Agent credential setup
For remote sandboxes, you can push Claude Code credentials to the Amika secrets store and have them automatically injected at sandbox creation time. This avoids manual authentication inside the sandbox.
See CLI reference for the full amika secret claude push/list/delete flag reference.
OAuth Workflow (preferred)
- Push credentials from your local machine:
# Specify the "oauth" type and amika will auto-detect and store your credential in the secret vault
amika secret claude push --type oauth
- The OAuth credential is auto-set inside the sandbox’s Claude settings, so you can just run
claude without having to log in again.
API Key Workflow
- Push credentials from your local machine:
# Interactive discovery (scans Claude config files and macOS keychain)
amika secret claude push
# Or specify directly
amika secret claude push --type api_key --value sk-ant-xxx
- Inject when creating a sandbox — select a credential via the web UI, or use the
--secret flag:
amika sandbox create --git --remote --secret env:ANTHROPIC_API_KEY=my-claude-key
- Claude Code is pre-authenticated inside the sandbox — no manual login needed.
Credential discovery
amika auth extract discovers locally stored API credentials from multiple coding agent tools and prints them as shell environment assignments.
You can use this to copy coding agent credentials into Amika’s web UI so you can
spin up ready-to-go sandboxes from the web.
Quick start
# Print detected assignments
amika auth extract
# Export into current shell
eval "$(amika auth extract --export)"
# Skip OAuth sources
amika auth extract --no-oauth
Supported sources
Amika reads sources in priority order.
| Priority | Source | Files | Providers |
|---|
| 500 | Claude API key | ~/.claude.json.api, ~/.claude.json | Anthropic |
| 400 | Claude OAuth | ~/.claude/.credentials.json, ~/.claude-oauth-credentials.json | Anthropic |
| 300 | Codex | ~/.codex/auth.json | OpenAI |
| 290 | Amika env cache | ${XDG_CACHE_HOME}/amika/env-cache.json | Any |
| 280 | Amika keychain | ${XDG_DATA_HOME}/amika/keychain.json | Any |
| 270 | Amika OAuth | ${XDG_STATE_HOME}/amika/oauth.json | Any |
| 200 | OpenCode | ~/.local/share/opencode/auth.json | Any |
| 100 | Amp | ~/.amp/config.json | Anthropic |
Output mapping
Amika normalizes provider names and exports common aliases:
- Anthropic keys output as both
ANTHROPIC_API_KEY and CLAUDE_API_KEY.
- OpenAI keys output as both
OPENAI_API_KEY and CODEX_API_KEY.
Example output:
ANTHROPIC_API_KEY='sk-ant-...'
CLAUDE_API_KEY='sk-ant-...'
OPENAI_API_KEY='sk-...'
CODEX_API_KEY='sk-...'
Provider canonicalization
Provider names are normalized before deduplication:
claude, anthropic → anthropiccodex, openai → openai- Other providers are lowercased, with separators normalized to hyphens
OAuth token handling
OAuth sources (claude_oauth, amika_oauth, Codex OAuth, OpenCode OAuth) are included by default. Use --no-oauth to skip them.
OAuth tokens with an expiresAt or expires timestamp are skipped if expired.
Flags
| Flag | Default | Description |
|---|
--export | false | Prefix lines with export |
--homedir <path> | $HOME | Override home directory for discovery |
--no-oauth | false | Skip OAuth credential sources |
Use --homedir in CI or test environments when you need deterministic credential fixtures.
