Guides

Bring secrets into a sandbox

Inject credentials with sandbox variables, without putting them in the file.

Agents often need credentials: a Linear API key, an npm token, a Doppler service token. Sandbox variables get them into the run's environment without ever putting them in the config file.

Two parts: store the value once on your account, then name it in the agent's config. Only agents that name a variable receive it.

1. Store the value

Store variables from the dashboard, or with the API:

curl https://api.ellipsis.dev/v1/sandboxes/variables \
  -H "Authorization: Bearer $ELLIPSIS_API_TOKEN" \
  -H "Content-Type: application/json" \
  -X PUT \
  -d '{"variables": [{"name": "LINEAR_API_KEY", "value": "lin_api_..."}]}'

Values are write-only: the API returns names and timestamps, never values. An account holds up to 500 variables.

2. Name it in the config

ellipsis:
  version: v1
  name: Stale trade auditor
  description: Cross-references stuck shift trades against Linear

claude:
  system: |
    Query the Linear API with LINEAR_API_KEY to find open issues
    labeled "trade-stuck". For each, check splitshift-api's trade
    tables migration history for a matching fix, and comment on the
    issue with what you find.

triggers:
  - type: cron
    schedule: "0 6 * * *"

sandbox:
  repositories:
    - name: splitshift-api
  variables:
    - name: LINEAR_API_KEY
    - name: LOG_LEVEL
      value: info

limits:
  run: 1.00

An entry without a value resolves from your stored variables at run time; an inline value is a literal, for non-secret config. In the sandbox both are ordinary environment variables: $LINEAR_API_KEY in a shell command, os.environ["LINEAR_API_KEY"] in a script the agent writes.

If an agent names a variable that has no inline value and no stored value, the run fails immediately rather than starting with it unset. Define the variable first.

What the sandbox can and cannot do

Code running in a sandbox can list which variable names exist but cannot create, update, or delete stored values: the in-sandbox API token is rejected with 403 on writes. Rotating a secret is one PUT from outside; the next run picks it up.

Next

Install the CLI that consumes the secret at image level instead of run time: Customize the sandbox.