# sandstorm-io/sandstorm

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/sandstorm-io-sandstorm).**

7,037 stars · 705 forks · JavaScript · NOASSERTION

## Links

- GitHub: https://github.com/sandstorm-io/sandstorm
- Homepage: https://sandstorm.org
- awesome-repositories: https://awesome-repositories.com/repository/sandstorm-io-sandstorm.md

## Topics

`capnproto` `decentralized` `hacktoberfest` `sandstorm` `seccomp` `self-hosted` `self-hosting`

## Description

Sandstorm is an open-source platform that packages and runs web applications in security-hardened sandboxes on a personal server, functioning as a self-hosted web app operating system. It provides a curated app store where users discover and install sandboxed web applications with one-click ease, while each application runs in an isolated container that uses Linux kernel security features to separate it from the host and other apps. The platform includes a centralized authentication layer so users sign in once and gain access to all installed applications without managing separate accounts per app.

The platform distinguishes itself through a capability-based security model where each app instance, called a grain, runs in its own sandbox and can only access resources explicitly granted through a system-level permission dialog known as the Powerbox. Every app grain receives a unique subdomain, enabling the reverse proxy to route requests to the correct container, while the platform automatically handles HTTPS provisioning, DNS updates, and backups. Applications are distributed as self-contained bundles that declare their dependencies and entry points in a manifest file, and the platform supports packaging any Linux-compatible web application into a secure, distributable bundle.

Sandstorm handles automated server administration including configuring HTTPS, DNS, backups, and email for a self-hosted server without manual intervention. It provides centralized user access control that manages login and permissions for all installed apps, with support for restricting access by role or user account and authenticating via external providers including Active Directory. The platform also enables inter-application communication through the Powerbox, allowing apps to share data by passing capability references through a system-level dialog that mediates access.

## Tags

### Business & Productivity Software

- [Self-Hosted Productivity App Hosting](https://awesome-repositories.com/f/business-productivity-software/self-hosted-productivity-app-hosting.md) — Installs and manages web apps like documents and spreadsheets on a self-hosted server with built-in login and access control. ([source](https://docs.sandstorm.org/administering/offline/))
- [Self-Hosted Productivity Suites](https://awesome-repositories.com/f/business-productivity-software/self-hosted-productivity-suites.md) — Hosts a collection of productivity tools like documents and spreadsheets on a personal server. ([source](https://docs.sandstorm.org/administering/demo/))
- [Internal Function Exposures](https://awesome-repositories.com/f/business-productivity-software/functional-api-endpoints/internal-function-exposures.md) — Exposes internal web app functions as HTTP endpoints for programmatic access by external services. ([source](https://docs.sandstorm.org/developing/http-apis/))

### DevOps & Infrastructure

- [Self-Hosted Web App Platforms](https://awesome-repositories.com/f/devops-infrastructure/self-hosted-paas-platforms/self-hosted-plugin-platforms/self-hosted-web-app-platforms.md) — An open-source platform that packages and runs web applications in security-hardened sandboxes with built-in user management.
- [App Store](https://awesome-repositories.com/f/devops-infrastructure/cloud-agent-orchestration/cloud-agent-deployers/one-click-deployments/app-store.md) — Installs web applications from a curated catalog onto a self-hosted server with one-click ease.
- [Linux Web App Runtimes](https://awesome-repositories.com/f/devops-infrastructure/linux-deployment-tools/any-workload-deployments/linux-web-app-runtimes.md) — Runs any Linux-compatible web application with optional sandbox modifications. ([source](https://docs.sandstorm.org/developing/raw-packaging-guide/))
- [Personal Server](https://awesome-repositories.com/f/devops-infrastructure/microservices-deployments/sandboxed-deployments/personal-server.md) — Packages any Linux web app into a secure, isolated container that runs on a personal server.
- [Personal Server Operations](https://awesome-repositories.com/f/devops-infrastructure/personal-server-operations.md) — Operates a personal server that hosts productivity applications, giving the owner full control over data and infrastructure. ([source](https://docs.sandstorm.org/administering/))
- [Personal Server Platforms](https://awesome-repositories.com/f/devops-infrastructure/personal-server-platforms.md) — Hosts a self-contained server that runs productivity applications and handles all server-side operations. ([source](https://docs.sandstorm.org/guided-tour/))
- [Security-Hardened Sandboxes](https://awesome-repositories.com/f/devops-infrastructure/platform-as-a-service/containerized-web-app-hosting/security-hardened-sandboxes.md) — Provides security-hardened sandboxes that isolate each web application from the host and other apps using Linux kernel features. ([source](https://docs.sandstorm.org/developing/path/))
- [Curated App Installers](https://awesome-repositories.com/f/devops-infrastructure/self-hosted-platform-as-a-service/curated-app-installers.md) — Installs web productivity apps from a curated package manager onto a self-hosted server as easily as installing apps on a phone. ([source](https://docs.sandstorm.org/administering/hosting-provider/))
- [Wildcard DNS Domain Configurations](https://awesome-repositories.com/f/devops-infrastructure/subdomain-mapping/wildcard-subdomain-resolution/wildcard-dns-domain-configurations.md) — Maps a wildcard DNS domain to the server so each app grain receives its own subdomain for isolated access. ([source](https://docs.sandstorm.org/administering/wildcard/))
- [Subdomain Routing](https://awesome-repositories.com/f/devops-infrastructure/subdomain-routing.md) — Assigns each app grain a unique subdomain so the reverse proxy routes requests to the correct container.
- [Dynamic DNS](https://awesome-repositories.com/f/devops-infrastructure/subdomain-registries/subdomain-claims/dynamic-dns.md) — Claims a free, human-readable subdomain under a dynamic DNS service for a self-hosted server with automatic DNS updates. ([source](https://docs.sandstorm.org/administering/sandcats/))

### Part of an Awesome List

- [One-Click Web App Installers](https://awesome-repositories.com/f/awesome-lists/devtools/app-installation/one-click-web-app-installers.md) — Installs and runs web applications on a personal server with one-click ease like a mobile app store. ([source](https://docs.sandstorm.org/administering/install-script/))
- [Personal Server App Installers](https://awesome-repositories.com/f/awesome-lists/devtools/app-installation/personal-server-app-installers.md) — Installs web productivity apps on a personal Linux server with one-click ease. ([source](https://cdn.jsdelivr.net/gh/sandstorm-io/sandstorm@master/README.md))
- [Productivity App Package Managers](https://awesome-repositories.com/f/awesome-lists/devtools/app-installation/productivity-app-package-managers.md) — Installs productivity apps from a curated catalog with one-click ease. ([source](https://docs.sandstorm.org/developing/auth/))
- [Curated App Marketplaces](https://awesome-repositories.com/f/awesome-lists/media/anime-and-manga/self-hosted-servers/curated-app-marketplaces.md) — Provides a curated marketplace where users discover and install sandboxed web applications on personal servers.
- [Centralized App Authentication Layers](https://awesome-repositories.com/f/awesome-lists/security/authentication-and-permissions/centralized-app-authentication-layers.md) — Provides a single login system that handles authentication and permission checks for all installed apps.

### Data & Databases

- [Inter-Grain Data Sharing](https://awesome-repositories.com/f/data-databases/inter-grain-data-sharing.md) — Passes references to documents between app grains so they can collaborate on the same content. ([source](https://docs.sandstorm.org/developing/powerbox/))
- [Server Backup Snapshots](https://awesome-repositories.com/f/data-databases/server-backup-snapshots.md) — Creates full snapshots of server app data and configuration for restoration after failure. ([source](https://docs.sandstorm.org/administering/backups/))

### Development Tools & Productivity

- [Self-Contained App Manifests](https://awesome-repositories.com/f/development-tools-productivity/package-manifests/self-contained-app-manifests.md) — Distributes apps as self-contained bundles declaring dependencies and entry points in a manifest file.
- [Self-Hosted](https://awesome-repositories.com/f/development-tools-productivity/productivity-suites/self-hosted.md) — Provides a collection of web productivity tools like documents and spreadsheets that runs on a user's own server with centralized access control.

