Skip to main content

Isolation

Every Upstash Box runs in its own isolated container with a dedicated filesystem, process tree, and network stack. Boxes cannot communicate with or observe each other. Network access is restricted — containers cannot reach private networks, cloud metadata services, or other internal infrastructure.

Environment Variables

You can pass environment variables when creating a box. These are available to all code running inside the box, including your agent and any user-submitted code. 
const box = await Box.create({
  runtime: "node",
  env: {
    DATABASE_URL: "postgres://...",
    ANTHROPIC_API_KEY: "sk-ant-...",
  },
})
Environment variables are visible to all code running inside the box. If you run untrusted code, those secrets can be read by the untrusted code. For sensitive credentials, use Attach Headers instead.

Attach Headers

For injecting secret HTTP headers into outbound HTTPS requests without exposing them inside the container, see Attach Headers.

Blocked Environment Variables

For system security, the following environment variables cannot be set:
VariableReason
PATHPrevents binary hijacking
HOMEPrevents home directory manipulation
LD_PRELOADPrevents shared library injection
LD_LIBRARY_PATHPrevents library path hijacking
NODE_OPTIONSPrevents Node.js flag injection
All other environment variables — including ANTHROPIC_API_KEY, OPENAI_API_KEY, and their *_BASE_URL variants — are allowed. The built-in agent runner uses its own isolated environment that overrides these per-run.