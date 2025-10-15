Pass configuration, secrets, and runtime settings to your sandboxes using environment variables.

Command and process variables

Pass environment variables when executing commands or starting processes:

TypeScript // Commands await sandbox . exec ( "node app.js" , { env : { NODE_ENV : "production" , API_KEY : env . API_KEY , // Pass from Worker env PORT : "3000" , }, } ) ; // Background processes (same syntax) await sandbox . startProcess ( "python server.py" , { env : { DATABASE_URL : env . DATABASE_URL , SECRET_KEY : env . SECRET_KEY , }, } ) ;

Session-level variables

Set environment variables for all commands in a session:

TypeScript const session = await sandbox . createSession () ; await session . setEnvVars ( { DATABASE_URL : env . DATABASE_URL , SECRET_KEY : env . SECRET_KEY , } ) ; // All commands in this session have these vars await session . exec ( "python migrate.py" ) ; await session . exec ( "python seed.py" ) ;

Common patterns

Pass Worker secrets to sandbox

Securely pass secrets from Worker environment:

TypeScript interface Env { Sandbox : DurableObjectNamespace ; OPENAI_API_KEY : string ; // Set with `wrangler secret put` DATABASE_URL : string ; } export default { async fetch ( request : Request , env : Env ) : Promise < Response > { const sandbox = getSandbox ( env . Sandbox , "user-sandbox" ) ; const result = await sandbox . exec ( "python analyze.py" , { env : { OPENAI_API_KEY : env . OPENAI_API_KEY , DATABASE_URL : env . DATABASE_URL , }, } ) ; return Response . json ( { result } ) ; }, };

Default values with spreading

Combine default and command-specific variables:

TypeScript const defaults = { NODE_ENV : env . ENVIRONMENT || "production" , LOG_LEVEL : "info" , TZ : "UTC" , }; await sandbox . exec ( "npm start" , { env : { ... defaults , PORT : "3000" , // Command-specific override API_KEY : env . API_KEY , }, } ) ;

Environment variable precedence

When the same variable is set at multiple levels:

Command-level (highest) - Passed to exec() or startProcess() Session-level - Set with setEnvVars() Container default - Built into the Docker image System default (lowest) - Operating system defaults

Example:

TypeScript // In Dockerfile: ENV NODE_ENV=development // In session: await sandbox.setEnvVars({ NODE_ENV: 'staging' }); // In command (overrides all): await sandbox . exec ( "node app.js" , { env : { NODE_ENV : "production" }, // This wins } ) ;

Security best practices

Never hardcode secrets

Bad - Secrets in code:

TypeScript await sandbox . exec ( "python app.py" , { env : { API_KEY : "sk-1234567890abcdef" , // NEVER DO THIS }, } ) ;

Good - Secrets from Worker environment:

TypeScript await sandbox . exec ( "python app.py" , { env : { API_KEY : env . API_KEY , // From Wrangler secret }, } ) ;

Set secrets with Wrangler:

Terminal window wrangler secret put API_KEY

Debugging

List all environment variables:

TypeScript const result = await sandbox . exec ( "env" ) ; console . log ( result . stdout ) ;

Check specific variable:

TypeScript const result = await sandbox . exec ( "echo $NODE_ENV" ) ; console . log ( "NODE_ENV:" , result . stdout . trim ()) ;

Troubleshooting

Variable not set

Verify the variable is being passed:

TypeScript console . log ( "Worker env:" , env . API_KEY ? "Set" : "Missing" ) ; const result = await sandbox . exec ( "env | grep API_KEY" , { env : { API_KEY : env . API_KEY }, } ) ; console . log ( "Sandbox:" , result . stdout ) ;

Shell expansion issues

Use runtime-specific access instead of shell variables:

TypeScript // Instead of: await sandbox.exec('echo $NODE_ENV') await sandbox . exec ( 'node -e "console.log(process.env.NODE_ENV)"' , { env : { NODE_ENV : "production" }, } ) ;

Related resources