Bring secrets into a sandbox
Inject credentials with sandbox variables, without putting them in the file.
Agents often need credentials: a Linear API key, an npm token, a Doppler service token. Sandbox variables get them into the run's environment without ever putting them in the config file.
Two parts: store the value once on your account, then name it in the agent's config. Only agents that name a variable receive it.
1. Store the value
Store variables from the dashboard, or with the API:
curl https://api.ellipsis.dev/v1/sandboxes/variables \
  -H "Authorization: Bearer $ELLIPSIS_API_TOKEN" \
  -H "Content-Type: application/json" \
  -X PUT \
  -d '{"variables": [{"name": "LINEAR_API_KEY", "value": "lin_api_..."}]}'

Values are write-only: the API returns names and timestamps, never values. An account holds up to 500 variables.

A value typed on the command line ends up in your shell history and, while curl runs, in the process list. For a real key, write the JSON body to a file and send it with -d @payload.json, or read the value from an environment variable, and delete the file afterwards.
2. Name it in the config
ellipsis:
  version: v1
  name: Stale trade auditor
  description: Cross-references stuck shift trades against Linear
  claude:
    system: |
      Query the Linear API with LINEAR_API_KEY to find open issues
      labeled "trade-stuck". For each, check splitshift-api's trade
      tables migration history for a matching fix, and comment on the
      issue with what you find.
  triggers:
    - type: cron
      schedule: "0 6 * * *"
  sandbox:
    repositories:
      - name: splitshift-api
    variables:
      - name: LINEAR_API_KEY
      - name: LOG_LEVEL
        value: info
  limits:
    run: 1.00

An entry without a value resolves from your stored variables at run time; an entry with an inline value is a literal, for non-secret config. In the sandbox both are ordinary environment variables: $LINEAR_API_KEY in a shell command, os.environ["LINEAR_API_KEY"] in a script the agent writes.
If an agent names a variable that has no inline value and no stored value, the run fails immediately rather than starting with it unset. Define the variable first.
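Both halves of the procedure above in one script, as an added example rather than Ellipsis's own code: the outside half builds the same PUT the curl command sends and checks the reply really is write-only before anything is logged; the inside half is what a script the agent writes should do with the variables named in the config. Assumed, not taken from the page: the field names in the PUT reply (modelled as a list of name and updatedAt entries), the rule that a variable name must be a valid identifier, and the NEW_LINEAR_API_KEY name the main block reads a rotated key from.

```python
"""Added example, not Ellipsis's own code: stage a secret through the
sandbox variables API, confirm the reply is write-only, and resolve the
variables from inside a sandbox run.

Assumptions not stated on the page: the JSON shape of the PUT reply
(modelled as {"variables": [{"name": ..., "updatedAt": ...}]}) and that a
variable name must be a valid environment-variable identifier.
"""
import json
import os
import urllib.request
from collections.abc import Mapping

ELLIPSIS_VARIABLES_URL = "https://api.ellipsis.dev/v1/sandboxes/variables"  # from the page
MAX_VARIABLES = 500  # per-account cap stated on the page


def build_put(api_token: str, variables: Mapping[str, str]) -> urllib.request.Request:
    """Build the PUT the curl command sends, as a urllib Request.

    Validates locally first so a malformed batch never reaches the API.
    The cap is account-wide, so this only catches a single batch that is
    already too large; the server still enforces the real total."""
    if len(variables) > MAX_VARIABLES:
        raise ValueError(f"{len(variables)} variables exceeds the account cap of {MAX_VARIABLES}")
    for name, value in variables.items():
        if not name.isidentifier():
            raise ValueError(f"{name!r} is not usable as an environment variable name")
        if value == "":
            raise ValueError(f"{name} has an empty value")
    body = json.dumps(
        {"variables": [{"name": n, "value": v} for n, v in variables.items()]}
    ).encode()
    return urllib.request.Request(
        ELLIPSIS_VARIABLES_URL,
        data=body,
        method="PUT",
        headers={
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        },
    )


def acknowledged_names(response_body: bytes, sent: Mapping[str, str]) -> list[str]:
    """The API returns names and timestamps, never values. Check that
    before the reply goes anywhere near a log, then return the names the
    server acknowledged. Raises if a value we sent is echoed back."""
    text = response_body.decode()
    for name, value in sent.items():
        if value in text:
            raise RuntimeError(f"reply echoed the value of {name}; do not log it")
    return [entry["name"] for entry in json.loads(text)["variables"]]


def require_env(names: list[str], env: Mapping[str, str] = os.environ) -> dict[str, str]:
    """In-sandbox side. The platform refuses to start a run whose config
    names a variable with neither a stored nor an inline value; this guards
    the agent's own script against a typo in the name or an empty value,
    and reports every missing name at once rather than the first."""
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise RuntimeError("not set in the sandbox environment: " + ", ".join(missing))
    return {n: env[n] for n in names}


if __name__ == "__main__":
    # Outside the sandbox: rotate LINEAR_API_KEY. The new value is read
    # from an environment variable (hypothetical name NEW_LINEAR_API_KEY)
    # rather than typed on the command line, so it stays out of history.
    new_values = {"LINEAR_API_KEY": os.environ["NEW_LINEAR_API_KEY"]}
    req = build_put(os.environ["ELLIPSIS_API_TOKEN"], new_values)
    with urllib.request.urlopen(req) as resp:
        print("stored:", acknowledged_names(resp.read(), new_values))
```

Run it from a workstation with ELLIPSIS_API_TOKEN and NEW_LINEAR_API_KEY exported to rotate the key; the next run of any agent that names LINEAR_API_KEY picks up the new value. Inside a sandbox, a script calls require_env(["LINEAR_API_KEY", "LOG_LEVEL"]) once at startup instead of reaching into os.environ at each use.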
What the sandbox can and cannot do
Code running in a sandbox can list which variable names exist but cannot create, update, or delete stored values: the in-sandbox API token is rejected with 403 on writes. Reading is a different matter. A variable is an ordinary environment variable, so every command the agent runs, and any code it executes from the checked-out repositories, can read it; name a variable only in the agents that actually need it. Rotating a secret is one PUT from outside; the next run picks it up.
Next
To install a CLI that consumes the secret when the image is built, instead of at run time, see Customize the sandbox.