Skip to main content
Instead of copying secrets into Skyvern, you can point Skyvern at your existing vault and it pulls credentials at runtime. If your organization already manages secrets in a dedicated vault, connect it as a credential source and reference items directly from workflow parameters.
External providers are configured per-organization. Once connected, any workflow in the organization can reference credentials from that provider.

Choosing a provider

SourceCredential typesSetupBest for
Skyvern (default)Password, Credit Card, SecretNone (built in)Most users, fastest setup
BitwardenPassword, Credit Card, IdentityCredential parameter configTeams already using Bitwarden (enterprise)
1PasswordPassword, Credit CardSettings page setupTeams with 1Password service accounts
Azure Key VaultPassword (with optional TOTP)Settings page setupEnterprise Azure environments
Webhook (Custom API)Password, Credit CardSettings page setupOrganizations with custom vaults
You can mix sources within the same workflow. For example, one Login block can use Skyvern-stored credentials while another uses Azure Key Vault.

1Password

Connects via a service account token. A service account is an API-only identity that accesses vault items without a human login. Supports passwords and credit cards.

One-time setup

1

Create a service account

In your 1Password admin console, go to Developer > Service Accounts and create a new service account. Grant it access to the vault that contains the credentials Skyvern needs.
2

Open Settings

In Skyvern, go to Settings and find the 1Password card.
3

Enter your service account token

Paste the service account token from the previous step.
4

Save and verify

Click Update. The status indicator turns Active once the token is validated.
If the status does not turn Active, verify that your service account token has access to the target vault and has not expired.

Using in a workflow

In the workflow editor, add a Credential Parameter and select 1Password as the source. Provide the Vault ID and Item ID. You can find both IDs in the URL when viewing an item in the 1Password web app.
Credit cards from 1Password need a custom text field named “Expire Date”, “Expiry Date”, or “Expiration Date” in MM/YYYY or MM/YY format. 1Password does not expose the native expiration field through its API, so Skyvern reads this custom text field instead.

Azure Key Vault

Pulls credentials stored as Azure secrets. Supports passwords with optional TOTP.

One-time setup

1

Open Settings

Go to Settings and find the Azure card.
2

Enter your Azure credentials

Provide your Tenant ID, Client ID, and Client Secret.
3

Save

Click Update. Skyvern will use these credentials to access your vault.

Using in a workflow

In the workflow editor, add a Credential Parameter and select Azure Key Vault as the source. Provide the vault name and the secret names that store the username, password, and optionally a TOTP secret. Enter the secret names, not the values themselves. For example, if your vault stores secrets named salesforce-username, salesforce-password, and salesforce-totp, enter those three names in the corresponding fields.

Webhook (Custom API)

Connect your own HTTP API as a credential backend. Skyvern calls your API to create, retrieve, and delete credentials, so sensitive data stays in your infrastructure.

API contract

Your service must implement three endpoints. All requests include an Authorization: Bearer {API_TOKEN} header. Create credential 
POST {API_BASE_URL}
Authorization: Bearer {API_TOKEN}
Content-Type: application/json
The request body depends on the credential type. Your API must handle all three: 
{
  "name": "Salesforce Login",
  "type": "password",
  "username": "[email protected]",
  "password": "secure_password",
  "totp": "JBSWY3DPEHPK3PXP",
  "totp_type": "authenticator"
}
The totp and totp_type fields are optional. totp_type can be "authenticator", "email", "text_message", or "none".
{
  "name": "Corporate Visa",
  "type": "credit_card",
  "card_holder_name": "Jane Doe",
  "card_number": "4111111111111111",
  "card_exp_month": "12",
  "card_exp_year": "2025",
  "card_cvv": "123",
  "card_brand": "visa"
}

{
  "name": "Stripe API Key",
  "type": "secret",
  "secret_value": "sk_live_abc123",
  "secret_label": "api-key"
}
The secret_label field is optional.
Response (all types): 
{
  "id": "cred_123456"
}
Get credential 
GET {API_BASE_URL}/{credential_id}
Authorization: Bearer {API_TOKEN}
Return the same fields that were sent during creation (minus name). Include type so Skyvern knows how to parse the response. Delete credential 
DELETE {API_BASE_URL}/{credential_id}
Authorization: Bearer {API_TOKEN}
Response: HTTP 200

Setup

1

Open Settings

Go to Settings and find the Custom Credential Service card.
2

Enter your API details

Provide the API Base URL and API Token for your credential service.
3

Save

Click Update Configuration. The status indicator turns Active once the configuration is saved.

Example: minimal FastAPI implementation

from fastapi import FastAPI, HTTPException, Depends, Header
from pydantic import BaseModel
from typing import Optional
import uuid

app = FastAPI()
credentials_store = {}

class CreateCredentialRequest(BaseModel):
    name: str
    type: str  # "password", "credit_card", or "secret"
    # Password fields
    username: Optional[str] = None
    password: Optional[str] = None
    totp: Optional[str] = None
    totp_type: Optional[str] = None
    # Credit card fields
    card_holder_name: Optional[str] = None
    card_number: Optional[str] = None
    card_exp_month: Optional[str] = None
    card_exp_year: Optional[str] = None
    card_cvv: Optional[str] = None
    card_brand: Optional[str] = None
    # Secret fields
    secret_value: Optional[str] = None
    secret_label: Optional[str] = None

class CredentialResponse(BaseModel):
    id: str

def verify_token(authorization: str = Header(...)):
    if not authorization.startswith("Bearer "):
        raise HTTPException(401, "Invalid authorization header")
    token = authorization.split("Bearer ")[1]
    if token != "your_expected_api_token":
        raise HTTPException(401, "Invalid API token")

@app.post("/api/v1/credentials", response_model=CredentialResponse)
async def create_credential(
    request: CreateCredentialRequest,
    _: None = Depends(verify_token)
):
    credential_id = f"cred_{uuid.uuid4().hex[:12]}"
    credentials_store[credential_id] = request.model_dump()
    return CredentialResponse(id=credential_id)

@app.get("/api/v1/credentials/{credential_id}")
async def get_credential(
    credential_id: str,
    _: None = Depends(verify_token)
):
    if credential_id not in credentials_store:
        raise HTTPException(404, "Credential not found")
    return credentials_store[credential_id]

@app.delete("/api/v1/credentials/{credential_id}")
async def delete_credential(
    credential_id: str,
    _: None = Depends(verify_token)
):
    if credential_id not in credentials_store:
        raise HTTPException(404, "Credential not found")
    del credentials_store[credential_id]
    return {"status": "deleted"}

Self-hosted configuration (environment variables)

For self-hosted Skyvern deployments, set these environment variables instead of using the Settings UI: 
CREDENTIAL_VAULT_TYPE=custom
CUSTOM_CREDENTIAL_API_BASE_URL=https://credentials.company.com/api/v1/credentials
CUSTOM_CREDENTIAL_API_TOKEN=your_api_token_here
Restart Skyvern after setting these variables.

Troubleshooting

ProblemWhat to check
Status stays InactiveVerify the API base URL is a valid URL and the API token is not empty. The configuration is validated on save but does not make a live request to your server.
Credentials not createdReview your API logs for auth errors. Ensure the response includes an id field. Skyvern expects HTTP 200 for all operations.
Credentials not retrievedEnsure the GET response includes all required fields for the credential type (username and password for passwords, all card fields for credit cards, secret_value for secrets).
Env config not workingRestart Skyvern after setting variables. Verify CREDENTIAL_VAULT_TYPE=custom is set and both URL and token are provided. The default vault type is bitwarden, so this variable must be explicitly set.

Credentials Overview

Built-in credential storage, security model, and quick start

Password Credentials

Store login details with optional 2FA

Bitwarden Integration

Connect Bitwarden for enterprise credential management

Build docs developers (and LLMs) love

Get started for freeTalk to us