Box Basics - Upstash Documentation

Every Upstash Box is a durable execution environment for AI workloads. Each box is an isolated container with its own filesystem, shell, network stack, and optional coding agent. You send prompts or commands, the box executes them, and you get back structured results without managing infrastructure. Boxes are billed per active CPU time (not idle time), state persists across runs, and you can choose from Node, Python, Go or other runtimes. Unlike other sandboxing services, our boxes do not have a maximum session duration, you can resume them days or even weeks later.

Architecture

Every box is a self-contained environment with five capabilities:

Module	Description
Agent	Run a coding agent (Claude Code or Codex)
Git	Clone repos, inspect diffs, and open pull requests
Shell	Execute OS-level commands directly
Filesystem	Upload, write, read, list, and download files inside the box
Snapshots	Capture box state and restore new boxes from it

The agent has full access to the shell, filesystem, and git inside its box. It can install packages, write files, run tests, and interact with the network.

Lifecycle

1. Created

When you create a box, Upstash provisions a new isolated container with its own filesystem, shell, and network stack. You can start from a fresh box or restore from a snapshot. Once provisioning finishes, the box is ready to receive commands.

2. Running

The box automatically enters Running state after creation. Your agent can run bash commands, read and write files, interact with git, and make outbound network requests. stdout and stderr stream back in real-time. If the box sits idle with no active commands, it automatically transitions to Paused after 30 minutes.

3. Paused

While a box is paused, it releases its compute resources but preserves the filesystem and environment. You can resume it explicitly or simply send new work to wake it back up. Boxes are only billed on active CPU time, so a box does not incur any costs while paused.

4. Snapshot

Snapshots capture the full workspace state of a box at a point in time. They let you checkpoint a working environment and later create a new box from that exact state. Learn more in Snapshots.

5. Deleted

Deleting a box permanently destroys the live box and its current state. This is irreversible, so take a snapshot first if you may need to restore the environment later. Any existing snapshots taken from the box are not affected by deletion.

API

Use the main Box APIs to create, reconnect, inspect, pause, snapshot, and delete boxes. For work inside a box, use the dedicated Shell, Filesystem, Git, and Agent APIs.

Create or reconnect a box

Most apps need three entry points: start a new box, show the boxes that already exist, or reopen one from a saved ID.

const box = await Box.create({ runtime: "node" })
const boxes = await Box.list()

// 👇 later, or in another serverless function
const sameBox = await Box.get(box.id)

This is the core lifecycle entrypoint for dashboards, background workers, and apps that persist a box ID between requests.

Check status and inspect activity

const { status } = await box.getStatus()
const logs = await box.logs()
const runs = await box.listRuns()

These APIs are useful when you are building monitoring, history, or debugging views.

Pause or resume

Pausing is useful when work arrives in bursts and you want to keep the environment intact without paying for active compute the whole time.

await box.pause()
await box.resume()

Paused boxes do not accrue active CPU charges.

Snapshot and restore

Snapshots are the best way to turn a prepared environment into a reusable starting point, especially installing dependencies.

const snapshot = await box.snapshot({ name: "after-setup" })
const restored = await Box.fromSnapshot(snapshot.id)

This is useful for reusable base environments, checkpoints before risky work, and branching multiple boxes from the same setup state. For detailed snapshot workflows, see Snapshots.

Delete

Once a run is finished, delete the live box if you don’t need it anymore:

await box.delete()

Deleting a box is irreversible, so snapshot first if you may want to recreate the same environment later.

Security & Isolation

Every box runs as its own Docker container with an independent filesystem, process tree, and network stack. Boxes cannot communicate with or observe each other. There is no shared state between them.

Your app makes SDK calls to the Upstash API gateway, which authenticates the request and routes it to the correct box. Each box has a unique ID, and all communication between your app and the box is encrypted in transit. Inside a box, the agent, shell, filesystem, and git all share the same isolated environment. The agent can install packages, write files, spawn processes, and make outbound HTTP requests, but only within its own container boundary. It cannot access the host, other boxes, or any Upstash-internal infrastructure.

Boundary	Guarantee
Filesystem	Each box has its own filesystem. No shared volumes between boxes.
Processes	Process trees are fully isolated. One box cannot signal or inspect another’s processes.
Network	Boxes can make outbound requests (HTTP, DNS) but cannot reach other boxes.

Networking

Every box has full outbound network access. HTTP, HTTPS, DNS, WebSockets, and raw TCP are all available. Agents can call external APIs, download packages, pull container images, and interact with any public endpoint. Boxes run on AWS infrastructure with 22.5 Gbps network bandwidth per host. This means large file transfers, dataset downloads, and parallel API calls are fast by default. Because boxes run on fast AWS infrastructure, they have single-digit ms to major cloud services (S3, GitHub, etc.).

Compute & Billing

Compute is billed separately from persisted storage. CPU is only metered while a box is actively executing commands or agent steps, so paused or idle boxes do not accrue compute charges.

Resource	Pricing
CPU	$0.10 per active vCPU-hour
Memory	Included at no extra cost
Storage	$0.10 per GB-month for all persisted storage, including disks and snapshots

Boxes are currently available in one size with 2 vCPU, 2GB of memory and 10GB disk space.

Agent

Every Upstash Box comes with built-in coding agent harnesses. You don’t need to bring your own agent framework or wire up tool calls. The box already knows how to give an agent access to its shell, filesystem, and git, and how to stream output back to you. We currently support Claude Code and Codex as native agents inside of a box. You choose a model when creating a box. For more details, see the Agent page.

Each iteration builds on the last. If a test fails, the agent sees the error output and corrects. If a file is missing, it discovers that during the read phase and adapts. The loop continues until the task is complete or the agent determines it cannot make further progress. You control what goes in (the prompt) and what comes out (raw text or a structured response). The agent handles reasoning and tool selection within its box, using the same shell, filesystem, and git available to you through the SDK. A box retains its full state between runs (files, installed packages, git history, etc.). You can send multiple prompts to the same box and the agent picks up exactly where it left off.

Box

​Architecture

​Lifecycle

​1. Created

​2. Running

​3. Paused

​4. Snapshot

​5. Deleted

​API

​Create or reconnect a box

​Check status and inspect activity

​Pause or resume

​Snapshot and restore

​Delete

​Security & Isolation

​Networking

​Compute & Billing

​Agent