cloud ui docs + cookbooks (#4759)

Co-authored-by: Ritik Sahni <ritiksahni0203@gmail.com>
Co-authored-by: Kunal Mishra <kunalm2345@gmail.com>

docs/cloud/managing-credentials/totp-setup.mdx

@@ -0,0 +1,81 @@
+---
+title: 2FA / TOTP Setup
+subtitle: Configure two-factor authentication for automated logins
+slug: cloud/managing-credentials/totp-setup
+---
+
+Skyvern handles 2FA through two mechanisms. **Authenticator App (TOTP)** generates codes locally from your secret key — fully automatic. **Email/SMS** waits for you to push the code via the UI or API. Both are configured on the [password credential](/cloud/managing-credentials/password-credentials) itself.
+
+## Authenticator App (TOTP)
+
+The preferred method. Store a TOTP secret key in a password credential, and Skyvern generates valid 6-digit codes on demand during login flows. The Login block enters credentials, detects the 2FA prompt, generates a fresh code, and enters it — all automatic.
+
+**Setup:** Create a password credential → expand **Two-Factor Authentication** → select **Authenticator App** → paste the TOTP secret key into the **Authenticator Key** field.
+
+The secret key is the base32-encoded string behind the QR code you'd normally scan. Copy it from your password manager (Bitwarden: TOTP field; 1Password: One-Time Password field) or look for a "Can't scan the QR code?" link during the site's 2FA setup.
+
+## Email and SMS codes
+
+When a site sends codes via email or text, someone (or something) needs to deliver the code to Skyvern.
+
+The flow:
+
+1. Login block enters username and password
+2. Site sends a 2FA code to the configured email or phone
+3. You push the code to Skyvern via the **2FA tab** or the API
+4. Skyvern enters the code and completes the login
+
+### Pushing a code manually
+
+Open the **2FA** tab on the Credentials page. The **Push a 2FA Code** form has two fields:
+
+| Field | What to enter |
+|-------|--------------|
+| **Identifier** | The email address or phone number that received the code |
+| **Verification content** | The full email/SMS body, or just the code itself — Skyvern extracts the digits automatically |
+
+<Tip>
+If multiple workflows are running simultaneously, click **Add optional metadata** to link the code to a specific run using the workflow run ID, workflow ID, or task ID.
+</Tip>
+
+### Pushing codes via API
+
+For production, automate code delivery. Set up a forwarding rule that sends 2FA emails/texts to a script, and the script calls:
+
+```bash
+curl -X POST "https://api.skyvern.com/v1/credentials/totp" \
+  -H "x-api-key: YOUR_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "totp_identifier": "user@example.com",
+    "content": "Your verification code is 847291",
+    "source": "email_forwarder"
+  }'
+```
+
+The `source` field is a free-text label for your own tracking (e.g., `"email_forwarder"`, `"twilio_webhook"`).
+
+This turns email-based 2FA into something nearly as automated as authenticator app — the main difference is latency while the email arrives and gets forwarded.
+
+## Viewing past codes
+
+The table below the push form shows all 2FA codes your organization has received: identifier, extracted code, source type, associated workflow run, and timestamps. Filter by identifier, OTP type (numeric code vs. magic link), and number of results per page.
+
+Use this for auditing and debugging — confirming that a code was received and delivered to the right run.
+
+<CardGroup cols={2}>
+  <Card
+    title="Password Credentials"
+    icon="key"
+    href="/cloud/managing-credentials/password-credentials"
+  >
+    Create credentials with 2FA methods attached
+  </Card>
+  <Card
+    title="Credentials Overview"
+    icon="lock"
+    href="/cloud/managing-credentials/credentials-overview"
+  >
+    All credential types, external providers, and security model
+  </Card>
+</CardGroup>