Written by
Perplexity Team
Published on
Agentic workflows frequently require deterministic execution. When an agent needs to run a statistical analysis, generate a chart, validate a calculation, or transform a dataset, it needs deterministic execution with exact outputs. The agent reasons about what to compute. The sandbox computes it.
Built for Perplexity, now available as a service
We built the Sandbox to support this pattern internally. Perplexity Computer, our Finance Agent, and Deep Research all execute code inside sandboxed environments. Computer runs thousands of sessions per minute. The Finance Agent uses Sandbox for live market data calculations. Deep Research uses it for file generation, data processing, and format conversion mid-workflow. Sandbox API makes the same execution environment available as a standalone service.
Stateful sessions with persistent filesystems
Each session runs in its own isolated Kubernetes pod. The developer manages none of the underlying infrastructure: we handle provisioning, networking, and cleanup. Supported languages are Python, JavaScript, and SQL, with runtime package installation available per session.
Sessions are stateful. A persistent filesystem is mounted via FUSE. The FUSE daemon intercepts file operations and translates them for the agent: read, write, list files, and track modifications since session creation. Files created in one step are available in subsequent steps. Long-running workflows can pause, resume hours later, and pick up with full state intact. Each session supports up to five background processes.
Zero-trust by default
The security architecture assumes untrusted code by default. Sandboxes have no direct network access. When outbound connectivity is required, traffic routes through an egress proxy running outside the sandbox. The proxy matches outbound requests by destination domain and injects the appropriate credentials. Code executing inside the sandbox never has access to raw API keys or secrets. Built-in timeouts and resource limits enforce execution boundaries.
Agent API as the orchestration layer
Sandbox API will be available as a tool within Agent API, allowing the orchestration runtime to delegate to deterministic code execution mid-workflow. The agent decides what to compute, dispatches to Sandbox, observes the output, and continues its reasoning loop. Same API key, same set of credits.
Sandbox API is coming soon. We will open a private beta shortly, with documentation at docs.perplexity.ai
Agentic workflows frequently require deterministic execution. When an agent needs to run a statistical analysis, generate a chart, validate a calculation, or transform a dataset, it needs deterministic execution with exact outputs. The agent reasons about what to compute. The sandbox computes it.
Built for Perplexity, now available as a service
We built the Sandbox to support this pattern internally. Perplexity Computer, our Finance Agent, and Deep Research all execute code inside sandboxed environments. Computer runs thousands of sessions per minute. The Finance Agent uses Sandbox for live market data calculations. Deep Research uses it for file generation, data processing, and format conversion mid-workflow. Sandbox API makes the same execution environment available as a standalone service.
Stateful sessions with persistent filesystems
Each session runs in its own isolated Kubernetes pod. The developer manages none of the underlying infrastructure: we handle provisioning, networking, and cleanup. Supported languages are Python, JavaScript, and SQL, with runtime package installation available per session.
Sessions are stateful. A persistent filesystem is mounted via FUSE. The FUSE daemon intercepts file operations and translates them for the agent: read, write, list files, and track modifications since session creation. Files created in one step are available in subsequent steps. Long-running workflows can pause, resume hours later, and pick up with full state intact. Each session supports up to five background processes.
Zero-trust by default
The security architecture assumes untrusted code by default. Sandboxes have no direct network access. When outbound connectivity is required, traffic routes through an egress proxy running outside the sandbox. The proxy matches outbound requests by destination domain and injects the appropriate credentials. Code executing inside the sandbox never has access to raw API keys or secrets. Built-in timeouts and resource limits enforce execution boundaries.
Agent API as the orchestration layer
Sandbox API will be available as a tool within Agent API, allowing the orchestration runtime to delegate to deterministic code execution mid-workflow. The agent decides what to compute, dispatches to Sandbox, observes the output, and continues its reasoning loop. Same API key, same set of credits.
Sandbox API is coming soon. We will open a private beta shortly, with documentation at docs.perplexity.ai
Share this article