# Secured access - Documentation

> For the complete documentation index, see [llms.txt](/llms.txt). Markdown is available with `Accept: text/markdown` and `.md` URL variants.

Source: /docs/guides/sandbox-secured-access

# Secured access

Secure access provides authentication for communication between the SDK and the sandbox controller.
The sandbox controller runs inside each sandbox, and it exposes the management interface used by the SDK, including file-system operations, command execution, and other sandbox control capabilities. When secure access is disabled, possession of a sandbox ID is sufficient to invoke these interfaces, which may allow unauthorized control of the sandbox from within the environment.

Starting with SDK version `v2.0.0`, secure access is turned on automatically whenever a sandbox is created. Older custom templates might not support this, in which case a rebuild may be required.

##

[​](#migration-path)

Migration path

For custom templates created with envd earlier than `v0.2.0`, secure access is available only after the template is rebuilt
You can set `secure` to `false` to temporarily turn off secure access during sandbox creation, but disabling secure access is not recommended for production use because of security risks.
Use `novita-sandbox-cli template list` to check the template `Envd version`. You can also inspect templates in the dashboard.

##

[​](#supported-versions)

Supported versions

Sandboxes created from templates with envd `v0.2.0` or later support secure access without any additional configuration.
In JavaScript and Python SDK, secure access was available as an optional configuration starting from `v1.5.0`.
As of SDK `v2.0.0`, sandboxes are provisioned with secure access turned on by default.

##

[​](#access-sandbox-api-directly)

Access sandbox API directly

When you interact with a sandbox without using one of the SDKs, you can send requests directly to the sandbox controller URL.
For sandboxes running with secure access, direct API requests are accepted only if they include the access token generated at creation time. When using the SDK, secure access is handled automatically; `X-Access-Token` is only needed when calling sandbox controller APIs directly without the SDK.
Include this token in the `X-Access-Token` header for all direct sandbox controller requests.
[Upload](/docs/guides/sandbox-filesystem-upload#upload-with-pre-signed-url) and [download](/docs/guides/sandbox-filesystem-download#download-with-pre-signed-url) operations by URLs require pre-signed URLs. We recommend using the SDK to generate them.

##

[​](#disable-secure-access)

Disable secure access

Disabling secure access is not recommended because it may expose the sandbox to security risks.

JavaScript & TypeScript

Python

```
import { Sandbox } from 'novita-sandbox/code-interpreter'

const sandbox = await Sandbox.create({ secure: false }) // Explicitly disable
```

Last modified on June 24, 2026
