Managed Agents — Environments & Resources
Environments
Creating a session requires an environment_id. Environments are reusable configuration templates for spinning up containers in Anthropic's infrastructure — you might create different environments for different use cases (e.g. data visualization vs web development, with different package sets). Anthropic handles scaling, container lifecycle, and work orchestration.
Environment names must be unique. Creating an environment with an existing name returns 409.
Networking
| Network Policy | Description |
|---|---|
unrestricted | Full egress (except legal blocklist) |
package_managers_and_custom | Package managers + custom allowed_hosts |
{
"networking": {
"type": "package_managers_and_custom",
"allowed_hosts": ["api.example.com"]
}
}MCP caveat: If using restricted networking, make sure allowed_hosts includes your MCP server domains. Otherwise the container can't reach them and tools silently fail.
Creating an environment
The SDK adds managed-agents-2026-04-01 automatically. TypeScript:
const env = await client.beta.environments.create({
name: "my_env",
config: {
type: "cloud",
networking: { type: "unrestricted" },
},
});Environment CRUD
| Operation | Method | Path | Notes |
|---|---|---|---|
| Create | POST | /v1/environments | |
| List | GET | /v1/environments | Paginated (limit, after_id, before_id) |
| Get | GET | /v1/environments/{id} | |
| Update | POST | /v1/environments/{id} | Changes apply only to new containers; existing sessions keep their original config |
| Delete | DELETE | /v1/environments/{id} | Returns 204. |
| Archive | POST | /v1/environments/{id}/archive | Makes it read-only; existing sessions continue, new sessions cannot reference it. No unarchive — terminal state. |
Resources
Attach files, GitHub repositories, and memory stores to a session. Session creation blocks until all resources are mounted — the container won't go running until every file and repo is in place. Max 999 file resources per session. Multiple GitHub repositories per session are supported. For type: "memory_store" resources (persistent cross-session memory — max 8 per session), see shared/managed-agents-memory.md.
File Uploads (input — host → agent)
Upload a file first via the Files API, then reference by file_id + mount_path:
// 1. Upload
const file = await client.beta.files.upload({
file: fs.createReadStream("data.csv"),
});
// 2. Attach as a session resource
const session = await client.beta.sessions.create({
agent: agent.id,
environment_id: envId,
resources: [
{ type: "file", file_id: file.id, mount_path: "/workspace/data.csv" }
],
});mount_path is required and must be absolute. Parent directories are created automatically. Agent working directory defaults to /workspace. Files are mounted read-only — the agent writes modified versions to new paths.
Session outputs (output — agent → host)
The agent can write files to /mnt/session/outputs/ during a session. These are automatically captured by the Files API and can be listed and downloaded afterwards:
// After the turn completes, list output files scoped to this session:
for await (const f of client.beta.files.list({
scope_id: session.id,
betas: ["managed-agents-2026-04-01"],
})) {
console.log(f.filename, f.size_bytes);
const resp = await client.beta.files.download(f.id);
const text = await resp.text();
}Requirements:
- The
writetool (orbash) must be enabled for the agent to create output files. - Session-scoped
files.list/files.downloadcaptures outputs written to/mnt/session/outputs/. - The filter parameter is
scope_id(REST query param?scope_id=<session_id>). The SDK's files resource auto-adds only thefiles-api-2025-04-14header, so passbetas: ["managed-agents-2026-04-01"]explicitly (or both headers on raw HTTP) — without it the API may rejectscope_idas an unknown field. Requires@anthropic-ai/sdk≥ 0.88.0 /anthropic(Python) ≥ 0.92.0 — older versions don't typescope_id. TheantCLI does not expose this flag yet; use the SDK or curl. - Pass the session ID returned by
sessions.create()verbatim (e.g.sesn_011CZx...) — the API validates the prefix. - There's a brief indexing lag (~1–3s) between
session.status_idleand output files appearing infiles.list. Retry once or twice if empty.
Fallback when
scope_idfiltering is unavailable (older SDK, or endpoint returns an error): send a follow-upuser.messageasking the agent toreadeach file under/mnt/session/outputs/and return the contents. The agent streams the file bodies back asagent.messagetext. This works for text files only and costs output tokens — use it to unblock, not as the primary path.
This gives you a bidirectional file bridge: upload reference data in, download agent artifacts out.
