E2B is the default sandbox provider for Dari. Each session gets its own E2B sandbox, built from a template derived from your agent’s prepared runtime.

Configuration

You can omit the entire sandbox block to use Dari-managed E2B defaults. Add a sandbox block when you want to configure runtimes, packages, setup scripts, internet access, resources, or a custom Dockerfile. The provider field defaults to e2b when omitted.
sandbox:
  provider: e2b
  provider_api_key_secret: E2B_API_KEY
| Field | Required | Notes |
| --- | --- | --- |
| provider | no | Must be e2b when set. |
| provider_api_key_secret | no | Name of a stored org credential holding your E2B API key. Omit to use Dari-managed E2B. If present, the credential must exist when you publish. Never put the raw key here. |
| internet_access | no | Boolean. Defaults to false; set to true to allow public internet access from execution sandboxes. |
When provider_api_key_secret is present, that credential is resolved at publish and session start. When the field is omitted, or when the whole sandbox block is omitted, Dari uses its managed E2B key. Execution sandboxes do not get public internet access by default. Set internet_access: true only when the agent needs outbound internet access while handling sessions.

Managed Runtime

If you omit sandbox.dockerfile in dari.yml, Dari uses its managed E2B runtime. Dari infers runtimes required by your harness and tools, materializes source for managed resources under the session workspace, and lets you request more with sandbox.runtimes, sandbox.packages, and sandbox.setup:
sandbox:
  runtimes:
    node: "20"
    python: "3.13"
  packages:
    apt:
      - ripgrep
  setup:
    script: scripts/setup.sh
The setup.script value is repo-relative in your bundle; at build time, that file is available under /bundle and runs from /bundle as root after Dari installs the requested apt packages and managed runtimes. For example, this manifest asks Dari for Node and Go, installs the standard download tools needed by the setup hook, then runs scripts/setup-sandbox.sh:
dari.yml
sandbox:
  provider: e2b
  runtimes:
    node: "20"
    go: "1.23.4"
  packages:
    apt:
      - ca-certificates
      - curl
      - tar
      - gzip
  setup:
    script: scripts/setup-sandbox.sh
scripts/setup-sandbox.sh
#!/usr/bin/env bash
set -euo pipefail

YQ_VERSION="v4.44.6"
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR"' EXIT

curl -fsSL \
  "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64.tar.gz" \
  -o "$TMP_DIR/yq.tar.gz"
tar -xzf "$TMP_DIR/yq.tar.gz" -C "$TMP_DIR"
install -m 0755 "$TMP_DIR/yq_linux_amd64" /usr/local/bin/yq

yq --version
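
The setup hook above runs as root at build time and unpacks whatever the download returns, so a digest check belongs between the curl and tar steps. The following is an added example, not part of the Dari documentation: a fail-closed SHA-256 gate written for POSIX sh so it can be pasted into a bash setup script. The function names and the YQ_SHA256 variable are hypothetical, and the demo runs on a constructed file rather than a real release.

```shell
#!/bin/sh
# Added example (not from the Dari docs): fail-closed checksum gate for
# artifacts that a sandbox setup script downloads and installs as root.
set -eu

# sha256_of FILE: print the lowercase hex SHA-256 of FILE (empty on error).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" 2>/dev/null | awk '{print $1}'
  else
    shasum -a 256 "$1" 2>/dev/null | awk '{print $1}'
  fi
}

# verify_sha256 FILE PIN: return 0 only if FILE hashes to PIN.
# A malformed pin, an unreadable file, or a mismatch all return 1.
verify_sha256() {
  _pin="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  case "$_pin" in
    ''|*[!0-9a-f]*) echo "verify_sha256: malformed pin" >&2; return 1 ;;
  esac
  [ "${#_pin}" -eq 64 ] || { echo "verify_sha256: malformed pin" >&2; return 1; }
  _got="$(sha256_of "$1")"
  if [ "$_got" != "$_pin" ]; then
    echo "verify_sha256: $1: expected $_pin, got ${_got:-<unreadable>}" >&2
    return 1
  fi
}

# Placement in scripts/setup-sandbox.sh (YQ_SHA256 is a hypothetical variable
# holding the digest you recorded for the pinned release), before tar runs:
#   verify_sha256 "$TMP_DIR/yq.tar.gz" "$YQ_SHA256"

# Offline demonstration on a constructed file standing in for the download.
demo() {
  _dir="$(mktemp -d)"
  printf 'constructed release archive\n' > "$_dir/tool.tar.gz"
  _recorded="$(sha256_of "$_dir/tool.tar.gz")"   # pin taken at review time
  verify_sha256 "$_dir/tool.tar.gz" "$_recorded" && echo "pinned artifact: accepted"
  printf 'changed upstream\n' >> "$_dir/tool.tar.gz"
  verify_sha256 "$_dir/tool.tar.gz" "$_recorded" 2>/dev/null || echo "changed artifact: rejected"
  rm -rf "$_dir"
}
demo
```

Because the setup script already uses set -e, an unguarded verify_sha256 call that fails aborts the build before tar or install touches the archive.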
Use a Dockerfile only when you need full image control. Add it at the repo root, copy your project into /workspace, and reference it from the sandbox block:
FROM node:20-bookworm
WORKDIR /workspace
COPY . /workspace
sandbox:
  provider: e2b
  dockerfile: Dockerfile
sandbox.dockerfile cannot be combined with sandbox.runtimes, sandbox.packages, or sandbox.setup. See the manifest reference for the full contract.

Resource Limits

sandbox.resources lets you override the E2B template’s CPU and memory allocation for every session spawned from your agent:
sandbox:
  provider: e2b
  resources:
    cpu: 4
    memory_mb: 8192
Both fields are optional; E2B defaults apply when they are omitted (2 CPUs, 1024 MB).

Getting An API Key

  1. Sign up at e2b.dev.
  2. Create an API key from your E2B dashboard.
  3. Store it as an org credential named E2B_API_KEY (or any ^[A-Z_][A-Z0-9_]*$ name you prefer) and reference it with sandbox.provider_api_key_secret.