Oshu Vault

Oshu Vault is an HTTP/HTTPS proxy that injects secrets into requests on-the-fly. Your secrets never touch untrusted code — sandboxed environments only see opaque sealed tokens like SEALED_abc123, which the proxy transparently replaces with real values as traffic passes through.

Why?

When running AI-generated code in sandboxes (E2B, Daytona, etc.), you often need the code to access external APIs. But you can’t trust the sandbox with your real API keys — it might exfiltrate them. Oshu Vault solves this:
  1. You register secrets via the management API and get back sealed tokens
  2. The sandbox gets sealed tokens as environment variables — they look like API keys but are useless on their own
  3. All traffic routes through the proxy via standard HTTP_PROXY / HTTPS_PROXY env vars
  4. The proxy swaps sealed tokens for real secrets in headers and request bodies before forwarding to the destination
The sandbox never sees the real secret. The proxy handles HTTPS via MITM with a custom CA certificate.

Features

  • Header + body replacement — sealed tokens are replaced in both HTTP headers and request bodies (streaming, no buffering)
  • HTTPS MITM proxy — full TLS interception with a custom CA cert
  • Session-scoped — each sandbox gets its own session with isolated secrets and optional host allowlists
  • Sliding TTL — sessions auto-expire after inactivity
  • Multi-tenant — API key authentication for tenant isolation
  • Works with any sandbox — E2B, Daytona, or anything that supports HTTP_PROXY
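
The swap in step 4 and the streaming header + body replacement listed under Features, sketched as an added example that is not Oshu Vault's own code. The token pattern, the 64-byte length bound, the `Session` class and the choice to leave tokens sealed for non-allowlisted hosts are assumptions; the page does not specify them.

```python
import re

# Assumed token shape, modelled on the page's SEALED_abc123 example.
MAX_TOKEN_LEN = 64  # assumed upper bound on sealed-token length
TOKEN_RE = re.compile(rb"SEALED_[A-Za-z0-9]{1,%d}" % (MAX_TOKEN_LEN - 7))


class Session:
    """Hypothetical per-sandbox session: sealed token -> secret, optional host allowlist."""

    def __init__(self, secrets, allowed_hosts=None):
        self.secrets = secrets              # {b"SEALED_...": b"real value"}
        self.allowed_hosts = allowed_hosts  # None means any destination

    def resolve(self, token, host):
        if self.allowed_hosts is not None and host not in self.allowed_hosts:
            return token  # assumption: token stays sealed for other hosts
        return self.secrets.get(token, token)  # unknown tokens pass through


def replace_stream(chunks, session, host):
    """Yield body chunks with sealed tokens swapped, holding back only a short tail."""
    def swap(m):
        return session.resolve(m.group(0), host)

    tail = b""
    for chunk in chunks:
        buf = tail + chunk
        # Keep the last MAX_TOKEN_LEN-1 bytes: they may start a token that
        # finishes in the next chunk.
        cut = max(0, len(buf) - (MAX_TOKEN_LEN - 1))
        for m in TOKEN_RE.finditer(buf):
            if m.start() < cut < m.end():
                cut = m.start()  # never split a token across the cut
                break
        if cut:
            yield TOKEN_RE.sub(swap, buf[:cut])
        tail = buf[cut:]
    if tail:
        yield TOKEN_RE.sub(swap, tail)


def demo():
    # Constructed sample data; not real tokens or keys.
    s = Session({b"SEALED_abc123": b"sk-real-key"}, allowed_hosts={"api.example.com"})
    chunks = [b'{"key": "SEAL', b'ED_abc', b'123", "pad": "' + b"x" * 200 + b'"}']
    ok = b"".join(replace_stream(chunks, s, "api.example.com"))
    other = b"".join(replace_stream(chunks, s, "evil.example.net"))
    return ok, other
```

The held-back tail is bounded by the token length, so memory use stays constant regardless of body size, and a token split across any number of chunks is still replaced.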