zipbox_Launch app
live in seconds · any agent · pay as you go

Boot any AI coding agent in a sandbox. In seconds.

Pick Claude Code, Codex, Cursor — whatever you run. zipbox boots it on a fresh cloud machine in seconds: nothing to install, no API key, no setup. Close the tab and it keeps working. Spin up ten at once, each its own box with its own URL, and pay only for the seconds they run. Nothing touches your laptop — so you can let every one go full-send.

Free credit to start — no card

terminal — claude code

Claude Code v2.1.190

Opus 4.8 (1M context) · Claude Max

/workspace

/workspace (main)

PR #1063 · ← for agents

01// why zipbox

Four things we refuse to compromise on.

zipbox is an instant, disposable cloud computer for your coding agent — and that’s only useful if the box is safe, private, instant, and cheap to spin up. So those are the four things zipbox is built around — not bolted on after.

01security

Hardware isolation

Every box is its own Firecracker microVM on hardware-secured KVM — a separate guest kernel with a minimal attack surface. Access is public-key only; there’s no password to phish or reuse.

02privacy

Your code stays yours

Nobody at zipbox reads what’s inside your box, and nothing in it is logged, mined, or used to train a model. Your work is wiped on exit — yours alone, start to finish.

03fast boot

Live in seconds

A pre-warmed Firecracker microVM is handed to you the instant you pick an agent — already booted, already running, streaming to your browser. No container scheduler, no warm-up, no cold-start tax.

04pay per use

Only pay while it runs

Billing is metered to the box and stops the second you do. You pay for the time an agent is actually working — nothing for idle, no subscription, no card to start.

02// how it works

From sign-in to a running agent in three steps.

01

Sign in your way

Email if you want it simple, a crypto key if you want anonymity. Either way, every session is cryptographically signed — no passwords, no shared secrets in a database.

Boot a sandbox
02

Pick an agent, get a sandbox

Claude Code, Codex, Cursor, Grok… choose one and a pre-warmed sandbox is handed to you in seconds — already booted, already named, already answering on HTTPS. No naming, no waiting for a kernel.

Pi logoClaude Code logoCodex logoGrok logoHermes logo+4
03

Give it root and walk away

A full-root terminal opens in your browser, wired straight into the sandbox. Auto-approve on, blast radius of one sandbox. Close the tab and let it do its worst — come back to the result, then nuke the box in one click.

yolo · on
03// security & privacy

Security isn’t a feature here. It’s the boundary.

Agents are powerful and unpredictable. So every box is built to contain one — isolated at the hardware level, sealed to your key, and yours alone to keep or wipe the moment you’re done.

Hardware-isolated microVMs

Every box runs in its own Firecracker microVM on hardware-secured KVM — its own guest kernel, a minimal attack surface. The same isolation technology trusted to run untrusted code at massive scale.

No passwords. Ever.

Access to every box is unlocked by a signature from your key — never a password. Each session is cryptographically bound to you, with no shared secret to phish, leak, reuse, or brute-force.

Disposable by default

A box is yours to throw away. Delete it and the entire VM — disk, memory, network — is wiped for good, on the host and in storage. Nothing persists unless you pause it, which tucks the disk into private storage for you, and only you, to restore later.

Your machine stays clean

The agent runs in the sandbox, never on your laptop. No local install, no filesystem access, nothing left on your disk — and no blast radius if it goes off the rails. Any keys it needs live in the box and die with it.

A network of its own

Each box gets its own NAT’d, tenant-isolated network — its own address, walled off from every other box on the host. It answers only at its own subdomain, and only over your signed session.

Your session, yours alone

Every command your agent runs streams live to your browser, and your scrollback is restored the instant you reconnect — so you always see exactly what it did. The session is tied to your key alone: we never store it, read it, mine it, or train on it.

you

Your machine

browser · your keypair

keypair signaturesigns each session · connects direct

isolated

Firecracker microVM

own kernel · isolated · wiped on delete

04// pricing

Pick a size. Free credit to start.

Every size is the same disposable box with more machine under it — billed by the hour, only while it runs. No seats, no subscription, no card to start.

Tiny
$0.0137/hr

$10/mo always-on

1 vCPU2 GB RAM20 GB disk
Smallrecommended
$0.0342/hr

$25/mo always-on

2 vCPU4 GB RAM80 GB disk
Medium
$0.0616/hr

$45/mo always-on

4 vCPU8 GB RAM160 GB disk
Large
$0.1164/hr

$85/mo always-on

6 vCPU16 GB RAM320 GB disk
need more?Bigger machines on request — contact us

// $0 while paused · credits never expire

05// what you get

The only place it’s sane to run an agent flat-out.

