
Egress

Sandboxes are open by default. A sandbox with no egress rules can reach any external host. For sandboxes that run untrusted or AI-generated code, set an allowlist before the sandbox runs any user-supplied input. Rules are enforced in-kernel on the host and cannot be bypassed from inside the VM.

Egress rules control which external hosts a sandbox can reach. By default (empty rule list) all outbound traffic is allowed. Once you set any rules, only the listed destinations pass; everything else is dropped in-kernel.

Rules apply live with no sandbox restart required.

Get your API key from https://createos.nodeops.network/profile. Pass it as X-Api-Key: <token> on every request.

Base URL: https://api.sb.createos.sh


At a glance

  • Base URL: https://api.sb.createos.sh
  • Auth: X-Api-Key: <token> header. Get a token at https://createos.nodeops.network/profile
  • Response envelope: JSend, {"status": "...", "data": ...}

Rule formats

Each rule is a string in one of these forms:

| Format | Example | Effect |
| --- | --- | --- |
| host | pypi.org | Allow all ports to that hostname. |
| host:port | github.com:443 | Allow only that port. |
| *.host | *.pythonhosted.org | Wildcard subdomain match. |
| ip | 1.1.1.1 | Allow all ports to that IP. |
| ip:port | 1.1.1.1:53 | Allow only that port. |
| cidr | 10.0.0.0/8 | Allow all ports to that CIDR block. |
| cidr:port | 10.0.0.0/8:8080 | Allow only that port in the block. |
| * | * | Allow all destinations (same as empty list). |

Empty list / null / ["*"] allows all outbound traffic (no iptables chain installed).

There is no denylist token. To block one destination you must list all destinations you do want.


GET /v1/sandboxes/{id}/egress

Read the current egress allowlist for a sandbox.

Auth required: Yes

Path parameters

| Parameter | Description |
| --- | --- |
| id | Sandbox id. |

Example

Bash
curl https://api.sb.createos.sh/v1/sandboxes/sb-01K.../egress \
  -H "X-Api-Key: $CREATEOS_API_KEY"

Success response 200

JSON
{
  "status": "success",
  "data": {
    "id": "sb-01K…",
    "egress": [
      "pypi.org",
      "*.pythonhosted.org",
      "github.com:443"
    ]
  }
}

Notable errors: 404 sandbox not found or not owned by caller.


PUT /v1/sandboxes/{id}/egress

Replace the egress allowlist atomically. The new rules take effect immediately; the in-kernel iptables chain is flushed and rebuilt in a single update.

Auth required: Yes

Path parameters

| Parameter | Description |
| --- | --- |
| id | Sandbox id. |

Request body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| egress | array of strings | No | Full replacement allowlist. null, missing, [], or ["*"] all mean allow-all. |

Example: restrict to PyPI and GitHub

Bash
curl -X PUT https://api.sb.createos.sh/v1/sandboxes/sb-01K.../egress \
  -H "X-Api-Key: $CREATEOS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "egress": [
      "pypi.org",
      "*.pythonhosted.org",
      "github.com:443",
      "1.1.1.1:53"
    ]
  }'

Success response 200

JSON
{
  "status": "success",
  "data": {
    "id": "sb-01K…",
    "egress": [
      "pypi.org",
      "*.pythonhosted.org",
      "github.com:443",
      "1.1.1.1:53"
    ]
  }
}

Example: restore allow-all

Bash
curl -X PUT https://api.sb.createos.sh/v1/sandboxes/sb-01K.../egress \
  -H "X-Api-Key: $CREATEOS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"egress": []}'

Notable errors: 404 sandbox not found.
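
A pre-flight check for the allowlist, as an added example that is not part of the CreateOS documentation or SDK: it classifies each rule against the forms in the Rule formats table, refuses any list the API would treat as allow-all (null, [], or a list containing "*"), and compares a GET /egress response with the intended list. The function names, the hostname grammar, the IPv4-only parsing and the rejection of a wildcard combined with a port are assumptions made here; the page specifies none of them.

```python
import ipaddress
import re

# Hostname grammar is an assumption; the page gives examples but no formal syntax.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST = re.compile(rf"(\*\.)?{_LABEL}(?:\.{_LABEL})*", re.I)


def classify_rule(rule):
    """Return the documented form a rule matches, or raise ValueError."""
    if rule == "*":
        return "allow-all"
    target, sep, port = rule.rpartition(":")
    if sep and port.isdigit():
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {rule!r}")
        suffix = ":port"
    else:
        target, suffix = rule, ""
    if "/" in target:
        ipaddress.IPv4Network(target, strict=False)  # ValueError if malformed
        return "cidr" + suffix
    if re.fullmatch(r"[0-9.]+", target):
        ipaddress.IPv4Address(target)  # ValueError for e.g. 999.1.1.1
        return "ip" + suffix
    if not _HOST.fullmatch(target):
        raise ValueError(f"not a documented rule form: {rule!r}")
    if target.startswith("*.") and suffix:  # the page lists no wildcard:port form
        raise ValueError(f"wildcard with a port is not documented: {rule!r}")
    return "*.host" if target.startswith("*.") else "host" + suffix


def build_egress_body(rules):
    """Validate rules and return the PUT body; refuse anything meaning allow-all."""
    if not rules:
        raise ValueError("null or [] means allow-all; refusing to send")
    if "allow-all" in [classify_rule(r) for r in rules]:
        raise ValueError('"*" allows all destinations; refusing to send')
    return {"egress": list(rules)}


def allowlist_drift(expected, response):
    """Compare a GET /egress JSend response with the intended allowlist."""
    if response.get("status") != "success":
        raise ValueError(f"unexpected status: {response.get('status')!r}")
    live = set(response["data"].get("egress") or [])
    return {"allow_all": not live or "*" in live,
            "missing": sorted(set(expected) - live),
            "unexpected": sorted(live - set(expected))}
```

Run build_egress_body before every PUT and allowlist_drift on the GET response afterwards; an allow_all value of True means the sandbox is open regardless of what was intended.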


Setting egress at sandbox creation

You can also supply the initial egress list when creating a sandbox. Pass egress in the POST /v1/sandboxes body:

JSON
{
  "shape": "s-1vcpu-256mb",
  "egress": ["pypi.org", "github.com:443"]
}

See /createos/docs/Sandbox/REST-API/Sandboxes for the full create request shape.
