Environment variables

Pass configuration, secrets, and runtime settings to your sandboxes using environment variables.

Command and process variables

Pass environment variables when executing commands or starting processes:

// Commands
await sandbox.exec("node app.js", {
  env: {
    NODE_ENV: "production",
    API_KEY: env.API_KEY, // Pass from Worker env
    PORT: "3000",
  },
});

// Background processes (same syntax)
await sandbox.startProcess("python server.py", {
  env: {
    DATABASE_URL: env.DATABASE_URL,
    SECRET_KEY: env.SECRET_KEY,
  },
});

Session-level variables

Set environment variables for all commands in a session:

const session = await sandbox.createSession();

await session.setEnvVars({
  DATABASE_URL: env.DATABASE_URL,
  SECRET_KEY: env.SECRET_KEY,
});

// All commands in this session have these vars
await session.exec("python migrate.py");
await session.exec("python seed.py");

Common patterns

Pass Worker secrets to sandbox

Securely pass secrets from Worker environment:

interface Env {
  Sandbox: DurableObjectNamespace;
  OPENAI_API_KEY: string; // Set with `wrangler secret put`
  DATABASE_URL: string;
}

export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    const sandbox = getSandbox(env.Sandbox, "user-sandbox");

    const result = await sandbox.exec("python analyze.py", {
      env: {
        OPENAI_API_KEY: env.OPENAI_API_KEY,
        DATABASE_URL: env.DATABASE_URL,
      },
    });

    return Response.json({ result });
  },
};

Default values with spreading

Combine default and command-specific variables:

const defaults = {
  NODE_ENV: env.ENVIRONMENT || "production",
  LOG_LEVEL: "info",
  TZ: "UTC",
};

await sandbox.exec("npm start", {
  env: {
    ...defaults,
    PORT: "3000", // Command-specific override
    API_KEY: env.API_KEY,
  },
});

Environment variable precedence

When the same variable is set at multiple levels:

Command-level (highest) - Passed to exec() or startProcess()
Session-level - Set with setEnvVars()
Container default - Built into the Docker image
System default (lowest) - Operating system defaults

Example:

// In Dockerfile: ENV NODE_ENV=development
// In session: await sandbox.setEnvVars({ NODE_ENV: 'staging' });

// In command (overrides all):
await sandbox.exec("node app.js", {
  env: { NODE_ENV: "production" }, // This wins
});

Security best practices

Never hardcode secrets

Bad - Secrets in code:

await sandbox.exec("python app.py", {
  env: {
    API_KEY: "sk-1234567890abcdef", // NEVER DO THIS
  },
});

Good - Secrets from Worker environment:

await sandbox.exec("python app.py", {
  env: {
    API_KEY: env.API_KEY, // From Wrangler secret
  },
});

Set secrets with Wrangler:

wrangler secret put API_KEY

Debugging

List all environment variables:

const result = await sandbox.exec("env");
console.log(result.stdout);

Check specific variable:

const result = await sandbox.exec("echo $NODE_ENV");
console.log("NODE_ENV:", result.stdout.trim());

Troubleshooting

Variable not set

Verify the variable is being passed:

console.log("Worker env:", env.API_KEY ? "Set" : "Missing");

const result = await sandbox.exec("env | grep API_KEY", {
  env: { API_KEY: env.API_KEY },
});
console.log("Sandbox:", result.stdout);

Shell expansion issues

Use runtime-specific access instead of shell variables:

// Instead of: await sandbox.exec('echo $NODE_ENV')
await sandbox.exec('node -e "console.log(process.env.NODE_ENV)"', {
  env: { NODE_ENV: "production" },
});

Wrangler configuration - Setting Worker-level environment
Secrets - Managing sensitive data
Sessions API - Session-level environment variables
Security model - Understanding data isolation

Was this helpful?

Community
X
Discord
YouTube
GitHub