Architecture & Security

Under the Hood

How Dasher isolates your workspaces, encrypts your tokens, and proxies every API call — so agents never touch your secrets.

01

The Request Journey

Every request is authenticated, routed, and sandboxed before a single line of code runs.

User

Telegram / Slack

Bot Service

Message polling

Auth & DB

JWT + encrypted tokens

Gateway

Orchestration

Sandbox

Ephemeral container

Web

Search / fetch

02

The Infrastructure

Three layers of services, each with its own responsibility and isolation boundary.

User Layer

Telegram

Bot API

Slack

Events API

Web App

Next.js on Vercel

Orchestration Layer

Gateway

FastAPI on Railway

Auth & Database

PostgreSQL + Encrypted Tokens

Execution Layer

Ephemeral Sandboxes

Modal Containers

Persistent Volumes

Modal Volumes at /data

03

The Vault

Encrypted at Rest

Your API tokens are encrypted at rest and never enter the sandbox. The agent only ever sees proxy credentials.

Encrypted Token Store
Encryption at Rest
Gateway Only
Your API Token

Encrypted at rest — only decrypted in Gateway memory when needed

Encrypted at rest

Your API tokens are stored encrypted at rest. They are never written to disk in plaintext.

Never in the sandbox

Real tokens never enter the sandbox environment. The agent only receives proxy credentials it cannot use outside Dasher.

Gateway-only decryption

Plaintext tokens exist only in Gateway process memory during an active API call — then discarded.

04

The Proxy

HMAC Gateway Model

Sandboxes never hold real tokens. Every external API call is proxied through the Gateway using HMAC-signed credentials.

Sandbox

Agent sends an HMAC-signed credential — never the real token:

Authorization: HMAC-SHA256

credential=user_id:timestamp

signature=a1b2c3d4...

capability=github:repo

No real tokens in sandbox memory

Gateway

1. Verify HMAC signature
2. Check expiry window
3. Validate capabilities
4. Decrypt real token
5. Make API call
Sandbox cannot reach APIs directly

External APIs

GitHub API

Repos, PRs, Actions

Google APIs

Calendar, Gmail

Data-only response
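
Gateway steps 1 to 3 above, sketched as an added example (not Dasher's own code). The single-line comma-separated header layout, the signed message `credential|capability`, the 300-second window, and the names `PROXY_SECRETS` and `GRANTED_CAPABILITIES` are assumptions; the page does not specify them.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed expiry window; the page does not state one
# Constructed sample data: per-user proxy secrets and the capabilities each user granted.
PROXY_SECRETS = {"user_42": b"constructed-proxy-secret"}
GRANTED_CAPABILITIES = {"user_42": {"github:repo"}}


def sign(secret, credential, capability):
    """Assumed signing scheme: HMAC-SHA256 over 'credential|capability', hex-encoded."""
    message = f"{credential}|{capability}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def parse_header(header):
    """Split 'HMAC-SHA256 k=v, k=v, ...' into a dict; raise ValueError if malformed."""
    scheme, _, params = header.partition(" ")
    if scheme != "HMAC-SHA256":
        raise ValueError("unsupported scheme")
    fields = dict(p.strip().split("=", 1) for p in params.split(","))
    if set(fields) != {"credential", "signature", "capability"}:
        raise ValueError("missing or unexpected fields")
    return fields


def verify(header, now=None):
    """Run gateway steps 1-3; return (ok, reason). Token decryption follows only on ok."""
    now = time.time() if now is None else now
    try:
        fields = parse_header(header)
        user_id, ts = fields["credential"].rsplit(":", 1)
        issued_at = int(ts)
    except ValueError:
        return False, "malformed"
    secret = PROXY_SECRETS.get(user_id)
    if secret is None:
        return False, "unknown user"
    expected = sign(secret, fields["credential"], fields["capability"])
    # Step 1: constant-time comparison, so timing does not leak signature bytes.
    if not hmac.compare_digest(expected.encode(), fields["signature"].encode()):
        return False, "bad signature"
    # Step 2: reject credentials outside the expiry window (limits replay).
    if abs(now - issued_at) > MAX_SKEW_SECONDS:
        return False, "expired"
    # Step 3: the signed capability must be one this user actually granted.
    if fields["capability"] not in GRANTED_CAPABILITIES.get(user_id, set()):
        return False, "capability not granted"
    return True, "ok"
```

Because the capability is covered by the signature in this sketch, a sandbox that edits `capability` after signing fails step 1 rather than reaching step 3.
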
05

Ephemeral by Design

Sandbox Lifecycle

Every request gets a fresh container. Your workspace persists — the execution environment doesn't.

Request 1

Create

Fresh container spins up

Execute

Claude CLI processes prompt

Stream

JSON lines → Gateway → User

Destroy

Container terminated

Persistent Volume

/data — conversation context, workspace files, and settings survive across requests

Per-user isolated

Request 2

Create

New container, same volume

Execute

Claude CLI processes prompt

Stream

JSON lines → Gateway → User

Destroy

Container terminated

Fresh sandbox, persistent state

Every request gets a clean container — no leftover processes, no stale state. But your conversation context and workspace files persist on the volume, so Claude picks up right where you left off.
