The Open Source, Identity-Based, Secretless Sandbox Platform

A unified platform for developers and AI agents to run reproducible sandboxes with identity-based, policy-driven, secretless access to infrastructure resources while eliminating credential sprawl.

One Platform for Sandboxed Execution and Secretless Infrastructure Access
Developer (Web terminal · SSH · CLI):

$ cordium run --repository https://github.com/myorg/api-service --branch develop
$ cordium exec abc -w /workspace/repo -- make test
$ cordium ssh abc -L 5432:localhost:5432

[Diagram: Developer; Cordium (Reproducible Sandbox, Workspace Identity, Infrastructure Access, Real-Time Visibility); Access (Postgres, K8s, SSH, API). Example resource: PostgreSQL at postgres-prod.databases, reached with secretless access: no database password in the Workspace.]

01. A unified, open source, scalable sandbox platform for developers and AI agents.

02. Accessible via browser terminal, SSH, CLI, and gRPC APIs.

03. Identity-based, secretless, policy-as-code-driven access to infrastructure resources that eliminates sharing credentials.

Isolated, Reproducible Sandboxes for Any Workload

01. Scalable platform built on standard Kubernetes. Full root capability inside the sandbox. No bare-metal, no hypervisors, no specialized hardware required.

02. Build sandboxes from OCI images, Dockerfiles, Git repositories, or Devcontainer spec using declarative YAML.

03. Enforce per-Workspace resource limits. Prebuild Templates for reuse. Persistent/ephemeral pluggable CSI Kubernetes-native storage.

04. AI agent ready. Designed equally for long-lived coding sessions and short-lived automated workloads.

05. 100% free and open source. Dedicated for self-hosting. No SaaS. No vendor lock-in.

cordium cli
cordium run

Create and run a Workspace from a YAML spec

workspace.yaml
spec:
  image:
    registry:
      url: node:20-bookworm
  repository:
    url: github.com/myorg/api
    cloneOptions:
      branch: main
  runtime:
    envVars:
      - key: NODE_ENV
        value: development
      - key: DATABASE_URL
        fromSecret: dev-db-url
  tasks:
    - name: install
      run: npm ci
      type: ON_CREATE
    - name: dev-server
      run: npm run dev
      type: POST_START
      isBackground: true
  applications:
    - name: web
      port: 3000
      isDefault: true

Every Workspace Is a Zero-Trust Identity

01. Identity-based secure access to remote and SaaS infrastructure that is governed by per-request, L7-aware access control with policy-as-code.

02. Access remote and SaaS databases, APIs, Kubernetes, SSH, and mTLS resources without exposing secrets to the sandbox.

03. Continuous authentication for humans via OpenID Connect or SAML 2.0 identity providers, GitHub OAuth2, native FIDO2/WebAuthn, TOTP, and TPM 2.0.

04. Workload identity federation via OIDC assertions, OAuth2 client-credentials, and bearer authentication for agents and workloads.

05. OpenTelemetry-native, identity-based, L7-aware, structured visibility in real-time.

access logs · live
ALLOWED · POSTGRES · AI Agent · AI agent database query — secretless · 3.2ms
user: agent-01 · session: agent-01-7x2k9a · service: prod-db.default · 14:02:33

entry.common.userRef.name: agent-01
entry.common.sessionRef.name: agent-01-7x2k9a
entry.common.serviceRef.name: prod-db.default
entry.common.status: ALLOWED
entry.info.postgres.type: QUERY
entry.info.postgres.query: SELECT count(*) FROM orders WHERE status = 'pending' AND created_at > NOW() - INTERVAL '24h'
entry.info.postgres.upstream.credential: injected at gateway
entry.common.reason.type: POLICY_MATCH
entry.common.reason.policy: workspace-agent-db-access

Cordium is 100% Free and Open Source

Start where it fits your work.

A modern, scalable, open source, identity-based sandbox platform for humans and AI agents.

Enterprise

Unified identity-based, open source sandbox platform that achieves compliance without vendor lock-in.

AI Agents

Scalable sandbox platform with identity-based, secretless access to infrastructure and AI providers.

Developer

FOSS, self-hosted platform for reproducible remote development environments, CI/CD jobs, and general-purpose sandboxes.