Your coding agent works in development. It parses documents, generates code, runs it, and returns clean results. Then someone on sales asks it to analyze a production database. The database holds real customer data. The agent writes a query and executes it against a live system with no isolation. Now you're explaining to your CISO why a large language model (LLM) had unrestricted access to personally identifiable information (PII).
The gap between a working demo and a production-safe agent comes down to one layer: where and how generated code actually runs. Code execution APIs close that gap. They accept code from an agent, run it inside an isolated environment, and return structured output: stdout, stderr, exit codes, and file artifacts. The host system and neighboring tenants stay unexposed.
This article covers what a code execution API is, how coding agents use these APIs in production, which architecture and risk controls matter, how to evaluate platforms, and which options stand out today.
What is a code execution API?
A code execution API is a programmatic interface that accepts source code, executes it inside an isolated runtime, and returns structured output. The model writes code. The execution API runs it. These are two separate systems working in sequence.
The distinction from adjacent technologies matters. Code generation APIs (LLM inference endpoints) produce source code from natural language prompts. They don't run anything. CI/CD runners like GitHub Actions execute predefined workflows triggered by repository events.
An agent can't invoke them mid-reasoning or extend their capabilities at runtime. Hosted notebooks like Jupyter expose a browser UI designed for human-interactive exploration. They aren't built for concurrent, multi-tenant, programmatic invocation by autonomous agents.
A concrete example clarifies the loop. A coding agent receives a task: "analyze Q1 revenue trends from this CSV." The agent writes a Python script to load the data, compute aggregates, and generate a chart. It sends that script to a code execution API. The API spins up an isolated sandbox, runs the script, and returns the chart file and summary statistics.
The agent inspects the output and decides the analysis needs refinement. It writes an updated script and calls the API again. This closed-loop pattern separates agentic systems from single-shot code generation. The agent doesn't just write code. It runs code, reads the result, and acts on it.
How coding agents use code execution APIs in practice
Code execution APIs show up wherever an agent needs to move beyond generating code. The common thread is a closed loop: the agent writes code, the API runs it in isolation, and the output feeds the agent's next decision.
Enterprise use cases
Production deployments cluster around several recurring patterns:
- Data analysis and file transformation: Agents write and execute Python scripts to process files, run calculations, and generate charts. OpenAI's developer documentation confirms that models can rewrite and rerun failing code until it succeeds, enabling iterative data analysis workflows.
- Automated test writing and execution: GitHub has documented its engineers using Copilot for internal work. The agent generated pull requests that went through automated testing before human review.
- SQL queries via controlled connectors: LLM-powered agents translate natural language into SQL, execute queries through controlled database connectors, and return structured results. No raw credentials are exposed. Arbitrary writes are blocked.
- Agentic coding workflows: Coding agents create branches, write code from issue specifications, commit changes, and open PRs. Carvana's SVP of Engineering described the Copilot coding agent as converting specifications to production code in minutes.
- Incident response and DevOps automation: Monitoring agents launch sandboxed investigations when anomalies are detected. Robinhood runs AI agents that handle 65% of customer queries on AWS infrastructure.
Why this matters for engineering leadership
Every use case shares a structural requirement. Untrusted, LLM-generated code runs against real data in a controlled environment. Without a centralized execution layer, each team builds its own isolation mechanism. That means inconsistent security postures, fragmented audit trails, and no unified observability.
A managed code execution API provides three things. Observability: every execution is logged with inputs, outputs, and resource consumption. This produces the audit trail that SOC 2 and Health Insurance Portability and Accountability Act (HIPAA) assessments require. Reproducibility: the same code in the same sandbox produces the same result, which matters for debugging agent behavior and satisfying compliance reviews. Separation of concerns: the LLM never touches production infrastructure directly.
It calls an API that enforces isolation, permissions, and resource limits. That boundary separates a demo from a system you can defend to your security team. McKinsey's QuantumBlack Labs documented a multi-agent workflow automating credit memo drafting that increased analyst productivity by as much as 60%.
Architecture and risk controls behind a code execution API
A production stack includes the gateway, execution manager, sandbox runtime, persistence layer, and observability.
