Developer

Appearance

Secret Injection

Secret Injection

The Secret Injection API manages HTTPS request injection rules stored by the platform. When creating a sandbox, you can reference saved rules through injections, or pass inline rules directly. Real secrets are held by the platform and are not directly readable by processes inside the sandbox.

Supported Injection Types

TypeRequired ParametersDescription
httpbase_urlCustom HTTP header injection
openaiapi_keyOpenAI-compatible API injection. Matches api.openai.com by default
anthropicapi_keyAnthropic API injection. Matches api.anthropic.com by default
geminiapi_keyGoogle Gemini API injection. Matches generativelanguage.googleapis.com by default
sufyapi_keySufy AI API injection. Matches the default Sufy AI API host
githubtokenGitHub HTTPS request injection. Matches github.com and api.github.com

List Injection Rules

Description

Lists saved injection rules under the current account.

Request Path

http
GET /injection-rules

Response Fields

Returns an array of injection rules:

FieldTypeDescription
ruleIDstringInjection rule ID
namestringInjection rule name. Unique under the same user
createdAtstringCreation time
updatedAtstringUpdate time
injectionobjectInjection rule configuration

Request Example

bash
curl -X GET "$SUFY_SANDBOX_API_URL/injection-rules" \
  -H "Authorization: Sufy <SignedToken>"

SignedToken is generated by signing the request with your Sufy AK/SK.

Create an Injection Rule

Description

Creates a reusable injection rule.

Request Path

http
POST /injection-rules

Request Parameters

ParameterTypeRequiredDescription
namestringYesInjection rule name. Maximum 64 characters and unique under the same user
injectionobjectYesInjection rule configuration

Parameters for the http type:

ParameterTypeRequiredDescription
injection.typestringYesAlways http
injection.base_urlstringYesBase URL matched by HTTPS requests. If the protocol is not specified, https is used by default
injection.headersobjectNoHTTP headers to inject or override. Up to 20 entries

Parameters for AI service types:

ParameterTypeRequiredDescription
injection.typestringYesOne of openai, anthropic, gemini, or sufy
injection.api_keystringYesAPI key for the corresponding service
injection.base_urlstringNoCustom base URL. When omitted, the default host for the selected type is used

Parameters for the GitHub type:

ParameterTypeRequiredDescription
injection.typestringYesAlways github
injection.tokenstringYesGitHub token

Response Fields

The fields are the same as a single rule object in the injection rule list.

Request Example

bash
curl -X POST "$SUFY_SANDBOX_API_URL/injection-rules" \
  -H "Authorization: Sufy <SignedToken>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "openai-prod",
    "injection": {
      "type": "openai",
      "api_key": "sk-xxx"
    }
  }'

Response Example

json
{
  "ruleID": "ir_123456",
  "name": "openai-prod",
  "createdAt": "2026-01-01T00:00:00Z",
  "updatedAt": "2026-01-01T00:00:00Z",
  "injection": {
    "type": "openai"
  }
}

Get Injection Rule Details

Request Path

http
GET /injection-rules/{ruleID}

Path Parameters

ParameterTypeRequiredDescription
ruleIDstringYesInjection rule ID

Returns a single injection rule object on success.

Update an Injection Rule

Request Path

http
PUT /injection-rules/{ruleID}

Request Parameters

ParameterTypeRequiredDescription
namestringNoNew injection rule name. Maximum 64 characters
injectionobjectNoNew injection rule configuration

Returns the updated injection rule object on success.

Delete an Injection Rule

Request Path

http
DELETE /injection-rules/{ruleID}

Returns 204 No Content on success.

Reference a Rule When Creating a Sandbox

Saved injection rules can be referenced with type: id when creating a sandbox:

bash
curl -X POST "$SUFY_SANDBOX_API_URL/sandboxes" \
  -H "X-API-Key: $SUFY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "templateID": "base",
    "injections": [
      {
        "type": "id",
        "id": "ir_123456"
      }
    ]
  }'