Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.amika.dev/llms.txt

Use this file to discover all available pages before exploring further.

Once you’ve pushed secrets and provider credentials to the vault (see Manage secrets), you decide which ones get injected into each new sandbox. Amika supports three patterns:
  1. Env-var secrets — generic secrets exposed as environment variables.
  2. Pinned agent credentials — pick a specific Claude / Codex credential.
  3. Skip an agent kind — opt out entirely for one kind.

Step 1 — Inject env-var secrets

Map a sandbox env var to a secret stored in the vault. 
# Map a specific env var to a secret by name
amika sandbox create --name dev-box \
  --secret env:ANTHROPIC_API_KEY=my-claude-key

# Shorthand: env var name matches the secret name
amika sandbox create --name dev-box --secret env:DATABASE_URL

Step 2 — Pin a specific agent credential

If you have multiple credentials for the same agent (e.g. both an OAuth and an API-key credential for Claude), pin which one to inject. Pin by name or by type. 
# Pin by stored credential name
amika sandbox create --name dev-box \
  --agent-credential claude=personal-oauth

# Pin by type — let the server pick a matching credential
amika sandbox create --name dev-box \
  --agent-credential-type claude=api-key

Step 3 — Skip an agent kind entirely

Opt out of credential injection for one agent kind. 
amika sandbox create --name dev-box \
  --no-agent-credential codex

Inspect what actually got injected

The sandbox response includes a resolvedAgentCredentials field that shows, per kind, the outcome (resolved or skipped), the source, and a reason. Use it to confirm the right credential made it into the sandbox. 
const sb = await amika.getSandbox("dev-box");
for (const c of sb.resolvedAgentCredentials ?? []) {
  console.log(c.kind, c.outcome, c.name, c.source, c.reason);
}
Example: 
claude resolved personal-oauth user_default ""
codex  skipped  ""            no-credential "no-agent-credential flag"

Picking from the web UI

The New sandbox form on app.amika.dev lets you pick the credential per kind from a dropdown. The CLI flags and SDK options above are the scriptable equivalent of that picker.

Combining flags

  • --agent-credential and --agent-credential-type may both appear for the same kind — they narrow by both name and type.
  • --no-agent-credential is mutually exclusive with the other two flags for the same kind.
  • Each flag may appear at most once per kind.
Supported kinds today: claude, codex. Type values: oauth and api_key (the CLI also accepts the hyphenated api-key).

Next steps

Manage secrets

Send a message to an agent

Sandbox configuration reference