suchintan's feedback + changelog (#4947)

Co-authored-by: Ritik Sahni <ritiksahni0203@gmail.com>
Naman 2026-03-03 00:11:31 +05:30 committed by GitHub
parent a4d9c9dd22
commit 59cd1e10bb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
29 changed files with 885 additions and 148 deletions

@ -4,74 +4,99 @@ subtitle: Securely store login details, payment info, and secrets for your autom
slug: cloud/managing-credentials/credentials-overview
---
The **Credentials** page stores sensitive values — passwords, payment cards, and secrets — so your workflows can use them without you pasting passwords into prompts.
<Note>
Credentials **never reach the LLM**. The AI agent decides *where* to type, but the actual values are injected directly into the browser by the automation layer. Your credentials aren't exposed in prompts, logs, or model provider APIs.
</Note>
The **Credentials** page stores sensitive values (passwords, payment cards, and secrets) so your workflows can use them without embedding secrets in prompts or parameters. Skyvern stores credentials by default with no external service required.
<img src="/images/cloud/credentials-overview.png" alt="Credentials page overview" />
## How Skyvern keeps credentials secure
Sensitive credential data never reaches the LLM, logs, or API responses.
<Steps>
<Step title="Encrypted at rest">
When you save a credential, the sensitive data (passwords, card numbers, CVVs, and TOTP secrets) is sent to a secure vault that provides encryption at rest. Skyvern supports multiple vault backends: Bitwarden, 1Password, Azure Key Vault, and custom webhook providers. Skyvern's own database stores only non-sensitive metadata: credential name, username, card last four digits, card brand, TOTP method, and similar identifiers. Passwords, full card numbers, CVVs, and TOTP secrets are stored exclusively in the vault.
</Step>
<Step title="Placeholders during execution">
When a workflow runs, the LLM receives only placeholder IDs like `placeholder_Xk9m_password`. The AI decides *where* to type on the page, but never sees the real values. No third party, including the LLM provider, ever accesses your actual credentials.
</Step>
<Step title="Just-in-time injection">
At the browser level, the automation layer resolves placeholders to real values and types them directly into the page. After execution, credential values that appear in HTTP Request block responses, block context snapshots, and conditional evaluation outputs are automatically masked before storage.
</Step>
</Steps>
---
## Quick start
<Steps>
<Step title="Navigate to the Credentials page">
Click **Credentials** in the left sidebar under **General**.
<img src="/images/cloud/credentials-sidebar-nav.png" alt="Credentials option in the left sidebar under General" />
</Step>
<Step title="Click + Add">
Choose the credential type: **Password**, **Credit Card**, or **Secret**.
<img src="/images/cloud/credentials-add-dropdown.png" alt="Add dropdown showing Password, Credit Card, and Secret options" />
</Step>
<Step title="Fill in the details and save">
Enter the required fields and click **Save**. The credential is immediately available for use in workflows.
</Step>
</Steps>
---
## What you can store
**[Password credentials](/cloud/managing-credentials/password-credentials)** — username, password, and optional 2FA configuration. Used with Login blocks to automate full sign-in flows, including two-factor authentication.
<CardGroup cols={3}>
<Card
title="Password Credentials"
icon="key"
href="/cloud/managing-credentials/password-credentials"
>
Username, password, and optional 2FA configuration for automated logins
</Card>
<Card
title="Credit Card Credentials"
icon="credit-card"
href="/cloud/managing-credentials/credit-card-credentials"
>
Payment card details for purchase and checkout workflows
</Card>
<Card
title="Secret Credentials"
icon="file-shield"
href="#secret-credentials"
>
A single sensitive string such as an API key, bearer token, or any value you don't want hardcoded
</Card>
</CardGroup>
**[Credit card credentials](/cloud/managing-credentials/credit-card-credentials)** — payment card details (number, expiration, CVV, cardholder name). Used in workflows that complete purchases or fill billing forms.
Password and Credit Card credentials have their own pages. Secrets are simpler and documented here.
**Secret credentials** — a single sensitive string: API key, bearer token, encryption key, or anything you don't want hardcoded. Create one from **+ Add → Secret** and reference it in any parameter field:
### Secret credentials
Secrets store a single sensitive value (an API key, bearer token, or similar). Create one from **+ Add → Secret**, give it a name and value, then reference it in HTTP Request, Code, or Workflow Trigger blocks using the credential parameter's key:
```
{{ credential_name.secret_value }}
{{ parameter_key.secret_value }}
```
## External credential providers
Replace `parameter_key` with the **key** assigned to the credential parameter in the workflow editor (e.g., `credentials`, `credentials_1`).
If your organization already manages secrets in a dedicated vault, reference them directly from **Bitwarden**, **1Password**, or **Azure Key Vault** by adding credential parameters in the [workflow editor](/cloud/building-workflows/add-parameters).
---
### Bitwarden
## Using credentials in workflows
Works with hosted Bitwarden and the self-hosted [Vaultwarden](https://github.com/dani-garcia/vaultwarden) fork. Supports passwords, credit cards, and identity data (SSN, address, phone numbers).
The most common pattern is a **Login block**. A Login block is a workflow step that signs into a website using stored credentials. Select a credential from the dropdown, and Skyvern fills in the username, password, and 2FA code (if configured) automatically. See [Block Reference](/cloud/building-workflows/configure-blocks) for details.
Point a credential parameter at a specific vault item using the **Collection ID** and **Item ID** from the Bitwarden web UI. Alternatively, set a **URL Parameter Key** so Bitwarden matches credentials by the target URL — useful when the same workflow runs against different sites.
For workflows that need different credentials at runtime, add a **Credential parameter** (type: `credential_id`). When someone runs the workflow, they pick which credential to use from a dropdown. See [Workflow Parameters](/cloud/building-workflows/add-parameters) for setup.
For identity data, specify an **Identity Key** and a comma-separated list of **Identity Fields** (e.g., `ssn, address, phone`).
### 1Password
Connects via a service account token. Supports passwords and credit cards.
**One-time setup:** Go to **Settings** → find the **1Password** card → paste your [service account token](https://developer.1password.com/docs/service-accounts/get-started/) → click **Update**. The status indicator turns **Active** once validated.
In the workflow editor, select **1Password** as the credential source and provide the **Vault ID** and **Item ID** from your 1Password web URLs.
<Warning>
Credit cards from 1Password need a text field named **"Expire Date"** on the item in `MM/YYYY` format. This is a workaround for how 1Password structures card data.
</Warning>
### Azure Key Vault
Pulls credentials stored as Azure secrets. Supports passwords with optional TOTP.
**One-time setup:** Go to **Settings** → find the **Azure** card → enter your **Tenant ID**, **Client ID**, and **Client Secret** → click **Update**.
In the workflow editor, select **Azure Key Vault** as the credential source and point it at your vault by name. Provide the **secret names** that store the username and password (and optionally a TOTP secret for 2FA) — not the values themselves.
### Which source should you use?
| Source | Best for |
|--------|----------|
| **Skyvern built-in** | Fastest setup — create credentials directly in the UI, no external dependencies |
| **Bitwarden** | Teams already using Bitwarden who don't want to manage credentials in two places |
| **1Password** | Teams already using 1Password with service account access |
| **Azure Key Vault** | Enterprise environments with centrally managed Azure secrets |
You can mix sources within the same workflow — one Login block using Skyvern-stored credentials and another using Azure Key Vault.
---
## Deleting credentials
Click the **trash icon** on any credential. Deletion is permanent — the Skyvern team can't restore deleted credentials. If a workflow references a deleted credential, it will fail at the login step until you assign a replacement.
Click the **trash icon** on any credential row. Deletion is permanent and cannot be undone. If a workflow references a deleted credential, the run will fail during initialization until you assign a replacement.
<CardGroup cols={3}>
<CardGroup cols={2}>
<Card
title="Password Credentials"
icon="key"
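Review bot: The blanket guarantee opening "How Skyvern keeps credentials secure" ("Sensitive credential data never reaches the LLM, logs, or API responses") is broader than what the steps under it describe. The "Just-in-time injection" step says credential values that appear in HTTP Request block responses, block context snapshots, and conditional evaluation outputs are masked before storage, so they can be present there before masking. The "Secret credentials" section also has users template `{{ parameter_key.secret_value }}` into HTTP Request, Code, and Workflow Trigger blocks, where the value is not typed into a page by the automation layer. Suggest scoping the claim to the two controls the page states (placeholders sent to the LLM, masking before storage) and saying whether masking also covers Code block output. The same section says the data "is sent to a secure vault" and lists Bitwarden, 1Password, Azure Key Vault, and custom webhook providers, while the intro says credentials are stored "by default with no external service required"; it would help to state which vault backs the default.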
@ -84,7 +109,7 @@ Click the **trash icon** on any credential. Deletion is permanent — the Skyver
icon="credit-card"
href="/cloud/managing-credentials/credit-card-credentials"
>
Store payment details for purchase workflows
Store payment details for checkout workflows
</Card>
<Card
title="2FA / TOTP Setup"
@ -93,4 +118,11 @@ Click the **trash icon** on any credential. Deletion is permanent — the Skyver
>
Configure and manage two-factor authentication
</Card>
<Card
title="External Providers"
icon="vault"
href="/cloud/managing-credentials/external-providers"
>
Connect Bitwarden, 1Password, Azure Key Vault, or a custom API
</Card>
</CardGroup>
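Review bot: The new "External Providers" card describes the fourth option as "a custom API", while the "Encrypted at rest" step in the first hunk of this file calls it "custom webhook providers". Suggest using one term in both places so readers do not take them for two different integrations. The card's `href="/cloud/managing-credentials/external-providers"` also needs to resolve to a page added elsewhere in this commit, since the in-page "External credential providers" section it stands in for is not linked by anchor the way the Secret Credentials card is (`href="#secret-credentials"`).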