Skip to main content
Terms you’ll see across Brimble docs and the dashboard, in alphabetical order.

A

A record. A DNS record type that maps a hostname to an IPv4 address. Used at the apex of a domain pointing at Brimble’s edge when CNAME at apex isn’t supported by your provider. API key. A long-lived secret used to authenticate against Brimble’s HTTP API, the sandbox SDKs, and any MCP server with MCP authentication enabled. Sent in the x-brimble-key header. One key per subscription (personal or team). See API keys. Application logs. The stdout and stderr stream from your running container. Visible under Logs on a project. See Logs. Apex. The root of a domain (example.com), as opposed to a subdomain (app.example.com). Some DNS providers don’t allow CNAME records at the apex; use an A record or ALIAS instead. Auto-deploy. A project setting that triggers a build on every push to the tracked branch. On by default for git-sourced projects. Auto-destroy (sandbox). A sandbox flag that schedules the sandbox to destroy itself after a fixed wall-clock window (30m, 1h, 3h, 6h, 12h, 18h). Set with autoDestroy: true plus destroyTimeout. Autoscaling group. A configuration that lets a project run more than one container, scaling the count based on CPU, memory, or fixed bounds. See Configure scaling.

B

Bandwidth. Outbound traffic from your project’s edge over a billing cycle. Each plan includes a free amount; overage bills at $0.25/GB. Batch file upload. A sandbox-handle call (putFiles / put_files / PutFiles) that uploads up to 100 files in a single request, with a per-file success/failure summary. See SDKs → Batch file uploads. Block outbound. Legacy sandbox create flag (blockOutbound: true) that maps to egress.mode = deny_all. Prefer the egress object for new integrations. See Network egress. Bucket. A named container for objects in Brimble Object Storage. The unit of access control, CORS configuration, and billing visibility. See Object storage. BuildKit. The container build engine Brimble uses for Dockerfile and Railpack builds. Reuses cached layers when their inputs haven’t changed. Build cache. The persistent layer cache attached to your project. Survives across builds; clears automatically after 15 days of inactivity. Build minutes. Wall-clock time inside the builder, measured from clone start to push end. Each plan includes a monthly allowance; overage on paid plans bills at $0.002/min, or you can top up. See Build minutes. Builder. The ephemeral machine that runs your build. Fresh every build, with the project’s persistent layer cache available.

C

CAA record. A DNS record type that restricts which certificate authorities can issue TLS certificates for the domain. If you have a CAA record that doesn’t allow Let’s Encrypt, certificate issuance fails. Cloudflare. The CDN and edge layer that sits in front of every public request to Brimble. Terminates TLS, filters DDoS, and tunnels into Brimble’s gateway. See Request lifecycle. CNAME. A DNS record type that aliases one hostname to another. Used to point app.example.com at gateway.brimble.app. Commit status. A check mark or red X that Brimble posts to GitHub, GitLab, or Bitbucket on a commit, linking back to the deployment. Shows up next to commits in the provider’s UI. Compute. CPU and memory allocated to a project. Plans include a baseline; usage above the baseline meters at $4/GB-month. Concurrent builds. How many builds can run in parallel under your plan. Above the limit, builds queue. Connection string. A full URI Brimble exposes for a managed database (CONNECTION_STRING) using the public load-balancer hostname. For services in the same workspace and region, prefer PRIVATE_SERVICE_HOST instead.

D

Default domain. The hostname Brimble assigns to every project, of the form <project-name>.brimble.app. Always available, served over HTTPS. Deployment. A single attempt to roll out a new version of a project. Triggered by a push, a redeploy, a PR (for previews), or a manual rollback. See Deployments. Disabled. A project state set when a subscription’s payment has failed for more than 7 days. Existing deployments keep serving, but new builds are blocked. DNS record. A directive at the DNS layer that maps a hostname to an answer (an IP, another hostname, text, etc.). Brimble supports A, AAAA, CNAME, MX, TXT, NS, SRV, and CAA. See DNS record types. Dockerfile. A file in your repo’s root that tells Brimble how to build the container. When present, Brimble uses it directly instead of Railpack. Drain. The window after a new deployment goes active during which the previous deployment continues to serve in-flight requests before being stopped.