Core architecture components
The core components of a code execution API include:
- The API gateway and authentication layer is the single enforcement point for all inbound requests. Authentication happens before any execution environment is provisioned. Allocating compute prior to validation wastes resources and opens a window for unauthorized code to run. AWS API Gateway supports both WebSocket and HTTP/REST APIs with IAM policies, Lambda authorizers, and Cognito user pools.
- The execution manager handles lifecycle management, session routing, and resource scheduling. From the Firecracker design document, each Firecracker process encapsulates one microVM. Firecracker isolates each microVM in its own process, though isolation depends on the host, kernel, and underlying hardware.
- Sandboxed runtimes are the isolation layer where code executes. The dominant options are microVMs (hardware-level isolation with a dedicated kernel per sandbox) and containers (process-level isolation with a shared host kernel).
- The persistence layer pairs ephemeral compute with durable object storage. AWS AgentCore supports referencing files in S3 for large datasets, keeping the sandbox stateless while artifacts persist.
- Observability completes the stack. AWS AgentCore emits two spans per tool call, capturing execution status, latency, error type, and tool name within a trace.
One foundational design decision cuts across the stack: stateless versus stateful sessions. Stateless sessions provision a fresh environment per request, eliminating session affinity and leak risk. Stateful sessions persist across invocations.
For teams building full agent stacks rather than isolated runtimes, adjacent infrastructure matters too. Co-locating the agent service with the sandbox reduces network round-trip latency. Parallel or background execution needs a separate compute layer.
Dynamic tool execution through the Model Context Protocol (MCP) requires its own hosting. LLM routing and token cost controls sit in a gateway layer separate from sandbox execution. Those components don't replace a code execution API, but they shape the overall latency and governance model around it.
Why unmanaged code execution creates enterprise risk
The Open Worldwide Application Security Project (OWASP) identifies Tool Misuse and Exploitation as a major AI agent threat category. Documented failure modes include:
- Sandbox escape via unsanitized execution: CVE-2025-59528 (CVSS 10.0) documented active exploitation of the Flowise AI workflow platform. User input passed directly to a Function() constructor ran with full Node.js runtime privileges, including child_process and fs access.
- Container escape via kernel privilege escalation: The GameOver(lay) CVEs (CVE-2023-2640 / CVE-2023-32629) allowed non-root users in containers to gain root privileges through OverlayFS operations in Kubernetes environments.
- Supply chain exfiltration: Claude Code shipped a 59.8MB source map to a public registry. The publish process lacked a content check and bypassed data loss prevention (DLP) controls.
Containers share the host kernel. An ACM peer-reviewed study identified flawed system call handling as a vulnerability category in containerized environments. MicroVMs address this by running a separate kernel per workload via Linux KVM. Firecracker launches a microVM in 125 milliseconds with about 5 MiB of memory overhead.
A 2025 preprint reports that microVMs deliver I/O performance comparable to containers while retaining the strong isolation of dedicated kernels.
For multi-tenant or regulated environments running untrusted generated code, the required controls typically include hardware-enforced isolation between tenants, least-privilege permissions per agent, data residency enforcement, immutable audit trails, and resource quotas. Teams evaluating any execution platform should verify the isolation primitive: container namespace, user-space kernel like gVisor, or hardware-level microVM.
How to evaluate a code execution API for enterprise use
Evaluation criteria are split into three areas: runtime capability, isolation and compliance posture, and total cost of ownership.
1. Audit language support, latency profiles, and session models
Python and JavaScript/TypeScript are the minimum viable set. Verify native runtime support. Custom container images per language add operational complexity. One engineering leader described evaluation tooling that required 25 containers running a custom Kubernetes operator for a single function.
Cold start latency is the most visible variable for interactive agents. Coding agents issue many shell commands per task, and extra latency per command compounds across a workflow. Ask vendors for p50/p95/p99 cold start data by runtime. AWS Lambda SnapStart with invoke priming achieves a p99.9 cold start of 781.68 milliseconds for Java. Optimized Rust runtimes achieve sub-15 millisecond cold starts with warm execution as low as 1.6 milliseconds.
Match the session model to your workload. Ephemeral sessions require a rehydrating state on every invocation. Long-lived sessions preserve variables, libraries, and intermediate results across calls. A coding agent building an application over multiple turns needs a persistent state.
A translation agent making quick API calls does not. If low-latency agent execution is part of the same design, ask whether the provider supports agent hosting co-located with the sandbox. If the workload includes parallel fan-out, evaluate whether the platform offers a batch compute layer.
2. Verify isolation technology and compliance posture
The isolation primitive determines your blast radius. Containers share the host kernel, so a single kernel vulnerability can expose every tenant on the same host. gVisor intercepts syscalls in user space but adds 100 to 200% overhead on random I/O. MicroVMs provide a dedicated kernel per sandbox through hardware virtualization with I/O performance comparable to containers.
Beyond isolation, check for per-tenant secret management, role-based access control at the API key level, and audit log exportability. Confirm SOC 2 Type II attestation (not just Type I). Check whether a HIPAA BAA is available. Verify whether the architecture logs execution content to third-party systems.
3. Calculate the total cost of ownership
Building in-house requires dedicated engineering time. The Bureau of Labor Statistics reports a median annual wage of $133,080 for software developers in May 2024. A Forrester TEI study uses a fully burdened rate of $84/hour for DevOps staff, annualizing to roughly $174,720 before infrastructure or compliance costs.
Watch for pricing traps. Minimum billing periods create hidden costs at high invocation volumes. Provisioned concurrency incurs continuous charges during idle periods.
A Forrester TEI study on managed services documented that a 25% productivity uplift in cloud infrastructure management yields $128,700 per year in avoided labor cost.
For most teams, the breakeven point favors a managed service at production volumes. The cost of building open-source infrastructure, measured in engineer time and maintenance, typically warrants transition to a managed service once you're beyond prototyping.
Leading code execution options for coding agents
The market segments into managed cloud services, specialized sandbox platforms, and perpetual sandbox platforms with durable standby and co-located hosting.
Managed cloud and inference services
Vertex AI / Gemini code execution operates in two modes. The Gemini inline tool enforces a 30-second maximum per execution. The Vertex AI Agent Engine is priced at $0.0864 per vCPU-hour and $0.0090 per GB-hour. Tight coupling to Google Cloud limits cross-provider flexibility.
Claude code execution provides sandboxed Python and Bash execution within the Anthropic API, with later versions adding REPL state persistence and in-sandbox tool calling. Billing varies: no additional charge when paired with web search or web fetch, otherwise billed by execution time. The Claude Code CLI uses Bubblewrap (Linux) and Seatbelt (macOS) for local isolation, which differs from Anthropic's hosted API runtime. CVE-2026-25725 exposed a TOCTOU flaw that allowed persistent hook injection with host privileges.
Together AI Code Interpreter offers sandboxed code execution, while Together Code Sandbox provides VM-based sandboxes with snapshot and restore behavior. Teams should verify pricing and boot-time specifics directly in vendor documentation.
These services work well within their ecosystems but constrain teams needing cross-provider model routing or persistent state beyond the provider's session model.
Vertical sandbox platforms
E2B uses Firecracker microVMs with Python and JavaScript out of the box, plus Ruby and C++ via custom runtimes. E2B offers self-hosting for enterprises requiring complete control over their infrastructure. Session durations cap at 24 hours. Sandboxes are deleted after 30 days, requiring teams to rebuild state from scratch for longer-running projects.
Modal offers GPU options with gVisor-based isolation. The gVisor model imposes higher overhead on I/O-heavy workloads than Firecracker. Sandbox snapshots’ retention is capped at 7 days (feature in alpha as of April 2026).
Daytona uses containerized sandboxes (open-source, AGPL-3.0) with configurable lifecycle policies and a 15-minute default billing period (1-minute minimum). Docker's default isolation shares the host kernel, which provides weaker tenant boundaries than microVM-based approaches. Sandboxes are archived after 30 days, requiring slow restoration.
