Quickstart

Prerequisites

A running Oshu Vault instance (see deployment guide)
An API key for the proxy’s management API
A sandbox provider account (E2B or Daytona)

Install the SDK

E2B
Daytona

npm install @oshu/vault-sdk @e2b/code-interpreter

npm install @oshu/vault-sdk @daytonaio/sdk

E2B
Daytona

First, build the custom template with the CA cert and Claude Code baked in.

Create a session with your secrets

import { Sandbox } from "@e2b/code-interpreter";
import { SecretsProxyClient } from "@oshu/vault-sdk";

const client = new SecretsProxyClient({
  baseUrl: "https://pv.oshu.dev",
  apiKey: process.env.SECRETS_PROXY_API_KEY!,
});

const session = await client.createSession({
  secrets: {
    ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY!,
  },
});

Create the sandbox from the template

const proxyUrl = `https://${session.session_id}:${session.token}@pv.oshu.dev`;

const sandbox = await Sandbox.create("oshu-vault-claude", {
  envs: {
    ANTHROPIC_API_KEY: session.sealed_secrets["ANTHROPIC_API_KEY"],
    HTTP_PROXY: proxyUrl,
    HTTPS_PROXY: proxyUrl,
  },
});

Run code — secrets are injected automatically

The template already has Claude Code installed and the CA cert trusted. Just run:

try {
  const result = await sandbox.commands.run(
    `claude -p "Write a hello world program in Python"`,
    { timeoutMs: 120_000 },
  );
  console.log(result.stdout);
} finally {
  await client.deleteSession(session.session_id);
  await sandbox.kill();
}

Create a session with your secrets

import { Daytona, Image } from "@daytonaio/sdk";
import { SecretsProxyClient } from "@oshu/vault-sdk";

const client = new SecretsProxyClient({
  baseUrl: "https://pv.oshu.dev",
  apiKey: process.env.SECRETS_PROXY_API_KEY!,
});

const session = await client.createSession({
  secrets: {
    ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY!,
  },
});

The response includes sealed tokens and proxy configuration:

{
  "session_id": "sess_abc123...",
  "token": "tok_def456...",
  "sealed_secrets": {
    "ANTHROPIC_API_KEY": "SEALED_aaa111..."
  },
  "env_vars": {
    "HTTP_PROXY": "https://sess_abc123:[email protected]",
    "HTTPS_PROXY": "https://sess_abc123:[email protected]"
  },
  "ca_cert": "-----BEGIN CERTIFICATE-----\n..."
}

Build an image and create the sandbox

Daytona’s declarative image builder lets you bake tools and the proxy CA certificate into the image. The image is cached for 24 hours.

const PROXY_BASE_URL = "https://pv.oshu.dev";
const proxyUrl = `https://${session.session_id}:${session.token}@pv.oshu.dev`;

const image = Image.base("node:22-slim").runCommands(
  "apt-get update && apt-get install -y curl ca-certificates && rm -rf /var/lib/apt/lists/*",
  `curl -fsSL ${PROXY_BASE_URL}/v1/ca.pem -o /usr/local/share/ca-certificates/proxy-ca.crt && update-ca-certificates`,
  "npm install -g @anthropic-ai/claude-code",
);

const daytona = new Daytona({ apiKey: process.env.DAYTONA_KEY });

const sandbox = await daytona.create({
  image,
  envVars: {
    ANTHROPIC_API_KEY: session.sealed_secrets["ANTHROPIC_API_KEY"],
    HTTP_PROXY: proxyUrl,
    HTTPS_PROXY: proxyUrl,
    NODE_EXTRA_CA_CERTS: "/etc/ssl/certs/ca-certificates.crt",
  },
});

Run code — secrets are injected automatically

Any outbound request containing a sealed token will have it transparently replaced with the real secret:

try {
  // Run Claude Code — ANTHROPIC_API_KEY=SEALED_xxx is swapped for the real key
  const result = await sandbox.process.executeCommand(
    `claude -p "Write a hello world program in Python"`,
  );
  console.log(result.result);
} finally {
  await client.deleteSession(session.session_id);
  await daytona.delete(sandbox);
}

Next Steps

See the full integration examples for more details:

E2B

Full E2B example with header, body, and Claude Code tests

Daytona

Full Daytona example with image caching and snapshots

Getting Started

Examples

Quickstart

Prerequisites

Install the SDK

Quickstart

Next Steps

E2B

Daytona

Getting Started

Examples

​Prerequisites

​Install the SDK

​Quickstart

​Next Steps

E2B

Daytona

Prerequisites

Install the SDK

Quickstart

Next Steps