### Mobile Development

- [Capability-Mediated App Sharing](https://awesome-repositories.com/f/mobile-development/inter-app-data-sharing/capability-mediated-app-sharing.md) — Shares data between apps by passing capability references through a system-level permission dialog.

### Networking & Communication

- [Reverse Proxy Configurations](https://awesome-repositories.com/f/networking-communication/proxy-servers/reverse-proxy-configurations.md) — Routes incoming web traffic through an intermediary server that forwards requests to the application. ([source](https://docs.sandstorm.org/administering/reverse-proxy/))
- [DNS Record Updaters](https://awesome-repositories.com/f/networking-communication/dns-record-updaters.md) — Keeps the server's DNS record current by periodically updating the IP address with the dynamic DNS provider. ([source](https://docs.sandstorm.org/administering/sandcats/))
- [Dynamic DNS Clients](https://awesome-repositories.com/f/networking-communication/network-infrastructure-routing/network-infrastructure-configuration/network-management/dns-connectivity-management/dynamic-dns-clients.md) — Includes a built-in dynamic DNS client that automatically updates DNS records for user-friendly subdomains.
- [Port Sharing Mechanisms](https://awesome-repositories.com/f/networking-communication/network-port-configuration/port-sharing-mechanisms.md) — Routes multiple web apps through a single HTTPS port by inspecting the Host header and proxying each request to the correct backend. ([source](https://docs.sandstorm.org/administering/sniproxy/))

### Operating Systems & Systems Programming

- [Linux Sandboxes](https://awesome-repositories.com/f/operating-systems-systems-programming/linux-sandboxes.md) — Executes any Linux-compatible web application inside a security-hardened sandbox to isolate it from the host system. ([source](https://docs.sandstorm.org/administering/hosting-provider/))
- [Web App Sandbox Runtimes](https://awesome-repositories.com/f/operating-systems-systems-programming/linux-sandboxes/web-app-sandbox-runtimes.md) — Runs Linux web applications inside security sandboxes with optional modifications. ([source](https://docs.sandstorm.org/administering/install-troubleshooting/))

### Security & Cryptography

- [Access Control Centralization](https://awesome-repositories.com/f/security-cryptography/access-control-centralization.md) — Provides a single authentication layer that manages login and permissions for all installed apps.
- [TLS Certificate Management](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/security-infrastructure/tls-certificate-management.md) — Obtains and renews TLS certificates from a certificate authority for a custom domain automatically. ([source](https://docs.sandstorm.org/administering/sandcats-https/))
- [Powerbox Identity Requests](https://awesome-repositories.com/f/security-cryptography/identity-authentication/user-identity-verification/powerbox-identity-requests.md) — Provides a system-level dialog for apps to request the user's verified identity without handling credentials. ([source](https://docs.sandstorm.org/developing/powerbox/))
- [Application Sandbox Runtimes](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/linux-security-hardening/application-sandbox-runtimes.md) — Provides a container runtime that isolates each web application from the host and other apps using Linux kernel security features.
- [Capability-Based Security](https://awesome-repositories.com/f/security-cryptography/security/policies/capability-authorization/capability-based-security.md) — Implements a capability-based security model where each app grain accesses only explicitly granted resources.
- [Third-Party Authentication Providers](https://awesome-repositories.com/f/security-cryptography/third-party-authentication-providers.md) — Integrates with third-party identity services so users can log in without a local account. ([source](https://docs.sandstorm.org/developing/auth/))
- [User Access Controls](https://awesome-repositories.com/f/security-cryptography/user-access-controls.md) — Manages login and permissions for every installed app so each user sees only their own data and sessions. ([source](https://docs.sandstorm.org/developing/web-publishing/))
- [User Access Management](https://awesome-repositories.com/f/security-cryptography/user-access-management.md) — Controls who can log in and which apps each user can access through a built-in authentication and permission system. ([source](https://docs.sandstorm.org/))
- [Per-Application Access Management](https://awesome-repositories.com/f/security-cryptography/user-access-management/per-application-access-management.md) — Controls which users can log into each installed app and manages their permissions without the app handling authentication itself. ([source](https://docs.sandstorm.org/developing/raw-ruby-on-rails/))
- [Role-Based Access Control](https://awesome-repositories.com/f/security-cryptography/role-based-access-control.md) — Checks a user's assigned permissions on each request and blocks actions the role is not allowed to perform. ([source](https://docs.sandstorm.org/developing/auth/))
- [Directory Service Authenticators](https://awesome-repositories.com/f/security-cryptography/user-authentication-systems/directory-service-authenticators.md) — Validates user credentials against an Active Directory server to control access to the platform. ([source](https://docs.sandstorm.org/administering/active-directory/))