Perpetual sandbox platforms
Perpetual sandbox platforms like Blaxel address the gaps that emerge when teams need sandboxes that persist beyond fixed time limits. Blaxel sandboxes stay in standby indefinitely with sub-25ms resume and zero compute cost while idle. Storage still applies for standby snapshots and volumes. After a few seconds of network inactivity, sandboxes transition to standby automatically.
Isolation uses microVMs inspired by the open-source Firecracker technology behind AWS Lambda, not containers or gVisor. A compromised workload can't reach the host OS or neighboring sandboxes. Blaxel holds SOC 2 Type II certification, ISO 27001 certification, and HIPAA support is available via BAA add-on.
Beyond sandboxes, the platform includes co-located Agents Hosting that eliminates network roundtrips between agent and sandbox, Batch Jobs for parallel and background execution, MCP Servers Hosting for standardized tool access via Model Context Protocol (MCP), and Model Gateway for LLM routing and token cost control.
Comparison snapshot
The table below maps each platform across the dimensions that most affect production readiness. Match your team's profile to the "Best for" column. Teams committed to a cloud provider should start with managed services. Teams building model-agnostic agent infrastructure should evaluate the specialized and perpetual sandbox platforms.
Note that "session model" and "standby" are distinct concepts. The session model describes whether the state carries across API calls within an active session. Standby describes what happens when the sandbox goes idle. A platform can offer stateful sessions but still delete the sandbox after a timeout.
| Platform | Isolation model | Languages | Session model | Standby / persistence | Best for |
|---|---|---|---|---|---|
| Vertex AI Agent Engine | Managed runtime | Python-based frameworks | Product-dependent | Product-dependent | Teams on GCP |
| Claude code execution | Hosted API sandbox | Python, Bash | Session-scoped | Session-scoped | Anthropic-native pipelines |
| Together AI / CodeSandbox | VM-based | Varies | Session-oriented | Snapshot / restore | Snapshot-heavy workflows |
| E2B | Firecracker microVM | Python, JavaScript | Stateful with runtime limits | Deleted after 30 days | Self-hosted OSS |
| Modal | gVisor | Varies | Runtime-dependent | 7-day standby (alpha) | GPU-intensive workloads |
| Daytona | Container-based | Multiple (Docker) | Configurable lifecycle | 30-day archive limit | Short-lived ephemeral sandbox workloads |
| Blaxel | MicroVM (Firecracker-based) | Python, TypeScript, Go SDK | Stateful with perpetual standby | Indefinite standby, sub-25ms resume | Agents that code, AI data analysis, persistent workloads |
How to integrate code execution APIs with LLM agents
Three integration patterns cover the spectrum from full agent autonomy to strict human oversight. The right choice depends on your risk tolerance and compliance requirements.
1. Expose the API as a tool call in your agent framework
Register the execution sandbox as a named tool with a defined schema. The LLM emits a structured tool_call when it determines execution is needed. The host application performs the invocation, not the model. OpenAI's documentation confirms that the model decides which tools to call while the runtime executes them.
This pattern works best for autonomous iteration. The agent writes code, runs it, observes the result, and refines. Frameworks like CrewAI, the Vercel AI SDK, and LangGraph support it natively or through graph-based building blocks.
Guardrail tip: filter dangerous imports (os, subprocess, child_process) before code reaches the sandbox. Cap execution calls per session. Route operations touching production data or credentials to a review queue. When tool execution expands beyond a single sandbox call, standardized tool discovery through MCP becomes relevant for connecting agents to databases, APIs, and other services.
2. Route execution through a deterministic orchestrator
The orchestrator controls when and how code executes, not the LLM. The model generates code within a constrained option set. The orchestrator validates it against predefined rules, then invokes the execution API. The model never talks to the sandbox directly.
This pattern provides the strongest compliance properties. Research on deterministic code generation found that deterministic execution eliminates output variance and achieves full auditability. Every decision traces to a specific line of code. Databricks recommends starting with a deterministic chain and adding tool calling only as complexity grows. In practice, many production systems combine both approaches.
