Skip to main content
Pocketenv has two ways to pass configuration into a sandbox:
Environment VariablesSecrets
Stored asPlaintextEncrypted (libsodium)
Visible in APIYesRedacted
Use forNon-sensitive configPasswords, tokens, keys

Environment variables

CLI

# Set a variable
pocketenv env put my-sandbox DATABASE_URL "postgres://localhost/mydb"
pocketenv env put my-sandbox NODE_ENV "production"

# List all variables
pocketenv env list my-sandbox
pocketenv env ls my-sandbox      # alias

# Delete a variable
pocketenv env delete <variable-id>
pocketenv env rm <variable-id>   # alias

SDK

await sandbox.env.put("DATABASE_URL", "postgres://localhost/mydb");
await sandbox.env.put("NODE_ENV", "production");

const vars = await sandbox.env.list();
// [{ id: "...", name: "DATABASE_URL", value: "postgres://..." }, ...]

await sandbox.env.delete(varId);

Secrets

Secrets are encrypted at rest using libsodium. The value is never returned in API responses — only a redacted placeholder is shown.

CLI

# Set a secret (you'll be prompted for the value)
pocketenv secret put my-sandbox API_KEY

# List secret names (values are never shown)
pocketenv secret list my-sandbox
pocketenv secret ls my-sandbox   # alias

# Delete
pocketenv secret delete <secret-id>
pocketenv secret rm <secret-id>  # alias

SDK

await sandbox.secret.put("API_KEY", process.env.API_KEY!);
await sandbox.secret.put("STRIPE_SECRET", "sk_live_...");

const secrets = await sandbox.secret.list();
// [{ id: "...", name: "API_KEY" }]  ← value is never returned

await sandbox.secret.delete(secretId);

Setting variables at sandbox creation

You can bake env vars and secrets into a sandbox at creation time via the SDK builder: 
const sandbox = await Sandbox.builder("openclaw")
  .name("my-app")
  .env("NODE_ENV", "production")
  .env("PORT", "3000")
  .secret("DATABASE_URL", process.env.DATABASE_URL!)
  .secret("API_KEY", process.env.API_KEY!)
  .create();

API

For direct API usage see: