How they are used during execution
Environment variables must be explicitly specified in your prompt or agent configuration to be accessible. When an agent calls a tool that needs credentials or config:- The agent resolves only the explicitly defined Environment Variables for the current run
- The sandboxed tool receives only those specified values (e.g., API tokens, base URLs)
- The tool fetches data or performs the requested action
- Outputs and artifacts are captured to your stored files for reuse
| Category | Example Variables |
|---|---|
| Cloud infrastructure | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, GCP_PROJECT_ID, AZURE_SUBSCRIPTION_ID |
| Version control | GITHUB_TOKEN, GITLAB_TOKEN, BITBUCKET_APP_PASSWORD |
| CI/CD pipelines | JENKINS_URL, JENKINS_API_TOKEN, CIRCLECI_TOKEN, BUILDKITE_API_TOKEN |
| Container registries | DOCKER_REGISTRY_URL, DOCKER_USERNAME, DOCKER_PASSWORD, ECR_REGISTRY |
| Ticketing and project management | JIRA_BASE_URL, JIRA_API_TOKEN, LINEAR_API_KEY, ASANA_ACCESS_TOKEN |
| Monitoring and observability | DATADOG_API_KEY, NEW_RELIC_API_KEY, GRAFANA_URL, PROMETHEUS_ENDPOINT |
| Communication | SLACK_WEBHOOK_URL, SLACK_BOT_TOKEN, PAGERDUTY_API_KEY, DISCORD_WEBHOOK |
| Security tools | SNYK_TOKEN, SONARQUBE_URL, SONARQUBE_TOKEN, CHECKMARX_API_KEY |
Security and access control
For security reasons, environment variables are only accessible when explicitly defined in your prompt or agent configuration. Agents and sub-agents cannot list or enumerate all available environment variables in your account. You must be specific: If you want an agent to useJIRA_TOKEN or AWS_REGION, define those exact variable names in your prompt or agent setup. This ensures:
- No accidental exposure of sensitive credentials
- Clear visibility into which secrets each agent can access
- Isolation between different agents and workflows
- Controlled access to only the environment variables needed for the task