Deno Sandbox

Configure Deno Sandbox and run isolated sandboxes on Deno Deploy.

Deno Sandbox fits workloads that benefit from permission-style runtime controls. Use it when network allowlists, secrets, ports, or filesystem-style isolation matter more than matching a specific hosting platform.

Before you start

Install the Deno SDK alongside @vitehub/sandbox.

Terminal

pnpm add https://pkg.pr.new/nuxt-hub/agent/@vitehub/sandbox@main @deno/sandbox

Configure Deno

nuxt.config.ts

export default defineNuxtConfig({
  modules: ['@vitehub/sandbox/nuxt'],
  sandbox: {
    provider: 'deno',
    allowNet: ['api.notion.com'],
  },
})

Top-level sandbox config is the right place for defaults that most sandboxes should inherit.

Define a sandbox

Sandbox definitions accept only portable options (timeout, env, runtime). Set Deno-specific options such as allowNet, memory, region, and secrets in the top-level sandbox config.

server/sandboxes/release-notes.ts

import { defineSandbox } from '@vitehub/sandbox'

export default defineSandbox(async (payload?: { notes?: string }) => {
  return { notes: payload?.notes || '' }
}, {
  timeout: 90_000,
})

What changes on Deno

Concern	Behavior
Network access	Use `allowNet` to allow outbound connections from the sandbox.
Runtime configuration	Deno supports fields such as `env`, `labels`, `memory`, `port`, `region`, `root`, `secrets`, `ssh`, `timeout`, and `volumes`.
Scope	Put shared defaults at the top level. Put sandbox-local overrides next to the definition.

Choose Deno when one sandbox needs tighter execution permissions than the rest of the app.

Report an issue or Edit this page on GitHub

Vercel

Configure Vercel Sandbox and run isolated sandboxes on Vercel.

Docker

Configure Docker Sandbox and run isolated sandboxes locally.