Daytona Provider
Read this when you are:
- choosing
provider: daytona; - configuring Daytona API auth, snapshots, or SSH access;
- changing
internal/providers/daytona.
Daytona is an SSH-lease provider with a delegated execution path. run and warmup create the sandbox from a Daytona snapshot and drive sync and command execution through the Daytona SDK/toolbox APIs (archive upload, extraction, and process execution) — they do not run over SSH. crabbox ssh mints a short-lived Daytona SSH access token, then connects through the normal Crabbox SSH client.
#When to use
Use Daytona when the box image should come from a Daytona snapshot and command execution should stay inside Daytona's toolbox APIs. Reach for AWS, Hetzner, or the static ssh provider instead when you need a normal long-lived SSH lease for Actions hydration, desktop/VNC, or code workflows.
#Commands
crabbox warmup --provider daytona --daytona-snapshot crabbox-ready
crabbox run --provider daytona --daytona-snapshot crabbox-ready -- pnpm test
crabbox run --provider daytona --id swift-crab -- pnpm test:changed
crabbox ssh --provider daytona --id swift-crab
crabbox stop --provider daytona swift-crab
#Live Smoke
The shared live-smoke harness can validate Daytona without a coordinator:
CRABBOX_LIVE=1 CRABBOX_LIVE_PROVIDERS=daytona CRABBOX_LIVE_REPO=/path/to/my-app scripts/live-smoke.sh
The smoke requires a snapshot through CRABBOX_DAYTONA_SNAPSHOT, DAYTONA_SNAPSHOT, or daytona.snapshot. It exits before any Daytona run, list, warmup, or stop command when the snapshot is missing, so credentialless machines can verify the guard without mutating provider state. With a snapshot configured, the harness runs one delegated Daytona command and then lists normalized Daytona inventory.
#Auth
Crabbox reads the active Daytona CLI profile when no Daytona auth values are set in the environment or config:
daytona login --api-key ...
You can also supply explicit API-key auth:
export DAYTONA_API_KEY=...
or JWT auth:
export DAYTONA_JWT_TOKEN=...
export DAYTONA_ORGANIZATION_ID=...
DAYTONA_ORGANIZATION_ID is required with JWT auth. Explicit environment values (or Crabbox config values) override the Daytona CLI profile.
Each auth variable also has a CRABBOX_-prefixed form that takes precedence over the unprefixed one: CRABBOX_DAYTONA_API_KEY, CRABBOX_DAYTONA_JWT_TOKEN, CRABBOX_DAYTONA_ORGANIZATION_ID, and CRABBOX_DAYTONA_API_URL.
#Config
provider: daytona
target: linux
daytona:
apiUrl: https://app.daytona.io/api
snapshot: crabbox-ready
target: ""
user: daytona
workRoot: /home/daytona/crabbox
sshGatewayHost: ssh.app.daytona.io
sshAccessMinutes: 30
The values above are the built-in defaults except for snapshot and target, which are empty by default.
Provider flags:
--daytona-api-url
--daytona-snapshot
--daytona-target
--daytona-user
--daytona-work-root
--daytona-ssh-gateway-host
--daytona-ssh-access-minutes
The non-auth settings can also be set through environment variables: CRABBOX_DAYTONA_SNAPSHOT, CRABBOX_DAYTONA_TARGET, CRABBOX_DAYTONA_USER, CRABBOX_DAYTONA_WORK_ROOT, CRABBOX_DAYTONA_SSH_GATEWAY_HOST, and CRABBOX_DAYTONA_SSH_ACCESS_MINUTES.
#Lifecycle
- Create or resolve a Daytona sandbox from
daytona.snapshot. - Store Crabbox labels and a local repo claim for the lease.
- For
run, build the Crabbox sync manifest, stream a gzipped tar archive to - For
ssh, request short-lived SSH access (TTLdaytona.sshAccessMinutes), - Delete the sandbox on release unless the lease is kept.
the Daytona toolbox upload endpoint, extract it in the sandbox, and execute the command through the Daytona process APIs.
parse Daytona's sshCommand, and redact the token in normal output.
#Capabilities
- Provider kind: SSH-lease (Linux only).
- SSH: yes, via a short-lived Daytona SSH access token.
- Crabbox sync: yes, archive sync through the Daytona toolbox.
- Desktop / browser / code: no — Daytona has no Crabbox VNC or
codesurface. - Actions hydration: no.
- Coordinator (broker): no — Daytona always runs direct from the CLI.
#Gotchas
daytona.snapshot(or--daytona-snapshot) is required to create a sandbox.--classand--typeare rejected; size the sandbox through the snapshot.--id <sandbox-id-or-slug>is required to address an existing sandbox.- Daytona
runis delegated to the toolbox APIs; it is not core-over-SSH --actions-runneris rejected because it needs a normal SSH lease host.--keep-on-failurekeeps a newly created failed sandbox until Daytona
The snapshot owns CPU, memory, disk, and installed tooling.
execution. Because of that, the following run options are rejected: --sync-only, --checksum, --force-sync-large, --full-resync, --fresh-pr, --script / --script-stdin, --env-helper, --capture-stdout / --capture-stderr, --capture-on-fail, --download, --artifact-glob, --require-artifact, --emit-proof, and --stop-after.
auto-stop or an explicit crabbox stop.