Quickstart
Get up and running in 5 minutes
Prerequisites
- A running Oshu Vault instance (see deployment guide)
- An API key for the proxy's management API
- A sandbox provider account (E2B or Daytona)
Install the SDK
npm install @oshu/vault-sdk @e2b/code-interpreternpm install @oshu/vault-sdk @daytonaio/sdkQuickstart
First, build the custom template with the CA cert and Claude Code baked in.
Create a session with your secrets
import { Sandbox } from "@e2b/code-interpreter";
import { SecretsProxyClient } from "@oshu/vault-sdk";
const client = new SecretsProxyClient({
baseUrl: "https://pv.oshu.dev",
apiKey: process.env.SECRETS_PROXY_API_KEY!,
});
const session = await client.createSession({
secrets: {
ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY!,
},
});Create the sandbox from the template
const proxyUrl = `https://${session.session_id}:${session.token}@pv.oshu.dev`;
const sandbox = await Sandbox.create("oshu-vault-claude", {
envs: {
ANTHROPIC_API_KEY: session.sealed_secrets["ANTHROPIC_API_KEY"],
HTTP_PROXY: proxyUrl,
HTTPS_PROXY: proxyUrl,
},
});Run code — secrets are injected automatically
The template already has Claude Code installed and the CA cert trusted. Just run:
try {
const result = await sandbox.commands.run(
`claude -p "Write a hello world program in Python"`,
{ timeoutMs: 120_000 },
);
console.log(result.stdout);
} finally {
await client.deleteSession(session.session_id);
await sandbox.kill();
}Create a session with your secrets
import { Daytona, Image } from "@daytonaio/sdk";
import { SecretsProxyClient } from "@oshu/vault-sdk";
const client = new SecretsProxyClient({
baseUrl: "https://pv.oshu.dev",
apiKey: process.env.SECRETS_PROXY_API_KEY!,
});
const session = await client.createSession({
secrets: {
ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY!,
},
});The response includes sealed tokens and proxy configuration:
{
"session_id": "sess_abc123...",
"token": "tok_def456...",
"sealed_secrets": {
"ANTHROPIC_API_KEY": "SEALED_aaa111..."
},
"env_vars": {
"HTTP_PROXY": "https://sess_abc123:tok_def456@pv.oshu.dev",
"HTTPS_PROXY": "https://sess_abc123:tok_def456@pv.oshu.dev"
},
"ca_cert": "-----BEGIN CERTIFICATE-----\n..."
}Build an image and create the sandbox
Daytona's declarative image builder lets you bake tools and the proxy CA certificate into the image. The image is cached for 24 hours.
const PROXY_BASE_URL = "https://pv.oshu.dev";
const proxyUrl = `https://${session.session_id}:${session.token}@pv.oshu.dev`;
const image = Image.base("node:22-slim").runCommands(
"apt-get update && apt-get install -y curl ca-certificates && rm -rf /var/lib/apt/lists/*",
`curl -fsSL ${PROXY_BASE_URL}/v1/ca.pem -o /usr/local/share/ca-certificates/proxy-ca.crt && update-ca-certificates`,
"npm install -g @anthropic-ai/claude-code",
);
const daytona = new Daytona({ apiKey: process.env.DAYTONA_KEY });
const sandbox = await daytona.create({
image,
envVars: {
ANTHROPIC_API_KEY: session.sealed_secrets["ANTHROPIC_API_KEY"],
HTTP_PROXY: proxyUrl,
HTTPS_PROXY: proxyUrl,
NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/ca-certificates.crt",
},
});Run code — secrets are injected automatically
Any outbound request containing a sealed token will have it transparently replaced with the real secret:
try {
// Run Claude Code — ANTHROPIC_API_KEY=SEALED_xxx is swapped for the real key
const result = await sandbox.process.executeCommand(
`claude -p "Write a hello world program in Python"`,
);
console.log(result.result);
} finally {
await client.deleteSession(session.session_id);
await daytona.delete(sandbox);
}Next Steps
See the full integration examples for more details: