Secret Stores

`await SecretStore.create(**kwargs)`

Create a new secret store.

from opencomputer import SecretStore

store = await SecretStore.create(
    name='my-agent-secrets',
    egress_allowlist=['api.anthropic.com'],
)

name

str

required

Store name (unique per organization)

egress_allowlist

list[str] | None

Allowed egress hosts

Returns: dict

`await SecretStore.list(**kwargs)`

Returns: list[dict]

`await SecretStore.get(store_id, **kwargs)`

store_id

str

required

UUID of the secret store

Returns: dict

`await SecretStore.update(store_id, **kwargs)`

Partial updates — only the fields you pass are changed.

updated = await SecretStore.update(
    'store-uuid',
    name='new-name',
    egress_allowlist=['api.anthropic.com', '*.openai.com'],
)

store_id

str

required

UUID of the store to update

name

str

New store name

egress_allowlist

list[str] | None

New allowed egress hosts

Returns: dict

`await SecretStore.delete(store_id, **kwargs)`

Deletes the store and all its secrets. Running sandboxes are not affected. Returns: None

`await SecretStore.set_secret(store_id, name, value, **kwargs)`

Set a secret. Encrypted at rest, never returned by API.

await SecretStore.set_secret('store-uuid', 'ANTHROPIC_API_KEY', 'sk-ant-...')

# Optionally restrict to specific hosts:
await SecretStore.set_secret(
    'store-uuid', 'ANTHROPIC_API_KEY', 'sk-ant-...',
    allowed_hosts=['api.anthropic.com'],
)

store_id

str

required

UUID of the secret store

name

str

required

Secret name (env var name in sandboxes)

value

str

required

Secret value

allowed_hosts

list[str] | None

Restrict to specific hosts

Returns: None

`await SecretStore.list_secrets(store_id, **kwargs)`

Returns metadata only. Values are never exposed. Returns: list[dict]

`await SecretStore.delete_secret(store_id, name, **kwargs)`

Returns: None

Using Secrets with Sandboxes

sandbox = await Sandbox.create(
    secret_store='my-agent-secrets',
    timeout=600,
)

# Secrets are available as sealed env vars
result = await sandbox.commands.run('echo $ANTHROPIC_API_KEY')
# stdout: "osb_sealed_abc123..." (sealed, not the real key)

# Outbound HTTPS requests get the real value substituted by the proxy
api_result = await sandbox.commands.run(
    'curl -s https://api.anthropic.com/v1/messages -H "x-api-key: $ANTHROPIC_API_KEY" ...'
)

Getting Started

Agents

Sandboxes

CLI

Guides

TypeScript SDK

Python SDK

CLI Reference

API Reference

Resources

`await SecretStore.create(**kwargs)`

`await SecretStore.list(**kwargs)`

`await SecretStore.get(store_id, **kwargs)`

`await SecretStore.update(store_id, **kwargs)`

`await SecretStore.delete(store_id, **kwargs)`

`await SecretStore.set_secret(store_id, name, value, **kwargs)`

`await SecretStore.list_secrets(store_id, **kwargs)`

`await SecretStore.delete_secret(store_id, name, **kwargs)`

Using Secrets with Sandboxes

Getting Started

Agents

Sandboxes

CLI

Guides

TypeScript SDK

Python SDK

CLI Reference

API Reference

Resources

​await SecretStore.create(**kwargs)

​await SecretStore.list(**kwargs)

​await SecretStore.get(store_id, **kwargs)

​await SecretStore.update(store_id, **kwargs)

​await SecretStore.delete(store_id, **kwargs)

​await SecretStore.set_secret(store_id, name, value, **kwargs)

​await SecretStore.list_secrets(store_id, **kwargs)

​await SecretStore.delete_secret(store_id, name, **kwargs)

​Using Secrets with Sandboxes

`await SecretStore.create(**kwargs)`

`await SecretStore.list(**kwargs)`

`await SecretStore.get(store_id, **kwargs)`

`await SecretStore.update(store_id, **kwargs)`

`await SecretStore.delete(store_id, **kwargs)`

`await SecretStore.set_secret(store_id, name, value, **kwargs)`

`await SecretStore.list_secrets(store_id, **kwargs)`

`await SecretStore.delete_secret(store_id, name, **kwargs)`

Using Secrets with Sandboxes