Secrets

Project-scoped values for commands and config files that should not be hardcoded into scripts, images, or source code.

Model

Secrets belong to a project. Add them in the dashboard, then use the same project when creating or controlling sandboxes. Secret values are encrypted before storage and are not returned by the API after creation.

A secret has a kind, a target, and a value. For env secrets, the target is the environment variable name. For file secrets, the target is the absolute path where the file should exist inside the sandbox.

Env secrets

Use an env secret when a command expects a value in its environment. In the dashboard, choose Env, set the target to the variable name, and enter the secret value.

Env secrets are merged into commands run through Syva. They are not written to disk by Syva. Explicit env values passed to a command override project env secrets with the same target.

Command
python - <<'PY'
import os

# Confirm the env secret with target KEY is present without printing its value.
if not os.environ.get("KEY"):
    raise SystemExit("KEY is not set")

print("KEY is available")
PY

File secrets

Use a file secret when a tool expects a config file, token file, or rc file at a path. In the dashboard, choose File, set the target to an absolute sandbox path, choose a restrictive mode such as 0600, and enter the file contents as the secret value.

File secrets are synced into active project sandboxes. If you delete or disable the secret, Syva removes that path from active sandboxes.

Command
# Confirm the file secret exists and show its mode, without printing its contents.
test -f /workspace/config/.env
stat -c "%a %n" /workspace/config/.env

Runtime behavior

  • Env secrets are available to commands executed through Syva for the same project.
  • File secrets are written into active sandboxes and applied to new sandboxes after they are created.
  • Secret metadata can be listed, but secret values are not returned after creation or update.
  • Create, update, delete, and file-apply actions are recorded in audit logs.

Safety

Do not print secrets from sandbox processes. Syva redacts exact known secret values in stored command history, but live command output is still the process output. Treat anything a command writes to stdout, stderr, files, or external services as controlled by that command.

Prefer scoped, revocable credentials. Remove secrets when they are no longer needed, and rotate a credential if an agent or command may have exposed it.

Limits

  • Project secrets are managed by project admins and owners.
  • Each project can store up to 20 secrets during the beta.
  • Each secret value can be up to 8 KiB.
  • Env secret targets must be valid environment variable names.
  • File secret targets must be absolute sandbox paths in app-owned locations.
  • File secret modes must be restrictive octal modes such as 0600.
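As an added example, not part of Syva's own code or API, the following Python script applies the rules from the Limits section to a secret definition before it is added, and checks from inside a sandbox that env and file secrets are present without reading or printing their values (the Safety section's point). It assumes nothing about Syva's API; the 8 KiB and 0600 figures come from this page, and the app-owned-location rule is not modelled.

```python
import os
import re
import stat

MAX_VALUE_BYTES = 8 * 1024  # 8 KiB per secret value, as stated under Limits
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # POSIX-style variable name

def validate_secret(kind, target, value, mode=None):
    """Return a list of problems with one secret definition (empty means OK).
    kind is "env" or "file"; mode is an octal string such as "0600" (file only)."""
    problems = []
    if len(value.encode("utf-8")) > MAX_VALUE_BYTES:
        problems.append("value exceeds 8 KiB")
    if kind == "env":
        if not ENV_NAME.match(target):
            problems.append("env target is not a valid variable name")
    elif kind == "file":
        # Assumption: only absoluteness is checked; the app-owned-location rule is not modelled.
        if not target.startswith("/") or ".." in target.split("/"):
            problems.append("file target must be an absolute sandbox path")
        try:
            bits = int(mode, 8)
        except (TypeError, ValueError):
            problems.append("file mode must be an octal mode such as 0600")
        else:
            if bits & 0o077:  # any group or other permission bit set
                problems.append("file mode grants group/other access")
    else:
        problems.append("unknown kind %r" % kind)
    return problems

def check_sandbox(env_targets, file_targets):
    """Report presence of each target; values are never read or printed."""
    status = {}
    for name in env_targets:
        status[name] = "ok" if os.environ.get(name) else "missing"
    for path in file_targets:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            status[path] = "missing"
            continue
        perm = stat.S_IMODE(st.st_mode)
        if not stat.S_ISREG(st.st_mode):
            status[path] = "not a regular file"
        elif perm & 0o077:
            status[path] = "mode too permissive: %04o" % perm
        else:
            status[path] = "ok"
    return status
```

Run `check_sandbox(["KEY"], ["/workspace/config/.env"])` inside a sandbox to get a status per target that is safe to log.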