v0.1 · Apache 2.0 · self-hostable

Hardware-isolated sandboxes for AI agents.

One Cloud Hypervisor microVM per sandbox. Stock kernel, KVM-backed, no containers. 14 ms warm-start, 4 ms exec roundtrip. Drop-in for the E2B and Daytona SDKs.

Warm start P50: 14 ms
Cold spawn P50: 98 ms
exec roundtrip: 4 ms
Fork (snapshot + clone): 66 ms
Scaleway PAR2 EM-B130E · 6c EPYC 4245P (SMT off) · 60 GB RAM · reproducible via verify/perf-quick.sh

Why DaytoNah

▸ Real isolation
One Cloud Hypervisor microVM per sandbox. KVM is the boundary — kernel CVE blast radius stops at the VM. Not gVisor. Not Firecracker-in-a-container. Not a chroot.
▸ vsock-only guest
The in-VM agent listens on AF_VSOCK only. A compromised sandbox can't reach its neighbour's /exec — no TCP, no shared L2.
▸ No kernel mods
Stock distro kernel. No DKMS, no out-of-tree drivers, no signed-module dance. You can boot the host with Secure Boot on.
▸ Cross-host by default
Pause in PAR1, resume in PAR2. Archive offloads to S3-compatible storage; the scheduler re-picks a host on resume. Continuous backup with a 4 ms pause window.
▸ API parity
Drop-in for E2B and Daytona SDKs. We accept E2B's templateID body shape, expose /pause, /resume, /files/watch, etc.
▸ Agent-native
MCP server, llms.txt, OpenAPI 3.1, agent skill (npx skills add). Drops into Claude Code, Cursor, Windsurf in one line.
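
A guest-side check of the "vsock-only guest" claim above, as an added example that is not DaytoNah's own code: it parses /proc/net/tcp-format text and reports every TCP socket in LISTEN state bound to a non-loopback address. The sample tables are constructed, and treating loopback listeners as acceptable is an assumption.

```python
import ipaddress

LISTEN = "0A"  # state code for TCP_LISTEN in /proc/net/tcp and /proc/net/tcp6

def _decode_addr(hex_addr):
    # The kernel prints each 32-bit word of the address in host byte order;
    # on little-endian hosts (x86-64, arm64) every 4-byte group is reversed.
    raw = bytes.fromhex(hex_addr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(packed)

def tcp_listeners(proc_net_text):
    """Return (address, port) for every socket in LISTEN state."""
    found = []
    for line in proc_net_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # header, blank line, or a non-listening socket
        hex_addr, hex_port = fields[1].split(":")
        found.append((_decode_addr(hex_addr), int(hex_port, 16)))
    return found

def exposed_listeners(proc_net_text):
    """Listeners reachable from outside the guest (anything not loopback)."""
    return [(str(a), p) for a, p in tcp_listeners(proc_net_text)
            if not a.is_loopback]

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when\n"
TAIL = " 00000000:00000000 00:00000000 00000000     0        0 2001\n"
ZERO6 = "0" * 32

# Constructed sample: a loopback listener plus one established connection.
SAMPLE_VSOCK_ONLY = (
    HEADER
    + "   0: 0100007F:1538 00000000:0000 0A" + TAIL
    + "   1: 0100007F:1538 0100007F:C350 01" + TAIL
)

# Constructed sample: tcp and tcp6 tables concatenated, with wildcard binds.
SAMPLE_LEAKY = (
    HEADER
    + "   0: 00000000:1F90 00000000:0000 0A" + TAIL
    + "   0: " + ZERO6 + ":0016 " + ZERO6 + ":0000 0A" + TAIL
    + "   1: 00000000000000000000000001000000:0035 " + ZERO6 + ":0000 0A" + TAIL
)

if __name__ == "__main__":
    for name, text in (("vsock-only", SAMPLE_VSOCK_ONLY), ("leaky", SAMPLE_LEAKY)):
        print(name, exposed_listeners(text) or "no exposed TCP listeners")
```

Inside a real guest, pass the contents of /proc/net/tcp and /proc/net/tcp6 to `exposed_listeners`; the check covers TCP only, not UDP.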

Performance

| Path | What's happening | P50 | P95 |
|---|---|---|---|
| Warm allocation | Pool claim — Postgres row flip, no spawn | 14 ms | 24 ms |
| Cold spawn | Reflink rootfs · TAP · CH boot · vsock RPC up | 98 ms | 313 ms |
| First exec (warm) | create → exec returning exit 0 | 22 ms | 39 ms |
| /exec roundtrip | Framed-JSON RPC over vsock | 4 ms | 5 ms |
| Resume paused | Memory + disk restore | 104 ms | 104 ms |
| Fork | Snapshot + clone in one call | 66 ms | |
| Sequential throughput | 100× create+delete, pool refills | 26.3 /s | |

Architecture

┌───────────────────────────── CP box ───────────────────────────────┐
│  Caddy :443  ──TLS──▶  Bun control plane :3000                     │
│                        ├─ scheduler · warm pool · reconciler       │
│                        ├─ billing · audit · webhooks               │
│                        └─ Postgres                                 │
└──────────────────────┬─────────────────────────────────────────────┘
                       │ HTTPS · mTLS · bearer · nft IP-allowlist
┌──────────────────────▼───────────────────────── sandbox host(s) ───┐
│  edge-proxy :80   <port>-<sbx>.<host>.nip.io → guest port (HMAC)   │
│                                                                    │
│  host-agent (Go, root)                                             │
│   ├─ spawns cloud-hypervisor per sandbox                           │
│   ├─ TAP/IP allocator on dnah-br0 (10.42.0.0/16)                   │
│   ├─ archive/backup to S3-compatible storage                       │
│   └─ vsock-rpc proxy :18048 (TLS + mTLS + bearer)                  │
│                                                                    │
│  cloud-hypervisor → AF_VSOCK :18047 → invm-agent (PID 1)           │
│                                       exec · PTY · files · snap    │
└────────────────────────────────────────────────────────────────────┘