container?
- A container shares the host’s Linux kernel, so a kernel-level escape is a host compromise. A sandbox boots its own kernel behind a hardware (KVM) boundary — the same isolation cloud providers use to separate customers, and the same primitive behind AWS Lambda. The agent gets full root inside without putting your laptop at risk.
- Can the agent escape the sandbox?
- Not without breaking the hardware-virtualization boundary itself — a KVM-level exploit, not just a misconfigured container. That’s the strongest isolation generally available, and exactly why it’s safe to hand the agent full root inside.
- How is my terminal access secured?
- There is no password and no session token. When a sandbox boots, it’s cryptographically bound to you alone. To connect, your browser signs a fresh challenge and the sandbox verifies it against the owner it was born with. Nothing that unlocks your terminal is ever stored in a database, so there’s nothing to leak.
- What happens when I pause or delete a sandbox?
- Two buttons, honestly: Pause shuts the machine down and parks its disk in private storage — free, never billed — and you can restore it later and pick up where the agent left off. Delete shuts it down and wipes the image permanently: disk, memory, network, gone.
- Which agents can I run?
- Pi, Claude Code, Codex, Grok, Hermes, OpenClaw, opencode, Cline and Cursor CLI today, with more over time — or plain bash. Pick one when you boot a sandbox — most start pre-trusted, in full auto-approve mode; Cursor CLI signs in with your own Cursor account first.
- How many sandboxes can I run?
- As many as you want. Run one per project or one per experiment, then tear them down freely — each sandbox is fully independent.
- What is the subdomain for?
- Every sandbox gets a live address at <slug>.zbox.sh. Anything the agent serves inside the sandbox — a preview, dashboard, or API — is reachable there over HTTPS.
- What does it cost?
- Sandboxes come in 6 sizes, from $10 to $320 a month. The default Small box (2 vCPU · 4 GB RAM · 80 GB disk) is $0.0342 per hour — about $25 a month if you leave it on around the clock — and every size costs nothing while it’s paused. You start with free credit — no card required.
- What happens when I run out of credit?
- We email you the moment your balance hits zero, then hold a 1-hour grace period so nothing stops mid-run. Top up — manually or with auto top-up — and your sandboxes keep going. Ignore it and the sandboxes are archived (saved, never silently billed past zero). To unarchive one or boot more, bring your balance back above $0.
- Do credits expire?
- No. Credit you buy or earn stays on your balance until you spend it on sandbox time. There’s no monthly reset and no “use it or lose it.”
- Can I cap my spend?
- Yes. It’s prepaid, so you can only ever spend credit you’ve already added — there’s no surprise invoice. Top up in amounts as small as $5, leave auto top-up off, and your spend is hard-capped at whatever is on the balance.
Boot your first agent in seconds.
Pick an agent and get a fresh cloud machine with it already running — close the tab and it keeps working, and you pay only for what you use. Spin up as many as you want, then nuke them when you’re done.
Boot a sandbox› Free credit to start — no card, no setup