Imagine you have an AI agent running a 40-step data processing pipeline. Somewhere around step 22, the cloud environment it runs in crashes. Without a way to save state, the agent forgets everything it had done, starts over, and crashes again at the same spot. This is the failure mode that has kept production agent deployments fragile, expensive, and embarrassing. OpenAI's updated Agents SDK, released this week, promises to fix it.
The update adds what the company calls snapshotting and rehydration: the agent's state is saved at checkpoints, and if the container fails, execution resumes from the last checkpoint in a fresh environment. It is durable execution for AI agents, and it is the feature that developers building production systems have cited as the hardest to get right. An independent comparison of agent frameworks published two weeks before this blog post listed no built-in state persistence as the OpenAI SDK's most significant gap, according to MorphLLM. The OpenAI blog post is a direct response.
The durability feature is real and meaningful. But the more revealing detail is what OpenAI did while shipping it.
The updated SDK lists seven sandbox infrastructure providers as supported backends: Blaxel, Cloudflare, Daytona, E2B, Modal, Runloop, and Vercel. These are companies that built their businesses on the premise that developers need a secure place to run AI-generated code, and that OpenAI's ecosystem would be a customer for that infrastructure. OpenAI then introduced a Manifest abstraction for describing sandbox workspaces, with native support for mounting data from AWS S3, Google Cloud Storage, Azure Blob Storage, and Cloudflare R2. A Manifest is a portable description of what files, dependencies, and data an agent needs to run. With this abstraction, OpenAI is not just using the sandbox providers. It is describing the interface they all must conform to.
The distinction matters. A customer integration means OpenAI routes work to E2B when an agent needs to run code, and E2B captures the compute revenue. A competing abstraction means OpenAI defines the language every provider must speak, collects the integration work that makes providers interchangeable, and positions itself as the layer that decides which backend runs which task. The seven providers in the supported list are the same companies now competing with OpenAI at the execution layer.
OpenAI has also been unusually direct about what sandboxing cannot do. The blog post states plainly that agent systems should assume prompt injection and data exfiltration attempts are inevitable. The company has told researchers that deterministic security guarantees against prompt injection are challenging to provide. This is not a hedge. It is an honest acknowledgment that the architecture helps contain damage but does not eliminate the attack surface. The sandbox keeps credential material out of environments where model-generated code runs. It does not stop a well-crafted injection from trying.
The update ships in Python only, with TypeScript support planned. TypeScript matters here because the web development ecosystem, which drives most enterprise agent tooling, is TypeScript-native. Anthropic's Claude Agent SDK and Google's ADK both offer TypeScript support at launch. Shipping Python-only is a real constraint that limits adoption in the near term, and the planned-but-not-yet date signals the team knows it.
No production usage data for the Agents SDK durable execution feature is available at press time. The evidence for the claim that checkpoint-based recovery solves production fragility is architectural: the feature exists, the logic is coherent, and the independent analysis confirms the gap it fills. Whether it works at scale in the diverse environments agents actually run in is the open question.
What to watch: whether the seven sandbox providers respond by moving up the stack toward specialized runtime environments that the Manifest abstraction cannot describe, or whether they integrate more tightly with OpenAI's SDK and accept a more commoditized role. The Manifest is a land grab. The providers have weeks to decide what side of it they want to be on.
