Overview
Agent Gateways let your agents call LLM APIs like Anthropic and OpenAI without ever seeing your API keys. Your real credentials stay secure on Runloop’s servers—the agent only gets a temporary gateway token.
Example: using Claude Code with a gateway
When you create a devbox with a gateway configuration, Runloop sets environment variables like $ANTHROPIC_URL and $ANTHROPIC inside the devbox. Any LLM client can use them. For example, to run Claude Code inside the devbox with the gateway:
Claude Code works normally — it makes API calls to the gateway URL using the gateway token, and the Agent Gateway injects your real API key server-side:
Your agent never sees your real sk-ant-... key. Even printing all environment variables only reveals useless gateway tokens:
Using the gateway in code is just as straightforward — point any LLM SDK at the gateway URL:
The Agent Gateway intercepts each request and injects your real API key server-side. The request reaches Anthropic with x-api-key: sk-ant-... but your agent never sees it.
This protects your API keys from:
- Prompt injection attacks — Even if an attacker tricks your agent into printing all environment variables, they only get useless gateway tokens
- Malicious code — Code running in the devbox cannot access your real credentials
- End users — Users of your AI product cannot extract your API keys through social engineering
How It Works
- Configure a Gateway: Define the target endpoint (e.g.,
https://api.anthropic.com) and how credentials should be applied
- Store the Secret: Create an account secret containing your actual API key
- Launch with Gateway: Create a devbox with the gateway configuration—it receives a gateway URL and token, not your real API key
- Make Requests: Your agent uses the gateway URL and token to make API calls; the gateway injects your real credentials server-side
Why Use Agent Gateways?
Credential Isolation
The most important benefit is that your API keys never enter the devbox. The agent only sees:
- A gateway URL (e.g.,
$ANTHROPIC_URL)
- A gateway token (e.g.,
$ANTHROPIC)
Gateway tokens are bound to a specific devbox. Even if someone extracts a gateway token, it only works from within that particular devbox—it cannot be used from any other machine or network location. This means a leaked token is useless outside the devbox it was issued for.
Even if an attacker gains full access to the devbox or tricks your agent into revealing all environment variables, they cannot obtain your actual API keys.
Defense Against Prompt Injection
Sophisticated prompt injection attacks try to manipulate AI agents into revealing secrets. With Agent Gateways:
Quick Start: Setting Up a Gateway for Anthropic
This example shows how to create a gateway config for the Anthropic API, store your API key as a secret, and use them together in a devbox.
Step 1: Create a Gateway Config
First, create a gateway config that defines the target endpoint and authentication mechanism.
Step 2: Create a Secret for Your API Key
Store your LLM provider API key as an account secret. Use the secret_name defined in Step 1.
Step 3: Create a Devbox with the Gateway
Create a devbox using your gateway config and secret. The secret field must match the name of the secret you created in Step 2.
Step 4: Use the Gateway in Your Agent
When you create a devbox with a gateway configuration, Runloop automatically sets environment variables on the devbox:
$ANTHROPIC_URL — The gateway endpoint URL
$ANTHROPIC — A gateway token (not your real API key)
Any LLM client running inside the devbox can use these to make API calls through the gateway.
Claude Code — launch with the gateway environment variables:
Anthropic SDK — point at the gateway URL:
Gateway Configuration Options
Authentication Mechanisms
Gateway configs support two authentication types:
Common Gateway Configurations
OpenAI Gateway
Custom API Gateway
Multiple Gateways
You can configure multiple gateways for a single devbox, allowing your agent to securely access multiple APIs.
Managing Gateway Configs
List Gateway Configs
Update a Gateway Config
Delete a Gateway Config
Deleting a gateway config is permanent and cannot be undone. Ensure no devboxes are actively using the gateway before deletion.
Using Agent Gateways with LLM Clients
Most LLM client libraries and tools support custom base URLs. Set them to your gateway environment variables.
Claude Code
Or to make it persistent for the session:
OpenAI SDK
Codex (OpenAI)
Codex supports custom API base URLs via environment variables. Set up an OpenAI gateway and configure the devbox:
See the Codex authentication docs and non-interactive auth for details on supported environment variables and alternative providers.
OpenCode
OpenCode supports multiple LLM providers. Configure a gateway for your preferred provider:
See the OpenCode providers docs for the full list of supported providers and their configuration.
Gemini CLI
Gemini CLI authenticates with a Gemini API key or Vertex AI credentials. Set up a Google AI gateway:
See the Gemini CLI docs for API key auth and Vertex AI auth.
DeepAgents
DeepAgents supports multiple LLM providers. Configure gateways for the providers you need:
See the DeepAgents quickstart for the full list of supported API key environment variables.
Security Best Practices
1. Prefer Agent Gateways Over Direct Secrets
For any sensitive API credentials—especially LLM provider keys—use Agent Gateways instead of passing secrets directly to devboxes. Gateways ensure your real API keys are never exposed to the agent, protecting against prompt injection, credential leaks, and malicious code.
Avoid:
- Passing API keys directly to devboxes via the
secrets parameter
- Hardcoding API keys in code that runs inside devboxes
- Storing API keys in files within devboxes
Instead, configure an Agent Gateway so the devbox only ever receives a gateway token—never your real credentials.
2. Combine with Network Policies
For maximum security, combine Agent Gateways with Network Policies to restrict which endpoints your devbox can reach. Set allow_agent_gateway to enable gateway traffic without opening up all of *.runloop.ai.
3. Use Descriptive Gateway Names
The gateway name becomes the prefix for environment variables. Use clear, uppercase names:
- ✅
ANTHROPIC, OPENAI, INTERNAL_API
- ❌
my-gateway, apiKey1, test
4. Rotate Secrets Regularly
Update your account secrets periodically. When you update a secret, all new devboxes using that secret will automatically use the new value.
5. Monitor Gateway Usage
Review which gateways are being used and audit access patterns to detect potential misuse.
Comparison: Agent Gateways vs. Direct Secrets
Common Use Cases
AI Coding Agent
Secure your coding agent that needs access to multiple LLM providers:
When building an AI platform serving multiple customers, use gateways to isolate credentials. You can reuse the same gateway config with different secrets for each customer: