Use Cases

Sandboxes

Sandboxes give you on-demand, isolated execution environments for any workload. Spin up a microVM in milliseconds to run short-lived tasks such as executing code, processing data, or responding to an event. Then let it vanish automatically.

Or keep a sandbox running in the background for as long as a job requires. Either way, every sandbox runs in its own dedicated microVM: hardware-isolated, minimal, and ready for the job.

With Unikraft Cloud, you get the instant startup speed of containers together with the strong isolation guarantees of hardware virtualization—not one or the other.

Why run sandboxes on Unikraft Cloud

⚡ Instant startup, every time

Sandboxes need to be ready the moment a task arrives. Unikraft Cloud instances boot in milliseconds:

Ephemeral sandboxes spin up and complete tasks before cold starts are even noticeable.
Long-running sandboxes resume instantly from stateful scale-to-zero snapshots.
No pre-warming pools or reserved capacity needed.

🔒 True hardware isolation

Running arbitrary or untrusted workloads such as user-submitted code, AI agent tool calls, third-party plugins, test payloads, etc. demands more than container-level isolation.

Every sandbox on Unikraft Cloud runs in its own microVM:

No shared kernel between tenants. Each sandbox has its own.
Hardware-enforced boundaries reduce the risk of container escape.
A minimal OS footprint reduces the attack surface for every run.

💸 Pay only for execution

Sandboxes are inherently bursty. Some complete in milliseconds while others run for hours. Unikraft Cloud's pricing model fits:

You pay only for the actual execution time of ephemeral sandboxes.
Long-running sandboxes scale-to-zero when idle and resume instantly when needed.
No idle infrastructure, no wasted capacity between runs.

Getting started

A great example of sandboxes in action is OpenClaw, an autonomous AI agent framework that runs in an isolated microVM on Unikraft Cloud.

This guide explains how to create and deploy your own OpenClaw gateway on Unikraft Cloud. To run this example, follow these steps:

Install the CLI and a container runtime engine (for example, Docker). Use the unikraft CLI or the legacy kraft CLI. You need a BuildKit builder. The easiest way to get one is via Docker. You could also directly set up and use BuildKit, see the quick start.
Clone the examples repository and cd into the examples/openclaw directory:

Code
git clone https://github.com/unikraft-cloud/examples
cd examples/openclaw/

Make sure to log into Unikraft Cloud and pick a metro close to you. This guide uses fra (Frankfurt, 🇩🇪):

The UKC_TOKEN and UKC_METRO environment variables are only supported by the legacy CLI.

When done, you may create the OpenClaw Unikraft Cloud image and deploy an instance from it like so:

Make sure to replace <my-org> with your username / org-name and to set your SSH public key as the PUBKEY environment variable above.

The output shows the instance address and other details:

In this case, the instance name is openclaw-8tosm and the address is divine-flower-bxsaapup.fra0-demo.unikraft.app. These will be different for each run.

You can now SSH into this instance and run the OpenClaw onboarding process.

To SSH, you need to set up a tunnel that handles the TLS connection to the Unikraft Cloud instance. This way, you have a non-TLS port that your SSH client can connect to:

Code
socat TCP-LISTEN:2222,reuseaddr,fork OPENSSL:divine-flower-bxsaapup.fra0-demo.unikraft.app:2222,verify=0

Then connect to the instance via SSH using:

Code
ssh -l root localhost -p 2222

You can list information about the instance by running:

When done, you can remove the instance using:

OpenClaw Setup

Once you have SSH'd into your instance, you may run:

Code
openclaw onboard

This will set up your OpenClaw gateway on the instance. You will have to provide your LLM's API key here.

Once done, make note of your gateway.auth.token (henceforth referenced as <token>) from ~/.openclaw/openclaw.json

Code
cat ~/.openclaw/openclaw.json

Set gateway.controlUi.allowedOrigins in ~/.openclaw/openclaw.json:


Code
...
  "gateway": {
    ...
    "controlUi": {
      "allowedOrigins": [
        "https://proud-smoke-cjf0wro8.fra0-demo.unikraft.app:18789"
      ]
    },
    ...
  },
...

Replace the address above with the address of your instance (noted earlier).

Run the gateway:

Code
openclaw gateway run --bind lan

You may now access the web dashboard at the following address:

Code
https://<address>:18789?token=<token>

Where <address> is your above noted address and <token> is your above noted token.

For security reasons, you will have to manually approve your web "device" to start using the web dashboard. Create a new SSH connection to your OpenClaw instance:

Code
ssh -l root localhost -p 2222

First, find your device ID:

Code
openclaw devices list

Look under the Request column. Device IDs look like cabd915e-137a-4bc4-b640-d0e507684d65

Finally, approve your device with:

Code
openclaw devices approve <device-id>

Once you approve your device, refresh your OpenClaw web dashboard.

You now have full access to your own OpenClaw deployment on Unikraft Cloud!

Learn more

Use the --help option for detailed information on using Unikraft Cloud:

Or visit the CLI Reference or the legacy CLI reference.

Edit this page

Last modified on May 15, 2026

Instance Forking Headless Browsers