# Credentials Most agents need an API key for their model provider. An HTTP/HTTPS proxy on your host intercepts outbound requests from the sandbox, looks up the matching credential on the host, and overwrites the auth header before forwarding. The real credential stays on the host; the sandbox sees only a sentinel value. For the security model behind this, see [Credential isolation](/ai/sandboxes/security/credentials/isolation/#credential-isolation). ## How credential injection works The proxy needs three things to inject a credential: which outbound traffic to match, what header to write, and what value to use. The kit (or built-in agent definition) declares the first two. You provide the value on the host. There are two host-side stores, plus a host shell fallback: - Stored secrets, keyed on a service identifier: built-in agents declare service identifiers (`anthropic`, `openai`, `github`, etc.) in their kit specs; custom kits can declare their own. `sbx secret set` stores a value keyed on that identifier. When a sandboxed request matches a service's domain, the proxy reads the stored value and writes the configured header. Inside the sandbox, the environment variable holds a sentinel like `proxy-managed`, so SDKs that read the variable see something non-empty without seeing the real secret. See [Stored secrets](#stored-secrets). - Stored secrets, keyed on a target domain and environment variable name: `sbx secret set-custom` stores a value alongside a target domain, an environment variable name, and an optional placeholder. The sandbox sees the placeholder; the proxy substitutes it with the real value anywhere it appears in outbound traffic to that domain. Use this when the service-identifier model doesn't fit — for example, when the agent validates the variable format at boot, or when the credential lands in a request body. See [Custom secrets](#custom-secrets). - Host shell environment variables: as a fallback, the proxy reads from your shell environment. Useful for one-off testing or development; stored secrets are preferred because shell environment variables are plaintext and visible to other processes running as your user. See [Environment variables](#environment-variables). Registry credentials are a separate store with a different purpose. They authenticate the `sbx` CLI (and optionally the sandbox itself) to private OCI registries for template and kit pulls, and are not used by the credential-injection proxy. See [Registry credentials](#registry-credentials). If both a stored secret and a host environment variable are set for the same service, the stored secret takes precedence. For multi-provider agents (OpenCode, Docker Agent), the proxy selects credentials based on the API endpoint being called. See individual [agent pages](/ai/sandboxes/agents) for provider-specific details. ## Stored secrets `sbx secret set` stores credentials in your OS keychain, keyed on a service identifier. Built-in agents declare a fixed set of services. Custom kits can declare their own. The same `sbx secret set` flow works for both. ### Where secrets are stored The store backing `sbx secret set` depends on your operating system: - macOS: the system Keychain. - Windows: the Windows Credential Manager. - Linux: the Secret Service exposed by your desktop keyring, such as GNOME Keyring or KDE Wallet. The Ubuntu package depends on GNOME Keyring, so a standard desktop install needs no extra setup. On Linux hosts without a running Secret Service — headless servers and some WSL setups — `sbx` falls back to an encrypted file under your user config directory `$XDG_CONFIG_HOME/com.docker.sandboxes`, which defaults to `~/.config/com.docker.sandboxes` when `$XDG_CONFIG_HOME` is unset. The fallback is automatic and needs no configuration. When you store a secret this way, `sbx` prints a notice: ```text No keychain detected - this secret will be stored in an encrypted file on disk ``` The file is encrypted at rest and protected by `0700` directory permissions, the same posture as `~/.docker/config.json`. This is weaker than an OS keychain, which also mediates access per application. If you start a Secret Service on the host later, `sbx` stores new secrets in the keychain again. For more on running sandboxes without a desktop keyring, see [Can I use Docker Sandboxes on headless Linux?](/ai/sandboxes/faq/#can-i-use-docker-sandboxes-on-headless-linux) ### Store a secret ```console $ sbx secret set -g anthropic ``` This prompts you for the secret value interactively. The `-g` flag stores the secret globally so it's available to all sandboxes. To scope a secret to a specific sandbox instead: ```console $ sbx secret set my-sandbox openai ``` > [!NOTE] > A sandbox-scoped secret takes effect immediately, even if the sandbox is > running. A global secret (`-g`) only applies when a sandbox is created. If > you set or change a global secret while a sandbox is running, recreate the > sandbox for the new value to take effect. You can also pipe in a value for non-interactive use: ```console $ echo "$ANTHROPIC_API_KEY" | sbx secret set -g anthropic ``` ### Built-in services Each built-in service name maps to a set of environment variables the proxy checks and the API domains it authenticates requests to: | Service | Environment variables | API domains | | ----------- | ---------------------------------- | ----------------------------------- | | `anthropic` | `ANTHROPIC_API_KEY` | `api.anthropic.com` | | `aws` | `AWS_ACCESS_KEY_ID` | AWS Bedrock endpoints | | `github` | `GH_TOKEN`, `GITHUB_TOKEN` | `api.github.com`, `github.com` | | `google` | `GEMINI_API_KEY`, `GOOGLE_API_KEY` | `generativelanguage.googleapis.com` | | `groq` | `GROQ_API_KEY` | `api.groq.com` | | `mistral` | `MISTRAL_API_KEY` | `api.mistral.ai` | | `nebius` | `NEBIUS_API_KEY` | `api.studio.nebius.ai` | | `openai` | `OPENAI_API_KEY` | `api.openai.com` | | `xai` | `XAI_API_KEY` | `api.x.ai` | When you store a secret with `sbx secret set -g `, the proxy uses it the same way it would use the corresponding environment variable. You don't need to set both. ### Services declared by kits Custom kits can declare their own service identifiers in `spec.yaml` — they're not limited to the table above. To provide a credential for a kit-declared service, run `sbx secret set` with the same identifier the kit declares under `credentials.sources`: ```console $ sbx secret set -g my-service ``` There's no separate registration step; the keychain entry is keyed on the identifier the kit already uses. See [Authenticate to external services](/ai/sandboxes/customize/kits/#authenticate-to-external-services) for the kit-side wiring. ### List and remove secrets List all stored secrets: ```console $ sbx secret ls SCOPE TYPE NAME SECRET (global) service github gho_GCaw4o****...****43qy ``` Remove a secret: ```console $ sbx secret rm -g github ``` > [!NOTE] > Running `sbx reset` deletes all stored secrets along with all sandbox state. > You'll need to re-add your secrets after a reset. ### GitHub token The `github` service gives the agent access to the `gh` CLI inside the sandbox. Pass your existing GitHub CLI token: ```console $ echo "$(gh auth token)" | sbx secret set -g github ``` This is useful for agents that create pull requests, open issues, or interact with GitHub APIs on your behalf. ### SSH agent If your host has an SSH agent and `SSH_AUTH_SOCK` is set, Docker Sandboxes forwards the agent into the sandbox and sets `SSH_AUTH_SOCK` there. The private keys stay on your host. Processes inside the sandbox can request signatures from the forwarded agent, but they can't read or copy the private key. Use SSH agent forwarding for Git operations over SSH and SSH-based commit signing. The signing key must be loaded in the host SSH agent for sandboxed commit signing to work. Outbound SSH connections are still subject to sandbox network policy. For details, see [Commit signing](/ai/sandboxes/workflows/#commit-signing). ## Custom secrets > [!IMPORTANT] > Custom secrets are experimental. Behavior, flags, and the placeholder format may > change without notice. For credentials that don't fit the service-identifier model — for example, when an agent validates the environment variable format at boot, or when the credential lands in a request body rather than a header — use `sbx secret set-custom`. The secret is keyed on a target domain, an environment variable name, and an optional placeholder string, instead of a service identifier. ```console $ sbx secret set-custom -g \ --host api.example.com \ --env API_KEY \ --value ``` > [!WARNING] > Passing the secret as `--value ` records it in your shell history > and exposes it to other processes running as your user. Avoid pasting > real credentials inline — read the value from a variable that's already > in your environment, and clear shell history if a real secret was passed > on the command line. Inside the sandbox, `API_KEY` is set to a generated placeholder (for example, `sbx-cs-`). When a sandboxed process sends a request to `api.example.com` and the placeholder appears anywhere in the request, the proxy replaces it with the real value. The agent never sees the real secret. Prefer the [service-based flow](#stored-secrets) whenever it's an option — the kit handles the wiring; you only provide the value. ## Registry credentials Registry credentials authenticate to private OCI registries when pulling [templates](/ai/sandboxes/customize/templates/) or [kits](/ai/sandboxes/customize/kits/). Use `sbx secret set --registry ` to store them. They are independent from service secrets: the proxy doesn't touch them, and they're used directly by the `sbx` CLI when resolving image references. For Docker Hub, `sbx` reuses your `sbx login` session — no registry secret needed. For other registries (GitHub Container Registry, ECR, ACR, self-hosted Nexus, and so on), store credentials with `sbx secret set --registry`. ### Store registry credentials Pipe a token from stdin and target the registry hostname: ```console $ gh auth token | sbx secret set --registry ghcr.io --password-stdin ``` For registries that require a username (for example, ACR with an admin account), add `--username`: ```console $ echo "$ACR_PASSWORD" | sbx secret set \ --registry myregistry.azurecr.io \ --username myuser \ --password-stdin ``` Three scopes control where the credential is used: - Host-only (no `-g`, no sandbox name): the `sbx` CLI uses it to pull templates and kits when creating a sandbox. The credential is not injected into the sandbox itself, so processes inside the sandbox can't use it. - Global (`-g`): same as host-only, plus written into `~/.docker/config.json` in every new sandbox. Use this when agents need to pull or push from inside the sandbox — for example, when an agent builds and publishes container images. - Sandbox-scoped (positional `SANDBOX` argument): credential applies only to that named sandbox. Useful when only one sandbox needs access to a private registry. ```console $ gh auth token | sbx secret set -g --registry ghcr.io --password-stdin $ gh auth token | sbx secret set my-sandbox --registry ghcr.io --password-stdin ``` `sbx kit pull` also uses these credentials, with the Docker credential store as a fallback. `sbx kit push` uses only the Docker credential store — push targets still require a prior `docker login`. ### Remove registry credentials Remove both the host-only and global entries for a registry: ```console $ sbx secret rm --registry ghcr.io -f ``` To remove only the global (sandbox-injected) entry and leave the host-only credential in place, pass `-g`: ```console $ sbx secret rm -g --registry ghcr.io -f ``` To remove a sandbox-scoped credential, pass the sandbox name: ```console $ sbx secret rm my-sandbox --registry ghcr.io -f ``` ## Environment variables As an alternative to stored secrets, export the relevant environment variable in your shell before running a sandbox: ```console $ export ANTHROPIC_API_KEY=sk-ant-api03-xxxxx $ sbx run claude ``` The proxy reads the variable from your terminal session. See individual [agent pages](/ai/sandboxes/agents) for the variable names each agent expects. > [!NOTE] > These environment variables are set on your host, not inside the sandbox. > Sandbox agents are pre-configured to use credentials managed by the > host-side proxy. For custom environment variables not tied to a > [built-in service](#built-in-services), see > [Setting custom environment variables](/ai/sandboxes/faq/#how-do-i-set-custom-environment-variables-inside-a-sandbox). ## Best practices - Use [stored secrets](#stored-secrets) over environment variables. Stored secrets are encrypted at rest in the OS keychain (or an encrypted file on Linux hosts without a keychain), while environment variables are plaintext in your shell. See [Where secrets are stored](#where-secrets-are-stored). - Don't set API keys manually inside the sandbox. Sandbox agents are pre-configured to use proxy-managed credentials. - For Claude Code and Codex, OAuth is another secure option: the flow runs on the host, so the token is never exposed inside the sandbox. If you haven't stored a credential, both agents prompt you to authenticate before the sandbox launches — Codex prompts on the host from `sbx run codex`, and Claude Code prompts inside the agent. To authenticate ahead of time, run `sbx secret set -g openai --oauth` for Codex, or use `/login` inside Claude Code. - If you store credentials in 1Password, see [Sourcing credentials from 1Password](/ai/sandboxes/workflows/#sourcing-credentials-from-1password) for how to use `op read` and `op run` with `sbx`. ## Custom templates and placeholder values When building custom templates or installing agents manually in a shell sandbox, some agents require environment variables like `OPENAI_API_KEY` to be set before they start. Set these to placeholder values (e.g. `proxy-managed`) if needed. The proxy injects actual credentials regardless of the environment variable value.