Environments & secrets
Scope secrets and sandbox configuration per environment — encrypted vault keys, per-environment overrides, and portable sandbox templates.
Workspaces separate runtime configuration into environments (e.g. production, development, preview). Each environment scopes two things: which secret values apply, and which sandbox templates are available for agents that execute code. Manage environments in Workspace → Workbench → Environments.
Environments
- Every workspace has exactly one default environment; promoting another swaps it atomically.
- The default environment cannot be deleted or deactivated — promote a replacement first.
- Agents resolve their environment through an environment binding; unbound agents use the workspace default.
The secrets vault
Secrets are modelled as keys with per-environment overrides:
- A key (e.g.
DATABASE_URL) lives at the workspace root, optionally with a default value. - Each environment can override the key's value; unset an override and the key falls back to its default.
- Keys are sensitive by default and envelope-encrypted at rest. Listing keys returns masked metadata only — plaintext values are never returned by any read surface.
- You can paste
.envtext to bulk-import: Oxagen parses it, previews new keys versus overrides, and only commits when you explicitly confirm.
Secret values are injected into sandboxes at run time for builds and tests. Agents are instructed never to print, write, or commit them — and generated assets and logs are the audit surface if one ever leaks.
Sandbox templates
A sandbox template describes the machine an agent's code runs in:
| Field | Options |
|---|---|
| Provider | modal, vercel, or docker (local) |
| Resources | vCPU (≤4), memory (≤8 GB), disk (≤20 GB), timeout (≤5 min) |
| Network | public, static_egress, aws_privatelink, gcp_psc, reverse_tunnel, ssh_bastion |
| Secrets | All vault keys, or an explicit subset |
| Packages | Preinstalled via apt, npm, pip, cargo, and other managers |
| Tools | Preloaded capabilities, skills, or MCP servers |
Each environment has one default template. Templates are portable: export produces a v1 manifest containing config, tools, and required secret key names — never secret values — which can be imported into another environment or distributed as a plugin. Import upserts any missing secret keys (without values) and warns about tool refs that are not installed.
Related
- CLI sandbox templates — the same objects from the terminal.
- Code execution security — the isolation model underneath.
Configuration
Environment configuration for running and deploying Oxagen — transactional email (SMTP) and local-development behavior.
Email & SMTP
Configure the SMTP transport that delivers verification and password-reset email. In deployed environments the verification email gates sign-in, so a misconfigured transport blocks all new sign-ups — Oxagen now surfaces that failure loudly.