Ultimate Guide To Dev Containers Daytona

Gombloh

Authentication Methods

This page describes the various authentication mechanisms supported by Daytona for different access patterns.

It covers the core authentication methods and their implementation, but does not detail API key management, proxy-specific authentication flows, or SSH access configuration. For those topics, see API Keys and Scopes, Preview URLs and Proxy Authentication, and SSH Access.

Authentication Method Types

Daytona implements multiple authentication methods to support different types of clients and use cases: API keys for programmatic access, OAuth2/OIDC tokens for users, runner tokens for service-to-service calls, proxy tokens for preview URLs, and SSH gateway tokens for SSH access. All of them are implemented through a guard-based architecture in the API service, with the authentication context propagated through the request pipeline.

Sources: apps/api/src/config/configuration.ts36-47, apps/proxy/pkg/proxy/proxy.go35-40, apps/api/src/sandbox/guards/sandbox-access.guard.ts8-12, apps/api/src/auth/combined-auth.guard.ts

API Key Authentication

API keys are bearer tokens used for programmatic access to the Daytona API. They are scoped to a specific organization and can carry granular permissions.

Implementation

API keys are validated by the CombinedAuthGuard, which accepts bearer tokens in the Authorization header:

Authorization: Bearer <api-key>

The OpenAPI specification defines the corresponding bearer security scheme (libs/api-client-go/api/openapi.yaml50-52). Validated API keys are cached in Redis for performance, with configurable TTL values; the TTL therefore bounds how long a revoked key could still be accepted unless its cache entry is invalidated explicitly.

API Key Scopes

API keys can be restricted to specific permission scopes, which are a subset of the organization role permissions.
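The bearer parsing and the scope-subset rule described above, as an added TypeScript example (the API service is written in TypeScript, but this is not Daytona's code): keys are stored hashed, compared in constant time, and a key's requested scopes are intersected with its organization role's permissions so the key can never exceed the role. The key store, role names, key values and the enforcement-by-intersection are assumptions; the scope names are the ones listed on this page. The Redis cache is not modelled here.

```typescript
// Added example, not Daytona's code: bearer API-key validation with hashed
// storage, constant-time comparison and the scope-subset rule.
import { createHash, timingSafeEqual } from "crypto";

// Permissions granted by organization roles (role names assumed; scope names from the page).
export const ROLE_PERMISSIONS: Record<string, string[]> = {
  developer: ["write:sandboxes", "delete:sandboxes", "write:snapshots", "read:volumes", "write:volumes"],
  viewer: ["read:volumes"],
};

export interface ApiKeyRecord {
  keyHash: string;        // hex SHA-256 of the key; the plaintext is shown once at creation and never stored
  organizationId: string;
  role: string;           // organization role of the key's owner
  scopes: string[];       // scopes requested when the key was created
}

export interface ApiKeyContext {
  organizationId: string;
  permissions: string[];  // effective permissions: requested scopes that the role actually grants
}

export function sha256Hex(input: string): string {
  return createHash("sha256").update(input).digest("hex");
}

// Constructed key store standing in for the database (key values are made up for the example).
export const KEY_STORE: ApiKeyRecord[] = [
  { keyHash: sha256Hex("dtn_example_key_1"), organizationId: "org-1", role: "developer", scopes: ["write:sandboxes", "read:volumes"] },
  { keyHash: sha256Hex("dtn_example_key_2"), organizationId: "org-2", role: "viewer", scopes: ["write:sandboxes", "read:volumes"] },
];

// Extracts the token from "Authorization: Bearer <token>" (the scheme is case-insensitive per RFC 6750);
// any other scheme, or whitespace inside the token, is rejected.
export function parseBearer(authorization: string | undefined): string | null {
  if (!authorization) return null;
  const match = /^Bearer\s+([A-Za-z0-9._~+\/=-]+)$/i.exec(authorization.trim());
  return match ? match[1] : null;
}

// Constant-time comparison of two hex digests so the lookup does not leak matching prefixes.
function digestsEqual(a: string, b: string): boolean {
  const bufA = Buffer.from(a, "hex");
  const bufB = Buffer.from(b, "hex");
  return bufA.length === bufB.length && timingSafeEqual(bufA, bufB);
}

// Validates the Authorization header against the store and returns the key's context, or null.
export function validateApiKey(authorization: string | undefined, store: ApiKeyRecord[] = KEY_STORE): ApiKeyContext | null {
  const key = parseBearer(authorization);
  if (!key) return null;
  const hash = sha256Hex(key);
  let record: ApiKeyRecord | undefined;
  for (const candidate of store) {
    if (digestsEqual(candidate.keyHash, hash)) record = candidate;
  }
  if (!record) return null;
  // Scope-subset rule (assumed to be enforced by intersection): a key grants only those requested
  // scopes that its organization role also grants, so it can never exceed the role.
  const rolePermissions = ROLE_PERMISSIONS[record.role] ?? [];
  const permissions = record.scopes.filter((scope) => rolePermissions.indexOf(scope) !== -1);
  return { organizationId: record.organizationId, permissions };
}

export function hasPermission(ctx: ApiKeyContext | null, scope: string): boolean {
  return ctx !== null && ctx.permissions.indexOf(scope) !== -1;
}
```

The second key shows the subset rule from the other side: it requested write:sandboxes, but its owner only holds a viewer role, so the effective permissions collapse to read:volumes.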

Common scopes include:
- write:sandboxes - Create and modify sandboxes
- delete:sandboxes - Delete sandboxes
- write:snapshots - Create and modify snapshots
- read:volumes - Read volume information
- write:volumes - Create and modify volumes

Sources: apps/api/src/config/configuration.ts245-248, libs/api-client-go/api/openapi.yaml50-56

OAuth2/OIDC Authentication

OAuth2/OIDC authentication enables user login through external identity providers such as Dex, Auth0, or any OIDC-compliant provider.

OIDC Configuration

The API service requires OIDC provider settings (see apps/api/.env12-19 and apps/api/src/config/configuration.ts36-47). The configuration distinguishes between an internal and a public issuer URL, to support deployments where the API service reaches the OIDC provider over an internal network while users access it through a public URL. Tokens carry the issuer value the provider is configured with (the public URL in this scenario), so issuer validation must compare against the public issuer even when discovery and key retrieval go over the internal URL.

OAuth2 Scopes

The API requires the following OAuth2 scopes for user authentication:
- openid - Core OpenID Connect authentication
- profile - User profile information
- email - User email address

These scopes are declared in the OpenAPI specification: libs/api-client-go/api/openapi.yaml51-55

OIDC Management API (Optional)

For advanced OIDC provider integration, Daytona supports an optional management API configuration. This enables features such as programmatic user management and custom authentication flows.

Sources: apps/api/src/config/configuration.ts36-47, apps/api/.env12-19, apps/docs/src/content/docs/en/oss-deployment.mdx119-124

Runner Token Authentication

Runner tokens authenticate service-to-service communication between the API service and runner instances. Each runner has a unique API key configured during registration.

Runner Token Configuration

Each runner is configured with its own API key; the default runner configuration is read from the environment (apps/api/src/config/configuration.ts151-167).

Runner-Specific Operations

Runner tokens grant access to runner-specific API endpoints:
- PUT /sandbox/{id}/state - Update sandbox state
- GET /sandbox/for-runner - List sandboxes assigned to the runner
- Snapshot synchronization endpoints
- Backup state updates

These endpoints are protected by the @UseGuards(RunnerAuthGuard) decorator: apps/api/src/sandbox/controllers/sandbox.controller.ts542-543

Sources: apps/api/src/config/configuration.ts151-167, apps/api/src/sandbox/controllers/sandbox.controller.ts542-543, apps/api/src/sandbox/guards/sandbox-access.guard.ts29-36

Proxy Token Authentication

Proxy tokens enable browser-based access to sandbox preview URLs without requiring full user authentication for public sandboxes.

Proxy Authentication Methods

The proxy service supports three authentication methods, checked in priority order (apps/proxy/pkg/proxy/proxy.go35-40).

Proxy Token Constants

The constants in proxy.go define:
- SANDBOX_AUTH_KEY_HEADER : Header name for auth tokens
- SANDBOX_AUTH_KEY_QUERY_PARAM : Query parameter name for auth tokens
- SANDBOX_AUTH_COOKIE_NAME : Cookie prefix for persisting auth tokens
- TERMINAL_PORT : Port requiring authentication (22222)
- TOOLBOX_PORT : Port requiring authentication (2280)

Proxy Token Validation

The proxy validates tokens by calling the API service (apps/proxy/pkg/proxy/get_target.go55-76):
- Check whether the sandbox is public (result cached for 1 hour)
- If the sandbox is not public, or the request targets one of the restricted ports, validate the token
- Cache the validation result for 2 minutes
- Fall back to OIDC authentication if no valid token is present

Both caches trade freshness for fewer API calls: making a sandbox private can take up to an hour to be enforced by the proxy, and a revoked token can keep working for up to two minutes, unless the cache entries are invalidated explicitly.

Secure Cookie Configuration

The proxy uses secure cookies to persist authentication across requests (apps/proxy/pkg/proxy/proxy.go59-66). The cookie domain is configurable via the COOKIE_DOMAIN environment variable or, failing that, derived from PROXY_DOMAIN.

Sources: apps/proxy/pkg/proxy/proxy.go35-66, apps/proxy/pkg/proxy/get_target.go55-76, apps/proxy/pkg/proxy/auth.go

SSH Gateway Token Authentication

SSH gateway tokens authenticate SSH access to sandboxes through the SSH gateway service.

SSH Gateway Configuration

The SSH gateway uses its own API key to authenticate with the API service when it validates a user's SSH token.

SSH Access Token Generation

Users generate time-limited SSH access tokens through the API:

POST /sandbox/{sandboxIdOrName}/ssh-access

This returns a token that is used as the username in the SSH command.

SSH Token Validation Flow and SSH Gateway Guard

The SSH gateway authenticates to the API through the SshGatewayGuard (apps/api/src/sandbox/guards/sandbox-access.guard.ts39-40). When the SSH gateway context is detected, resource-level access checks are bypassed, since the gateway has already validated the user's token. That bypass makes the gateway's API key a high-value credential: anything holding it passes the sandbox-level checks other callers are subject to, so it should be stored and rotated like any other service secret.

Sources: apps/api/src/config/configuration.ts142-146, apps/docs/src/content/docs/en/oss-deployment.mdx186, apps/api/src/sandbox/guards/sandbox-access.guard.ts39-40

Authentication Guard Chain

Daytona uses a multi-layered guard architecture to enforce authentication and authorization.

Guard Application Example

Controllers apply guards using decorators (apps/api/src/sandbox/controllers/sandbox.controller.ts82-83). At the controller level this applies:
- CombinedAuthGuard - Validates the API key or OAuth token
- OrganizationResourceActionGuard - Checks organization permissions
- AuthenticatedRateLimitGuard - Applies rate limiting

Specific operations may add further guards (apps/api/src/sandbox/controllers/sandbox.controller.ts366-367); for example, a handler adds SandboxAccessGuard to verify that the caller has access to the specific sandbox. Guards run in declaration order and the first refusal ends the request, so authentication is established before organization permissions are checked, and both before the per-sandbox check.

Authentication Context Types

Each authentication method creates a specific context type (for example a user, API key, runner or SSH gateway context), and the SandboxAccessGuard handles each of them appropriately: apps/api/src/sandbox/guards/sandbox-access.guard.ts28-52

Sources: apps/api/src/sandbox/controllers/sandbox.controller.ts82-83, apps/api/src/sandbox/guards/sandbox-access.guard.ts28-52

Authentication Header Mapping

The original page summarizes the mapping from authentication method to HTTP header and validator in a table that is not preserved in this copy. From the sections above: API keys and OAuth tokens both arrive as Authorization: Bearer and are validated by CombinedAuthGuard; runner tokens are validated by RunnerAuthGuard; the SSH gateway's key by SshGatewayGuard; and proxy tokens are read from the header, query parameter or cookie named by the proxy constants and checked against the API service.

Special Authentication Headers

Additional headers used in authentication flows:
- X-Forwarded-Host : Preserved by the proxy for origin tracking
- X-Daytona-Skip-Last-Activity-Update : Skip the activity timestamp update
- X-Daytona-Disable-CORS : Disable CORS for specific requests

Sources: apps/proxy/pkg/proxy/proxy.go35-40, apps/proxy/pkg/proxy/get_target.go100-103, apps/api/src/common/constants/header.constants.ts

Organization Context Loading

For user and API key authentication, the OrganizationAccessGuard loads the organization context with Redis caching. The guard caches the organization-user relationship for 10 seconds to reduce database load (apps/api/src/organization/guards/organization-access.guard.ts50-80). This trades a small consistency window for performance: a user removed from an organization can keep acting within it for up to 10 seconds after the change.

Sources: apps/api/src/organization/guards/organization-access.guard.ts26-80
