Secrets use a placeholder substitution model. The guest VM never sees the real credential. When you bind a secret to an environment variable and one or more allowed hosts, microsandbox generates a random placeholder (e.g., OPENAI_API_KEY=msb_ph_a8f3c2...) and injects that into the guest instead. The real value never enters the VM. The only way it reaches the outside world is when a request goes to an allowed host, at which point microsandbox swaps the placeholder for the real value. Everywhere else, the placeholder is just a meaningless string. So even with full code execution inside the sandbox, there’s nothing to steal. The credential was never there.
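use microsandbox::Sandbox;

// Wrapped in an async function so that `?` and `.await` are valid.
// The boxed error type is an assumption; substitute your own as needed.
async fn run() -> Result<(), Box<dyn std::error::Error>> {
    // Read the real values on the host. `?` cannot be used inside the
    // `.secret` closure, so the token is fetched before the builder chain.
    let github_token = std::env::var("GITHUB_TOKEN")?;
    let api_key = std::env::var("OPENAI_API_KEY")?;

    let sb = Sandbox::builder("agent")
        .image("python")
        // Closure form: one secret bound to several allowed hosts.
        .secret(|s| s
            .env("GITHUB_TOKEN")
            .value(github_token)
            .allow_host("api.github.com")
            .allow_host_pattern("*.githubusercontent.com")
        )
        // Shorthand: env var name, value, single allowed host.
        .secret_env("OPENAI_API_KEY", api_key, "api.openai.com")
        .create()
        .await?;
    Ok(())
}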
See the SDK Reference for the full API: Rust | TypeScript.
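
The substitution model described above, as an added example that is not microsandbox's own code or API: it models the host-side decision of when a placeholder in an outbound header is swapped for the real value. `Binding`, `host_allowed`, `rewrite_header`, `sample`, the wildcard matching rule and the token values are all assumptions made for illustration.

```rust
// Added model of host-gated substitution; hypothetical names, not microsandbox code.
/// The placeholder the guest sees, the real value held outside the VM, and
/// the hosts (exact names or "*.suffix" patterns) the real value may reach.
pub struct Binding {
    pub placeholder: String,
    pub real: String,
    pub allowed: Vec<String>,
}

fn norm(host: &str) -> String {
    host.trim_end_matches('.').to_ascii_lowercase()
}

/// Assumed rule: "*.example.com" matches subdomains only; otherwise exact match.
pub fn host_allowed(host: &str, pattern: &str) -> bool {
    let (h, p) = (norm(host), norm(pattern));
    if let Some(suffix) = p.strip_prefix("*.") {
        // The prefix must end in '.', so "evilexample.com" fails "*.example.com".
        let pre = h.strip_suffix(suffix).unwrap_or("");
        return pre.len() > 1 && pre.ends_with('.');
    }
    h == p
}

/// Swap placeholder for real value in a header value, only for an allowed host.
pub fn rewrite_header(dest_host: &str, value: &str, bindings: &[Binding]) -> String {
    let mut out = value.to_string();
    for b in bindings {
        if b.allowed.iter().any(|p| host_allowed(dest_host, p)) {
            out = out.replace(&b.placeholder, &b.real);
        }
    }
    out
}

/// Constructed sample binding; both values are made up for this example.
pub fn sample() -> Vec<Binding> {
    vec![Binding {
        placeholder: "msb_ph_constructed0001".into(),
        real: "REAL-TOKEN-CONSTRUCTED".into(),
        allowed: vec!["api.github.com".into(), "*.githubusercontent.com".into()],
    }]
}

fn main() {
    for host in ["api.github.com", "other.example"] {
        println!("{} -> {}", host, rewrite_header(host, "Bearer msb_ph_constructed0001", &sample()));
    }
}
```

A request to a host outside the binding leaves the sandbox still carrying the placeholder, which is why the host match has to be strict about suffixes and look-alike names.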