Description
Hi,
I'm loving sprites so far, thank you for building this!
I have a use case that I'm not sure is supported, and I'd be curious if anything like this was on your roadmap or close to being supported.
I'd like to use some sort of Secret Management system that allows me to protect the Claude Code API key itself from the agent running in the Sprite.
My best idea for this is to:
- set ANTHROPIC_API_KEY to a bogus/unique string inside the sprite's Claude Code instance
- route outbound network traffic to the Anthropic API through a proxy
- in the proxy, replace the token with the real Anthropic API key
The problem with this is I need some way to identify the Sprite. I was hoping to use some sort of internal network identifier to verify that the traffic from Sprite A was coming from one of "my" sprites, but I don't see a way to verify that, as I don't think the sprites are "in my network".
Perhaps I'm thinking about this too narrowly, and perhaps there's a more tried-and-true pattern for this.
Put another way, the more general problem is: how do I protect secrets from the agent itself?
Thanks!
Dan
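The header swap described in the three steps above, as an added example that is not part of the original post and not code from the Sprites project. It assumes the key travels in the Anthropic API's `x-api-key` header; the placeholder values, sprite labels, and function names are constructed for illustration.

```python
import hmac

UPSTREAM_HOST = "api.anthropic.com"
# Constructed values: one unique placeholder per sprite, known only to the proxy.
PLACEHOLDERS = {
    "sprite-a": "placeholder-3f9c1e-sprite-a",
    "sprite-b": "placeholder-77ab02-sprite-b",
}
# Headers that must not be forwarded as-is; Host is re-pinned below.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "te",
              "trailer", "transfer-encoding", "upgrade", "host"}


def identify_sprite(presented, placeholders=PLACEHOLDERS):
    """Return the sprite label whose placeholder matches, else None."""
    match = None
    for label, token in placeholders.items():
        # compare_digest avoids leaking how many leading bytes matched
        if hmac.compare_digest(presented.encode(), token.encode()):
            match = label
    return match


def rewrite_request(headers, real_key, placeholders=PLACEHOLDERS):
    """Swap the placeholder for the real key, or return (None, None) to reject."""
    lowered = {k.lower(): v for k, v in headers.items()}
    label = identify_sprite(lowered.get("x-api-key", ""), placeholders)
    if label is None:
        return None, None  # unknown token: never attach the real key
    out = {k: v for k, v in lowered.items()
           if k not in HOP_BY_HOP and k not in ("x-api-key", "authorization")}
    out["host"] = UPSTREAM_HOST  # pin the destination, ignore the client's Host
    out["x-api-key"] = real_key  # the real key exists only inside the proxy
    return label, out
```

The returned label gives the proxy a per-sprite identity for logging, rate limits, and revocation. The placeholder is still a bearer credential for the proxy itself, so this keeps the real key out of the sprite but does not stop the agent from making calls through the proxy.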