# Credential
Credential features let Sandbox0 authenticate outbound traffic without placing raw secret material inside the sandbox process.
Credential sources are team-scoped objects. In Sandbox0 Cloud, sign in with s0 auth login, select the correct current team, and create API keys only when you need SDK or raw HTTP access.
## The Three Objects
| Object | What it stores | Where it lives |
|---|---|---|
| credential source | Secret material such as tokens, headers, client certificates, or username/password pairs | Team-scoped credential source API |
| credential binding | A stable local ref plus projection rules that map a source into a runtime auth shape | network.credentialBindings |
| credential rule | Destination match rules that decide when outbound auth should be injected | network.egress.credentialRules |
These objects work together: create a source, expose it through a stable binding ref, and then match outbound traffic with credentialRules that reference that ref. Keep traffic control separate with trafficRules.
trafficRules and credentialRules are orthogonal. trafficRules decide whether traffic is allowed. credentialRules decide whether matching traffic gets outbound authentication.
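The sketch below is an added illustration, not Sandbox0 code or its schema: it models the two rule sets as independent decisions and flags credential rules whose ref no binding declares. The field names inside each object (ref, source, projection, host, action, credentialRef), the flat layout of the sample policy, glob host matching, and deny-when-no-traffic-rule-matches are all assumptions.

```python
from fnmatch import fnmatch

# Constructed sample policy. The page names credentialBindings, credentialRules
# and trafficRules; every field inside them (ref, source, projection, host,
# action, credentialRef) is a hypothetical name chosen for this sketch.
POLICY = {
    "credentialBindings": [
        {"ref": "gh", "source": "github-token", "projection": "http_headers"},
    ],
    "trafficRules": [
        {"host": "api.github.com", "action": "allow"},
        {"host": "*.example.org", "action": "allow"},
    ],
    "credentialRules": [
        {"host": "api.github.com", "credentialRef": "gh"},
        {"host": "vault.internal", "credentialRef": "gh"},
        {"host": "*.example.org", "credentialRef": "pypi"},
    ],
}

def first_match(rules, host):
    """Return the first rule whose host pattern matches, else None."""
    return next((r for r in rules if fnmatch(host, r["host"])), None)

def decide(policy, host):
    """Evaluate both rule sets independently for one destination host."""
    traffic = first_match(policy["trafficRules"], host)
    # Assumption: traffic with no matching rule is denied.
    allowed = traffic is not None and traffic["action"] == "allow"
    cred = first_match(policy["credentialRules"], host)
    bound = {b["ref"] for b in policy["credentialBindings"]}
    # A rule can only inject if its ref resolves to a declared binding.
    ref = cred["credentialRef"] if cred and cred["credentialRef"] in bound else None
    return {"allowed": allowed, "credential": ref}

def dangling_refs(policy):
    """List credentialRules that point at a ref no binding declares."""
    bound = {b["ref"] for b in policy["credentialBindings"]}
    return [r["host"] for r in policy["credentialRules"]
            if r["credentialRef"] not in bound]

if __name__ == "__main__":
    for h in ("api.github.com", "vault.internal", "pkg.example.org", "other.test"):
        print(h, decide(POLICY, h))
    print("dangling:", dangling_refs(POLICY))
```

The `vault.internal` case is the one worth reviewing in a real policy: a credential rule matches, but no traffic rule allows the destination, so the rule never takes effect.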
## Where You Configure It
credentialBindings now live under the same network object everywhere:
- Template defaults: spec.network
- Claim-time config: config.network
- Runtime update: PUT /api/v1/sandboxes/{id}/network
That public shape is SandboxNetworkPolicy in all three places.
## Supported Projections
| Projection type | Typical use |
|---|---|
| http_headers | Inject HTTP or gRPC headers such as Authorization |
| tls_client_certificate | Present a client certificate during TLS terminate-reoriginate flows |
| username_password | Provide username/password material for protocols such as SOCKS5 or MQTT |

## Supported Source Types
| Resolver kind | Purpose |
|---|---|
| static_headers | Store named header values or tokens |
| static_tls_client_certificate | Store certificate PEM, private key PEM, and optional CA PEM |
| static_username_password | Store a username/password pair |
## Next Steps
- Sources: Create reusable credential sources for runtime projection.
- Egress Auth: Inject destination-scoped outbound credentials through network policy.