What are sandbox images?
Sandbox images are pre-configured container images that serve as blueprints for creating sandboxes. Each image includes:- Base environment: Operating system and runtime configurations
- Tools: Languages, frameworks, and development tools
- Configuration: Environment variables, startup scripts, …
- Resources: Memory allocated
How sandbox images work
- Initial setup: Follow this guide to create your sandbox image for the first time. Use
bl pushto publish the image to Blaxel’s registry without creating a new sandbox or affecting existing sandboxes, orbl deployto push the image and also create a sandbox from it. - Build phase: Your Dockerfile is used to create a container with all required tools and configurations.
- Initialization phase: The sandbox API is injected and startup commands are executed.
- Instantiation: New sandboxes can be spawned from this image in seconds.
You cannot directly use “library” container images (such as those hosted on Docker Hub and other registries) as sandbox images. Instead, you must create one or more custom images for your sandboxes using Dockerfiles and ensure that each image includes Blaxel’s sandbox API binary. This is necessary for sandbox functionality like process management and file operations.
Pre-built images
Blaxel provides a library of pre-built container images for common needs.| Image | Description |
|---|---|
blaxel/base-image:latest | Minimal environment with Node.js 22 (Alpine) and Python 3.12 |
blaxel/py-app:latest | Python 3.12 development environment |
blaxel/ts-app:latest | TypeScript development environment with Node.js 22 (slim) |
blaxel/node:latest | Node.js development environment with Node.js 23 (Alpine) |
blaxel/claude-code:latest | Claude Code CLI environment with Node.js 24 (slim) |
blaxel/codex:latest | Codex CLI environment with Node.js 24 (slim) |
blaxel/nextjs:latest | Next.js development environment with Node.js 22 (Alpine) |
blaxel/vite:latest | Vite + React + TS development environment with Node.js 22 (Alpine) |
blaxel/astro:latest | Astro development environment with Node.js 22 (Alpine) |
blaxel/expo:latest | React Native (Expo) development with Node.js 22 (Alpine) |
blaxel/chromium:latest | Headless Chromium environment with Chrome 124 (Alpine) |
blaxel/lightpanda:latest | Lightweight headless browser |
blaxel/playwright-chromium:latest | Playwright + Chromium browser automation environment with Node.js 20 |
blaxel/playwright-firefox:latest | Playwright + Firefox browser automation environment with Node.js 20 |
blaxel/docker-in-sandbox:latest | Docker environment |
blaxel/xfce-vnc:latest | XFCE desktop environment with VNC |
blaxel/cua-xfce:latest | XFCE desktop environment with CUA |
blaxel/jupyter-notebook:latest | Jupyter Notebook with Python 3.12 |
blaxel/jupyter-server:latest | Jupyter Server with Python 3.12 |
blaxel/benchmark:latest | Sandbox benchmarking environment |
Custom images
You can also customize an image for specific needs.Create a sandbox image
You can create a customized sandbox image using the Blaxel CLI or REST API.Blaxel CLI
1. Initialize an image
Start by creating a new sandbox image using the Blaxel CLI:2. Customize the Dockerfile
The Dockerfile is the heart of your image. It defines what will be available in your sandbox environment.3. Configure image settings
Theblaxel.toml file defines your image’s runtime configuration:
It is not possible to add or update environment variables for a sandbox after it is created. Ensure that any required environment variables are defined in your Dockerfile, your
blaxel.toml file, or at sandbox creation time using the Blaxel SDKs. See the variables and secrets documentation for details.4. Define initialization
Theentrypoint.sh script runs when a sandbox is created from this image:
5. Build and test locally
Before pushing the image to Blaxel, test it locally:6. Push the image
Once satisfied with your configuration, push the image to Blaxel:- Build your Docker image
- Push it to Blaxel’s registry (private to your workspace)
- Return an image ID you can use for creating sandboxes
Blaxel SDK
The Blaxel SDK includes a declarative image builder that lets you define custom sandbox images directly in your code using a fluent, chainable API. Instead of writing Dockerfiles manually, you describe your image step by step, and the SDK generates the Dockerfile, builds the image, and deploys it as a sandbox. This approach is ideal for dynamic image definitions, CI/CD pipelines, or when your image configuration depends on runtime logic.The declarative image builder is available in the TypeScript and Python SDKs. The Go SDK does not support this feature.
- Define: Use the fluent API to describe your image starting from a base image.
- Chain: Each method returns a new immutable
ImageInstance, so you can branch and reuse configurations. - Build: Call
build()to generate a Dockerfile, package it with any local files, upload it to Blaxel, and deploy it as a sandbox.
Select a base image
Start by selecting a base image from any Docker registry:Execute build commands
Execute shell commands during the image build:Use package managers
The SDK provides convenience methods for common package managers. These generate optimizedRUN commands with sensible defaults (e.g., cache cleanup for apt).
