Share feedback
Answers are generated based on the documentation.

sbx secret import

DescriptionImport secrets detected in host environment variables
Usagesbx secret import [SERVICE] [flags]

Description

Import secrets that sbx detects in your host environment variables (e.g. OPENAI_API_KEY, ANTHROPIC_API_KEY, GH_TOKEN) into the global keychain. Once imported, the secret is available to every sandbox without needing the env var on each shell.

Each detected env var is offered interactively with a Y/n prompt and a last-4-char preview of the value. Existing stored entries are never overwritten silently:

  • Interactive mode prompts for confirmation before overwriting.
  • --all imports new entries without prompting but SKIPS overwrites (use --force when you actually want to replace stored values).
  • --force imports unconditionally, including overwriting.

Services that already have an OAuth token configured (e.g. anthropic after sbx run claude … -- auth login) are skipped: the OAuth token takes precedence at runtime so any api-key import would never be used. Run sbx secret rm -g <service> first if you want to switch from OAuth to api-key auth.

Available services: anthropic, cursor, droid, github, google, groq, mistral, nebius, openai, openrouter, xai

Options

OptionDefaultDescription
--allImport every detected env var without prompting
--dry-runShow what would be imported without writing
-f, --forceOverwrite an existing stored entry without confirmation

Global options

OptionDefaultDescription
-D, --debugEnable debug logging

Examples

# Walk every detected env var, prompting before each import
sbx secret import

# Import only the openai service (uses OPENAI_API_KEY)
sbx secret import openai

# Non-interactive: import everything detected without prompting
sbx secret import --all

# Overwrite an existing stored entry without confirmation
sbx secret import openai --force

# Preview what would be imported without writing
sbx secret import --dry-run