# Credential Injection

Inject API keys into a sandbox without exposing the raw secret to the agent's environment.
The agent inside a sandbox needs to call third-party APIs (OpenAI, Anthropic, GitHub, HuggingFace, etc.). The naive way is to set `OPENAI_API_KEY=sk-...` as a sandbox env var, but then the agent's process can read it from `process.env`, dump it to a file, exfiltrate it via DNS, or include it in an LLM prompt by accident.
Credential injection solves this by holding the real secret on the host and never letting it cross into the guest VM. The host runs a reverse proxy that watches outbound HTTPS connections from the sandbox; when one matches a known service URL, it inserts the matching credential into the request before forwarding upstream.
## Inject a credential

```ts
import { Isorun } from 'isorun'

const isorun = new Isorun()

const sandbox = await isorun.create({
  image: 'python:3.12-slim',
  credentials: {
    openai: process.env.OPENAI_API_KEY!,
    anthropic: process.env.ANTHROPIC_API_KEY!,
    github: process.env.GITHUB_TOKEN!,
  },
})

try {
  // The agent's environment only contains placeholder values:
  await sandbox.exec("env | grep -E 'OPENAI|ANTHROPIC|GITHUB'")
  // OPENAI_API_KEY=sk-isorun-proxy-managed
  // OPENAI_BASE_URL=http://169.254.169.254:<port>/proxy/openai
  // ANTHROPIC_API_KEY=sk-ant-isorun-proxy-managed
  // …

  // The agent's HTTPS calls still work: SDKs that honor *_BASE_URL
  // pick up the proxy automatically, and the proxy adds the real key.
  await sandbox.exec("python3 -c 'import openai; print(openai.models.list())'")
} finally {
  await sandbox.destroy()
}
```

**Tip:** The agent never sees the real secret. Printing `process.env.OPENAI_API_KEY` or reading `/proc/self/environ` returns the placeholder. The only thing the agent can do with it is make HTTPS calls through the proxy, which is exactly what you want.
## Recognised service keys

The proxy maps each key of the credential map to a known service. Pass the service short-name as the map key:

| Key | Service hostname |
|---|---|
| openai | api.openai.com |
| anthropic | api.anthropic.com |
| google | generativelanguage.googleapis.com |
| github | api.github.com |
| huggingface | api-inference.huggingface.co |

For each known service the proxy sets the right env vars inside the guest (`OPENAI_API_KEY` + `OPENAI_BASE_URL`, etc.) and injects the matching auth header on outbound requests that pass through the proxy.
## Per-endpoint filtering

For tighter control (for example, allow `POST /v1/chat/completions` but reject `DELETE /v1/admin/...`), use Endpoint Rules to specify which methods and paths the proxy is willing to forward for each credential.
## Combine with network profiles

Credential injection composes cleanly with network profiles. The profile blocks all egress except the API hosts you trust; credential injection ensures the agent's calls to those hosts go out with the right key, without ever putting the key in the guest's address space.
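As an added example (not isorun's own code), the following TypeScript models the host-side proxy behaviour described in the service-key table, the per-endpoint filtering section and the network-profile composition above: it derives the guest's placeholder environment from a credential map, lists the egress hosts a network profile would need to allow, and decides per request whether to forward with the real credential injected or to reject. The service-to-hostname table and the `sk-isorun-proxy-managed` placeholders are taken from this page; the auth-header formats, the placeholder and env-var names for the other services, and the endpoint-rule syntax (a trailing `*` meaning prefix match) are assumptions made for illustration.

```typescript
// Added example, not isorun's own code: a minimal model of the host-side
// credential proxy described on this page. The service-to-hostname table is
// the page's own; header formats, placeholder values for services other than
// openai/anthropic, env-var names other than OPENAI_*/ANTHROPIC_*, and the
// endpoint-rule syntax (a trailing '*' means prefix match) are assumptions.

type ServiceKey = 'openai' | 'anthropic' | 'google' | 'github' | 'huggingface';

interface ServiceSpec {
  host: string;        // upstream hostname the proxy recognises
  envKey: string;      // guest env var that holds the placeholder
  envBase: string;     // guest env var pointing SDKs at the proxy
  header: string;      // request header that carries the credential upstream
  scheme: string;      // header value prefix, e.g. 'Bearer '
  placeholder: string; // value the guest sees instead of the real secret
}

const SERVICES: Record<ServiceKey, ServiceSpec> = {
  openai:      { host: 'api.openai.com', envKey: 'OPENAI_API_KEY', envBase: 'OPENAI_BASE_URL',
                 header: 'authorization', scheme: 'Bearer ', placeholder: 'sk-isorun-proxy-managed' },
  anthropic:   { host: 'api.anthropic.com', envKey: 'ANTHROPIC_API_KEY', envBase: 'ANTHROPIC_BASE_URL',
                 header: 'x-api-key', scheme: '', placeholder: 'sk-ant-isorun-proxy-managed' },
  google:      { host: 'generativelanguage.googleapis.com', envKey: 'GOOGLE_API_KEY', envBase: 'GOOGLE_BASE_URL',
                 header: 'x-goog-api-key', scheme: '', placeholder: 'isorun-proxy-managed' },
  github:      { host: 'api.github.com', envKey: 'GITHUB_TOKEN', envBase: 'GITHUB_API_URL',
                 header: 'authorization', scheme: 'Bearer ', placeholder: 'isorun-proxy-managed' },
  huggingface: { host: 'api-inference.huggingface.co', envKey: 'HF_TOKEN', envBase: 'HF_ENDPOINT',
                 header: 'authorization', scheme: 'Bearer ', placeholder: 'isorun-proxy-managed' },
};

// Link-local proxy address shown on the page; the port is whatever the host picks.
const PROXY_HOST = '169.254.169.254';

interface EndpointRule { method: string; path: string }

interface ProxyConfig {
  credentials: Partial<Record<ServiceKey, string>>;            // real secrets, host side only
  endpointRules?: Partial<Record<ServiceKey, EndpointRule[]>>; // absent = any method/path
}

interface GuestRequest { method: string; host: string; path: string; headers: Record<string, string> }

type ProxyDecision =
  | { action: 'forward'; request: GuestRequest }
  | { action: 'reject'; status: number; reason: string };

// Environment handed to the guest: placeholders and proxy base URLs, never the secret.
function guestEnv(config: ProxyConfig, proxyPort: number): Record<string, string> {
  const env: Record<string, string> = {};
  for (const key of Object.keys(config.credentials) as ServiceKey[]) {
    const svc = SERVICES[key];
    env[svc.envKey] = svc.placeholder;
    env[svc.envBase] = `http://${PROXY_HOST}:${proxyPort}/proxy/${key}`;
  }
  return env;
}

// Hosts a network profile would need to allow for the configured credentials.
function egressAllowlist(config: ProxyConfig): string[] {
  return (Object.keys(config.credentials) as ServiceKey[]).map((k) => SERVICES[k].host);
}

function ruleMatches(rule: EndpointRule, method: string, path: string): boolean {
  if (rule.method.toUpperCase() !== method.toUpperCase()) return false;
  const pathname = path.split('?')[0]; // rules apply to the path, not the query string
  return rule.path.endsWith('*')
    ? pathname.startsWith(rule.path.slice(0, -1))
    : pathname === rule.path;
}

// Decide what the proxy does with one outbound request from the sandbox.
function proxyRequest(config: ProxyConfig, req: GuestRequest): ProxyDecision {
  const key = (Object.keys(SERVICES) as ServiceKey[]).find((k) => SERVICES[k].host === req.host);
  const secret = key ? config.credentials[key] : undefined;
  if (!key || !secret) {
    return { action: 'reject', status: 403, reason: `no credential configured for ${req.host}` };
  }
  const rules = config.endpointRules?.[key];
  if (rules && !rules.some((r) => ruleMatches(r, req.method, req.path))) {
    return { action: 'reject', status: 403, reason: `${req.method} ${req.path} not allowed for ${key}` };
  }
  const svc = SERVICES[key];
  // Drop whatever the guest put in the credential header (normally the
  // placeholder) and set the real credential on the host side only.
  const headers: Record<string, string> = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (name.toLowerCase() !== svc.header) headers[name.toLowerCase()] = value;
  }
  headers[svc.header] = svc.scheme + secret;
  return { action: 'forward', request: { ...req, headers } };
}
```

Two design points worth noting: a service with no endpoint rules forwards any method and path (matching the page, where rules are an optional tightening), and the proxy replaces the credential header rather than appending to it, so the placeholder the guest sends never reaches the upstream API and the guest cannot substitute a header value of its own. `egressAllowlist` is the set of hosts a network profile should leave open; everything else can stay blocked.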
## Next steps

- Endpoint rules: restrict the proxy to specific methods and paths.
- Network profiles: block egress to everything but trusted hosts.
- Audit trail: proxied requests are logged, never the credential.