Python (pip)
Python (uv)
Node.js (npm, yarn, pnpm, bun)
Install system packages (apt, apk)
Use other package managers
Add Dockerfile instructions
All standard Dockerfile instructions are available as methods.Specify the working directory
Define environment variables
Copy files
Expose ports
Set an entrypoint
Add users
Add labels and build arguments
Add local files
Copy files and directories from your local machine into the image:COPY-ed into the image. You can optionally provide a contextName (TypeScript) / context_name (Python) parameter to control the filename in the build context.
Build and deploy
Basic build
Build with all options
build() method automatically:
- Injects the Blaxel sandbox API binary
- Sets a default entrypoint if none was specified
- Packages the Dockerfile and local files into a ZIP archive
- Uploads and deploys the image as a sandbox
- Polls until the sandbox reaches
DEPLOYEDorFAILEDstatus
Inspect the generated Dockerfile
You can preview the Dockerfile without building:Write to disk
You can also write the image to a folder for manual inspection or use withbl deploy:
Understand immutability and branching
Each method returns a newImageInstance, leaving the original unchanged. This lets you create base images and branch from them:
Example script
A complete example building a Node.js / Python development sandbox:API reference
Methods
| Method | Description |
|---|---|
fromRegistry / from_registry | Create an image from a Docker registry base image |
runCommands / run_commands | Run shell commands (RUN) |
workdir | Set working directory (WORKDIR) |
env | Set environment variables (ENV) |
copy | Copy from build context (COPY) |
addLocalFile / add_local_file | Add a local file to build context and image |
addLocalDir / add_local_dir | Add a local directory to build context and image |
expose | Expose ports (EXPOSE) |
entrypoint | Set container entrypoint (ENTRYPOINT) |
user | Set the user (USER) |
label | Add labels (LABEL) |
arg | Define build arguments (ARG) |
pipInstall / pip_install | Install Python packages with pip |
uvInstall / uv_install | Install Python packages with uv |
pipxInstall / pipx_install | Install Python CLI apps with pipx |
aptInstall / apt_install | Install Debian/Ubuntu packages |
apkAdd / apk_add | Install Alpine packages |
npmInstall / npm_install | Install Node.js packages (npm/yarn/pnpm/bun) |
gemInstall / gem_install | Install Ruby gems |
cargoInstall / cargo_install | Install Rust crates |
goInstall / go_install | Install Go packages |
composerInstall / composer_install | Install PHP packages |
build | Build and deploy as a sandbox |
write | Write image to a folder |
writeTemp / write_temp | Write image to a temporary folder |
Properties
| Property | Description |
|---|---|
dockerfile | Generated Dockerfile content |
hash | 12-character SHA256 hash of the image configuration |
baseImage / base_image | Base image tag |
Blaxel API
Although less common, it is also possible to create a sandbox image and sandbox by directly interacting with the Blaxel API. Ensure that you have the following:- A Blaxel API key
- The workspace name, found at the bottom left corner of the Blaxel Console or via
bl workspaces
1. Create a ZIP archive
Create a directory with the following project contents:Dockerfile(required) - Defines your custom sandbox image and must includesandbox-api- Any custom scripts (e.g.,
entrypoint.shfor initialization logic) - Configuration files or data files as needed
- Additional dependencies or binaries your sandbox requires
- The Dockerfile is the heart of your image. It defines what will be available in your sandbox environment. See an example.
- The
entrypoint.shscript runs when a sandbox is created from this image. See an example.
2. Create a sandbox resource
Set your Blaxel API key and workspace as environment variables:upload=true query parameter in the request, which indicates intent to upload custom code.
The Blaxel API returns a JSON response. The response contains an x-blaxel-upload-url response header, containing the target URL to use when uploading your image. The URL is in the response headers, not the JSON body.
Example response:
3. Upload ZIP archive
Use an HTTP PUT request to upload the ZIP file to the upload URL. Replace the placeholder URL in the command below with the value of thex-blaxel-upload-url response header received earlier.
200 OK status code.
4. Monitor deployment status
After uploading, poll the sandbox status endpoint to track the build and deployment progress. Make a GET request tohttps://api.blaxel.ai/v0/sandboxes/<SANDBOX-NAME>, where SANDBOX-NAME is the metadata.name specified in the initial POST request.
status field of the response will progress through these values:
| Status | Description |
|---|---|
UPLOADING | Code archive is being uploaded |
BUILDING | Docker image is being built |
DEPLOYING | Container is being deployed to the cluster |
DEPLOYED | Sandbox is ready to use |
FAILED | Deployment failed (check build logs) |
DEACTIVATED | Sandbox has been deactivated |
DEPLOYED or FAILED.
A first sandbox from that image is automatically created on Blaxel once deployment succeeds. You can safely delete the sandbox and keep using the image for new sandboxes.
