sandboxes:exec permission to interact with sandboxes they did not create. Sandboxes are never reachable from workspaces other than the one they were created in.
Who can do what
“Runtime actions” covers the four ways you interact with a running sandbox after creation:
- Execute a command (
langsmith sandbox exec,SandboxClient.exec) - File operations (read, write, list paths inside the sandbox)
- Tunnel a TCP port back to your machine (
langsmith sandbox tunnel) - Proxy requests through a service URL
sandboxes:create / sandboxes:read / sandboxes:update / sandboxes:delete permissions. Those are unchanged.
Denied requests
When a request is denied, the sandbox returnsHTTP 403 with a body that names the rule that fired:
404 Not Found rather than 403, so the response does not reveal whether the sandbox exists elsewhere.
Sharing a sandbox
You have two ways to let teammates work with a sandbox you own:- Grant
sandboxes:execto a custom role and assign that role in the workspace. Anyone with the role can interact with every sandbox in the workspace. - Use a service URL for HTTP services running inside the sandbox. Service URLs use their own access tokens and do not require the recipient to be a workspace member.
sandboxes:exec when a teammate needs broad access to operate sandboxes they did not create.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