E

Edge. The first Brimble-managed component a request hits after Cloudflare. Terminates TLS, applies ingress rules, and forwards to your container. Environment. A named set of configuration a project deploys with. Default is Production; Preview is created automatically for PR builds. You can create more. See Environments. Environment variable. A key/value pair injected into both the builder and the running container. See Manage environment variables. Egress (sandbox). Outbound network policy for a sandbox. Modes: open (default), deny_all, or restricted (allowlist). Set at create with egress or change at runtime with PUT /sandboxes/{id}/egress. See Network egress. env (sandbox call). Per-call environment variables passed on exec or runCode. Layered on top of the sandbox’s existing environment for one invocation only; the next call starts from the sandbox defaults again. See SDKs → Per-call environment variables. Ephemeral sandbox. A sandbox created without persistent: true or volumeId. Everything written to the filesystem is lost on destroy. The default if you don’t opt into persistence. EPP code. Also called the auth code or transfer code. The token from a domain’s current registrar that authorizes a transfer to a new registrar. See Transfer a domain. Exec (sandbox). The runtime call (handle.exec({ cmd })) that runs a shell command inside a sandbox and returns stdout, stderr, exit code, and duration. Pass stream: true or use the stream helpers for live output. See SDKs → Exec and Stream exec output. ExecStream. The SDK wrapper around a streaming exec / runCode response. Iterate live stdout/stderr chunks, then call .result() for the aggregated final output. See SDKs → Stream exec output.

G

GB-hour. The unit Brimble uses to bill compute. One GB of CPU or memory allocated for one hour. A 0.5 GB excess for 720 hours equals 360 GB-hours. GB-month. Monthly equivalent of GB-hour, used for storage pricing. 720 hours per month. Gateway. The Brimble-managed proxy that sits between Cloudflare and your container. Strips dangerous headers, applies ingress rules, injects Brimble headers, and forwards to your service. Also the public CNAME target for custom domains: gateway.brimble.app. GitHub App. Brimble’s auth model for GitHub. You install the App at the user or org level and grant access to specific repos; Brimble’s webhooks then come from the App, not from per-repo hooks.

H

Health check. A probe Brimble runs against a new deployment to decide whether to flip traffic to it. For web services and MCP servers, an HTTP GET against healthCheckPath (default /); for workers, process liveness. Hostname. The DNS name a request comes in on. Brimble’s edge matches the hostname against a domain table to find the right project.

I

Idempotency key. An optional option on sandbox lifecycle calls (create, destroy, pause, resume, snapshot, volume create/delete) that makes safe retries possible. Two calls with the same key produce one server-side effect. See SDKs → Retries and idempotency. Ingress rules. The set of gates the gateway runs through before forwarding a request: project disabled, maintenance mode, password protection, MCP authentication, redirect, deployment status. Each can short-circuit the request. Inherit (environments). A child environment can pull values from a parent environment for variables marked inheritable. Child values override the parent. Internal services. Brimble’s region-scoped private network. Services in the same workspace and region can talk to each other at <project-slug>.service.brimble.internal. See Internal services.

L

Layer cache. See Build cache. Let’s Encrypt. The certificate authority Brimble uses for automatic TLS. Certificates are issued and renewed without action on your side; the only common blocker is a CAA record that doesn’t authorize Let’s Encrypt. Log retention. How long application and request logs are kept. Plan-dependent: 1 day on Free, 7 on Hacker, 14 on Pro, 30 on Team.

M

Maintenance mode. A project flag that returns a maintenance page (HTTP 200) instead of routing traffic. Toggled per-project. MCP server. A Model Context Protocol server, deployed as a Brimble service type tuned for AI clients. Brimble can require an x-brimble-key header on every request when the MCP authentication toggle is on. Metered. Pricing where you pay for what you use, like compute above plan default or bandwidth above the included amount. Multipart upload. S3 protocol pattern for uploading a large object as a series of parts (5 MB minimum per part, 5 GB max) that the bucket assembles into the final object on completion. Use the high-level helpers in your S3 SDK (@aws-sdk/lib-storage’s Upload, boto3’s upload_file) for anything above ~100 MB.

