> ## Documentation Index
> Fetch the complete documentation index at: https://docs.amika.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Inject credentials

> Wire stored secrets and agent credentials into a sandbox at create time.

Once you've pushed secrets and provider credentials to the vault (see
[Manage secrets](/guides/manage-secrets)), you decide which ones get
injected into each new sandbox. Amika supports three patterns:

1. **Env-var secrets** — generic secrets exposed as environment variables.
2. **Pinned agent credentials** — pick a specific Claude / Codex credential.
3. **Skip an agent kind** — opt out entirely for one kind.

## Step 1 — Inject env-var secrets

Map a sandbox env var to a secret stored in the vault.

<CodeGroup>
  ```bash CLI theme={null}
  # Map a specific env var to a secret by name
  amika sandbox create --name dev-box \
    --secret env:ANTHROPIC_API_KEY=my-claude-key

  # Shorthand: env var name matches the secret name
  amika sandbox create --name dev-box --secret env:DATABASE_URL
  ```

  ```ts TypeScript theme={null}
  await amika.createSandbox({
    name: "dev-box",
    secretEnvVars: {
      ANTHROPIC_API_KEY: "my-claude-key",
      DATABASE_URL: "database-url",
    },
  });
  ```
</CodeGroup>

## Step 2 — Pin a specific agent credential

If you have multiple credentials for the same agent (e.g. both an OAuth and
an API-key credential for Claude), pin which one to inject. Pin by name or
by type.

<CodeGroup>
  ```bash CLI theme={null}
  # Pin by stored credential name
  amika sandbox create --name dev-box \
    --agent-credential claude=personal-oauth

  # Pin by type — let the server pick a matching credential
  amika sandbox create --name dev-box \
    --agent-credential-type claude=api-key
  ```

  ```ts TypeScript theme={null}
  await amika.createSandbox({
    name: "dev-box",
    agentCredentials: [
      { kind: "claude", name: "personal-oauth" },
      // Or pin by type:
      // { kind: "claude", type: "api_key" },
    ],
  });
  ```
</CodeGroup>

## Step 3 — Skip an agent kind entirely

Opt out of credential injection for one agent kind.

<CodeGroup>
  ```bash CLI theme={null}
  amika sandbox create --name dev-box \
    --no-agent-credential codex
  ```

  ```ts TypeScript theme={null}
  await amika.createSandbox({
    name: "dev-box",
    agentCredentials: [{ kind: "codex", none: true }],
  });
  ```
</CodeGroup>

## Inspect what actually got injected

The sandbox response includes a `resolvedAgentCredentials` field that shows,
per kind, the outcome (`resolved` or `skipped`), the source, and a reason.
Use it to confirm the right credential made it into the sandbox.

```ts theme={null}
const sb = await amika.getSandbox("dev-box");
for (const c of sb.resolvedAgentCredentials ?? []) {
  console.log(c.kind, c.outcome, c.name, c.source, c.reason);
}
```

Example:

```
claude resolved personal-oauth user_default ""
codex  skipped  ""            no-credential "no-agent-credential flag"
```

## Picking from the web UI

The **New sandbox** form on [app.amika.dev](https://app.amika.dev) lets you
pick the credential per kind from a dropdown. The CLI flags and SDK options
above are the scriptable equivalent of that picker.

## Combining flags

* `--agent-credential` and `--agent-credential-type` may both appear for the
  same kind — they narrow by both name and type.
* `--no-agent-credential` is mutually exclusive with the other two flags for
  the same kind.
* Each flag may appear at most once per kind.

Supported kinds today: `claude`, `codex`. Type values: `oauth` and
`api_key` (the CLI also accepts the hyphenated `api-key`).

## Next steps

<CardGroup>
  <Card title="Manage secrets" href="/guides/manage-secrets" icon="key" />

  <Card title="Send a message to an agent" href="/guides/send-a-message-to-an-agent" icon="paper-plane" />

  <Card title="Sandbox configuration reference" href="/reference/sandbox-configuration" icon="sliders" />
</CardGroup>
