Gemini API Managed Agents turns one API call into a Linux agent

Google added Managed Agents to the Gemini API preview on May 19, 2026. The headline version is simple: one API call can start an agent. The more useful reading for product teams is narrower. A Gemini API request can now delegate work to a Google-hosted Linux sandbox where an agent plans, invokes tools, runs code, manages files, and keeps environment state for later calls.

Google says the preview is powered by the Antigravity agent. The Antigravity agent uses Gemini 3.5 Flash and the same harness as the Antigravity IDE. The API example passes agent: "antigravity-preview-05-2026" and environment: "remote" to ask the agent to read the top Hacker News stories and save the results as a PDF. That is not only a demo prompt. It describes the contract Google wants developers to see: model reasoning, filesystem access, web retrieval, code execution, and artifact storage inside one interaction.

curl -X POST "https://generativelanguage.googleapis.com/v1beta/interactions" \
  -H "Content-Type: application/json" \
  -H "x-goog-api-key: $GEMINI_API_KEY" \
  -H "Api-Revision: 2026-05-20" \
  -d '{
    "agent": "antigravity-preview-05-2026",
    "input": "Read Hacker News, summarize the top 10 stories, and save the results as a PDF.",
    "environment": "remote"
  }'

Gemini API work has historically centered on generateContent. Google previewed the Interactions API in December 2025 to put models and agents behind a shared interface. At the time, Google argued that agentic applications need a data model for interleaved messages, thoughts, tool calls, and state. Managed Agents is the next visible step in that direction. The same path that previously exposed Google built-in agents such as Deep Research is now being extended to a developer-facing Antigravity runtime.

Google did not announce Managed Agents in isolation at I/O 2026. The developer update grouped it with the Antigravity 2.0 desktop application, Antigravity CLI, Antigravity SDK, Gemini Enterprise Agent Platform integration, and an agent playground in Google AI Studio. That bundle says more than the API page alone. Google is treating coding agents as a set of surfaces: the IDE for human coordination, the CLI for terminal work, the SDK for teams that want to deploy their own infrastructure, and Gemini API Managed Agents for products that want to call an agent from a backend workflow.

The first operational change is sandbox ownership. Google documentation says one API call can provision a Linux sandbox where the agent can run Bash, Python, and Node.js commands, then read, write, and search files. The default environment includes Python 3.12 and Node.js 22. Passing environment: "remote" creates a new environment. Passing an existing environment ID lets the agent reuse prior files and state. This is not just conversation memory. It is the working directory, intermediate artifacts, installed packages, and file changes that survive across interactions.

The second change is tool authority. In the Antigravity agent docs, the default tools include code_execution, google_search, and url_context. When an environment is specified, filesystem tools are enabled automatically. Developers can narrow the tool set through the tools array. Once an agent can fetch web pages, execute code, and edit files, logging only the final model response is insufficient. Teams need to record the request, environment ID, network rules, tool set, artifact changes, and token usage if they want a run to be auditable or reproducible.

The security document has one line that deserves attention before teams connect this to production systems: outbound networking is unrestricted by default. Google says each agent runs in an OS-level isolated sandbox, but the environment can reach the network unless a team applies an allowlist with domains or wildcard patterns. Once a company connects a private Git repository, package registry, ticketing system, or payment API, the direct risk variable is not only what the model says. It is where the sandbox can send requests.

Credential injection changes the operating model as well. Google recommends least-privilege service accounts or API keys for external tools and APIs, short-lived tokens instead of long-lived keys, rotation policies, and an explicit check that the team really intends to expose the credential scope to the agent. The docs also mention header transformation as a way to avoid exposing a credential directly inside the sandbox. Even with that pattern, an agent can still use the reachable credential. The permission should be treated as granted to a remote execution environment, not merely to a language model.

Cost planning also differs from a normal token price sheet. The Agents Overview says Managed Agents uses pay-as-you-go pricing based on Gemini model tokens and tool usage, while environment compute is not charged during the preview. The same documentation says one interaction may involve multiple reasoning loops and commonly consume 100k to 3M tokens. A 3M-token run does not feel like a single chat completion. If the agent searches the web, reads files, runs code, fixes errors, and reruns tests in one task, the budget needs to be set per job rather than per prompt.

The preview limits show where the product fits today. An environment is permanently deleted after seven days of inactivity. A VM spins down after a short idle period and restores state on the next request. A project can have up to 1,000 managed agents. Those constraints point away from permanent daemons or long-lived workers. The current shape is closer to an ephemeral worker that wakes up for a bounded task, produces artifacts, and goes quiet. Document conversion, research, test execution, data cleanup, code review, and batch maintenance are natural first candidates.

Google's announcement also lands in a different part of the agent market than the visible coding assistants. OpenAI Codex, GitHub Copilot coding agent, and Anthropic Claude Code have focused heavily on the developer-facing workspace and review loop. Google's preview gives API callers a hosted agent runtime. A SaaS product could add a button that checks out a repository, runs tests, edits files, and leaves a report without building its own Kubernetes job runner, sandbox image, browser tooling, and secret proxy from scratch.

AI Studio gives teams a lower-friction experimentation path. Google's announcement says new custom templates let developers start with Managed Agents directly in Google AI Studio Playground. Before integrating the API, a team can inspect prompts, tool choices, instruction files, and artifact formats visually. The useful part is not only prototyping speed. A product manager or operations lead can validate the agent behavior in AI Studio, while an engineer moves the same agent definition into an API call or a registered managed agent.

The enterprise preview is a separate signal. Google says Gemini Enterprise Agent Platform support for Managed Agents is also in preview. That sentence points to a different buyer than the consumer-facing Antigravity app. Enterprise customers will ask about Google Cloud project boundaries, identity, audit logs, data boundaries, and network policies before they compare a single agent's benchmark scores. The noteworthy part is not only that Managed Agents entered Gemini API. The same Antigravity harness is being repeated across desktop, CLI, SDK, enterprise platform, and API surfaces.

The tradeoff is that part of the execution layer moves to Google. VentureBeat framed the preview as collapsing weeks of agent deployment work into one call while raising questions about execution-layer control. Product teams face the same checklist. How reproducible is the sandbox image? How granular are network allowlists? Can tool-call logs be exported into an audit system? Can a failed run be retried from the same state? Where should durable artifacts be copied before the seven-day inactivity window deletes the environment?

Community reaction was still sparse at the June 1, 2026 research point. The announcement was not visible on the Hacker News front page or GeekNews latest list during the check. Reddit reposts and secondary coverage described the upside as "agents as a service" and the concern as handing execution control to the model or API provider, but voting and comment volume were low. The quiet response does not prove low impact. It more likely means API-preview users have not yet produced enough public cost, quota, and failure-mode reports.

Teams evaluating Managed Agents should start with observability rather than model preference. A useful trace needs the agent, environment, tool list, network rule, input files, output files, token usage, tool usage, and any human approval step in one record. Coding agents that fix tests, analyst agents that transform datasets, and documentation agents that update internal pages all create valuable intermediate states. Failed states are often more important for audit and debugging than the final success artifact.

Managed Agents is a narrower event than "agents are getting easier." Google put a remote Linux environment, the Antigravity harness, file state, web access, and tool loops inside the Gemini API. That can reduce deployment work for teams that want to expose agents as product features. It also turns token budgets, network egress, credential scope, environment deletion, and artifact retention into product requirements. In 2026, an agent API comparison table needs to list execution location and operating contract next to model benchmarks.