Sandbox Authentication
Pass a workspace or repo token to sandboxed environments via the GITHOSTED_TOKEN environment variable. The SDK auto-reads it.
Quickstart
Section titled “Quickstart”// Your orchestrator codeimport { Client } from "@githosted/sdk";
const client = new Client();const token = "gw_your_workspace_token"; // or create a scoped repo token
// Pass to your sandbox platformsandbox.create({ env: { GITHOSTED_TOKEN: token } });Inside the sandbox:
import { Client } from "@githosted/sdk";
// Auto-reads GITHOSTED_TOKEN from env — no config neededconst client = new Client();const repo = client.repo("my-project");const files = await repo.ls("/");Platform Examples
Section titled “Platform Examples”import modal
sandbox = modal.Sandbox.create( secrets=[modal.Secret.from_dict({"GITHOSTED_TOKEN": "gw_xxx"})], image=modal.Image.debian_slim().pip_install("githosted"),)Vercel AI SDK
Section titled “Vercel AI SDK”const sandbox = await Sandbox.create({ env: { GITHOSTED_TOKEN: "gw_xxx" },});Daytona
Section titled “Daytona”sandbox = daytona.create(env_vars={"GITHOSTED_TOKEN": "gw_xxx"})Least-Privilege Tokens
Section titled “Least-Privilege Tokens”For sandboxes, prefer repo-scoped tokens (gr_) over workspace tokens (gw_). If a sandbox is compromised, the attacker gets access to only the specific repos you scoped — not your entire workspace.
Repo tokens can be created via the API with a short TTL:
import { Client } from "@githosted/sdk";
const client = new Client(); // workspace token (gw_)
// Create a 2-hour read-write token scoped to one repoconst result = await client.createToken({ name: "sandbox-run-42", kind: "repo", permission: "write", repoAllowlist: ["my-repo"], ttlHours: 2,});
sandbox.create({ env: { GITHOSTED_TOKEN: result.token } });