> ## Documentation Index
> Fetch the complete documentation index at: https://novita.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Secured access

export const SandboxConfigHint = () => {
  if (typeof document === "undefined") {
    return null;
  } else {
    return <Note>Before running the example code in this document, please ensure you have properly configured environment variables. For details, please refer to <a href="/guides/sandbox-your-first-agent-sandbox#configure-environment-variables">Configure Environment Variables</a>.</Note>;
  }
};

Secure access provides authentication for communication between the SDK and the sandbox controller.

The sandbox controller runs inside each sandbox, and it exposes the management interface used by the SDK, including file-system operations, command execution, and other sandbox control capabilities. When secure access is disabled, possession of a sandbox ID is sufficient to invoke these interfaces, which may allow unauthorized control of the sandbox from within the environment.

<Note>
  Starting with SDK version `v2.0.0`, secure access is turned on automatically whenever a sandbox is created. Older custom templates might not support this, in which case a rebuild may be required.
</Note>

<SandboxConfigHint />

## Migration path

For custom templates created with envd earlier than `v0.2.0`, secure access is available only after the template is rebuilt
You can set `secure` to `false` to temporarily turn off secure access during sandbox creation, but disabling secure access is not recommended for production use because of security risks.

Use `novita-sandbox-cli template list` to check the template `Envd version`. You can also inspect templates in the dashboard.

## Supported versions

Sandboxes created from templates with envd `v0.2.0` or later support secure access without any additional configuration.

In JavaScript and Python SDK, secure access was available as an optional configuration starting from `v1.5.0`.
As of SDK `v2.0.0`, sandboxes are provisioned with secure access turned on by default.

## Access sandbox API directly

When you interact with a sandbox without using one of the SDKs, you can send requests directly to the sandbox controller URL.
For sandboxes running with secure access, direct API requests are accepted only if they include the access token generated at creation time. When using the SDK, secure access is handled automatically; `X-Access-Token` is only needed when calling sandbox controller APIs directly without the SDK.

Include this token in the `X-Access-Token` header for all direct sandbox controller requests.

[Upload](/guides/sandbox-filesystem-upload#upload-with-pre-signed-url) and [download](/guides/sandbox-filesystem-download#download-with-pre-signed-url) operations by URLs require pre-signed URLs. We recommend using the SDK to generate them.

## Disable secure access

Disabling secure access is not recommended because it may expose the sandbox to security risks.

<CodeGroup>
  ```js JavaScript & TypeScript icon="js" theme={"system"}
  import { Sandbox } from 'novita-sandbox/code-interpreter'

  const sandbox = await Sandbox.create({ secure: false }) // Explicitly disable
  ```

  ```python Python icon="python" theme={"system"}
  from novita_sandbox.code_interpreter import Sandbox

  sandbox = Sandbox.create(secure=False)  # Explicitly disable
  ```
</CodeGroup>