
Claude Managed Agents.
On your box.

Anthropic runs the agent loop, model, and skills. Every tool call -- bash, read, write, edit, glob, grep -- executes inside an isolated OmniRun Firecracker microVM on your own infrastructure.

The brain stays at Anthropic

Anthropic hosts the model, runs the agent loop, and decides which tools to call. You don't run inference or manage the orchestration. Nothing about the agent itself changes.

The hands run in your microVM

Each tool call lands in a fresh OmniRun Firecracker microVM on your own box -- its own kernel, the same model AWS Lambda and Fargate use. Your code never leaves your perimeter.

Why it matters

Isolation, inside your own perimeter.

One microVM per tool call.

Every bash, read, write, edit, glob, and grep runs in its own Firecracker microVM with its own Linux kernel. A kernel exploit in one call cannot reach another. Hardware-level isolation enforced by KVM, not process boundaries.

Own kernel · Per tool call · Like Lambda / Fargate

Egress you control

internet: false is a genuine L3 air-gap. Need outbound but not wide open? Lock it to an allowlist of hosts with the opt-in SNI proxy.

Runs on your own box

The worker and every microVM run on infrastructure you control. EU-hosted on Hetzner if you use ours.

Run the worker

One worker. That's the whole integration.

Create a self_hosted environment, point the worker at it, and start polling. The worker picks up tool calls from Anthropic's queue and runs each one in a fresh OmniRun microVM. Agent sandboxes restore from snapshot in a few seconds (sub-5s).

run-worker.sh
# Install Anthropic's worker CLI (ant)
$ curl -fsSL https://github.com/anthropics/anthropic-cli/releases/download/v1.10.0/ant_1.10.0_linux_amd64.tar.gz \
    | tar -xz -C /usr/local/bin ant

# Point it at your self_hosted environment
# (key generated once in the Console)
$ export ANTHROPIC_ENVIRONMENT_KEY=sk-ant-oat01-...
$ export ANTHROPIC_ENVIRONMENT_ID=env_...

# Poll the queue. Each claimed session runs
# in a fresh OmniRun microVM (via omnirun-spawn.sh)
$ ant beta:worker poll --on-work ./omnirun-spawn.sh
✓ Connected to Anthropic work queue
✓ Each session runs in your microVMs

Compliance posture

Built for regulated workloads.

EU-hosted

Run on Hetzner data centers in the EU, or on your own hardware. Where your sandboxes run is an infrastructure choice you make.

ZDR / HIPAA-BAA eligible

The architecture supports Anthropic's Zero Data Retention and HIPAA-BAA programs. Eligibility is configured on the Anthropic side.

Your data, your perimeter

Tool calls touch files and run commands inside VMs you control. The repositories and data never have to leave your infrastructure.

Honest limitations

What it does not do (yet).

  • Persistent Memory is not yet available with self-hosted sandboxes. Each tool call starts from a clean snapshot.
  • Anthropic runs the model. The prompt and conversation still flow through Anthropic's API. Self-hosting moves the tool execution, not the inference.

Keep the hands at home.

Get an API key, run the worker, and point a Claude session at your self-hosted environment. Free tier includes 25 sandbox-hours per month.