GitHub Repositories
Clones a GitHub repository into the session container during initialization, before the agent begins execution. The agent can read, edit, commit, and push via bash (git). Multiple repositories per session are supported — add one resources entry per repo. Repositories are cached, so future sessions that use the same repository start faster.
Repositories are attached for the lifetime of the session — to change which repositories are mounted, create a new session. You can rotate a repository's authorization_token on a running session via client.beta.sessions.resources.update(resource_id, {session_id, authorization_token}); the resource id is returned at session creation and by resources.list().
Fields:
| Field | Required | Notes |
|---|---|---|
type | ✅ | "github_repository" |
url | ✅ | The GitHub repository URL |
authorization_token | ✅ | GitHub Personal Access Token with repository access. Never echoed in API responses. |
mount_path | ❌ | Path where the repository will be cloned. Defaults to /workspace/<repo-name>. |
checkout | ❌ | {type: "branch", name: "..."} or {type: "commit", sha: "..."}. Defaults to the repo's default branch. |
Token permission levels (fine-grained PATs):
Contents: Read— clone onlyContents: Read and write— push changes and create pull requests
How auth works: authorization_token is never placed inside the container. git pull / git push and GitHub REST calls against the attached repository are routed through an Anthropic-side git proxy that injects the token after the request leaves the sandbox. Code running in the container — including anything the agent writes — cannot read or exfiltrate it.
‼️ To generate pull requests you also need GitHub MCP server access — the
github_repositoryresource gives filesystem + git access only. Seeshared/managed-agents-tools.md→ MCP Servers. The PR workflow is: edit files in the mounted repo → push branch viabash(authenticated via the git proxy usingauthorization_token) → create PR via the MCPcreate_pull_requesttool (authenticated via the vault).
TypeScript:
// 1. Create the agent — declare GitHub MCP (no auth here)
const agent = await client.beta.agents.create(
{
name: 'GitHub Agent',
model: 'claude-opus-4-7',
mcp_servers: [
{ type: 'url', name: 'github', url: 'https://api.githubcopilot.com/mcp/' },
],
tools: [
{ type: 'agent_toolset_20260401', default_config: { enabled: true } },
{ type: 'mcp_toolset', mcp_server_name: 'github' },
],
},
);
// 2. Start a session — attach vault for MCP auth + mount the repo
const session = await client.beta.sessions.create({
agent: agent.id,
environment_id: envId,
vault_ids: [vaultId], // vault contains the GitHub MCP OAuth credential
resources: [
{
type: 'github_repository',
url: 'https://github.com/owner/repo',
authorization_token: process.env.GITHUB_TOKEN, // repo clone token (≠ MCP auth)
checkout: { type: 'branch', name: 'main' },
},
],
});Python:
import os
agent = client.beta.agents.create(
name="GitHub Agent",
model="claude-opus-4-7",
mcp_servers=[{
"type": "url",
"name": "github",
"url": "https://api.githubcopilot.com/mcp/",
}],
tools=[
{"type": "agent_toolset_20260401", "default_config": {"enabled": True}},
{"type": "mcp_toolset", "mcp_server_name": "github"},
],
)
session = client.beta.sessions.create(
agent=agent.id,
environment_id=env_id,
vault_ids=[vault_id], # vault contains the GitHub MCP OAuth credential
resources=[{
"type": "github_repository",
"url": "https://github.com/owner/repo",
"authorization_token": os.environ["GITHUB_TOKEN"], # repo clone token (≠ MCP auth)
"checkout": {"type": "branch", "name": "main"},
}],
)Files API
Upload and manage files for use as session resources, and download files the agent wrote to /mnt/session/outputs/.
| Operation | Method | Path | SDK |
|---|---|---|---|
| Upload | POST | /v1/files | client.beta.files.upload({ file }) |
| List | GET | /v1/files?scope_id=... | client.beta.files.list({ scope_id, betas: ["managed-agents-2026-04-01"] }) |
| Get Metadata | GET | /v1/files/{id} | client.beta.files.retrieveMetadata(id) |
| Download | GET | /v1/files/{id}/content | client.beta.files.download(id) → Response |
| Delete | DELETE | /v1/files/{id} | client.beta.files.delete(id) |
The scope_id filter on List scopes the results to files written to /mnt/session/outputs/ by that session. Without the filter, you get all files uploaded to your account.