This feature is currently in public preview and is not recommended for production use.
Header injection
api.stripe.com normally - the proxy intercepts the request, injects the Authorization and Stripe-Version headers with the resolved secret, and forwards it. The sandbox never sees the raw API key.
Body injection (POST requests)
Multiple routing rules
Global catch-all rule
["*"] destination matches all proxied traffic.
Proxy bypass
Domains listed inbypass skip the proxy tunnel entirely (direct connection):
Secret interpolation
Secrets are referenced in headers and body values using the{{SECRET:name}} syntax:
- Multiple
{{SECRET:...}}placeholders can appear in a single value - Secrets are resolved server-side by the proxy — the sandbox runtime never sees raw secret values
- Secrets are write-only: the
secretsfield is stripped from API responses - Secrets are scoped per routing rule: a secret defined on route A cannot be resolved by route B
- User code inside the sandbox can also send
{{SECRET:name}}in its own request headers or body — the proxy will resolve them if the secret exists on the matching route
