e2b-dev · jakubno · May 22, 2026 · May 22, 2026
@@ -45,8 +45,9 @@ const (
 	metricTemplateAlias         = metrics.MetricPrefix + "template.alias"
 	minEnvdVersionForSecureFlag = "0.2.0" // Minimum version of envd that supports secure flag
 
-	// Network validation error messages
-	ErrMsgDomainsRequireBlockAll = "When specifying allowed domains in allow out, you must include 'ALL_TRAFFIC' in deny out to block all other traffic."
+	// Validation error messages
+	ErrMsgDomainsRequireBlockAll      = "When specifying allowed domains in allow out, you must include 'ALL_TRAFFIC' in deny out to block all other traffic."
+	ErrMsgAutoResumeRequiresAutoPause = "autoResume can only be enabled when autoPause is true"
 
 	maxNetworkRuleDomains             = 10
 	maxNetworkRuleTransformsPerDomain = 1
@@ -148,6 +149,13 @@ func (a *APIStore) PostSandboxes(c *gin.Context) {
 	)
 
 	autoPause := sharedUtils.DerefOrDefault(body.AutoPause, sandbox.AutoPauseDefault)
+	if err := validateAutoResumeConfig(autoPause, body.AutoResume); err != nil {
+		a.sendAPIStoreError(c, err.Code, err.ClientMsg)
+		telemetry.ReportErrorByCode(ctx, err.Code, "invalid auto resume config", err.Err)
+
+		return
+	}
+
 	envVars := sharedUtils.DerefOrDefault(body.EnvVars, nil)
 	mcp := sharedUtils.DerefOrDefault(body.Mcp, nil)
 	metadata := sharedUtils.DerefOrDefault(body.Metadata, nil)
@@ -310,6 +318,18 @@ func buildAutoResumeConfig(autoResume *api.SandboxAutoResumeConfig) *types.Sandb
 	}
 }
 
+func validateAutoResumeConfig(autoPause bool, autoResume *api.SandboxAutoResumeConfig) *api.APIError {
+	if autoResume != nil && autoResume.Enabled && !autoPause {
+		return &api.APIError{
+			Err:       errors.New(ErrMsgAutoResumeRequiresAutoPause),
+			ClientMsg: ErrMsgAutoResumeRequiresAutoPause,
+			Code:      http.StatusBadRequest,
+		}
+	}
+
+	return nil
+}
+
 func dedupeVolumeNames(items []api.SandboxVolumeMount) []string {
 	itemsSet := make(map[string]struct{}, len(items))
 	for _, item := range items {

@@ -86,6 +86,60 @@ func TestBuildAutoResumeConfig(t *testing.T) {
 	}
 }
 
+func TestValidateAutoResumeConfig(t *testing.T) {
+	t.Parallel()
+
+	configPtr := func(v bool) *api.SandboxAutoResumeConfig {
+		return &api.SandboxAutoResumeConfig{Enabled: v}
+	}
+
+	tests := []struct {
+		name       string
+		autoPause  bool
+		autoResume *api.SandboxAutoResumeConfig
+		wantErr    bool
+	}{
+		{
+			name:      "nil auto resume is valid with auto pause disabled",
+			autoPause: false,
+		},
+		{
+			name:       "disabled auto resume is valid with auto pause disabled",
+			autoPause:  false,
+			autoResume: configPtr(false),
+		},
+		{
+			name:       "enabled auto resume requires auto pause",
+			autoPause:  false,
+			autoResume: configPtr(true),
+			wantErr:    true,
+		},
+		{
+			name:       "enabled auto resume is valid with auto pause enabled",
+			autoPause:  true,
+			autoResume: configPtr(true),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			got := validateAutoResumeConfig(tt.autoPause, tt.autoResume)
+
+			if tt.wantErr {
+				require.NotNil(t, got)
+				assert.Equal(t, http.StatusBadRequest, got.Code)
+				assert.Equal(t, ErrMsgAutoResumeRequiresAutoPause, got.ClientMsg)
+
+				return
+			}
+
+			require.Nil(t, got)
+		})
+	}
+}
+
 func TestValidateNetworkConfig(t *testing.T) {
 	t.Parallel()
 	tests := []struct {