N

Nameservers. The authoritative DNS servers for a domain. Brimble’s are ns1.brimble.io and ns2.brimble.io. Domains purchased through Brimble use these by default.

O

Object. A single file in a Brimble Object Storage bucket, addressed by its full key (e.g. reports/2026/q1.pdf). Objects are private; access is gated by a storage credential or a presigned URL. See Working with objects. Object storage. Brimble’s S3-compatible bucket service. Independent of any project; any S3 SDK or CLI works against it. See Object storage. One-shot (sandbox). A sandbox flag (oneShot: true) that destroys the sandbox the moment its main process exits. Best for batch jobs and CI-style runs.

P

Passkey. A cryptographic credential bound to a device (Touch ID, Windows Hello, hardware key). Used for sign-in and step-up authentication. See Two-factor authentication. Persistent disk. A durable volume attached to a project so files survive restarts and redeploys. 10 to 150 GB in 10 GB steps, billed at $0.25/GB-month base. See Persistent disk. Plan. Free, Hacker, Pro, or Team. Each has a base price, an included quota of resources, and a feature set. See Plans and pricing. Presigned URL. A temporary, signed URL generated server-side that lets the holder upload (PUT) or download (GET) one object in a bucket without your credentials being involved. Standard S3 feature; expiry is set when the URL is generated. See Presigned URLs. Preview deployment. A deployment built from a PR or merge request, served at its own hostname. Used to vet changes before merging. PRIVATE_SERVICE_HOST. A system environment variable Brimble injects on database projects. Resolves to <project-slug>.service.brimble.internal, used by other projects in the same workspace and region for the fastest path to the database. Project. The top-level unit you deploy on Brimble. Has a service type, a region, a build configuration, and zero or more environments. Project slug. The lowercase, dash-separated form of a project’s name. Used in URLs, internal hostnames, and {{@slug.NAME}} env-variable references. Promo code. A discount code applied to a workspace at creation. Entered on the workspace creation flow. Proxied (DNS). A flag on A and CNAME records that routes traffic for that hostname through Brimble’s edge (with TLS, edge protections, and the origin IP hidden). Off for records pointing at non-Brimble services like email.

R

Railpack. Brimble’s build pipeline for backend services. Detects your stack (Node, Python, Ruby, Go, etc.), installs dependencies, runs your build, and produces a runnable container without you writing a Dockerfile. Recovery code. An 8-character single-use code generated when you enable TOTP. Use it to sign in if you lose access to your authenticator app. Shown once at setup; save them. Redeploy. Re-running a deployment without a new commit. Picks up env-var changes, retries a failed deploy, or rolls back to a previous artifact. Redirect (domain). A configuration on a domain that returns a 301, 302, 307, or 308 to a destination URL at the edge. The request never reaches a project. See Redirect a domain. Region. The datacenter where a project runs. Pick the one closest to your users. See Regions. Sandboxes also accept "auto", the server picks the best region for your account; it’s the default when you omit the field. Restore (snapshot). Creating a new sandbox whose initial filesystem is a snapshot’s image, via fromSnapshot on create. Restores take a few extra seconds to boot vs a fresh template sandbox since snapshot images aren’t pre-warmed. Rollback. Re-running a previous deployment’s artifact (no rebuild) and flipping traffic to it. Seconds, not minutes.

