sandboxes:exec permission to interact with sandboxes they did not create. Sandboxes are never reachable from workspaces other than the one they were created in.
Who can do what
| Caller | Default | With sandboxes:exec |
|---|---|---|
| Sandbox creator | ✅ All runtime actions | ✅ All runtime actions |
| Other workspace member | ❌ Denied | ✅ All runtime actions |
| Different workspace | ❌ Hidden (treated as not found) | ❌ Hidden (treated as not found) |
- Execute a command (
langsmith sandbox exec,SandboxClient.exec) - File operations (read, write, list paths inside the sandbox)
- Tunnel a TCP port back to your machine (
langsmith sandbox tunnel) - Proxy requests through a service URL
sandboxes:create / sandboxes:read / sandboxes:update / sandboxes:delete permissions. Those are unchanged.
Denied requests
When a request is denied, the sandbox returnsHTTP 403 with a body that names the rule that fired:
404 Not Found rather than 403, so the response does not reveal whether the sandbox exists elsewhere.
Sharing a sandbox
You have two ways to let teammates work with a sandbox you own:- Grant
sandboxes:execto a custom role and assign that role in the workspace. Anyone with the role can interact with every sandbox in the workspace. - Use a service URL for HTTP services running inside the sandbox. Service URLs use their own access tokens and do not require the recipient to be a workspace member.
sandboxes:exec when a teammate needs broad access to operate sandboxes they did not create.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.