Skip to main content

SecretStore.create(opts)

Create a new secret store. 
import { SecretStore } from '@opencomputer/sdk';

const store = await SecretStore.create({
  name: 'my-agent-secrets',
  egressAllowlist: ['api.anthropic.com'],
});
name
string
required
Store name (unique per organization)
egressAllowlist
string[]
Allowed egress hosts (e.g. ["api.anthropic.com"])
Returns: Promise<SecretStoreInfo>

SecretStore.list(opts?)

List all secret stores. Returns: Promise<SecretStoreInfo[]>

SecretStore.get(storeId, opts?)

Get a secret store by ID.
storeId
string
required
UUID of the secret store
Returns: Promise<SecretStoreInfo>

SecretStore.update(storeId, opts)

Partial updates — only the fields you pass are changed. 
const updated = await SecretStore.update('store-uuid', {
  name: 'new-name',
  egressAllowlist: ['api.anthropic.com', '*.openai.com'],
});
storeId
string
required
UUID of the store to update
name
string
New store name
egressAllowlist
string[]
New allowed egress hosts
Returns: Promise<SecretStoreInfo>

SecretStore.delete(storeId, opts?)

Deletes the store and all its secrets. Running sandboxes are not affected. Returns: Promise<void>

SecretStore.setSecret(storeId, name, value, opts?)

Set a secret in a store. Secrets are encrypted at rest. The value is never returned by the API. 
await SecretStore.setSecret('store-uuid', 'ANTHROPIC_API_KEY', 'sk-ant-...');
Optionally restrict which hosts can receive this secret: 
await SecretStore.setSecret('store-uuid', 'ANTHROPIC_API_KEY', 'sk-ant-...', {
  allowedHosts: ['api.anthropic.com'],
});
storeId
string
required
UUID of the secret store
name
string
required
Secret name (used as the env var name in sandboxes)
value
string
required
Secret value (encrypted at rest, never returned by API)
allowedHosts
string[]
Restrict this secret to specific hosts only
Returns: Promise<void>

SecretStore.listSecrets(storeId, opts?)

Returns secret metadata only. Values are never exposed. Returns: Promise<SecretEntryInfo[]>

SecretStore.deleteSecret(storeId, name, opts?)

Returns: Promise<void>

Using Secrets with Sandboxes

Pass the secretStore option to Sandbox.create() to inject the store’s secrets: 
const sandbox = await Sandbox.create({
  secretStore: 'my-agent-secrets',
  timeout: 600,
});

// Secrets are available as sealed env vars
const result = await sandbox.commands.run('echo $ANTHROPIC_API_KEY');
// stdout: "osb_sealed_abc123..." (sealed, not the real key)

// But outbound HTTPS requests get the real value substituted by the proxy
const apiResult = await sandbox.commands.run(
  'curl -s https://api.anthropic.com/v1/messages -H "x-api-key: $ANTHROPIC_API_KEY" ...'
);

Types

PropertyTypeDescription
idstringStore UUID
orgIdstringOrganization UUID
namestringStore name
egressAllowliststring[]Allowed egress hosts
createdAtstringISO 8601 timestamp
updatedAtstringISO 8601 timestamp
PropertyTypeDescription
idstringEntry UUID
storeIdstringParent store UUID
namestringSecret name (env var name)
allowedHostsstring[]Host restrictions
createdAtstringISO 8601 timestamp
updatedAtstringISO 8601 timestamp