Skip to main content
W&B Sandboxes is in private preview, available by invitation only. To request enrollment, contact support or your AISE.
Use the W&B Secrets Manager with the W&B Python SDK to access sensitive information such as API keys and tokens in a sandbox. To use a secret in a sandbox, first add it to your team’s Secrets Manager. Then reference that secret by name when you create the sandbox. Do not include the secret’s value directly in your code or in the sandbox configuration. W&B injects each requested secret into the sandbox as an environment variable. By default, the environment variable name matches the secret name. You can customize the environment variable name with the env_var parameter.
See Manage secrets for information about creating and managing secrets in your W&B account.

Access secrets in a sandbox

Use the Secret class to specify which secrets to include in a sandbox. Pass one or more Secret objects to the secrets parameter of Sandbox.run(). Each Secret object identifies a secret by name. W&B injects the secret value into the sandbox as an environment variable.
Pass the secret name, not the secret value. Within the sandbox, read the secret from the corresponding environment variable.
The following example makes two existing secrets available in the sandbox: HF_TOKEN and OPENAI_API_KEY. 
from wandb.sandbox import Sandbox, Secret

with Sandbox.run(
    secrets=[
        Secret(name="HF_TOKEN"),
        Secret(name="OPENAI_API_KEY"),
    ],
) as sandbox:
    result = sandbox.exec([
        "python",
        "-c",
        """
import os
if "HF_TOKEN" in os.environ:
    print(f"Hugging Face token found.")
if "OPENAI_API_KEY" in os.environ:
    print(f"OpenAI key token found.")
""",
    ]).result()
    print(result.stdout)
Inside the sandbox, access each secret through its environment variable. In this example, HF_TOKEN is available as os.environ["HF_TOKEN"], and OPENAI_API_KEY is available as os.environ["OPENAI_API_KEY"]. To customize the environment variable name for a secret, see Use a custom environment variable name.

Use a custom environment variable name

By default, a secret’s environment variable name matches the secret name. To customize a sandbox’s environment variable for a given secret, set the env_var parameter on Secret (Secret(env_var="CUSTOM_NAME")). The following example checks that the HF_TOKEN secret is available in the sandbox: 
from wandb.sandbox import Sandbox, Secret

with Sandbox.run(
    secrets=[
        Secret(name="HF_TOKEN", env_var="HUGGINGFACE_TOKEN")
    ],
) as sandbox:
    result = sandbox.exec([
        "python",
        "-c",
        """
import os
if "HUGGINGFACE_TOKEN" in os.environ:
    print(f"Hugging Face token found!")
""",
    ]).result()
    print(result.stdout)