Skip to main content
This tutorial explains how to run code-server inside a Blaxel sandbox and expose it securely using sandbox preview URLs.

Prerequisites

Before starting, ensure you have:
  • Blaxel CLI installed and authenticated (bl login)

Create a base sandbox image

Dockerfile

entrypoint.sh

The critical step is configuring code-server to bind on the correct address and trust all origins. This is required because sandbox preview traffic is proxied through Blaxel’s infrastructure. Create an entrypoint script that creates the configuration file and starts the sandbox API and code-server:
The key configuration settings here are:
  • bind-addr: [::]:8081 - listens on all interfaces over both IPv4 and IPv6 on port 8081 (bracket syntax is required for IPv6 addresses in host:port form), the port exposed via the sandbox preview
  • auth: none - disables password auth (access will be gated using a private preview URL and token, discussed below)
  • cert: false - disables TLS termination (handled upstream by Blaxel)
  • trusted-origins: ["*"] - required to allow requests coming from the sandbox proxy origin; without this, code-server will reject WebSocket connections

blaxel.toml

Create a blaxel.toml file in the same directory as your Dockerfile:

Deploy the sandbox image

Deploy the image by running:

Create or reuse a sandbox

Create a sandbox from the base image:

Create the preview URL

code-server runs on port 8081, so we expose that port via a preview URL:

Generate a preview token

To securely access the preview, a token is required:

Start the server

The entrypoint starts code-server automatically. The following function can be used as a fallback to restart it if the process is not running:

Access the application

Once everything is running, code-server will be available at https://<PREVIEW-URL>?bl_preview_token=<TOKEN>

Complete example

Here is a full example combining all the steps:
Last modified on July 10, 2026