Learn security best practices for using Hopx Sandboxes safely and securely.
For detailed security information, see the Security page in Core Concepts.

Secrets Management

Never hardcode secrets in your code. Always use environment variables:
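import os

from hopx_ai import Sandbox

# ✅ Good: Pass secrets via environment variables.
# The values are read from the host environment, not written in source.
sandbox = Sandbox.create(
    template="code-interpreter",
    env_vars={
        "DATABASE_PASSWORD": os.environ["DATABASE_PASSWORD"],
        "API_KEY": os.environ["API_KEY"]
    }
)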

# Use secrets in code
result = sandbox.run_code("""
import os
password = os.getenv('DATABASE_PASSWORD')
api_key = os.getenv('API_KEY')
# Use secrets securely
""")
Never hardcode secrets in your code! Always use environment variables or secrets managers.

Isolation

Each sandbox is completely isolated:
  • Separate filesystem: Each sandbox has its own isolated filesystem
  • Separate network namespace: Each sandbox has its own network stack
  • Separate process tree: Processes cannot access other sandboxes
  • Resource limits: CPU, memory, and disk limits are enforced
from hopx_ai import Sandbox

# Sandbox 1
sandbox1 = Sandbox.create(template="code-interpreter")
sandbox1.files.write("/workspace/data.txt", "Sandbox 1 data")

# Sandbox 2 (completely separate)
sandbox2 = Sandbox.create(template="code-interpreter")
# Cannot access sandbox1's files

Security Best Practices

Always pass secrets via environment variables:
import os

# Read the key from the host environment at runtime
api_key = os.environ["API_KEY"]
sandbox = Sandbox.create(
    template="code-interpreter",
    env_vars={"API_KEY": api_key}
)
For production, use secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.):
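# Get secrets from AWS Secrets Manager.
# get_secrets_from_manager() is your own helper; it must return a dict
# mapping variable names to secret values.
secrets = get_secrets_from_manager()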
sandbox = Sandbox.create(
    template="code-interpreter",
    env_vars=secrets
)
Rotate your API keys every 90 days or when team members leave.
Use separate API keys for development, staging, and production.
Never hardcode secrets in your code:
# ❌ Bad: Hardcoded secret
# sandbox = Sandbox.create(
#     template="code-interpreter",
#     env_vars={"PASSWORD": "hardcoded-secret-123"}
# )
Never share API keys in chat, email, or commit them to version control.
Never log API keys or secrets in plain text. Always redact sensitive information.
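
One way to enforce the redaction rule above on the host side, as an added example that is not Hopx's own code: a standard-library logging filter that masks known secret values and secret-looking name/value pairs before a handler writes them. `SecretRedactor`, its key-name pattern, and the sample values are assumptions chosen for illustration.

```python
import logging
import re


class SecretRedactor(logging.Filter):
    """Hypothetical helper: masks secrets before a handler writes the record."""

    # Mask the value in NAME=value / 'NAME': 'value' pairs when NAME looks secret.
    KEY_PATTERN = re.compile(
        r"(?i)([\w-]*(?:password|passwd|secret|token|api[_-]?key)[\w-]*)"
        r"(['\"]?\s*[=:]\s*['\"]?)([^\s'\",}]+)"
    )

    def __init__(self, secrets=()):
        super().__init__()
        # Exact values to mask; longest first so overlapping secrets go whole.
        self._values = sorted((s for s in secrets if s), key=len, reverse=True)

    def redact(self, text):
        for value in self._values:
            text = text.replace(value, "[REDACTED]")
        return self.KEY_PATTERN.sub(r"\1\2[REDACTED]", text)

    def filter(self, record):
        # Render %-style args first so secrets passed as arguments are caught.
        record.msg = self.redact(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    # Constructed sample values, matching the names used on this page.
    env_vars = {"API_KEY": "key-abc", "DATABASE_PASSWORD": "secret123"}
    handler = logging.StreamHandler()
    handler.addFilter(SecretRedactor(env_vars.values()))
    log = logging.getLogger("sandbox-launcher")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("creating sandbox with env %s", env_vars)
    log.info("retrying with token=%s", "tok-999")
```

Attach the filter to every handler rather than to a single logger, so records propagated from child loggers are masked as well.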

Learn More

For comprehensive security information, see: