use-cases / per-customer-sandboxes-fleet-scale / hero

CONTAINERS · MULTI-TENANT SAAS · FLEET SCALE

Per-customer sandboxes at fleet scale

Eight hundred isolated containers across three bare-metal servers. Each customer gets their own filesystem, their own URL, their own kernel namespace — one flat-rate server bill, no per-tenant meter. The honest architecture is no longer the expensive one.

Read the fleet docs

fleet.containers.hoody.com

https://fleet.containers.hoody.com/tenantslive

TENANTS812

SERVERS3

TOTAL / MONTHflat rate

TENANTS · 24H ACTIVITY47 of 812 shown

HOTACTIVEWARMIDLE

server-eu-1

FRANKFURT

28747% UTIL

server-us-1

NEW YORK

30452% UTIL

server-ap-1

SINGAPORE

22138% UTIL

PER TENANT / MONTHper server812 ACTIVE ACCOUNTS · BLENDED

ELSEWHEREper tenantFARGATE / NAMESPACE / DEDICATED POD

fleet ops dashboard · 812 tenants on 3 bare-metal nodes · one flat-rate bill, no per-tenant meter

use-cases / per-customer-sandboxes-fleet-scale / mechanism

How a signup turns into one of 812 sandboxes

Your billing webhook hits a Hoody Exec script. The script copies a fresh-customer container from the template snapshot, the new tenant lands on its own URL, and the fleet dashboard increments by one. Three HTTP calls, no orchestrator.

01 · WEBHOOK

Stripe calls your exec endpoint

POST /api/v1/exec/scripts/1/webhooks/signup

A serverless V8 isolate. The webhook URL is just a TypeScript file in scripts/1/. No Express, no server config, no container of its own.

02 · COPY

Script clones the customer template

POST /api/v1/containers/$TEMPLATE/copy

BTRFS copy-on-write — each new container consumes only the delta from the template on the rented server. Firewall and network rules clone with the snapshot. Lands on whichever fleet server has headroom.

03 · ROUTE

New URL handed back to the user

https://$PROJECT-$CID-...containers.hoody.com

The signed authorize endpoint mints a one-hour container_claim. Your app redirects the customer into their own sandbox. Total signup time: under sixty seconds.

The whole pipeline is three HTTP calls. No Kubernetes operator, no namespace YAML, no cluster admin. The fleet adds tenants the same way a hash table adds entries — except every entry is a real Linux container.

use-cases / per-customer-sandboxes-fleet-scale / economics

The math that makes fleet-scale isolation cheap

Their billing model charges per tenant. Hoody bills per server. Once the billing unit swaps from tenant to box, the per-tenant figure shrinks as you add density — and the curve flattens as you grow.

FLEET LEDGER · 812 TENANTS

# three bare-metal nodes, marketplace pricing3 flat-rate servers · one monthly bill# blended across eu-1, us-1, ap-1812 tenants (287 + 304 + 221)# the cost-per-tenant collapsesbill ÷ 812 = cost shrinks as density grows

Adding the next hundred tenants doesn't change the bill — it changes the divisor. KSM dedups identical memory pages across containers; BTRFS copy-on-write keeps base-image bytes shared on the server. Each new container uses only the delta from the template; billing stays at the flat-rate server.

PER TENANT · OTHER STACKS

AWS FARGATE PER TENANTvCPU + memory billed per task, even idle
$8–25
K8S NAMESPACE PER TENANTCluster overhead amortized across namespaces
$3–10
DEDICATED TENANT PODReserved RAM + CPU, paid hot or cold
$5–15
HOODY · CONTAINER PER TENANTone server price ÷ tenant density — bound by the box, not the count
flat rate

Hoody server pricing is marketplace-driven and varies by region, spec, and vendor. The example fleet uses three nodes; marketplace servers start at $29/month and vary by region, spec, and duration; competitor estimates are illustrative ranges from public pricing for comparable per-tenant compute. Density assumes typical SaaS workloads — tenants that idle most of the day. Heavy databases or AI workloads need more headroom per container.

use-cases / per-customer-sandboxes-fleet-scale / powers

What container-per-tenant unlocks at this price

Once isolation is cheap, the architecture stops compromising. The features your CFO used to veto become defaults.

ONBOARDING

Every new customer is a `cp` away

Stripe webhook → Hoody Exec → POST /containers/$TEMPLATE/copy. The new tenant boots from the same snapshot every other tenant booted from. Identical baseline, isolated future. No tenant_id columns to thread, no shared row to forget.

OFFBOARDING

GDPR delete is one HTTP call

DELETE /api/v1/containers/$CID. The filesystem goes, the SQLite goes, the cron jobs go, the audit log goes — because they all lived in one place. No "DELETE … WHERE tenant_id … plus 12 other tables you forgot."

BLAST RADIUS

One tenant's bug stays inside one tenant

A customer's runaway script hits its container's CPU and RAM quotas. The 811 other containers on the fleet don't notice. No noisy-neighbor audits, no shared lock table, no shared connection pool — kernel namespaces do the isolation work the application layer used to fake.

use-cases / per-customer-sandboxes-fleet-scale / punchline

Per-tenant isolation used to cost per-tenant. Now it costs per-server.

USED TO BE$3–25 / tenantfargate, namespace, or dedicated pod

NOWone flat bill812 sandboxes, 3 bare-metal boxes, no per-tenant meter

Read the container copy docs

use-cases / per-customer-sandboxes-fleet-scale / replaces

What this replaces

Per-tenant isolation has historically meant either a clever WHERE clause or a per-tenant bill. Container-per-customer at fleet scale displaces both:

AWS Fargate per tenantvCPU + RAM billed per task, hot or cold
Kubernetes per-namespaceCluster + control plane overhead per tenant
Shared multi-tenancy with tenant_id filteringOne forgotten WHERE leaks customer data
Postgres row-level security overheadPolicy on every table, audit on every query
Dedicated tenant podsReserved compute paid whether used or not

use-cases / per-customer-sandboxes-fleet-scale / cta

Eight hundred isolated tenants on the same servers your laptop replaces. The honest architecture is finally the affordable one.

Read the container guide

use-cases / per-customer-sandboxes-fleet-scale / related

Read the others

Sixty containers on one server

One bare-metal box runs dozens to hundreds of Hoody containers. KSM and BTRFS dedup make the marginal cost near zero.

Containers·Snapshots

Onboard a developer with one link

A new engineer joins on Monday. You send one URL. They open it on whatever laptop they have and they're in a fresh container cloned from your developer-baseline snapshot — code, deps, env, seed data, VSCode-in-browser. Writing code in five minutes, not setting up.

Snapshots·Containers·Terminal·Files

API endpoints that materialize on demand

A wildcard exec script catches the call, asks an LLM to write the handler, runs it in a V8 sandbox, and saves the route. The next call is native.

Exec·Agent·Code·Files

Branch computers like Git

Snapshot a running container — files, processes, memory. Restore in seconds. Fork via /copy. Branching, but for the entire machine.

Snapshots·Containers

Real VS Code on your phone

The Code Orchestrator spawns a VS Code instance on the container and serves the editor over a normal HTTPS URL. Any device with a browser can open it. The work lives in the container, not on the device.

Display·Terminal·Files·Containers+1

AI agents that spawn other AI agents

A research agent posts to /api/v1/projects/$PID/containers to start a child container, then calls the child's agent URL like any other HTTP service. Sub-agents spawn their own sub-agents the same way. No orchestrator framework, just URLs.

Agent·Exec·Containers

One sandbox per customer, automatically

An exec script catches your signup webhook, copies a fresh-customer container, and hands the new tenant their own URL. Isolation is the operating system, not a tenant_id column.

