This tutorial explains how to run code-server inside a Blaxel sandbox and expose it securely using sandbox preview URLs.
Prerequisites
Before starting, ensure you have:
Create a base sandbox image
Dockerfile
entrypoint.sh
The critical step is configuring code-server to bind on the correct address and trust all origins. This is required because sandbox preview traffic is proxied through Blaxel’s infrastructure.
Create an entrypoint script that creates the configuration file and starts the sandbox API and code-server:
The key configuration settings here are:
bind-addr: [::]:8081 - listens on all interfaces over both IPv4 and IPv6 on port 8081 (bracket syntax is required for IPv6 addresses in host:port form), the port exposed via the sandbox preview
auth: none - disables password auth (access will be gated using a private preview URL and token, discussed below)
cert: false - disables TLS termination (handled upstream by Blaxel)
trusted-origins: ["*"] - required to allow requests coming from the sandbox proxy origin; without this, code-server will reject WebSocket connections
blaxel.toml
Create a blaxel.toml file in the same directory as your Dockerfile:
Deploy the sandbox image
Deploy the image by running:
Create or reuse a sandbox
Create a sandbox from the base image:
Create the preview URL
code-server runs on port 8081, so we expose that port via a preview URL:
Generate a preview token
To securely access the preview, a token is required:
Start the server
The entrypoint starts code-server automatically. The following function can be used as a fallback to restart it if the process is not running:
Access the application
Once everything is running, code-server will be available at https://<PREVIEW-URL>?bl_preview_token=<TOKEN>
Complete example
Here is a full example combining all the steps:
Last modified on July 10, 2026