Secrets
Environment variables & secrets access in dev environments
Open-SWE implements a secure, encrypted way to share user environment variables with the agent and pass them to the development server.
Default Behavior (Secure):
Environment Variables & API Keys
How API Keys Are Protected
Your API keys are protected with industry-standard AES-256-GCM encryption both in transit and at rest. Storage Process:- Frontend: Temporarily stored in browser localStorage (plain text)
- Transit: Encrypted with AES-256-GCM before sending to backend
- Backend: Stored encrypted in LangGraph’s database
- Runtime: Decrypted when necessary using server-side encryption keys
Technical Encryption Details
Technical Encryption Details
Encryption Details:
- Algorithm: AES-256-GCM (authenticated encryption)
- Key Derivation: SHA-256 hash of system
SECRETS_ENCRYPTION_KEY - IV Generation: Random 12-byte initialization vector per encryption
- Authentication: 16-byte authentication tag prevents tampering
System vs User Environment Variables
Open-SWE handles two types of environment variables: System Environment Variables:- Purpose: Environment variables required to run Open-SWE. If you’re self-hosting, you can set LLM, infrastructure, and authentication keys
- Examples:
DAYTONA_API_KEY,SECRETS_ENCRYPTION_KEY,GITHUB_APP_PRIVATE_KEY - Access: Server-side only via
process.env - Security: Never exposed to users or sandboxes
- Purpose: Personal API keys and custom development variables
- Examples:
ANTHROPIC_API_KEY,MY_DATABASE_URL,STRIPE_TEST_KEY - Access: User-controlled via settings page in UI
- Security: AES-256-GCM encrypted + explicit user consent required to pass them to the development server
When API Keys Are Exposed to Sandbox Environments
Your API keys are never automatically exposed to sandbox environments. Exposure requires explicit user consent. You may wonder, why does the sandbox environment even need API keys? We’ve designed Open-SWE to be your junior dev. Part of development is testing code in real-time. Open-SWE has the ability to spin up development servers that can run your LangGraph agents, Next.js apps, Flask servers, and more, all within the sandbox its running in. If you think this option can be useful, please review what it means to pass your keys to the sandbox.Consider using separate development API keys with limited permissions instead of your production keys when enabling sandbox access. This reduces the impact of potential exposure while maintaining functionality.
- API keys are only used for LLM model initialization & setting up Daytona using your own key, if you passed it
- Keys are NOT available as environment variables in sandboxes or accessible to LLMs
- Each key has
allowedInDev: falseby default
- You manually toggle the switch for each API key
- Key becomes available as an environment variable in sandbox
- You maintain control over which keys are exposed
Sandbox Security & Isolation
Container Isolation
Each user session runs in a completely isolated Daytona container with multiple security boundaries. These containers can modify the code in your repo on a new branch and don’t exchange information across sessions.Isolation Details
Isolation Details
Container Isolation:
- Separate container per user session
- No shared file systems between containers
- Container-level resource limits and quotas
- User environment variables vs system environment variables
- Sandboxed processes cannot access host system or code
- Automatic deletion after 15 minutes of inactivity
- No persistent storage across sessions
- Fresh environment for each new session
- Containers cannot communicate with each other
Data Handling & Access Control
When enabling “Include in Dev Server” for API keys, you’re expanding the attack surface of your credentials. AI agent may inadvertently expose environment variables in generated code or logs. Only use this feature when necessary for development server monitoring.
Development Environment Exposure Risks
You should only use this feature if you find it useful to monitor development servers. We recommend not using your main keys and having access control for keys that you pass to sandbox environments. While the Open-SWE UI and agent exchange these using encryption, LLM may leave environment variables exposed in the code.Security Best Practices
Our team loves using Open-SWE internally and we recommend the following best practices:- Use the minimum required permissions for each API key
- Regularly rotate your API keys
- Only enable “Include in Dev Server” when necessary for specific tools
- Monitor the “Last Used” timestamps in settings
- Consider using separate development keys instead of production keys for sandbox environments
- Never enable sandbox access for production database credentials or high-privilege API keys
- Review generated code for accidentally exposed environment variables before deploying