Read when:
- choosing
provider: daytona; - configuring Daytona authentication, snapshots, or SSH access;
- understanding how the Daytona backend differs from a plain SSH-lease provider.
provider: daytona provisions Daytona sandboxes and
supports Linux targets exclusively. Direct mode is hybrid: warmup, run,
list, status, and stop drive Daytona's SDK and toolbox APIs, while ssh
mints a short-lived SSH token. Brokered mode keeps the API key in the
coordinator, returns an expiring SSH identity to the authorized client, and
uses Crabbox's normal SSH/rsync run path.
Crabbox accepts credentials from two sources, in precedence order:
- Explicit Crabbox config or environment variables (highest priority).
- The active Daytona CLI profile (used only when no explicit token is set).
Log in with the Daytona CLI to populate a profile:
daytona loginCrabbox reads the active profile's API key and active organization ID from the Daytona CLI config when no explicit token is provided.
To set credentials directly, provide an API key:
export DAYTONA_API_KEY=...or a JWT plus organization ID:
export DAYTONA_JWT_TOKEN=...
export DAYTONA_ORGANIZATION_ID=...DAYTONA_ORGANIZATION_ID is required whenever JWT auth is used. If no API key,
JWT token, or authenticated CLI profile is found, lease operations fail with a
configuration error.
Each variable also has a CRABBOX_-prefixed form that takes precedence over the
bare Daytona name (useful when other tooling already owns the unprefixed
variable):
| Crabbox-prefixed | Daytona name | Config key |
|---|---|---|
CRABBOX_DAYTONA_API_KEY |
DAYTONA_API_KEY |
daytona.apiKey |
CRABBOX_DAYTONA_JWT_TOKEN |
DAYTONA_JWT_TOKEN |
daytona.jwtToken |
CRABBOX_DAYTONA_ORGANIZATION_ID |
DAYTONA_ORGANIZATION_ID |
daytona.organizationId |
CRABBOX_DAYTONA_API_URL |
DAYTONA_API_URL |
daytona.apiUrl |
The API URL defaults to https://app.daytona.io/api.
For brokered mode, configure the coordinator instead of client auth:
DAYTONA_CRABBOX_KEY # required secret
CRABBOX_DAYTONA_SNAPSHOT # optional shared snapshot
CRABBOX_DAYTONA_TARGET # optional compute target
CRABBOX_DAYTONA_SSH_ACCESS_MINUTES # minimum token TTL; default 120
The coordinator accepts no Daytona API credential from lease requests.
The Daytona integration is snapshot-first: the snapshot owns CPU, memory, disk,
and installed tooling. Crabbox does not expose Daytona resource flags, so
--class and --type are rejected for provider=daytona — size the sandbox in
the snapshot instead.
provider: daytona
target: linux
daytona:
snapshot: my-app-ready
target: "" # optional Daytona compute target
user: daytona
workRoot: /home/daytona/crabbox
sshGatewayHost: ssh.app.daytona.io # fallback when the API omits an SSH command
sshAccessMinutes: 30 # SSH access token TTL| Config key | Flag | Default |
|---|---|---|
daytona.snapshot |
--daytona-snapshot |
(required) |
daytona.target |
--daytona-target |
(empty) |
daytona.user |
--daytona-user |
daytona |
daytona.workRoot |
--daytona-work-root |
/home/daytona/crabbox |
daytona.sshGatewayHost |
--daytona-ssh-gateway-host |
ssh.app.daytona.io |
daytona.sshAccessMinutes |
--daytona-ssh-access-minutes |
30 |
daytona.apiUrl |
--daytona-api-url |
https://app.daytona.io/api |
A snapshot is required; warmup/run fail without --daytona-snapshot or
daytona.snapshot.
# Lease a sandbox from a snapshot and keep it warm.
crabbox warmup --provider daytona --daytona-snapshot my-app-ready
# Sync the local checkout into an existing lease and run a command.
crabbox run --provider daytona --id swift-crab -- pnpm test
# Open an interactive shell (mints a short-lived SSH token).
crabbox ssh --provider daytona --id swift-crab
# End the lease.
crabbox stop --provider daytona swift-crabwarmupcreates a Daytona sandbox fromdaytona.snapshot, waits for it to become ready, records Crabbox labels, then prints a normal Crabbox lease ID and slug.run --idresolves a Daytona sandbox, uploads a Crabbox sync-manifest archive through Daytona toolbox file APIs, extracts it in the sandbox, and executes the command through Daytona toolbox process APIs. The command transport is Daytona's SDK — not direct SSH.listandstatusdiscover sandboxes only when Daytona labels bind them to the Daytona provider and a canonical Crabbox lease. Direct IDs with missing or mismatched ownership labels are rejected.run --id,ssh, andstopadditionally require a local claim that binds the exact Daytona sandbox ID to that lease. A legacy labelled sandbox with an unbound claim must be adopted explicitly with--reclaimfrom its owning repository before it can be reused or deleted.sshmints a fresh Daytona SSH access token (TTLdaytona.sshAccessMinutes, default 30 minutes), parses the host and port from Daytona's returned SSH command (falling back todaytona.sshGatewayHostand port 22), and prints the token redacted as<token>unless--show-secretis passed.
Daytona is a hybrid backend: core rendering, lease labels, sync manifests, and
repo claim checks stay Crabbox-owned, while the run transport is the Daytona
SDK/toolbox. Actions runner hydration is not supported, because it requires a
long-lived, directly SSH-reachable runner host.
In brokered mode the Worker creates and deletes the sandbox, verifies exact lease labels before destructive cleanup, refreshes the SSH token before expiry, and redacts that token from the portal. Workspaces and ready pools are disabled because they persist an SSH endpoint beyond the rotating credential.
See providers.md for the full provider matrix and capabilities.md for opt-in lease features.