OxagenDocs
Configuration

Environments & secrets

Scope secrets and sandbox configuration per environment — encrypted vault keys, per-environment overrides, and portable sandbox templates.

Workspaces separate runtime configuration into environments (e.g. production, development, preview). Each environment scopes two things: which secret values apply, and which sandbox templates are available for agents that execute code. Manage environments in Workspace → Workbench → Environments.

Environments

  • Every workspace has exactly one default environment; promoting another swaps it atomically.
  • The default environment cannot be deleted or deactivated — promote a replacement first.
  • Agents resolve their environment through an environment binding; unbound agents use the workspace default.

The secrets vault

Secrets are modelled as keys with per-environment overrides:

  • A key (e.g. DATABASE_URL) lives at the workspace root, optionally with a default value.
  • Each environment can override the key's value; unset an override and the key falls back to its default.
  • Keys are sensitive by default and envelope-encrypted at rest. Listing keys returns masked metadata only — plaintext values are never returned by any read surface.
  • You can paste .env text to bulk-import: Oxagen parses it, previews new keys versus overrides, and only commits when you explicitly confirm.

Secret values are injected into sandboxes at run time for builds and tests. Agents are instructed never to print, write, or commit them — and generated assets and logs are the audit surface if one ever leaks.

Sandbox templates

A sandbox template describes the machine an agent's code runs in:

FieldOptions
Providermodal, vercel, or docker (local)
ResourcesvCPU (≤4), memory (≤8 GB), disk (≤20 GB), timeout (≤5 min)
Networkpublic, static_egress, aws_privatelink, gcp_psc, reverse_tunnel, ssh_bastion
SecretsAll vault keys, or an explicit subset
PackagesPreinstalled via apt, npm, pip, cargo, and other managers
ToolsPreloaded capabilities, skills, or MCP servers

Each environment has one default template. Templates are portable: export produces a v1 manifest containing config, tools, and required secret key names — never secret values — which can be imported into another environment or distributed as a plugin. Import upserts any missing secret keys (without values) and warns about tool refs that are not installed.

On this page