Incident

Your AI agent doesn't know it's in production.

It just ran a migration against your live database. With your full credentials. At 3am. While you were asleep.

Devin needs database access to test a feature. So you hand it your production credentials. Because what else are you going to do? Spin up a whole new environment for a 20-minute task?

The AI agent doesn't understand blast radius. It will run whatever query it thinks is right. With your full credentials. Against your live database. It doesn't know the difference between staging and production, and it never will.

Real credentials. Contained risk.

Ephemeral sandboxes clone only the secrets the agent needs into a temporary, isolated environment. The AI gets real credentials that actually work, but they're walled off from everything else. When the task is done, the sandbox and its secrets cease to exist.

Production

clone→

Sandbox

use→

Auto-destroy ⏱

Real credentials, fully isolated. The sandbox self-destructs when the TTL expires.

production

42 secrets

clone 3 of 42

sandbox-a7f2e1

3 secrets (isolated)

30:00

30 minutes. then it's gone.

How It Works

A playground, not the production floor.

Clone

Cherry-pick secrets from production. Only the three the agent actually needs, not all forty-two.

Isolate

The agent works with real credentials inside a walled-off environment. Production never knows it exists.

Destroy

TTL expires, the sandbox and every secret inside it cease to exist. No cleanup scripts. No forgotten credentials.

One command to isolate. Zero commands to clean up.

fyvault sandbox create

$ fyvault sandbox create \

--from=production \

--secrets=DB_URL,STRIPE_KEY,REDIS_URL \

--ttl=30m

✓ Sandbox created

Environment: sandbox-a7f2e1 (ephemeral)

Cloned from: production

Secrets: 3 of 42 (scoped)

Auto-destroy: 30 minutes

Export: FYVAULT_ENV=sandbox-a7f2e1

Use Cases

AI agents don't understand blast radius

AI coding agents

Devin needs DB access for a migration test. Give it scoped credentials that vanish the moment the task ends.

Preview deployments

Every Vercel preview gets its own isolated secrets, scoped to the branch. Merged? Secrets are already gone.

CI test suites

Fresh credentials per pipeline run. No shared state bleeding between tests. No stale tokens causing flaky failures.

Contractor access

External devs get the credentials they need for a two-week sprint. Engagement ends, access ends. Automatically.

SDK

Or spin up sandboxes from code

TypeScript

const sandbox = await fv.environments.createSandbox({
  fromEnvironment: "production",
  secrets: ["DB_URL", "STRIPE_KEY"],
  ttlMinutes: 30,
});
// 30 minutes. Then it's gone.

Python

# Create an ephemeral sandbox
sandbox = fv.environments.create_sandbox(
    from_environment="production",
    secrets=["DB_URL", "STRIPE_KEY"],
    ttl_minutes=30,
)
# 30 minutes. Then it's gone.

Security

The sandbox is a dead end, by design.

Cloned secrets are independently encrypted, not pointers to the originals. Revoking the sandbox cannot touch production.

Sandbox tokens have zero permission to read, write, or escalate to the parent environment.

Destruction is enforced server-side. It does not depend on client TTL, cron jobs, or the agent shutting down cleanly.

Every secret access during the sandbox lifetime is logged to a tamper-proof audit trail.

Give AI agents a playground, not the production floor.

Real credentials. Contained risk. 30 minutes, then it's gone.