S

Sandbox. A short-lived, isolated compute environment for running code, scripts, or one-off jobs. Spun up from a template, optionally persistent, destroyed on demand or by autoDestroy / oneShot. See Sandboxes. Sandbox handle. The SDK object returned by create, get, getReady, or withVolume. Exposes exec, runCode, file ops, pause, resume, destroy, and snapshots for one sandbox. create() already returns a ready handle (~2–3s blocking POST). Sandbox status. Where a sandbox is in its lifecycle: starting, ready, pausing, paused, resuming, failed, destroyed. Runtime ops require ready. Scaling group. See autoscaling group. Segment (compute). A time range during which a project’s resources didn’t change. Compute billing tracks segments and charges for each one separately, so scaling mid-cycle is billed precisely. Service type. The kind of workload a project runs: Web service, Static site, Worker, Database, or MCP server. Determines build behavior and runtime model. See Service types. Shared environment. A workspace-level set of environment variables that any project can inherit from. Variables in a shared environment can be referenced from a project as {{shared.NAME}}. Slug. See project slug. Snapshot (sandbox). A point-in-time image of a sandbox’s filesystem. Restorable into a brand-new sandbox via fromSnapshot. Independent of the source sandbox: deleting the source doesn’t affect the snapshot, and vice versa. See Snapshots. Snapshot mode. Either manual (the default, you call snapshots.create whenever you want) or automatic (set at create time with snapshotFrequency, a 5-field cron expression; Brimble snapshots on the schedule). Step-up authentication. An additional 2FA prompt before a sensitive action: deleting a project, deleting a custom domain, rotating a database password, transferring a domain out, or transferring team ownership. Storage credential. An access key pair (accessKeyId + secretAccessKey) scoped to one bucket with a role (ReadOnly or Editor). Hand it to any S3-compatible client to access the bucket. See Storage credentials. Stream frame. One SSE event payload in a streaming exec / runCode response (data: {...} inside text/event-stream). Variants: stdout, stderr, done (final, carries exit code and duration), error (transport failure mid-stream). See SDKs → Stream exec output. System variable. An environment variable Brimble manages for you, like PORT (assigned at runtime) and the database connection variables (CONNECTION_STRING, SERVICE_HOST, SERVICE_PORT, PRIVATE_SERVICE_HOST) on database projects.

T

Template (sandbox). The preconfigured base image a sandbox starts from. Language runtimes (python-3.12 default, node-22, bun-1, deno-2, ubuntu-24) and AI coding agents (claude-code, codex, opencode, droid). Pull the live list with client.sandboxes.listTemplates(). Top-up (build minutes). A purchase of additional build minutes that get added as credits. Credits never expire and are spent after the plan’s monthly allowance. See Build minutes. TOTP. Time-based One-Time Password. The 6-digit code an authenticator app generates. Brimble uses TOTP as one of its 2FA methods. Trend chart (logs). The chart at the top of the application-logs view that bins log volume by level (info, warn, error) over your selected window. Three counters above the chart show totals for the window.

V

Volume (sandbox). A persistent S3-backed disk you can attach to a sandbox at create time: pass persistent: true plus persistentDiskGB for a fresh one, or volumeId for an existing detached volume. Survives sandbox destroy; detached, not deleted, when its sandbox goes away. See SDKs → Volumes. Volume type. Either sandbox (attachable to sandboxes via the SDK) or web (project persistent disk, created from the dashboard). The SDKs lock new volumes to type: "sandbox"; for project disks use the persistent-disk toggle on a web service. See Persistent disk.

W

waitUntilReady. An SDK option on runtime methods (exec, runCode, putFile, etc.) and a standalone helper on the sandbox handle that waits until the sandbox is ready before running the operation. Useful after resume or when reconnecting to an existing sandbox via getReady. Not required immediately after create() — create already blocks until ready. Watch paths. A project setting that limits which file changes trigger a build. For monorepos, set this to the directory of the project so unrelated pushes don’t redeploy. Webhook. An HTTP POST Brimble sends to a URL you configure when an event happens (deployment success, domain renewed, env var changed, etc.). See Webhooks. Workspace. A context the dashboard organizes projects under. Personal workspaces hold your individual projects; team workspaces hold projects shared with members.

X

x-brimble-id. A unique-per-request UUID Brimble’s gateway adds to every response. Log it on your side and Brimble’s side correlates the same request, useful for support tickets. x-brimble-key. The header MCP server projects with auth enabled require on every request. The value is your account-level API key (one per account, not per project), available in the profile drawer; reroll from the same panel. Paid plans only. x-brimble-session. The httpOnly session cookie Brimble sets after a successful login on a password-protected project.
Last modified on July 1, 2026