How Skyvern keeps credentials secure
Sensitive credential data never reaches the LLM, logs, or API responses.Encrypted at rest
When you save a credential, the sensitive data (passwords, card numbers, CVVs, and TOTP secrets) is sent to a secure vault that provides encryption at rest. Skyvern supports multiple vault backends: Bitwarden, 1Password, Azure Key Vault, and custom webhook providers. Skyvern’s own database stores only non-sensitive metadata: credential name, username, card last four digits, card brand, TOTP method, and similar identifiers. Passwords, full card numbers, CVVs, and TOTP secrets are stored exclusively in the vault.
Placeholders during execution
When a workflow runs, the LLM receives only placeholder IDs like
placeholder_Xk9m_password. The AI decides where to type on the page, but never sees the real values. No third party, including the LLM provider, ever accesses your actual credentials.Just-in-time injection
At the browser level, the automation layer resolves placeholders to real values and types them directly into the page. After execution, credential values that appear in HTTP Request block responses, block context snapshots, and conditional evaluation outputs are automatically masked before storage.
Quick start
Create a credential
Use the API to create a password, credit card, or secret credential. See the Password Credentials or Credit Cards pages for examples.
Reference in workflows
Pass the
credential_id to a Login block or Browser Action block. Skyvern fills in the username, password, and 2FA code (if configured) automatically.What you can store
Password Credentials
Username, password, and optional 2FA configuration for automated logins
Credit Card Credentials
Payment card details for purchase and checkout workflows
Secret Credentials
A single sensitive string such as an API key, bearer token, or any value you don’t want hardcoded
Secret credentials
Secrets store a single sensitive value (an API key, bearer token, or similar). Create one via the API:Python
parameter_key with the key assigned to the credential parameter in the workflow editor (e.g., credentials, credentials_1).
API endpoints
Skyvern provides a comprehensive REST API for credential management:| Method | Endpoint | Description |
|---|---|---|
POST | /v1/credentials | Create a new credential |
GET | /v1/credentials | List all credentials for the organization |
GET | /v1/credentials/{credential_id} | Get a specific credential |
POST | /v1/credentials/{credential_id}/update | Update credential data |
PATCH | /v1/credentials/{credential_id} | Rename credential |
POST | /v1/credentials/{credential_id}/delete | Delete a credential |
POST | /v1/credentials/{credential_id}/test | Test a credential with a login |
GET | /v1/credentials/{credential_id}/test/{workflow_run_id} | Get test status |
POST | /v1/credentials/{credential_id}/test/{workflow_run_id}/cancel | Cancel a credential test |
POST | /v1/credentials/test-login | Test login with inline credentials |
POST | /v1/credentials/totp | Send TOTP/2FA code |
GET | /v1/credentials/totp | List TOTP codes |
Deleting credentials
Deletion is permanent and cannot be undone. If a workflow references a deleted credential, the run will fail during initialization until you assign a replacement.Python
Password Credentials
Store logins with optional 2FA
Credit Card Credentials
Store payment details for checkout workflows
TOTP / 2FA Setup
Configure and manage two-factor authentication
Bitwarden Integration
Connect Bitwarden for enterprise credential management