Example script
Here’s a complete example script that performs all the steps above:mytemplate with your custom Dockerfile and entrypoint script:
deploy-sandbox.sh (Shell), index.ts (TypeScript) or main.py (Python):
Deploy from a private registry
Instead of building from source, you can pointblaxel.toml directly at an image in a private registry:
bl push or bl deploy as usual.
To configure registry credentials, you have three options (listed in priority order):
-
Pass the credentials inline to
bl pushorbl deploywith the--registry-credflag -
Pass the credentials from a different configuration file to
bl pushorbl deploywith the--docker-configflag -
Place a
.docker/config.jsonin your project directory using the standard Docker config format (you can copy your existing~/.docker/config.json). The file will be automatically detected and used bybl pushorbl deploy.
- Docker Hub
- GitHub Container Registry
- Google Artifact Registry
- Amazon ECR
- Any private registry which supports Basic auth
Use a custom image
Once an image is successfully pushed, you can spawn new sandboxes instantly by using its image ID. Use the following command to retrieve the image ID of the most recently pushed image:Update a custom image
To update an existing custom image:- Modify your Dockerfile or configuration
- Rebuild locally to test changes
- Push the new version:
Share images across workspaces and accounts
Once you have a custom image, you can share it with other workspaces in the same account, or with other accounts - for example, to promote an image fromdevelopment to production without rebuilding or re-pushing, or to share an image between different teams. Only the metadata record is copied to the target workspace or account; the underlying storage stays in the source.
When you share an image:
- The metadata is copied to the target workspace or account, pointing to the same underlying data in the source.
- The target workspace or account can use the shared image to create sandboxes, just like a locally-owned image.
- Storage billing stays with the source workspace or account.
- New tags pushed to the source image are automatically propagated to all workspaces and accounts it is shared with.
sourceWorkspace field. In the Blaxel Console, they are marked with a badge showing the source workspace or account name.
Prerequisites
- When sharing between workspaces or accounts, you must be an administrator of the source workspace. When sharing between accounts, your share request will be completed only when it receives approval from an administrator of the target account.
- The image must be locally owned in the source workspace or account. You cannot re-share an image that was shared to you from elsewhere.
Share an image
Blaxel Console
To share with another workspace in the same account:- Navigate to the Images page in the source workspace.
- Click the actions menu (three dots) on the image you want to share.
- Select Share.
- In the dialog, select the Same account tab.
- Select the target workspace from the dropdown.
-
Click Share to confirm.

- Navigate to the Images page in the source workspace.
- Click the actions menu (three dots) on the image you want to share.
- Select Share.
- In the dialog, select the Different account tab.
- Select the target account from the dropdown.
-
Click Share to confirm.

Blaxel CLI
Currently, the Blaxel CLI only supports image sharing across workspaces. To share images across accounts, use the Blaxel Console or the Management API instead.
bl share image command:
Sharing applies to the entire image (all tags). Tag-qualified references like
sandbox/my-template:v1.0 are not accepted.Management API
For sharing between workspaces in the same account:List shared images
Blaxel Console
On the image detail page in the Blaxel Console, images shared across workspaces or accounts are listed with the option to revoke sharing for each workspace or account individually.Management API
Unshare an image
Unsharing removes the metadata record from the target workspace or account. The image data in the source workspace is not affected. You cannot delete an image (or individual tags) while it is shared. You must unshare from all connected workspaces or accounts first.Blaxel Console
- Navigate to the Images page in the source workspace.
- Open the image detail page.
- In the shared workspaces list, click Unshare next to the target workspace or account you want to revoke.
Blaxel CLI
Use thebl unshare image command:
Management API
Billing
Storage billing is tied to the source workspace. Metering and costs remain with the workspace that originally pushed the image, regardless of how many workspaces or accounts it is shared with. The consuming workspace or account pays nothing for image storage of shared images.Constraints and limitations
- No re-sharing: A shared image cannot be re-shared from the consuming workspace to a third workspace or account. Only the original owner can share.
- Deletion protection: You cannot delete an image (or individual tags) while it is shared with other workspaces or accounts. You must unshare from all target workspaces first.
- Whole image only: Sharing applies to the entire image with all its tags. You cannot share individual tags.
- Admin-only: Both sharing and unsharing require administrator permissions.
Best practices
1. Optimize for cold starts
- Use smaller base images (Alpine when possible)
- Minimize layers in Dockerfile
- Pre-install only essential packages
- Defer optional installations to runtime
2. Cache dependencies
3. Security considerations
- Don’t include secrets in images
- Use Blaxel’s secrets management for sensitive data
- Keep base images updated
- Scan for vulnerabilities regularly
4. Resource optimization
Choose appropriate resources for your use case:| Use Case | Memory |
|---|---|
| Light development | 2GB |
| Small web application | 4GB |
| Full-stack web | 8GB |
Volume templates
Pre-populate volumes with files for faster environment setup.
Workspace access control
Understand accounts, workspaces, and admin permissions.
