modal.Sandbox

class Sandbox(modal.object.Object)

A Sandbox object lets you interact with a running sandbox. This API is similar to Python’s asyncio.subprocess.Process.

Refer to the guide on how to spawn and use sandboxes.

hydrate 

def hydrate(self, client: Optional[_Client] = None) -> Self:

Synchronize the local object with its identity on the Modal server.

It is rarely necessary to call this method explicitly, as most operations will lazily hydrate when needed. The main use case is when you need to access object metadata, such as its ID.

Added in v0.72.39: This method replaces the deprecated .resolve() method.

create 

@staticmethod
def create(
    *args: str,  # Set the CMD of the Sandbox, overriding any CMD of the container image.
    # Associate the sandbox with an app. Required unless creating from a container.
    app: Optional["modal.app._App"] = None,
    name: Optional[str] = None,  # Optionally give the sandbox a name. Unique within an app.
    tags: Optional[dict[str, str]] = None,  # Tags to attach to the Sandbox.
    image: Optional[_Image] = None,  # The image to run as the container for the sandbox.
    env: Optional[dict[str, Optional[str]]] = None,  # Environment variables to set in the Sandbox.
    secrets: Optional[Collection[_Secret]] = None,  # Secrets to inject into the Sandbox as environment variables.
    network_file_systems: dict[Union[str, os.PathLike], _NetworkFileSystem] = {},
    timeout: int = 300,  # Maximum lifetime of the sandbox in seconds.
    # The amount of time in seconds that a sandbox can be idle before being terminated.
    idle_timeout: Optional[int] = None,
    workdir: Optional[str] = None,  # Working directory of the sandbox.
    gpu: Optional[str] = None,
    cloud: Optional[str] = None,
    region: Optional[Union[str, Sequence[str]]] = None,  # Region or regions to run the sandbox on.
    # Specify, in fractional CPU cores, how many CPU cores to request.
    # Or, pass (request, limit) to additionally specify a hard limit in fractional CPU cores.
    # CPU throttling will prevent a container from exceeding its specified limit.
    cpu: Optional[Union[float, tuple[float, float]]] = None,
    # Specify, in MiB, a memory request which is the minimum memory required.
    # Or, pass (request, limit) to additionally specify a hard limit in MiB.
    memory: Optional[Union[int, tuple[int, int]]] = None,
    block_network: bool = False,  # Whether to block network access
    # List of CIDRs the sandbox is allowed to access. If None, all CIDRs are allowed.
    outbound_cidr_allowlist: Optional[Sequence[str]] = None,
    # List of CIDRs allowed to connect inbound to the sandbox (tunnels and connection tokens).
    inbound_cidr_allowlist: Optional[Sequence[str]] = None,
    volumes: dict[
        Union[str, os.PathLike], Union[_Volume, _CloudBucketMount]
    ] = {},  # Mount points for Modal Volumes and CloudBucketMounts
    # Enable a PTY for the Sandbox entrypoint command. When enabled, all output (stdout and stderr
    # from the process) is multiplexed into stdout, and the stderr stream is effectively empty.
    pty: bool = False,
    # List of ports to tunnel into the sandbox. Encrypted ports are tunneled with TLS.
    encrypted_ports: Sequence[int] = [],
    # List of encrypted ports to tunnel into the sandbox, using HTTP/2.
    h2_ports: Sequence[int] = [],
    # List of ports to tunnel into the sandbox without encryption.
    unencrypted_ports: Sequence[int] = [],
    # Allow connections to the Sandbox via a subdomain of this parent rather than a default Modal domain.
    custom_domain: Optional[str] = None,
    # Reference to a Modal Proxy to use in front of this Sandbox.
    proxy: Optional[_Proxy] = None,
    # If True, the sandbox will receive a MODAL_IDENTITY_TOKEN env var for OIDC-based auth.
    include_oidc_identity_token: bool = False,
    # Probe used to determine when the sandbox has become ready.
    readiness_probe: Optional[Probe] = None,
    # Enable verbose logging for sandbox operations.
    verbose: bool = False,
    experimental_options: Optional[dict[str, bool]] = None,
    # Enable memory snapshots.
    _experimental_enable_snapshot: bool = False,
    client: Optional[_Client] = None,
    environment_name: Optional[str] = None,  # *DEPRECATED* Optionally override the default environment
    pty_info: Optional[api_pb2.PTYInfo] = None,  # *DEPRECATED* Use `pty` instead. `pty` will override `pty_info`.
    cidr_allowlist: Optional[Sequence[str]] = None,  # *DEPRECATED* Use outbound_cidr_allowlist instead.
) -> "_Sandbox":

Create a new Sandbox to run untrusted, arbitrary code.

The Sandbox’s corresponding container will be created asynchronously.

Usage

app = modal.App.lookup('sandbox-hello-world', create_if_missing=True)
sandbox = modal.Sandbox.create("echo", "hello world", app=app)
print(sandbox.stdout.read())
sandbox.wait()

detach 

def detach(self):

Disconnects your client from the sandbox and cleans up resources assoicated with the connection.

Be sure to only call detach when you are done interacting with the sandbox. After calling detach, any operation using the Sandbox object is not guaranteed to work anymore. If you want to continue interacting with a running sandbox, use Sandbox.from_id to get a new Sandbox object.

from_name 

@staticmethod
def from_name(
    app_name: str,
    name: str,
    *,
    environment_name: Optional[str] = None,
    client: Optional[_Client] = None,
) -> "_Sandbox":

Get a running Sandbox by name from a deployed App.

Raises a modal.exception.NotFoundError if no running sandbox is found with the given name. A Sandbox’s name is the name argument passed to Sandbox.create.

from_id 

@staticmethod
def from_id(sandbox_id: str, client: Optional[_Client] = None) -> "_Sandbox":

Construct a Sandbox from an id and look up the Sandbox result.

The ID of a Sandbox object can be accessed using .object_id.

get_tags 

def get_tags(self) -> dict[str, str]:

Fetches any tags (key-value pairs) currently attached to this Sandbox from the server.

set_tags 

def set_tags(self, tags: dict[str, str], *, client: Optional[_Client] = None) -> None:

Set tags (key-value pairs) on the Sandbox. Tags can be used to filter results in Sandbox.list.

snapshot_filesystem 

def snapshot_filesystem(self, timeout: int = 55) -> _Image:

Snapshot the filesystem of the Sandbox.

Returns an Image object which can be used to spawn a new Sandbox with the same filesystem.

timeout If the snapshot does not return within that window, the call is cancelled and modal.exception.TimeoutError is raised.

mount_image 

def mount_image(self, path: Union[PurePosixPath, str], image: _Image):

Mount an Image at a specified path in a running Sandbox.

path should be a directory that is not the root path (/). If the path doesn’t exist it will be created. If it exists and contains data, the previous directory will be replaced by the mount.

The image argument supports any Image that has an object ID, including:

• Images built using image.build()
• Images referenced by ID, e.g. Image.from_id(...)
• Filesystem/directory snapshots, e.g. created by .snapshot_directory() or .snapshot_filesystem()
• Empty images created with Image.from_scratch()

Usage:

user_project_snapshot: Image = sandbox_session_1.snapshot_directory("/user_project")

# You can later mount this snapshot to another Sandbox:
sandbox_session_2 = modal.Sandbox.create(...)
sandbox_session_2.mount_image("/user_project", user_project_snapshot)
sandbox_session_2.ls("/user_project")

unmount_image 

def unmount_image(self, path: Union[PurePosixPath, str]):

Unmount a previously mounted Image from a running Sandbox.

path must be the exact mount point that was passed to .mount_image(). After unmounting, the underlying Sandbox filesystem at that path becomes visible again.

snapshot_directory 

def snapshot_directory(self, path: Union[PurePosixPath, str]) -> _Image:

Snapshot a directory in a running Sandbox, creating a new Image with its content.

Directory snapshots are currently persisted for 30 days after they were created.

Usage:

user_project_snapshot: Image = sandbox_session_1.snapshot_directory("/user_project")

# You can later mount this snapshot to another Sandbox:
sandbox_session_2 = modal.Sandbox.create(...)
sandbox_session_2.mount_image("/user_project", user_project_snapshot)
sandbox_session_2.ls("/user_project")

wait 

def wait(self, raise_on_termination: bool = True):

Wait for the Sandbox to finish running.

wait_until_ready 

def wait_until_ready(self, *, timeout: int = 300) -> None:

Wait for the Sandbox readiness probe to report that the Sandbox is ready.

The Sandbox must be configured with a readiness_probe in order to use this method.

