ssh exe.dev new
your sandbox
# create a sandbox, run a command on it, delete it
$ ssh exe.dev new --name sbx1234 --image exeuntu
$ ssh sbx1234.exe.xyz "python3 -c 'print(2+2)'"
4
$ ssh exe.dev rm sbx1234
// npm install node-ssh — uses only node:https + node-ssh
import { request } from "node:https";
import { NodeSSH } from "node-ssh";
import ssh2 from "ssh2"; // bundled with node-ssh
const TOKEN = process.env.EXE_TOKEN;
// POST to the HTTPS API. The body is the command you'd type after `ssh exe.dev`.
function exec(command) {
return new Promise((resolve, reject) => {
const req = request("https://exe.dev/exec",
{ method: "POST", headers: { Authorization: `Bearer ${TOKEN}` } },
(res) => {
let body = "";
res.on("data", (c) => (body += c));
res.on("end", () => res.statusCode < 300
? resolve(JSON.parse(body))
: reject(new Error(body)));
});
req.on("error", reject);
req.end(command);
});
}
const name = `sbx-${Math.random().toString(36).slice(2, 8)}`;
// 1. create a sandbox (exeuntu ships with python3)
await exec(`new --name ${name} --image exeuntu`);
// 2. generate an SSH key and register the public half
const key = ssh2.utils.generateKeyPairSync("ed25519");
await exec(`ssh-key add '${key.public} ${name}'`);
// 3. SSH in with the private key and run a command
const ssh = new NodeSSH();
await ssh.connect({ host: `${name}.exe.xyz`, username: "exedev", privateKey: key.private });
const out = await ssh.execCommand("python3 -c 'print(2+2)'");
console.log(out.stdout.trim()); // => "4"
ssh.dispose();
// 4. clean up
await exec(`ssh-key remove ${name}`);
await exec(`rm ${name}`);
The JS example needs a token whose SSH key can create VMs and SSH into them:
ssh exe.dev "ssh-key generate-api-key --label=demo --cmds='new,rm,ssh-key add,ssh-key remove,ssh' --exp=1d"
A sandbox an agent can actually live in.
Most “AI sandboxes” are short-lived containers in a vendor’s cluster. Great for one-shot code execution. Awkward for everything else: long-running services, browser automation, databases, builds with caches, agents that come back tomorrow.
An exe.dev VM is just a Linux box. It has a public hostname, a routable IP, root,
systemd, a disk that persists, and SSH on the front door. Your agent can apt install,
serve HTTP, hold state across runs, and pick up where it left off.
- Real isolation. KVM virtual machines, not shared kernels.
- Persistent. Disks survive restarts. Stopped VMs cost disk-only.
- Networked. Each VM gets a public HTTPS hostname behind exe.dev’s proxy.
- Yours. Same VM you’d SSH into yourself — no proprietary container shape.
Tokens your security team will sign off on.
API tokens carry their permissions in the token, as signed JSON. Set exp
to bound replay risk, set cmds to whitelist exactly the operations an agent
may perform, and embed your own ctx for tenant tagging.
Tokens are signed by your SSH key. Rotate by adding a new key. Revoke by removing one. No console required.
Secrets your agent can use, but never see.
Hand an agent an API key and one of two things happens: it refuses to touch it (“the secret is exposed!”), or it cheerfully scribbles it into memory and tries to reuse it next session, long after you’ve rotated the key.
exe.dev Integrations solve this with an HTTP proxy that lives inside your VM. The agent makes plain unauthenticated requests to an internal hostname; the proxy attaches the auth header on the way out. The secret never enters the model’s context.
- Tag-based scoping. Attach an integration to a tag; tagged VMs (and their clones) get it for free.
- Works for most APIs. Stripe, OpenAI, Anthropic, anything that auths via an HTTP header.
- OAuth, handled. The GitHub integration is a full GitHub App — no manual token rotation.
- Clone-safe. Spin off a fresh sandbox for each agent run; integrations follow automatically.
Read the design notes: Some secret management belongs in your HTTP proxy.
Two pricing models. Same VMs.
Spiky agent workloads aren’t one shape. Use pool pricing for predictable monthly capacity, or usage pricing for elastic, per-second billing.
Pool
flat monthly
A fixed bundle of CPU, RAM, disk, and transfer that your fleet of VMs shares. Spin up a thousand short-lived sandboxes against the same pool. Predictable invoice.
- Personal: $20/mo — 50 VMs, 2×8 baseline
- Team: $25/user/mo — burst into teammates’ capacity
- Cloud Pool: from $35.84/hr — thousands of VMs, SSO, AWS VPC
Usage
per second
Pay only for what an agent actually used. CPU and active memory bill by peak hourly usage; idle VMs drop to disk-only. Best for bursty agent fleets and per-tenant isolation.
- CPU: $0.05 / core-hour
- Active memory: $0.016 / GiB-hour
- Disk: $0.08 / GiB-month
- Idle VMs: no CPU charge, memory at disk rate
Need both? You can. Pool your steady-state workers, burst overflow onto usage. Talk to us: support@exe.dev.
There are many sandboxes
for AI agents,
but this one is a real computer.
exe.dev gives your agents persistent Linux VMs with root, a public hostname, and a real network stack. Drive them from your code over SSH or plain HTTPS.