Tip: normalize the output schema from the execution API. A standardized schema (exit code, stdout, stderr, artifacts) prevents brittle integrations regardless of runtime. If the orchestrator also manages model selection, fallback behavior, or cost controls across multiple providers, that function sits adjacent to code execution rather than inside it.
3. Add human-in-the-loop approval for high-risk executions
Route low-risk operations (read-only queries, deterministic calculations) directly to the sandbox. Pause high-risk operations for human approval. Database writes, credential access, and production modifications all require review. LangGraph supports human-in-the-loop as a first-class capability.
Define risk tiers with practical criteria. Does the operation exceed a cost threshold? Does it touch PII or regulated data? Can the action be undone? For example, a coding agent analyzing sales data writes a read-only Python script. The orchestrator routes it directly to the sandbox. The same agent later generates an SQL UPDATE against the customer database. The orchestrator pauses, sends it for approval, and logs the approval ID when an engineer clears it.
Start evaluating code execution APIs for your coding agents
Code execution is the layer where AI agents cross from generating text to affecting real systems. Every uncontrolled execution creates a potential incident: leaked credentials, unauthorized data access, or a container escape that exposes neighboring tenants.
Teams that treat this layer as an afterthought end up with fragmented security postures across projects, inconsistent audit trails that fail compliance reviews, and no centralized observability over what their agents actually run. The longer those gaps persist, the harder they are to close without re-architecting.
Centralizing code execution through a managed API gives engineering leaders one enforcement point for isolation, permissions, and audit logging. That matters whether your agents analyze customer data, review pull requests, or generate production code. The choice of platform determines your blast radius during a security incident, your agent's ability to maintain state across sessions, and your total infrastructure cost.
Perpetual sandbox platforms like Blaxel combine microVM isolation with sandboxes that stay in standby indefinitely, resuming in under 25ms with zero compute cost while idle. Co-located
Agents Hosting eliminates network round-trips between the agent and the sandbox. Batch Jobs handles parallel execution. MCP Servers Hosting provides standardized tool access. Model Gateway centralizes LLM routing and token cost control. Blaxel holds SOC 2 Type II certification and ISO 27001 certification, with HIPAA BAA available as an add-on.
Book a demo to see how it fits your stack, or start building for free.
Add isolated code execution to your AI agent
MicroVM sandboxes with sub-25ms resume, structured output capture, and co-located agent hosting. Run untrusted code safely at production scale.
FAQ
What is the difference between a code execution API and an LLM API?
An LLM API generates text, including source code, from natural language prompts. It doesn't run anything. A code execution API accepts that generated code, executes it inside an isolated runtime, and returns structured results: stdout, stderr, exit codes, and file artifacts. The two systems work in sequence. The model writes code, and the execution API runs it.
Why do coding agents need a code execution API?
Coding agents operate in a closed loop. They generate code, run it, inspect the output, and refine their next step based on what they observe. Without an execution layer, the agent can only propose code. It can't verify whether the code works, catch errors, or iterate toward a correct result. That loop is what separates agentic systems from single-shot code generation.
What isolation technology should teams use for running LLM-generated code?
For multi-tenant or regulated production environments, microVMs provide the strongest isolation. Each workload runs its own kernel via hardware virtualization, so an exploit in one sandbox can't reach the host or neighboring tenants. Perpetual sandbox platforms like Blaxel use microVM isolation inspired by the technology behind AWS Lambda, combining hardware-enforced tenant separation with sub-25ms resume from standby.
When do stateful sandboxes matter?
Stateful sandboxes matter when an agent needs to preserve variables, imported libraries, filesystem contents, or intermediate results across multiple turns. That's common in coding agents that build or debug software over longer sessions. Without state persistence, each invocation starts from scratch, forcing the agent to repeat expensive setup operations like cloning repositories or loading datasets every time.
What should enterprises evaluate first?
Start with three criteria: isolation model, session persistence, and total cost of ownership. The isolation primitive determines your blast radius during a security incident. Session persistence determines whether your agent can maintain context across interactions. Total cost of ownership reveals whether a managed service saves more than building in-house when you factor in engineering time, compliance, and maintenance.
