Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.superserve.ai/llms.txt

Use this file to discover all available pages before exploring further.

By default, a sandbox can reach any public IP on the internet. The platform always blocks egress to private, link-local, and loopback ranges regardless of your allow rules. Use network rules to narrow the allowlist further.

Allow specific destinations

allowOut / allow_out accepts a mix of CIDRs and domain patterns. Combine it with denyOut: ["0.0.0.0/0"] to build a strict allowlist - deny everything, then add exceptions. 
const sandbox = await Sandbox.create({
  name: "restricted",
  network: {
    allowOut: ["api.openai.com", "*.github.com", "140.82.112.0/20"],
    denyOut: ["0.0.0.0/0"],
  },
})

Rule format

FieldAcceptsNotes
allowOut / allow_outCIDRs + domainsDomains support wildcards (*.example.com).
denyOut / deny_outCIDRs onlyUse 0.0.0.0/0 to deny the entire internet and rely on allowOut for exceptions.
Deny rules take precedence over allow rules when they overlap.

Update rules on a running sandbox

Networking can be updated after creation - changes apply immediately to new connections. 
await sandbox.update({
  network: {
    allowOut: ["api.anthropic.com", "api.openai.com"],
    denyOut: ["0.0.0.0/0"],
  },
})
Blocking *.superserve.ai will break the SDK’s ability to communicate with the sandbox.