NodeOps
UK
NodeOps

Egress

Egress rules control which external hosts a sandbox can reach. By default (empty rule list) all outbound traffic is allowed. Once you set any rules, only the listed destinations pass — everything else is dropped in-kernel.

Rules apply live with no sandbox restart required.

Get your API key from https://createos.nodeops.network/profile. Pass it as X-Api-Key: <token> on every request.

Base URL: https://api.sb.createos.sh

At a glance

  • Base URL: https://api.sb.createos.sh
  • Auth: X-Api-Key: <token> header — get a token
  • Response envelope: JSend — {"status": "...", "data": ...}

Rule formats

Each rule is a string in one of these forms:

FormatExampleEffect
hostpypi.orgAllow all ports to that hostname.
host:portgithub.com:443Allow only that port.
*.host*.pythonhosted.orgWildcard subdomain match.
ip1.1.1.1Allow all ports to that IP.
ip:port1.1.1.1:53Allow only that port.
cidr10.0.0.0/8Allow all ports to that CIDR block.
cidr:port10.0.0.0/8:8080Allow only that port in the block.
**Allow all destinations (same as empty list).

Empty list / null / ["*"] — all outbound traffic is allowed (no iptables chain installed).

There is no denylist token. To block one destination you must list all destinations you do want.

GET /v1/sandboxes/{id}/egress

Read the current egress allowlist for a sandbox.

Auth required: Yes

Path parameters

ParameterDescription
idSandbox id.

Example

Bash
1curl https://api.sb.createos.sh/v1/sandboxes/sb_01K.../egress \
2  -H "X-Api-Key: $CREATEOS_API_KEY"

Success response 200

JSON
1{
2  "status": "success",
3  "data": {
4    "id": "sb_01K…",
5    "egress": [
6      "pypi.org",
7      "*.pythonhosted.org",
8      "github.com:443"
9    ]
10  }
11}

Notable errors: 404 — sandbox not found or not owned by caller.

PUT /v1/sandboxes/{id}/egress

Replace the egress allowlist atomically. The new rules take effect immediately — the in-kernel iptables chain is flushed and rebuilt in a single update.

Auth required: Yes

Path parameters

ParameterDescription
idSandbox id.

Request body

FieldTypeRequiredDescription
egressarray of stringsNoFull replacement allowlist. null, missing, [], or ["*"] all mean allow-all.

Example — restrict to PyPI and GitHub

Bash
1curl -X PUT https://api.sb.createos.sh/v1/sandboxes/sb_01K.../egress \
2  -H "X-Api-Key: $CREATEOS_API_KEY" \
3  -H "Content-Type: application/json" \
4  -d '{
5    "egress": [
6      "pypi.org",
7      "*.pythonhosted.org",
8      "github.com:443",
9      "1.1.1.1:53"
10    ]
11  }'

Success response 200

JSON
1{
2  "status": "success",
3  "data": {
4    "id": "sb_01K…",
5    "egress": [
6      "pypi.org",
7      "*.pythonhosted.org",
8      "github.com:443",
9      "1.1.1.1:53"
10    ]
11  }
12}

Example — restore allow-all

Bash
1curl -X PUT https://api.sb.createos.sh/v1/sandboxes/sb_01K.../egress \
2  -H "X-Api-Key: $CREATEOS_API_KEY" \
3  -H "Content-Type: application/json" \
4  -d '{"egress": []}'

Notable errors: 404 — sandbox not found.

Setting egress at sandbox creation

You can also supply the initial egress list when creating a sandbox. Pass egress in the POST /v1/sandboxes body:

JSON
1{
2  "shape": "s-1vcpu-256mb",
3  "egress": ["pypi.org", "github.com:443"]
4}

See /createos/docs/Sandbox/REST-API/Sandboxes for the full create request shape.

100,000+ Builders. One Workspace.

Get product updates, builder stories, and early access to features that help you ship faster.

CreateOS is a unified intelligent workspace where ideas move seamlessly from concept to live deployment, eliminating context-switching across tools, infrastructure, and workflows with the opportunity to monetize ideas immediately on the CreateOS Marketplace.