Skip to main content

Overview

Agent Gateways let your agents call LLM APIs like Anthropic and OpenAI without ever seeing your API keys. Your real credentials stay secure on Runloop’s servers—the agent only gets a temporary gateway token. Example: using Claude Code with a gateway When you create a devbox with a gateway configuration, Runloop sets environment variables like $ANTHROPIC_URL and $ANTHROPIC inside the devbox. Any LLM client can use them. For example, to run Claude Code inside the devbox with the gateway:
Claude Code works normally — it makes API calls to the gateway URL using the gateway token, and the Agent Gateway injects your real API key server-side:
Your agent never sees your real sk-ant-... key. Even printing all environment variables only reveals useless gateway tokens:
Using the gateway in code is just as straightforward — point any LLM SDK at the gateway URL:
The Agent Gateway intercepts each request and injects your real API key server-side. The request reaches Anthropic with x-api-key: sk-ant-... but your agent never sees it. This protects your API keys from:
  • Prompt injection attacks — Even if an attacker tricks your agent into printing all environment variables, they only get useless gateway tokens
  • Malicious code — Code running in the devbox cannot access your real credentials
  • End users — Users of your AI product cannot extract your API keys through social engineering

How It Works

  1. Configure a Gateway: Define the target endpoint (e.g., https://api.anthropic.com) and how credentials should be applied
  2. Store the Secret: Create an account secret containing your actual API key
  3. Launch with Gateway: Create a devbox with the gateway configuration—it receives a gateway URL and token, not your real API key
  4. Make Requests: Your agent uses the gateway URL and token to make API calls; the gateway injects your real credentials server-side

Why Use Agent Gateways?

Credential Isolation

The most important benefit is that your API keys never enter the devbox. The agent only sees:
  • A gateway URL (e.g., $ANTHROPIC_URL)
  • A gateway token (e.g., $ANTHROPIC)
Gateway tokens are bound to a specific devbox. Even if someone extracts a gateway token, it only works from within that particular devbox—it cannot be used from any other machine or network location. This means a leaked token is useless outside the devbox it was issued for. Even if an attacker gains full access to the devbox or tricks your agent into revealing all environment variables, they cannot obtain your actual API keys.

Defense Against Prompt Injection

Sophisticated prompt injection attacks try to manipulate AI agents into revealing secrets. With Agent Gateways:

Quick Start: Setting Up a Gateway for Anthropic

This example shows how to create a gateway config for the Anthropic API, store your API key as a secret, and use them together in a devbox.

Step 1: Create a Gateway Config

First, create a gateway config that defines the target endpoint and authentication mechanism.

Step 2: Create a Secret for Your API Key

Store your LLM provider API key as an account secret. Use the secret_name defined in Step 1.

Step 3: Create a Devbox with the Gateway

Create a devbox using your gateway config and secret. The secret field must match the name of the secret you created in Step 2.

Step 4: Use the Gateway in Your Agent

When you create a devbox with a gateway configuration, Runloop automatically sets environment variables on the devbox:
  • $ANTHROPIC_URL — The gateway endpoint URL
  • $ANTHROPIC — A gateway token (not your real API key)
Any LLM client running inside the devbox can use these to make API calls through the gateway. Claude Code — launch with the gateway environment variables:
Anthropic SDK — point at the gateway URL:

Gateway Configuration Options

Authentication Mechanisms

Gateway configs support two authentication types:

Common Gateway Configurations

OpenAI Gateway

Custom API Gateway

Multiple Gateways

You can configure multiple gateways for a single devbox, allowing your agent to securely access multiple APIs.

Managing Gateway Configs

List Gateway Configs

Update a Gateway Config

Delete a Gateway Config

Deleting a gateway config is permanent and cannot be undone. Ensure no devboxes are actively using the gateway before deletion.

Using Agent Gateways with LLM Clients

Most LLM client libraries and tools support custom base URLs. Set them to your gateway environment variables.

Claude Code

Or to make it persistent for the session:

OpenAI SDK

Codex (OpenAI)

Codex supports custom API base URLs via environment variables. Set up an OpenAI gateway and configure the devbox:
See the Codex authentication docs and non-interactive auth for details on supported environment variables and alternative providers.

OpenCode

OpenCode supports multiple LLM providers. Configure a gateway for your preferred provider:
See the OpenCode providers docs for the full list of supported providers and their configuration.

Gemini CLI

Gemini CLI authenticates with a Gemini API key or Vertex AI credentials. Set up a Google AI gateway:
See the Gemini CLI docs for API key auth and Vertex AI auth.

DeepAgents

DeepAgents supports multiple LLM providers. Configure gateways for the providers you need:
See the DeepAgents quickstart for the full list of supported API key environment variables.

Security Best Practices

1. Prefer Agent Gateways Over Direct Secrets

For any sensitive API credentials—especially LLM provider keys—use Agent Gateways instead of passing secrets directly to devboxes. Gateways ensure your real API keys are never exposed to the agent, protecting against prompt injection, credential leaks, and malicious code. Avoid:
  • Passing API keys directly to devboxes via the secrets parameter
  • Hardcoding API keys in code that runs inside devboxes
  • Storing API keys in files within devboxes
Instead, configure an Agent Gateway so the devbox only ever receives a gateway token—never your real credentials.

2. Combine with Network Policies

For maximum security, combine Agent Gateways with Network Policies to restrict which endpoints your devbox can reach. Set allow_agent_gateway to enable gateway traffic without opening up all of *.runloop.ai.

3. Use Descriptive Gateway Names

The gateway name becomes the prefix for environment variables. Use clear, uppercase names:
  • ANTHROPIC, OPENAI, INTERNAL_API
  • my-gateway, apiKey1, test

4. Rotate Secrets Regularly

Update your account secrets periodically. When you update a secret, all new devboxes using that secret will automatically use the new value.

5. Monitor Gateway Usage

Review which gateways are being used and audit access patterns to detect potential misuse.

Comparison: Agent Gateways vs. Direct Secrets

Common Use Cases

AI Coding Agent

Secure your coding agent that needs access to multiple LLM providers:

Multi-Tenant AI Platform

When building an AI platform serving multiple customers, use gateways to isolate credentials. You can reuse the same gateway config with different secrets for each customer: