Production / TLS

Out of the box, sandboxd serves plain HTTP on *.preview.localhost — zero DNS, zero certificates, perfect for local development. For a public deployment on a real wildcard domain:

  1. Point *.preview.yourdomain.com at the host.

  2. In traefik/traefik.yml, enable the websecure entrypoint and add a certificate resolver (Let's Encrypt DNS-01 is ideal — one wildcard cert covers every preview host, so you never hit per-host ACME limits).

  3. In .env:

    PREVIEW_DOMAIN=yourdomain.com
    PREVIEW_ENTRYPOINT=websecure
    PREVIEW_TLS=true
    # enable auth — never expose the API unauthenticated
    SANDBOXD_API_AUTH_DISABLED=false
    SANDBOXD_API_TOKENS=name:secret

  4. Run docker compose up -d.

Preview URLs become:

https://s-<id>-3000.preview.yourdomain.com

Authenticated API calls

With SANDBOXD_API_AUTH_DISABLED=false and SANDBOXD_API_TOKENS=name:secret set, send the token's secret as a bearer token on every request:

    # $API is the base URL of the sandboxd API
    curl -s -X POST "$API/sandbox" \
      -H "Authorization: Bearer secret" \
      -H 'content-type: application/json' \
      -d '{"ports":[3000]}'

Caution: API auth is off by default for local use. In production, turn it on and never expose the API port unauthenticated. See Hardening for the full pre-scale checklist.
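
A pre-deploy check for the .env values from step 3, added here as an example (it is not part of sandboxd). The function names, the 32-character minimum and the placeholder list are assumptions; it reads only the keys shown on this page and treats SANDBOXD_API_TOKENS as a single name:secret pair.

```shell
#!/bin/sh
# Added example: pre-deploy lint for the .env keys from step 3.
MIN_SECRET_LEN=32   # assumed policy, not a sandboxd requirement

# Print the last value assigned to KEY in FILE; commented-out lines never match.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '\r' |
        sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# Print one line per problem; return 0 only when every check passes.
check_env() {
    file=$1 problems=0
    [ "$(env_get "$file" PREVIEW_TLS)" = "true" ] ||
        fail "PREVIEW_TLS must be true"
    [ "$(env_get "$file" PREVIEW_ENTRYPOINT)" = "websecure" ] ||
        fail "PREVIEW_ENTRYPOINT must be websecure"
    # The guide says auth is off by default, so require an explicit false.
    [ "$(env_get "$file" SANDBOXD_API_AUTH_DISABLED)" = "false" ] ||
        fail "SANDBOXD_API_AUTH_DISABLED must be explicitly false"
    case $(env_get "$file" PREVIEW_DOMAIN) in
        ""|localhost|yourdomain.com)
            fail "PREVIEW_DOMAIN is unset or still a placeholder" ;;
    esac
    token=$(env_get "$file" SANDBOXD_API_TOKENS)
    case $token in
        ?*:?*)
            secret=${token#*:}
            [ "$secret" != "secret" ] ||
                fail "SANDBOXD_API_TOKENS still uses the guide's sample secret"
            [ "${#secret}" -ge "$MIN_SECRET_LEN" ] ||
                fail "token secret is shorter than $MIN_SECRET_LEN characters" ;;
        *)  fail "SANDBOXD_API_TOKENS must be name:secret" ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample: the guide's placeholder values with auth left at default.
sample=$(mktemp)
printf '%s\n' 'PREVIEW_DOMAIN=yourdomain.com' 'PREVIEW_ENTRYPOINT=websecure' \
    'PREVIEW_TLS=true' 'SANDBOXD_API_TOKENS=name:secret' > "$sample"
if check_env "$sample"; then
    echo "ok to deploy"
else
    echo "fix .env before docker compose up -d"
fi
rm -f "$sample"
```

Run check_env against the real .env before step 4 and treat a non-zero return as a blocked deploy.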