Usage:

app = modal.App.lookup('sandbox-wait-until-ready', create_if_missing=True)
sandbox = modal.Sandbox.create(
    "python3", "-m", "http.server", "8080",
    readiness_probe=modal.Probe.with_tcp(8080),
    app=app,
)
sandbox.wait_until_ready()

tunnels 

def tunnels(self, timeout: int = 50) -> dict[int, Tunnel]:

Get Tunnel metadata for the sandbox.

Raises SandboxTimeoutError if the tunnels are not available after the timeout.

Returns a dictionary of Tunnel objects which are keyed by the container port.

NOTE: Previous to client v0.64.153, this returned a list of TunnelData objects.

create_connect_token 

def create_connect_token(
    self, user_metadata: Optional[Union[str, dict[str, Any]]] = None
) -> SandboxConnectCredentials:

Create a token for making HTTP connections to the Sandbox.

Also accepts an optional user_metadata string or dict to associate with the token. This metadata will be added to the headers by the proxy when forwarding requests to the Sandbox.

reload_volumes 

def reload_volumes(self) -> None:

Reload all Volumes mounted in the Sandbox.

Added in v1.1.0.

terminate 

def terminate(
    self,
    *,
    wait: bool = False,  # wait for terminate to complete and return the exit code.
) -> int | None:

Terminate Sandbox execution.

This is a no-op if the Sandbox has already finished running.

poll 

def poll(self) -> Optional[int]:

Check if the Sandbox has finished running.

Returns None if the Sandbox is still running, else returns the exit code.

exec 

def exec(
    self,
    *args: str,
    stdout: StreamType = StreamType.PIPE,
    stderr: StreamType = StreamType.PIPE,
    timeout: Optional[int] = None,
    workdir: Optional[str] = None,
    env: Optional[dict[str, Optional[str]]] = None,  # Environment variables to set during command execution.
    secrets: Optional[
        Collection[_Secret]
    ] = None,  # Secrets to inject as environment variables during command execution.
    # Encode output as text.
    text: bool = True,
    # Control line-buffered output.
    # -1 means unbuffered, 1 means line-buffered (only available if `text=True`).
    bufsize: Literal[-1, 1] = -1,
    # Enable a PTY for the command. When enabled, all output (stdout and stderr from the
    # process) is multiplexed into stdout, and the stderr stream is effectively empty.
    pty: bool = False,
    _pty_info: Optional[api_pb2.PTYInfo] = None,  # *DEPRECATED* Use `pty` instead. `pty` will override `pty_info`.
    pty_info: Optional[api_pb2.PTYInfo] = None,  # *DEPRECATED* Use `pty` instead. `pty` will override `pty_info`.
):

Execute a command in the Sandbox and return a ContainerProcess handle.

See the ContainerProcess docs for more information.

Usage

process = sandbox.exec("bash", "-c", "for i in $(seq 1 3); do echo foo $i; sleep 0.1; done")
for line in process.stdout:
    print(line)

filesystem 

filesystem: SandboxFilesystem

Namespace for Sandbox filesystem APIs.

filesystem.copy_from_local 

async def copy_from_local(self, local_path: Union[str, os.PathLike], remote_path: str) -> None:

Copy a local file into the Sandbox.

remote_path must be an absolute path to a file in the Sandbox. Parent directories for remote_path are created if needed. The remote file is overwritten if it already exists.

Raises

• SandboxFilesystemNotADirectoryError: a parent path component of remote_path is not a directory.
• SandboxFilesystemIsADirectoryError: remote_path points to a directory.
• SandboxFilesystemPermissionError: write permission is denied in the Sandbox.
• SandboxFilesystemError: the command fails for any other reason.
• FileNotFoundError: local_path does not exist.
• IsADirectoryError: local_path is a directory.
• PermissionError: reading local_path is not permitted.

Usage

import tempfile
from pathlib import Path

local_path = Path(tempfile.mktemp())
local_path.write_text("Hello, world!\n")
sandbox.filesystem.copy_from_local(local_path, "/tmp/hello.txt")

filesystem.copy_to_local 

async def copy_to_local(self, remote_path: str, local_path: Union[str, os.PathLike]) -> None:

Copy a file from the Sandbox to a local path.

remote_path must be an absolute path to a file in the Sandbox. Parent directories for local_path are created if needed. The local file is overwritten if it already exists.

Raises

• SandboxFilesystemNotFoundError: the remote path does not exist.
• SandboxFilesystemIsADirectoryError: the remote path points to a directory.
• SandboxFilesystemPermissionError: read permission is denied in the Sandbox.
• SandboxFilesystemError: the command fails for any other reason.
• IsADirectoryError: local_path points to a directory.
• NotADirectoryError: a component of the local_path parent is not a directory.
• PermissionError: writing local_path is not permitted.

Usage

sandbox.filesystem.write_text("Hello, world!\n", "/tmp/hello.txt")
sandbox.filesystem.copy_to_local("/tmp/hello.txt", "/tmp/local-hello.txt")

filesystem.list_files 

async def list_files(self, remote_path: str) -> list[FileInfo]:

List files and directories in a Sandbox directory.

remote_path must be an absolute path to a directory in the Sandbox. Returns a list of FileInfo objects describing each entry.

Raises

• SandboxFilesystemNotFoundError: the path does not exist.
• SandboxFilesystemNotADirectoryError: the path is not a directory.
• SandboxFilesystemPermissionError: read permission is denied.
• SandboxFilesystemError: the command fails for any other reason.

Usage

entries = sandbox.filesystem.list_files("/tmp")
for entry in entries:
    print(entry.name, entry.type, entry.size)

filesystem.make_directory 

async def make_directory(self, remote_path: str, *, create_parents: bool = True) -> None:

Create a new directory in the Sandbox.

remote_path must be an absolute path in the Sandbox.

When create_parents is True (the default), any missing parent directories are created and the call is idempotent (succeeds silently if the directory already exists). When create_parents is False, the immediate parent directory must already exist and the path must not already exist.

Raises

• SandboxFilesystemNotFoundError: the parent directory does not exist and create_parents is False.
• SandboxFilesystemPathAlreadyExistsError: the path already exists.
• SandboxFilesystemNotADirectoryError: a path component is not a directory.
• SandboxFilesystemPermissionError: creation is not permitted.
• InvalidError: the operation is not supported by the mount.
• SandboxFilesystemError: the command fails for any other reason.

Usage

sandbox.filesystem.make_directory("/tmp/a/b/c")

filesystem.read_bytes 

async def read_bytes(self, remote_path: str) -> bytes:

Read a file from the Sandbox and return its contents as bytes.

remote_path must be an absolute path to a file in the Sandbox.

Raises

• SandboxFilesystemNotFoundError: the path does not exist.
• SandboxFilesystemIsADirectoryError: the path points to a directory.
• SandboxFilesystemPermissionError: read permission is denied.
• SandboxFilesystemError: the command fails for any other reason.

Usage

sandbox.filesystem.write_bytes(b"Hello, world!\n", "/tmp/hello.bin")
contents = sandbox.filesystem.read_bytes("/tmp/hello.bin")
print(contents.decode("utf-8"))

filesystem.read_text 

async def read_text(self, remote_path: str) -> str:

Read a file from the Sandbox and return its contents as a UTF-8 string.

remote_path must be an absolute path to a file in the Sandbox.

Raises

• SandboxFilesystemNotFoundError: the path does not exist.
• SandboxFilesystemIsADirectoryError: the path points to a directory.
• SandboxFilesystemPermissionError: read permission is denied.
• SandboxFilesystemError: the command fails for any other reason.

Usage

sandbox.filesystem.write_text("Hello, world!\n", "/tmp/hello.txt")
contents = sandbox.filesystem.read_text("/tmp/hello.txt")
print(contents)

filesystem.remove 

async def remove(self, remote_path: str, *, recursive: bool = False) -> None:

Remove a file or directory in the Sandbox.

remote_path must be an absolute path in the Sandbox.

When remote_path is a directory and recursive is False (the default), removes it only if it is empty. When recursive is True, removes the directory and all its contents.

Recursive directory removal is not supported on all mounts. In particular, CloudBucketMount does not support it. An InvalidError is raised in that case.

Raises

• SandboxFilesystemNotFoundError: the path does not exist.
• SandboxFilesystemDirectoryNotEmptyError: recursive is False and the directory is not empty.
• SandboxFilesystemPermissionError: removal is not permitted.
• InvalidError: the operation is not supported by the mount.
• SandboxFilesystemError: the command fails for any other reason.

Usage

To remove a file:

sandbox.filesystem.write_bytes(b"Hello, world!\n", "/tmp/hello.bin")
sandbox.filesystem.remove("/tmp/hello.bin")

To remove a directory and all its contents:

sandbox.filesystem.make_directory("/tmp/mydir/subdir")
sandbox.filesystem.remove("/tmp/mydir", recursive=True)

filesystem.stat 

async def stat(self, remote_path: str) -> FileInfo:

Return metadata for a single file, directory, or symlink in the Sandbox.

remote_path must be an absolute path in the Sandbox. If remote_path is a symlink, the returned FileInfo object describes the symlink, not the target it points to.

Raises

• SandboxFilesystemNotFoundError: the path does not exist.
• SandboxFilesystemNotADirectoryError: a non-leaf component of the path is not a directory.
• SandboxFilesystemPermissionError: a component of the path is not searchable.
• SandboxFilesystemError: the command fails for any other reason.

Usage

sandbox.filesystem.write_text("Hello, world!\n", "/tmp/hello.txt")
info = sandbox.filesystem.stat("/tmp/hello.txt")
print(info.size, info.permissions, info.modified_time)

filesystem.write_bytes 

async def write_bytes(self, data: Union[bytes, bytearray, memoryview], remote_path: str) -> None:

Write binary content to a file in the Sandbox.

remote_path must be an absolute path to a file in the Sandbox. Parent directories for remote_path are created if needed. The remote file is overwritten if it already exists.

Raises

• SandboxFilesystemNotADirectoryError: a parent path component is not a directory.
• SandboxFilesystemIsADirectoryError: remote_path points to a directory.
• SandboxFilesystemPermissionError: write permission is denied.
• SandboxFilesystemError: the command fails for any other reason.

Usage

sandbox.filesystem.write_bytes(b"Hello, world!\n", "/tmp/hello.bin")

filesystem.write_text 

async def write_text(self, data: str, remote_path: str) -> None:

Write UTF-8 text to a file in the Sandbox.

remote_path must be an absolute path to a file in the Sandbox. Parent directories for remote_path are created if needed. The remote file is overwritten if it already exists.

Raises

• SandboxFilesystemNotADirectoryError: a parent path component is not a directory.
• SandboxFilesystemIsADirectoryError: remote_path points to a directory.
• SandboxFilesystemPermissionError: write permission is denied.
• SandboxFilesystemError: the command fails for any other reason.

Usage

sandbox.filesystem.write_text("Hello, world!\n", "/tmp/hello.txt")

open 

def open(
    self,
    path: str,
    mode: Union["_typeshed.OpenTextMode", "_typeshed.OpenBinaryMode"] = "r",
):

[Alpha] Open a file in the Sandbox and return a FileIO handle.

Deprecated (2026-03-09): Use the Sandbox.filesystem APIs instead.

See the FileIO docs for more information.

Usage

sb = modal.Sandbox.create(app=sb_app)
f = sb.open("/test.txt", "w")
f.write("hello")
f.close()

ls 

def ls(self, path: str) -> builtins.list[str]:

[Alpha] List the contents of a directory in the Sandbox.

Deprecated (2026-04-15): Use Sandbox.filesystem.list_files() instead.

mkdir 

def mkdir(self, path: str, parents: bool = False) -> None:

[Alpha] Create a new directory in the Sandbox.

Deprecated (2026-04-15): Use Sandbox.filesystem.make_directory() instead.

rm 

def rm(self, path: str, recursive: bool = False) -> None:

[Alpha] Remove a file or directory in the Sandbox.

Deprecated (2026-04-15): Use Sandbox.filesystem.remove() instead.

watch 

def watch(
    self,
    path: str,
    filter: Optional[builtins.list[FileWatchEventType]] = None,
    recursive: Optional[bool] = None,
    timeout: Optional[int] = None,
) -> Iterator[FileWatchEvent]:

[Alpha] Watch a file or directory in the Sandbox for changes.

stdout 

@property
def stdout(self) -> _StreamReader[str]:

StreamReader for the sandbox’s stdout stream.

stderr 

@property
def stderr(self) -> _StreamReader[str]:

StreamReader for the Sandbox’s stderr stream.

stdin 

@property
def stdin(self) -> _StreamWriter:

StreamWriter for the Sandbox’s stdin stream.

returncode 

@property
def returncode(self) -> Optional[int]:

Return code of the Sandbox process if it has finished running, else None.

list 

@staticmethod
def list(
    *, app_id: Optional[str] = None, tags: Optional[dict[str, str]] = None, client: Optional[_Client] = None
) -> AsyncGenerator["_Sandbox", None]:

List all Sandboxes for the current Environment or App ID (if specified). If tags are specified, only Sandboxes that have at least those tags are returned. Returns an iterator over Sandbox objects.