#Vaults

Vaults keep credentials out of agent code. Attach vault ids to a session, and Sandbox0 projects the matching credentials into network policy for that session.

Official reference: Claude Managed Agents vaults.

Managed Agents stores vault credential secret payloads as encrypted opaque secret maps at rest. Read APIs return public metadata and auth shape only, not raw secret values. Sandbox0 services decrypt secret material only when resolving runtime credential projection.

LLM Vaults#

Every running session should attach exactly one LLM vault. The LLM vault selects the agent harness and model provider endpoint.

typescript
const llmVault = await client.beta.vaults.create({ display_name: "Claude LLM", metadata: { "sandbox0.managed_agents.role": "llm", "sandbox0.managed_agents.engine": "claude", "sandbox0.managed_agents.llm_base_url": "https://api.anthropic.com", }, }); await client.beta.vaults.credentials.create(llmVault.id, { display_name: "Anthropic API key", auth: { type: "static_bearer", token: process.env.MODEL_API_KEY!, } as any, });
Metadata keyRequiredMeaning
sandbox0.managed_agents.roleYesMust be llm for an LLM vault
sandbox0.managed_agents.engineYesclaude or codex
sandbox0.managed_agents.llm_base_urlNoModel provider base URL

The LLM credential must be an unbound static_bearer credential. Do not set mcp_server_url on LLM credentials.

The as any cast on unbound static_bearer credentials is intentional for current Anthropic TypeScript SDK types. Sandbox0 LLM and generic HTTP credential vaults omit mcp_server_url.

Generic Credential Vaults#

Use credential vaults when the agent needs authenticated outbound access to an external HTTP service.

typescript
const apiVault = await client.beta.vaults.create({ display_name: "Example API", metadata: { "sandbox0.managed_agents.role": "credential", "sandbox0.managed_agents.kind": "http_headers", "sandbox0.managed_agents.version": "1", "sandbox0.managed_agents.target_domains": "api.example.com", "sandbox0.managed_agents.protocol": "https", "sandbox0.managed_agents.tls_mode": "terminate-reoriginate", "sandbox0.managed_agents.failure_policy": "fail-closed", "sandbox0.managed_agents.headers_json": "{\"authorization\":\"{{ .authorization }}\"}", }, }); await client.beta.vaults.credentials.create(apiVault.id, { display_name: "Example API token", auth: { type: "static_bearer", token: process.env.EXAMPLE_API_TOKEN!, } as any, });

Credential vaults can use static_bearer, mcp_oauth, or environment_variable credentials. For Sandbox0 HTTP header projection, Sandbox0 resolves secret values and projects headers only for the target domains.

Sandbox0 credential vault metadata is still validated as kind=http_headers, so provide target_domains and headers_json when creating the vault. environment_variable credentials use the official Managed Agents credential auth shape, but their runtime scope comes from auth.networking.

Environment Variable Credentials#

Use environment_variable credentials when a process running inside the sandbox expects a conventional environment variable, such as OPENAI_API_KEY, GITHUB_TOKEN, or a service-specific SDK token.

typescript
await client.beta.vaults.credentials.create(apiVault.id, { display_name: "OpenAI API key", auth: { type: "environment_variable", secret_name: "OPENAI_API_KEY", secret_value: process.env.OPENAI_API_KEY!, networking: { type: "limited", allowed_hosts: ["api.openai.com"], }, }, });

Sandbox0 stores secret_value as write-only secret material. At runtime, Sandbox0 sets the sandbox-level environment variable named by secret_name to an opaque placeholder. New processes in the sandbox inherit that placeholder through normal process environment behavior. When sandbox HTTP traffic leaves through Sandbox0 egress auth, the placeholder is substituted with the real secret in headers, query parameters, and request bodies for the credential's networking scope.

This credential is for sandbox processes, not for the Managed Agents SDK client or harness configuration. Do not pass the real secret to agent configuration. Store it in the vault and let Sandbox0 project it into sandbox processes.

Networking typeBehavior
unrestrictedThe secret can be substituted on any outbound host allowed by the session environment network policy
limitedThe secret can be substituted only for allowed_hosts; entries must be bare hostnames, IPv4 addresses, or *. wildcard hostnames, with no scheme, port, or path

secret_name must be unique among active credentials in the same vault and cannot be changed after creation. Archive the credential and create a replacement if the environment variable name needs to change. A vault can contain at most 20 active credentials.

MCP Credentials#

For MCP servers, the credential auth includes mcp_server_url.

typescript
await client.beta.vaults.credentials.create(vault.id, { display_name: "MCP token", auth: { type: "static_bearer", token: process.env.MCP_TOKEN!, mcp_server_url: "https://mcp.example.com/sse", }, });

Runtime Injection#

Sandbox0 injects model provider credentials through egress auth and harness compatibility environment variables:

HarnessCompatibility environment
claudeANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, ANTHROPIC_BASE_URL
codexCODEX_API_KEY, OPENAI_API_KEY, and openai_base_url harness config

For agent-in-sandbox harnesses such as claude and codex, compatibility environment variables may contain placeholders. The real token is projected by Sandbox0-managed credential policy when the sandbox contacts the configured model provider host.

Vault environment_variable credentials are separate from these harness compatibility variables. They create user-defined sandbox process environment variables and resolve them through the same egress auth boundary.

Next Steps#

Agent Harnesses

Choose the runtime adapter that should execute each managed session.

Compatibility

Review supported behavior and current compatibility boundaries.