FyVault

Ephemeral Sandboxes

Spin up isolated copies of an environment with a TTL. Perfect for AI agents, preview deploys, and CI pipelines.

How it works

A sandbox clones all secrets from a parent environment into an isolated namespace. Changes in the sandbox never affect the parent. When the TTL expires, the sandbox and all its secrets are automatically destroyed.

CLI

# Create a sandbox from staging, TTL 1 hour
fyvault sandbox create \
  --parent staging \
  --name "pr-1234" \
  --ttl 1h

# List active sandboxes
fyvault sandbox list

# Destroy early
fyvault sandbox destroy pr-1234

Node.js

import { FyVault } from "@fyvault/sdk";

const fv = new FyVault({ accessToken: "fv_live_...", orgId: "org_acme" });

// Create a sandbox from staging, TTL 1 hour (3600 seconds)
const sandbox = await fv.sandboxes.create({
  parent: "staging",
  name: "pr-1234",
  ttlSeconds: 3600,
});

// Use the sandbox environment
const dbUrl = await fv.secrets.getValueByName("DATABASE_URL", {
  environment: sandbox.name,
});

// Clean up
await fv.sandboxes.destroy(sandbox.id);

Python

from fyvault import FyVault

fv = FyVault(access_token="fv_live_...", org_id="org_acme")

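# Create a sandbox from staging, TTL 1 hour (3600 seconds)
sandbox = fv.sandboxes.create(
    parent="staging",
    name="pr-1234",
    ttl_seconds=3600,
)

# Use the sandbox environment
db_url = fv.secrets.get_value_by_name("DATABASE_URL", environment=sandbox.name)

# Clean up
fv.sandboxes.destroy(sandbox.id)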

Use cases

AI agent workflows

Give each agent run its own isolated environment that self-destructs when the task is done.

Preview deploys

Create a sandbox per PR so each preview deployment gets its own secrets without affecting staging.

CI pipelines

Spin up a sandbox at the start of a test run and destroy it when tests complete.
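
The CI pattern above, as an added example that is not FyVault's own code: a context manager that destroys the sandbox even when the test run raises, while keeping the TTL as a backstop for a killed process. The names ephemeral_sandbox, StubSandboxes and run_job are hypothetical, and the stub client is constructed so the block runs offline; the create/destroy call shapes follow the Python section.

```python
import contextlib
import itertools
import types
import uuid


@contextlib.contextmanager
def ephemeral_sandbox(fv, parent, prefix, ttl_seconds=3600):
    """Create a sandbox for one run and destroy it on exit, even on failure."""
    # Unique name per run so concurrent jobs never share a sandbox.
    name = f"{prefix}-{uuid.uuid4().hex[:8]}"
    # Keep the TTL: it is the backstop if the process dies before `finally`.
    sandbox = fv.sandboxes.create(parent=parent, name=name, ttl_seconds=ttl_seconds)
    try:
        yield sandbox
    finally:
        fv.sandboxes.destroy(sandbox.id)


class StubSandboxes:
    """Constructed in-memory stand-in for fv.sandboxes; not the real SDK."""

    def __init__(self):
        self.active = {}
        self._ids = itertools.count(1)

    def create(self, parent, name, ttl_seconds):
        sb = types.SimpleNamespace(id=f"sb_{next(self._ids)}", name=name,
                                   parent=parent, ttl_seconds=ttl_seconds)
        self.active[sb.id] = sb
        return sb

    def destroy(self, sandbox_id):
        self.active.pop(sandbox_id, None)


def run_job(fv, fail=False):
    """Simulated CI job (hypothetical): returns the sandbox name it ran in."""
    with ephemeral_sandbox(fv, parent="staging", prefix="ci", ttl_seconds=900) as sb:
        if fail:
            raise RuntimeError("tests failed")
        return sb.name


if __name__ == "__main__":
    fv = types.SimpleNamespace(sandboxes=StubSandboxes())
    print(run_job(fv), "sandboxes left:", len(fv.sandboxes.active))
```

With the real client, pass the FyVault instance as fv and read secrets inside the with block using environment=sb.name.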

See also: Agent Credentials, fyvault init