From f278dbfff4a3bb962dc9a2244eb6d71e4b6d7787 Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Thu, 19 Feb 2026 15:25:05 +0100 Subject: [PATCH] sandboxes: clarify security implications for auth methods Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/manuals/ai/sandboxes/get-started.md | 6 +++--- content/manuals/ai/sandboxes/workflows.md | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/content/manuals/ai/sandboxes/get-started.md b/content/manuals/ai/sandboxes/get-started.md index bd6f17b86e..bc6b4b0def 100644 --- a/content/manuals/ai/sandboxes/get-started.md +++ b/content/manuals/ai/sandboxes/get-started.md @@ -46,9 +46,9 @@ Follow these steps to run a sandbox with Claude Code: 2. Restart Docker Desktop so the daemon picks up the new environment variable. Alternatively, you can skip this step and authenticate interactively when - Claude Code starts. If no credentials are found, you'll be prompted to log - in. Note that interactive authentication requires you to authenticate for - each workspace separately. + Claude Code starts. Interactive authentication is less secure and requires + you to re-authenticate for each workspace. See + [Credential security](workflows.md#credential-security) for details. 2. Create and run a sandbox for Claude Code for your workspace: diff --git a/content/manuals/ai/sandboxes/workflows.md b/content/manuals/ai/sandboxes/workflows.md index bf76270989..2b57790792 100644 --- a/content/manuals/ai/sandboxes/workflows.md +++ b/content/manuals/ai/sandboxes/workflows.md 
@@ -117,6 +117,22 @@ To preserve a configured environment, create a [Custom template](templates.md). ## Security considerations +### Credential security + +Set API keys as environment variables on the host rather than authenticating +interactively inside a sandbox. When you set credentials on the host, Docker +Sandboxes proxies API calls from the sandbox through the host daemon, so the +agent never has direct access to the raw key. + +When you authenticate interactively, credentials are stored inside the sandbox +where the agent can read them directly. This creates a risk of credential +exfiltration if the agent is compromised or behaves unexpectedly. + +Interactive authentication also requires you to re-authenticate for each +workspace separately. + +### Workspace trust + Agents running in sandboxes automatically trust the workspace directory without prompting. This enables agents to work freely within the isolated environment.
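Review bot: In the get-started.md hunk, the rewritten bullet drops the sentence "If no credentials are found, you'll be prompted to log in", so a reader who skips the restart no longer learns what interactive authentication actually looks like when Claude Code starts. Keep that sentence ahead of the new security statement, e.g. "If no credentials are found, you'll be prompted to log in. Interactive authentication is less secure and requires you to re-authenticate for each workspace." The surrounding context also shows two consecutive list items both numbered "2." ("2. Restart Docker Desktop" and "2. Create and run a sandbox"); worth fixing in the same touch since this bullet is already being edited.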
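Review bot: In the workflows.md hunk, the "Credential security" paragraph says the host-daemon proxy means "the agent never has direct access to the raw key", but the following paragraph frames the risk only as exfiltration; the text should make clear that proxying limits key disclosure, not key use, since a compromised or misbehaving agent can still make API calls through the proxy for as long as the sandbox runs. A one-line caveat after "so the agent never has direct access to the raw key" such as "The agent can still use the credential for API calls while the sandbox is running; the proxy prevents the key itself from being copied out, not from being used" would close that gap. It would also help to state which environment variables are proxied this way, since the section is the target of the new "See [Credential security]" link and currently only says "API keys".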