### Software Engineering & Architecture

- [Web App Catalog Installers](https://awesome-repositories.com/f/software-engineering-architecture/integration-extensibility/extensibility/plugin-architectures/plugin-installation-utilities/plugin-installation-and-management/plugin-catalog-installers/web-app-catalog-installers.md) — Installs third-party web applications from a curated catalog with a single click. ([source](https://docs.sandstorm.org/))
- [Per-Instance Container Isolations](https://awesome-repositories.com/f/software-engineering-architecture/process-isolation-architectures/per-instance-container-isolations.md) — Runs every app instance as an isolated Linux process in its own container with a dedicated subdomain.

### System Administration & Monitoring

- [Home Server Operating Systems](https://awesome-repositories.com/f/system-administration-monitoring/home-server-orchestration/home-server-operating-systems.md) — Operates as an operating system for personal servers that installs and manages web productivity apps with one-click ease.
- [Automated Server Configurations](https://awesome-repositories.com/f/system-administration-monitoring/server-administration/automated-server-configurations.md) — Configures HTTPS, DNS, backups, and email for a self-hosted server without manual intervention.

### Web Development

- [App Store Bundles](https://awesome-repositories.com/f/web-development/local-web-app-hosting/packaged-app-distributions/app-store-bundles.md) — Packages web apps into secure, distributable bundles for installation through the platform's app store. ([source](https://cdn.jsdelivr.net/gh/sandstorm-io/sandstorm@master/README.md))
- [App Store Submissions](https://awesome-repositories.com/f/web-development/local-web-app-hosting/packaged-app-distributions/app-store-submissions.md) — Packages web apps into distributable bundles and submits them to a public app store for installation. ([source](https://docs.sandstorm.org/developing/publishing-apps/))
- [Personal Server Sandbox Bundles](https://awesome-repositories.com/f/web-development/local-web-app-hosting/packaged-app-distributions/personal-server-sandbox-bundles.md) — Packages Linux web apps into self-contained bundles for sandboxed hosting on personal servers. ([source](https://docs.sandstorm.org/developing/raw-ruby-on-rails/))
- [Sandboxed App Bundles](https://awesome-repositories.com/f/web-development/local-web-app-hosting/packaged-app-distributions/sandboxed-app-bundles.md) — Packages Linux web apps into self-contained bundles that run inside security-hardened sandboxes. ([source](https://docs.sandstorm.org/developing/raw-pure-client-apps/))
- [Sandboxed Web App Distributions](https://awesome-repositories.com/f/web-development/local-web-app-hosting/packaged-app-distributions/sandboxed-web-app-distributions.md) — Bundles Linux web apps into isolated containers and distributes them through a curated app store.
- [Self-Hosted App Bundles](https://awesome-repositories.com/f/web-development/local-web-app-hosting/packaged-app-distributions/self-hosted-app-bundles.md) — Packages Linux web apps into self-contained bundles for installation and running on personal servers. ([source](https://docs.sandstorm.org/developing/web-publishing/))
- [Capability Request Dialogs](https://awesome-repositories.com/f/web-development/progressive-web-app-capabilities/capability-request-dialogs.md) — Provides a system-level permission dialog for apps to request capabilities from other apps or user accounts. ([source](https://docs.sandstorm.org/developing/powerbox/))
- [HTTPS Servers](https://awesome-repositories.com/f/web-development/web-servers/https-servers.md) — Sets up TLS certificates and encryption so all traffic between users and the server is secured. ([source](https://docs.sandstorm.org/administering/ssl/))
