Platform for securly running Agents with incredible devX
Nightshift is a platform that gives each user the ability to provision isolated, general purpose, SSH-accessible Linux machines.
These machines are called chicklets. Chicklets are long-lived, persistent, and accessible over a single public IP.
After setting up Nightshift users are able to create and connect to their own chicklets with the chicklet CLI tool:
# create an account and login
chicklet login
# create a chicklet
chicklet create dev
# You can pass in a size of your chicklet
chicklet create dev --tier medium
# connect to your chicklet
chicklet console -s dev
# execute a command in your chicklet
chicklet exec -s dev -- echo "Hello from one chicklet to another!"
A chicklet is essentially a container with some extra features that make it useful for running agents or having them talk to your infrastructure.
You can have nightshift create chicklets using either Kata Container or plain containers.
The VM option provides hard multi-tenancy which means that chicklets are fully isolated at the hypervisor level.
Chicklets come preinstalled with Claude Code and know how to interact with the Nightshift API.
Create a chicklet and use it as your agent coding environment you can access from anywhere. Give agents the ability to spawn and manage their own chicklets based on their needs.
If you need help with Nightshift visit Nightshift, you can join our community Slack channel.
- Usage
- REST API
- Operator Guide — Setting up Nightshift on your own infrastructure
- Networking — How pod networking, port exposure, and HTTPS URLs work
- Admin Guide — Day-to-day administration, networking, and troubleshooting
- Billing Setup — Configuring Stripe billing for chicklet-as-a-service
You can get the latest CLI binary at chicklet.io
curl -fsSL https://chicklet.io/install.sh | shchicklet login On login, an API key is saved to ~/.chicklet/config.json. All subsequent commands use it automatically.
Your local SSH public key (~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub) is automatically detected and registered on first login. No manual key setup is needed.
chicklet create mychicklet # Interactive console session
chicklet console -s mychicklet Run a single command in a chicklet without starting an interactive session:
chicklet exec -s mychicklet -- ls -la /tmp
chicklet exec -s mychicklet -- cat /etc/os-releaseSSH keys are registered per-user. Your keys are automatically added to all chicklets you have access to (your own chicklets + org chicklets where you're a member).
# Auto-detects ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub
chicklet ssh-key add
# Or specify explicitly
chicklet ssh-key add --name laptop --key-file ~/.ssh/id_ed25519.pub
# List keys
chicklet ssh-key list
# Remove a key by ID
chicklet ssh-key remove 3When you add or remove a key, all your chicklets (and org chicklets you belong to) are updated automatically. The change takes effect on running chicklets within ~90 seconds without a restart.
Stopping a chicklet deletes the pod but keeps your persistent data:
chicklet chicklet stop mychicklet
chicklet chicklet start mychicklet The entire filesystem persists across stop/start cycles via OverlayFS. The SSH port stays the same across stop/start.
To make a service running inside your chicklet accessible from the internet:
# Expose port 8080 from the chicklet
chicklet cl ports mychicklet --add 8080
# See assigned NodePorts
chicklet cl ports dev
# PORT NODEPORT
# 8080 31217The service is then accessible at http://YOUR_SERVER_IP:31217. NodePorts are assigned from the 30000-32767 range.
Remember that you'll need to configure your security group to allow access to your host machine on that port range.
Port configuration persists across stop/start cycles.
Organizations let you group chicklets under a shared namespace. All org members can SSH into org chicklets — their SSH keys are automatically added.
# Create an org
chicklet org create "My Team" --slug myteam
# List your orgs
chicklet org list
# Manage members
chicklet org add-member myteam --email colleague@example.com
chicklet org members myteam
chicklet org remove-member myteam 42 # by user ID
# Delete an org (must have no chicklets first)
chicklet org delete myteamOnly the org owner can delete the org or remove members. Any member can add new members and create chicklets within the org.
When a member is added to an org, their SSH keys are automatically added to all org chicklets. When a member is removed, their keys are removed.
Every chicklet gets a public HTTPS URL automatically:
chicklet create myapp --org myteam
# Chicklet "myapp" created (tier: small). URL: https://myapp-org-myteam.chicklet.io/ ...The URL format is https://<chicklet-name>-<namespace>.chicklet.io/. Requests to this URL are routed through Caddy (TLS) and Traefik (K8s Ingress) to the first exposed port on the chicklet.
Example: deploy a public web server
# Create an org and a chicklet
chicklet org create demo --slug demo
chicklet create web --org demo
# SSH in and start a server on port 3000
chicklet console -s web
# (inside the chicklet)
cat > server.js << 'EOF'
const http = require("http");
http.createServer((req, res) => {
res.end("Hello from chicklet!");
}).listen(3000, "0.0.0.0");
EOF
node server.js &
exit
# Expose port 3000 so the URL has a backend to proxy to
chicklet cl ports web --add 3000
# Make the URL publicly accessible (default is authenticated)
chicklet cl url web --auth publicYour server is now live at https://web-org-demo.chicklet.io/.
Managing URLs:
# Show URL and current auth mode
chicklet cl url myapp
# URL: https://myapp-org-myteam.chicklet.io/
# Auth: chicklet
# Make public (no auth required)
chicklet cl url myapp --auth public
# Revert to authenticated (requires API key in Authorization header)
chicklet cl url myapp --auth chickletAll chicklets get a URL — personal chicklets use the format https://<name>-user-<id>.chicklet.io/ and org chicklets use https://<name>-org-<slug>.chicklet.io/.
Note: Chicklet URLs require the operator to have DNS, Caddy, and Traefik configured. See the Operator Guide for setup instructions.
chicklet chicklet delete devThis removes the pod, persistent volume, SSH service, DNS record (if any), and all associated resources.
Documentation for the REST API endpoints is automatically generated from the Go code comments.
You can view it at http://YOUR_SERVER_IP:8080/ when the API server is running.