Skip to main content
Keep API keys out of sandbox code. Create an Identity provider, add key/value secrets, attach it to a runtime (sandbox), and those secrets become environment variables on each run_code / run_cmd.
Manage Identity providers in Identity → Providers on the platform, or via client.identity.providers / /v1/identity/providers. Secret values are write-only — list/get return masked placeholders only.

Why Identity providers?

WithoutWith
Keys in prompts or scriptsKeys encrypted in Identity
Copy keys into every sandboxAttach once; reuse across runtimes
Painful rotationUpdate the Identity provider; next execution uses the new value
Secrets are resolved at execution time. They are not stored in the runtime’s persisted env record.

Behavior

  • Secret keys become env var names (OPENAI_API_KEY).
  • Same key on an Identity provider overwrites the previous value.
  • Attach at create (providers=[...]) or later with client.identity.providers.attach(...).
  • After detach, the next execution no longer receives those keys.
  • Interactive terminal/SSH does not auto-inherit Identity provider secrets — use run_code or run_cmd.

Create an Identity provider

Multiple secrets

One Identity provider can hold several keys:

Attach at create

Attach to a running sandbox

Use secrets in code

Detach

SDK reference

All Identity provider operations live under client.identity.providers (maps to /v1/identity/providers).
MethodPurpose
create(...)Create an Identity provider (optional initial secrets)
list(...)List Identity providers (masked)
get(provider_id)Get one Identity provider (masked secrets)
update(provider_id, ...)Update name, type, or is_active
delete(provider_id)Soft-delete the Identity provider
add_secret(provider_id, key, value)Add or upsert a secret pair
list_secrets(provider_id)List secret keys (values masked)
update_secret(provider_id, secret_id, ...)Rename key and/or replace value
delete_secret(provider_id, secret_id)Delete a secret pair
attach(provider_id, runtime_id)Attach to a runtime sandbox
detach(provider_id, runtime_id)Detach from a runtime sandbox
list_for_runtime(runtime_id)List Identity providers attached to a runtime

CLI

Next

Create Runtime

Create a sandbox with Identity providers

Run Python

Execute code that reads env vars