A sandbox is where “dangerous” turns into “go.” Full power, a clean identity, ten at once, and nobody who has to watch it — the capabilities you’d never hand your own laptop.

power

Full root, full send

Auto-approve every tool call. Let it rm -rf, sudo, install a kernel module, peg all four cores overnight. You’d never allow that on your laptop — which is exactly why most people quietly throttle their agent. Here you don’t. The sandbox is the permission slip.

privacy · anonymity

A clean room every time

No cookies, no ~/.ssh, no shell history, no logins — and with a crypto key, no name attached to you. A fresh sandbox on a fresh IP that was never yours. The agent researches, scrapes, logs in, and tests without ever touching your fingerprint; stop the sandbox and everything it saw is gone with it.

disposable

Ten ideas, ten sandboxes

One sandbox per project, per branch, per “what if this dependency is malware.” Boot them in parallel, let them run, throw them away. Each is fully independent — a mistake in one can’t reach the next, and idle ones cost nothing.

unattended

Walk away and let it cook

Hand the agent a goal and close the tab. It keeps working in a sandbox that can’t hurt anything you own — refactor a repo overnight, grind a migration, run an experiment to completion. Come back to a result, not a babysitting bill.

// what you can finally do

Run an untrusted repo end-to-endScrape at scale behind a clean IPReproduce a security PoCHand it keys that die with the boxBrowser automation on throwaway accountsAn overnight refactor on a sketchy codebase
06// proof

Your laptop, a container, and a sandbox — side by side.

Your laptop
zipbox
Kernel isolation
Shared with you
Dedicated kernel (KVM)
If the agent is hijacked
Your whole laptop
Just this sandbox
Reach into ~/.ssh, .env, cookies
Full access
None
Throwaway in one click
No
Deleted instantly
Safe in auto-accept mode
Reckless
By design
Public HTTPS URL included
No
Own subdomain
Price
Free, but it’s your laptop
$0.0342/hr, isolated & anonymous

Safer and more capable. Start with free credit on us, no card.

Boot a sandbox
07// questions

Worth asking before you give an agent root.

How fast is it, and do I need to install anything?
Pick an agent and a pre-warmed sandbox is handed to you in seconds with the agent already installed and running — no setup, no Docker, no kernel to wait on. You can even run models through our proxy, metered at cost plus 3%, so you don’t need your own API key to start — or bring your own key and pay the provider direct.
Why not just run coding agents on my laptop?
A coding agent is a shell. It can read your SSH keys, .env files and cookies, run any command it’s told to, and be steered by prompt injection — all as you. A sandbox hands it a throwaway machine instead, so a bad command or a hijacked tool call hits that sandbox and nothing else.
How is a sandbox different from a Docker container?
A container shares the host’s Linux kernel, so a kernel-level escape is a host compromise. A sandbox boots its own kernel behind a hardware (KVM) boundary — the same isolation cloud providers use to separate customers, and the same primitive behind AWS Lambda. The agent gets full root inside without putting your laptop at risk.
Can the agent escape the sandbox?
Not without breaking the hardware-virtualization boundary itself — a KVM-level exploit, not just a misconfigured container. That’s the strongest isolation generally available, and exactly why it’s safe to hand the agent full root inside.
How is my terminal access secured?
There is no password and no session token. When a sandbox boots, it’s cryptographically bound to you alone. To connect, your browser signs a fresh challenge and the sandbox verifies it against the owner it was born with. Nothing that unlocks your terminal is ever stored in a database, so there’s nothing to leak.
What happens when I pause or delete a sandbox?
Two buttons, honestly: Pause shuts the machine down and parks its disk in private storage — free, never billed — and you can restore it later and pick up where the agent left off. Delete shuts it down and wipes the image permanently: disk, memory, network, gone.
Which agents can I run?
Pi, Claude Code, Codex, Grok, Hermes, OpenClaw, opencode, Cline and Cursor CLI today, with more over time — or plain bash. Pick one when you boot a sandbox — most start pre-trusted, in full auto-approve mode; Cursor CLI signs in with your own Cursor account first.
How many sandboxes can I run?
As many as you want. Run one per project or one per experiment, then tear them down freely — each sandbox is fully independent.
What is the subdomain for?
Every sandbox gets a live address at <slug>.zbox.sh. Anything the agent serves inside the sandbox — a preview, dashboard, or API — is reachable there over HTTPS.
What does it cost?
Sandboxes come in 6 sizes, from $10 to $320 a month. The default Small box (2 vCPU · 4 GB RAM · 80 GB disk) is $0.0342 per hour — about $25 a month if you leave it on around the clock — and every size costs nothing while it’s paused. You start with free credit — no card required.
What happens when I run out of credit?
We email you the moment your balance hits zero, then hold a 1-hour grace period so nothing stops mid-run. Top up — manually or with auto top-up — and your sandboxes keep going. Ignore it and the sandboxes are archived (saved, never silently billed past zero). To unarchive one or boot more, bring your balance back above $0.
Do credits expire?
No. Credit you buy or earn stays on your balance until you spend it on sandbox time. There’s no monthly reset and no “use it or lose it.”
Can I cap my spend?
Yes. It’s prepaid, so you can only ever spend credit you’ve already added — there’s no surprise invoice. Top up in amounts as small as $5, leave auto top-up off, and your spend is hard-capped at whatever is on the balance.

Boot your first agent in seconds.

Pick an agent and get a fresh cloud machine with it already running — close the tab and it keeps working, and you pay only for what you use. Spin up as many as you want, then nuke them when you’re done.

Boot a sandbox

Free credit to start — no card, no setup