AnchorPreview
Anchor. Secure
agent runtime,
by default.
Ephemeral Micro VMs that boot in 1.3 seconds. Every sandbox is disposable, policy-scoped, and backed by Noekl's delegated identity.
Most agent runtimes give you a process and call it a sandbox. That isn't enough. Anchor is real compute with identity, integrations, and audit attached to every workload. Not a sandbox. A governed execution platform.
Full SDK lifecycle
Create a sandbox, run code, and expose a preview URL in one script. Integration credentials flow transparently through Noekl.
import { AnchorClient } from '@mistrive/anchor';
const anchor = new AnchorClient({ token: 'sk_...' });
// Spin up a sandbox with GitHub integration access
const sandbox = await anchor.createSandbox({
sandbox: {
resources: { vcpus: 2, memoryMb: 2048, nvmeScratchMb: 4096 },
maxDuration: '600s',
},
integrations: [
{ provider: 'github' }
],
});
// Run code. GitHub requests transparently route through Noekl.
const result = await anchor.execCodeRun({
name: sandbox.name!,
language: 'python',
code: 'import requests; print(requests.get("https://api.github.com/user/repos").json())',
});
// Expose a running service via preview URL
const preview = await anchor.getPreviewUrl({
name: sandbox.name!,
sandboxPort: 8080,
accessMode: 'PUBLIC',
});Run anything.
Cloud Hypervisor VMs, sub-200ms warm start, and full Linux environments.
Agents act safely.
Every sandbox runs as a user or service account. Integrations are delegated. Credentials stay out of the guest.
Work does not disappear. Coming soon
NVMe speed, S3 durability, snapshots, and resume. Agents can build stateful work without becoming infrastructure.
Anything that needs real execution.
From AI coding agents to data workflows, internal tools, and operations.
Clone, edit, test, and open pull requests from isolated workspaces.
Reach real systems through delegated identity instead of copied secrets.
Run scripts, transform files, and persist outputs without provisioning hosts.
Give operators terminal, file, and preview surfaces backed by real compute.
No tokens inside the sandbox. Ever.
Credentials are injected at runtime as short-lived tokens and audited per request. The sandbox can use integrations. It never owns secrets.
Short-lived tokens.
Credentials are injected only when a request is allowed and expire quickly.
Delegated access.
The sandbox can use tools. It never becomes the owner of long-lived secrets.
Audited per request.
Credential use, commands, outputs, and integrations produce a reviewable trail.
How integrations flow into sandboxes
Guest code never touches a credential. Anchor intercepts the request, asks Noekl for delegation, and injects a short-lived token on the way through.
Sandbox
calls github.com
Anchor TLS gateway
intercepts and injects
Noekldelegation
github.com
authenticated
Sandbox
calls github.com
Anchor TLS gateway
intercepts and injects
github.com
authenticated
Anchor runs. Interlock routes. Noekl controls.
Anchor spins up sandboxes for agents to act in. Interlock routes their inference. Noekl is the control plane that tracks who, what, and how much. Three planes, one platform.