Sealed-box encryption is an authenticated public-key encryption construction popularised by the libsodium / NaCl family. It combines X25519 key agreement with an authenticated stream cipher (XSalsa20-Poly1305 in the original construction) so that a sender can encrypt a message for a recipient using only the recipient's public key, and only the holder of the corresponding secret key can decrypt.
In AI-SPM platforms, sealed-box encryption is the standard for storing customer secrets (API tokens, OAuth credentials, webhook signing secrets) at rest. The encryption key lives outside the application repository in a restricted-access configuration store; only the application process at runtime can decrypt, and a database-level leak does not expose plaintext secrets.
Sealed-box is preferred over symmetric encryption with a shared key for secret-store use cases because it avoids the operational problem of distributing the symmetric key to every service that needs to write secrets.