Code Execution Sandbox for Agents on Heroku
- Last Updated: February 17, 2026
Large language models are good at writing code. Data from Anthropic shows that allowing Claude to execute scripts, rather than relying on sequential tool calls, reduces token consumption by an average of 37%, with some use cases seeing reductions as high as 98%.
Untrusted code needs a secure and isolated place to execute. We solved this with code execution sandboxes (powered by one-off dynos), launched alongside Heroku Managed Inference and Agents in May 2025.
You can leverage these sandboxes in two ways:
- Built-in tools, within our Managed Inference and Agents API
- MCP tool, by deploying our open-source Model Context Protocol (MCP) servers to connect the sandbox to any client, including Agentforce, Claude Desktop, or Cursor
How agents improve with code execution tools
Every tool definition and intermediate output is forced through the model’s context window. This is highly inefficient. For example, if you analyze a 10MB log file, the entire file consumes your context even if you only need a brief summary of the errors.
The better pattern, which Anthropic calls programmatic tool calling, lets the model write code that orchestrates everything.
If you’re using Salesforce and want to ask Agentforce to find at-risk deals in your Q1 pipeline, the agent writes a script that queries thousands of opportunities, cross-references activity history, filters for deals with no recent engagement, and returns just the 12 that need attention. The tool execution and reasoning and analysis can happen in the Heroku sandbox and only the summary hits the model’s context.
Isolation via one-off dynos
To execute untrusted code safely, we use one-off dynos. This is the same infrastructure that has been used for administrative or maintenance tasks on Heroku for over a decade. Because these dynos are spun up on demand and terminate after use, they provide a naturally isolated, cost-effective, and secure environment, which means the blast radius of LLM generated code is limited to an ephemeral container.
How to use the built-in tools
If you’re using the Managed Inference and Agents API, include code_exec_python (or code_exec_ruby, code_exec_node, code_exec_go) in your tool list:
curl "$INFERENCE\_URL/v1/agents/heroku" \\
-H "Content-Type: application/json" \\
-H "Authorization: Bearer $INFERENCE\_KEY" \\
-d '{
"model": "claude-4-sonnet",
"messages": [
{
"role": "user",
"content": "Calculate the standard deviation of [23, 45, 67, 12, 89, 34, 56, 78, 90, 11]"
}
],
"tools": [
{
"type": "heroku_tool",
"name": "code_exec_python"
}
]
}'
The agent writes Python, we execute it in a dyno, and stream back the result:
{
"choices": [
{
"message": {
"role": "assistant",
"content": "The standard deviation is 30.19. Here's what I calculated:\n\nMean: 50.5\nVariance: 911.39\nStd Dev: 30.19\n\nThe data has fairly high spread - values range from 11 to 90."
}
}
]
}
You can pass runtime_params with max_calls to limit how many times the tool runs during a single agent loop.
Deploying your own code execution MCP server
For Agentforce, Claude Desktop, Cursor, or custom frameworks, deploy the MCP server directly:
git clone https://github.com/heroku/mcp-code-exec-python
cd mcp-code-exec-python
heroku create my-sandbox
heroku config:set API_KEY=$(openssl rand -hex 32)
git push heroku main
The server implements the Model Context Protocol. Point your client at it and you get the same sandboxed execution. We have implementations for Python, Ruby, Node, and Go. Each repo has a deploy button if you prefer one-click setup.
Start building more powerful, efficient AI agents by trying out our code execution sandboxes today.
- Originally Published:
- Heroku AIManaged Inference and AgentsMCP On Heroku