Containers·Snapshots·Exec·Files

Wake up to a finished prototype

Hand the agent a paragraph at midnight. It spawns its own containers, snapshots before risky steps, and posts to your notification webhook at sunrise.

Agent·Snapshots·Containers·Browser+2

Emergency production fix from your phone

PagerDuty wakes you. Open the terminal URL on your phone. PATCH the snapshot from before the bad deploy. Production is back. No bastion, no VPN, no laptop.

Terminal·Snapshots·Network

Tail production logs to a URL anyone can curl

One pipe URL. Up to 256 readers. Three engineers tail the same incident at once with no bastion, no Datadog seat, no log forwarder.

Pipe

Push one build to thirty CI workers at once

The build container streams the tarball to a pipe path with ?n=30. All thirty test workers curl the same URL. Bytes go through once, fanned out.

Pipe

Watch your agent think from the coffee shop

Your agent runs at home. You're at a café. Pipe each event of the loop through Hoody Pipe and curl the same path from your phone — the trace lands character by character. No SSH, no dashboard, no upload.

Pipe·Agent

Move 200GB between clouds with two curls

pg_dump | gzip | curl from Frankfurt. curl | gunzip | psql in Singapore. Bytes flow through the pipe with zero disk in the middle.

Pipe

Send a teammate a database state in one line

pg_dump streams straight into their psql. No file uploaded, no link shared, no download. The pipe routes the bytes through.

Pipe

Stream LLM tokens to anything that reads HTTP

Step 3 streams tokens with curl -T -. Step 4 curls the same path. Tokens move generator to consumer at line speed. No SSE plumbing, no broker.

Pipe·Agent

A progress bar your boss can spectate without joining

Append ?progress to the pipe URL. Anyone who opens it gets a live HTML dashboard — bytes, speed, ETA, state. Up to fifty spectators, none consuming a receiver slot, none touching the stream.

Pipe

The webhook fan-out you didn't have to build

Stripe POSTs to a pipe path with ?n=12. Twelve subscribers curl the receiver URL with ?n=12. The pipe holds the event until everyone is connected.

Pipe·Exec

A CI cache that's just two curl commands

tar | zstd | curl puts node_modules into a pipe. Twenty downstream jobs curl | zstd -d | tar x. No S3 bucket, no cache action, no egress bill.

Pipe·Containers

Drag-drop uploads into your script

hoody-pipe serves a web upload form at every path. Drag a file onto the page, your script reads the bytes from stdin. Zero upload code, no S3 bucket, no presigned URLs.

Pipe·Exec

Broadcast a workshop to 200 viewers from your laptop

ffmpeg streams your screen to a pipe path with ?n=200. Each attendee curls the URL into a browser tab. No platform, no logins, no upload.

Pipe

Inter-container IPC without the message broker

Container A writes to a pipe path. Container B reads from the same path. Backpressure is the connection. No Redis, no queue, no broker.

Pipe·Containers

Tail your agent on the train, get pinged when it lands

The agent streams its trace to a pipe path you can curl from your phone. When it finishes, its last act hits hoody-notifications and your phone buzzes. Two URLs and a buzz — no SDK, no client app, no dashboard.

Pipe·Agent·Notifications

A microphone over HTTP, in two terminals

ffmpeg captures the mic, pipes to a URL. The other end curls and plays the audio. No Zoom, no SDK, no signaling server.

Pipe

Five agents, five pipes, one verdict

A panel of five models reviews the same input. Each runs in its own container and streams its verdict to its own pipe path. A judge process curls all five in parallel and tallies the result.

Pipe·Agent·Containers

Replay this morning's incident to the whole team

Snapshot the incident-time logs in hoody-files. Replay them through a Hoody Pipe URL with ?n=8. Eight engineers curl the same path and watch the cascade fire in lockstep — the post-mortem is a synchronized stream, not a Confluence doc.

Pipe·Files

The fastest 'send me that file' you've ever typed

A teammate pings for a 4 GB dump. Slack rejects it, Drive needs a share request. You type curl -T file …; they type curl … > file. The bytes move directly between disks — no upload bar, no link to share.

Pipe

Run a local LLM, serve it to your whole fleet

One GPU runs llama.cpp. Its tokens stream into a pipe path with ?n=50. Fifty containers curl the same URL and split the stream.

Pipe·Daemon

A live metrics dashboard with no metrics backend

Each container's monitoring loop curls a metric to a pipe URL. The dashboard curls the same URL with ?progress and renders the SSE stream.

Pipe

The cron job that deletes itself when you're done

POST a managed cron entry with expires_at set 48 hours out. The job runs on schedule, then removes itself — no reminder, no cleanup PR, no stale entry.

Cron

Snapshot the container right before the nightly migration

A hoody-cron entry that fires at 02:55 UTC, curls the snapshots URL, and names the artifact pre-migration-2026-05-04. Five minutes later the migration runs. If it succeeds, the snapshot sits idle and costs nothing. If it fails, you restore in 30 seconds with a single PATCH.

Cron·Snapshots

Per-customer sandboxes at fleet scale

How a signup turns into one of 812 sandboxes

Stripe calls your exec endpoint

Script clones the customer template

New URL handed back to the user

The math that makes fleet-scale isolation cheap

What container-per-tenant unlocks at this price

Every new customer is a `cp` away

GDPR delete is one HTTP call

One tenant's bug stays inside one tenant

What this replaces

Read the others

Sixty containers on one server

Onboard a developer with one link

API endpoints that materialize on demand

Branch computers like Git

Real VS Code on your phone

AI agents that spawn other AI agents

One sandbox per customer, automatically

Wake up to a finished prototype

Emergency production fix from your phone

Tail production logs to a URL anyone can curl

Push one build to thirty CI workers at once

Watch your agent think from the coffee shop

Share your screen with a URL, not a meeting invite

Move 200GB between clouds with two curls

Send a teammate a database state in one line

Stream LLM tokens to anything that reads HTTP

A progress bar your boss can spectate without joining

The webhook fan-out you didn't have to build

A CI cache that's just two curl commands

Drag-drop uploads into your script

Broadcast a workshop to 200 viewers from your laptop

Inter-container IPC without the message broker

Tail your agent on the train, get pinged when it lands

A microphone over HTTP, in two terminals

Five agents, five pipes, one verdict

Replay this morning's incident to the whole team

The fastest 'send me that file' you've ever typed

Run a local LLM, serve it to your whole fleet

A live metrics dashboard with no metrics backend

The cron job that deletes itself when you're done

Snapshot the container right before the nightly migration

A separate crontab for every customer, automatically

Wake an agent at 3am, retire it at 4

Daily rollups without an orchestrator

A crontab per branch, deployed with the code

On-call escalation that ages out with the shift

Hourly scrape, daily digest, weekly archive — one container

Let your customers BYO their own cron schedule

Schedule the agent, not the script

A heartbeat for the silent jobs

Keep the last 24 hours as 24 snapshots

Replay this morning's webhooks at the same time tomorrow

Edit your crontab from a phone, in the airport

A scheduled digest that fans out to 200 inboxes

Mute the flaky job without losing it

An agent that grades yesterday's agents

Cleanup jobs that schedule their own retirement

Roll your TLS certificates without an SSH session

A weekly canary that tries to break production

The hobby-project graveyard you can afford to keep alive

A preview environment per pull request, all month

Run a 12-product portfolio from one bare-metal box

Kill the staging-server tax

Forty client sites, one rent, one dashboard

Replace the E2B bill with the bare metal you already rent

Idle staging costs nothing, so staging stops getting deleted

The CI cache that's not an S3 line item

Fifty demo environments for fifty sales calls