docs/sandboxes/secrets.mdx
Secrets use a placeholder substitution model. The guest VM never sees the real credential.
When you bind a secret to an environment variable and one or more allowed hosts, microsandbox generates a random placeholder (e.g., `OPENAI_API_KEY=msb_ph_a8f3c2...`) and injects that into the guest instead. The real value never enters the VM. The only way it reaches the outside world is when a request goes to an allowed host, at which point microsandbox swaps the placeholder for the real value. Everywhere else, the placeholder is just a meaningless string.
So even with full code execution inside the sandbox, there's nothing to steal. The credential was never there.
<CodeGroup>
```rust Rust
use microsandbox::Sandbox;

let sb = Sandbox::builder("agent")
    .image("python")
    .secret(|s| s
        .env("GITHUB_TOKEN")
        .value(std::env::var("GITHUB_TOKEN")?)
        .allow_host("api.github.com")
        .allow_host_pattern("*.githubusercontent.com")
    )
    .secret_env("OPENAI_API_KEY", api_key, "api.openai.com")
    .create()
    .await?;
```

```typescript TypeScript
import { Sandbox } from "microsandbox";

await using sb = await Sandbox.builder("agent")
  .image("python")
  .secret((s) =>
    s.env("GITHUB_TOKEN")
      .value(process.env.GITHUB_TOKEN!)
      .allowHost("api.github.com")
      .allowHostPattern("*.githubusercontent.com"),
  )
  .secretEnv("OPENAI_API_KEY", process.env.OPENAI_API_KEY!, "api.openai.com")
  .create();
```

```python Python
import os
from microsandbox import Sandbox, Secret

sb = await Sandbox.create(
    "agent",
    image="python",
    secrets=[
        Secret.env(
            "GITHUB_TOKEN",
            value=os.environ["GITHUB_TOKEN"],
            allow_hosts=["api.github.com"],
            allow_host_patterns=["*.githubusercontent.com"],
        ),
        Secret.env(
            "OPENAI_API_KEY",
            value=os.environ["OPENAI_API_KEY"],
            allow_hosts=["api.openai.com"],
        ),
    ],
)
```

```bash CLI
msb create python --name agent \
  --secret "GITHUB_TOKEN=$GITHUB_TOKEN@api.github.com" \
  --secret "OPENAI_API_KEY=$OPENAI_API_KEY@api.openai.com"
```
</CodeGroup>
See the SDK Reference for the full API: Rust | TypeScript | Python.
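
The substitution model described at the top of this page can be sketched as a small host-side rewrite step. This is an added illustration, not microsandbox's own code: `SecretBinding`, `pattern_matches`, `rewrite_outbound` and `demo_bindings` are hypothetical names, the token values are constructed, and the wildcard semantics (subdomains only, never the bare domain) are an assumption.

```rust
// Toy model, added here; not microsandbox code. Every name is hypothetical.
struct SecretBinding {
    placeholder: String,         // the only value the guest ever sees
    real_value: String,          // stays on the host side
    allow_hosts: Vec<String>,    // exact host names
    allow_patterns: Vec<String>, // "*.example.com"-style patterns
}

// Assumed semantics: "*.suffix" matches subdomains of `suffix`, never `suffix`
// itself and never a name that merely ends with the same characters.
fn pattern_matches(pattern: &str, host: &str) -> bool {
    match pattern.strip_prefix("*.") {
        Some(suffix) => host.strip_suffix(suffix)
            .map_or(false, |rest| rest.len() > 1 && rest.ends_with('.')),
        None => pattern == host,
    }
}

impl SecretBinding {
    fn host_allowed(&self, host: &str) -> bool {
        let host = host.to_ascii_lowercase(); // host names are case-insensitive
        self.allow_hosts.iter().any(|h| h.to_ascii_lowercase() == host)
            || self.allow_patterns.iter().any(|p| pattern_matches(&p.to_ascii_lowercase(), &host))
    }
}

// Rewrite one outbound header value; the swap happens only for allowed hosts.
fn rewrite_outbound(bindings: &[SecretBinding], host: &str, value: &str) -> String {
    bindings.iter().fold(value.to_string(), |acc, b| {
        if b.host_allowed(host) { acc.replace(&b.placeholder, &b.real_value) } else { acc }
    })
}

// Constructed sample binding, mirroring the GITHUB_TOKEN example on this page.
fn demo_bindings() -> Vec<SecretBinding> {
    vec![SecretBinding {
        placeholder: "msb_ph_constructed_0001".into(),
        real_value: "constructed-real-token".into(),
        allow_hosts: vec!["api.github.com".into()],
        allow_patterns: vec!["*.githubusercontent.com".into()],
    }]
}

fn main() {
    let (b, hdr) = (demo_bindings(), "Bearer msb_ph_constructed_0001");
    for host in ["api.github.com", "raw.githubusercontent.com", "other.example"] {
        println!("{host}: {}", rewrite_outbound(&b, host, hdr));
    }
}
```

Requests to hosts outside the binding leave with the placeholder untouched, which is why look-alike names such as a shared suffix without the dot boundary are worth testing when you choose patterns.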