# Credential
Credential features let Sandbox0 authenticate outbound traffic without placing raw secret material inside the sandbox process.
## The Three Objects
| Object | What it stores | Where it lives |
|---|---|---|
| credential source | Secret material such as tokens, headers, client certificates, or username/password pairs | Credential source API |
| credential binding | A stable local ref plus projection rules that map a source into a runtime auth shape | network.credentialBindings |
| credential rule | Destination match rules that decide when outbound auth should be injected | network.egress.credentialRules |
These objects work together: create a source, expose it through a stable binding ref, and then match outbound traffic with credentialRules that reference that ref. Keep traffic control separate with trafficRules.
trafficRules and credentialRules are orthogonal. trafficRules decide whether traffic is allowed. credentialRules decide whether matching traffic gets outbound authentication.
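The independence of the two rule sets, as an added example that is not Sandbox0's code or schema: a simplified Python model in which trafficRules decide reachability, credentialRules separately decide injection, and a lint pass flags credential rules that can never take effect. The field names (ref, source, projection, hosts, action, credentialRef), glob host matching and default-deny behaviour are assumptions; only the object names come from this page.

```python
# Simplified model, not Sandbox0's implementation. Field names and
# default-deny behaviour are assumptions made for illustration.
from fnmatch import fnmatch

# Constructed sample policy using the object names from this page.
POLICY = {
    "credentialBindings": [
        {"ref": "api-token", "source": "example-src", "projection": "http_headers"},
    ],
    "egress": {
        "trafficRules": [
            {"action": "allow", "hosts": ["api.example.com", "*.example.org"]},
        ],
        "credentialRules": [
            {"hosts": ["api.example.com"], "credentialRef": "api-token"},
            {"hosts": ["internal.test"], "credentialRef": "missing-ref"},
        ],
    },
}

def _first_match(rules, host):
    """Return the first rule with a host pattern matching `host`, else None."""
    return next((r for r in rules if any(fnmatch(host, p) for p in r["hosts"])), None)

def decide(policy, host):
    """Return (allowed, binding_ref); each rule set is consulted independently."""
    egress = policy["egress"]
    traffic = _first_match(egress["trafficRules"], host)
    allowed = traffic is not None and traffic["action"] == "allow"
    cred = _first_match(egress["credentialRules"], host)
    # Auth is only injected on traffic that actually leaves the sandbox.
    ref = cred["credentialRef"] if cred and allowed else None
    return allowed, ref

def lint(policy):
    """Flag credential rules that can never take effect (literal hosts only)."""
    refs = {b["ref"] for b in policy["credentialBindings"]}
    findings = []
    for rule in policy["egress"]["credentialRules"]:
        if rule["credentialRef"] not in refs:
            findings.append(f"dangling ref: {rule['credentialRef']}")
        for host in rule["hosts"]:
            if not decide(policy, host)[0]:
                findings.append(f"credential rule for {host} but traffic not allowed")
    return findings

if __name__ == "__main__":
    print([decide(POLICY, h) for h in ("api.example.com", "docs.example.org", "internal.test")])
    print(lint(POLICY))
```

An allowed destination with no matching credential rule goes out unauthenticated, and a credential rule for a destination that traffic rules do not allow never fires; the lint pass surfaces the second case before deployment.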
## Where You Configure It
credentialBindings now live under the same network object everywhere:
- Template defaults: spec.network
- Claim-time config: config.network
- Runtime update: PUT /api/v1/sandboxes/{id}/network

That public shape is SandboxNetworkPolicy in all three places.
## Supported Projections
| Projection type | Typical use |
|---|---|
| http_headers | Inject HTTP or gRPC headers such as Authorization |
| tls_client_certificate | Present a client certificate during TLS terminate-reoriginate flows |
| username_password | Provide username/password material for protocols such as SOCKS5 or MQTT |
## Supported Source Types
| Resolver kind | Purpose |
|---|---|
| static_headers | Store named header values or tokens |
| static_tls_client_certificate | Store certificate PEM, private key PEM, and optional CA PEM |
| static_username_password | Store a username/password pair |
## Next Steps

- Sources: Create and manage reusable credential sources
- Egress Auth: Bind sources and inject outbound auth for matching destinations
- Sandbox Network: Control traffic allow and deny behavior with trafficRules