---
title: Credentials Overview
subtitle: Securely store login details, payment info, and secrets for your automations
slug: cloud/managing-credentials/credentials-overview
---

The **Credentials** page stores sensitive values — passwords, payment cards, and secrets — so your workflows can use them without you pasting passwords into prompts.

<Note>
Credentials **never reach the LLM**. The AI agent decides *where* to type, but the actual values are injected directly into the browser by the automation layer. Your credentials aren't exposed in prompts, logs, or model provider APIs.
</Note>

<img src="/images/cloud/credentials-overview.png" alt="Credentials page overview" />

## What you can store

**[Password credentials](/cloud/managing-credentials/password-credentials)** — username, password, and optional 2FA configuration. Used with Login blocks to automate full sign-in flows, including two-factor authentication.

**[Credit card credentials](/cloud/managing-credentials/credit-card-credentials)** — payment card details (number, expiration, CVV, cardholder name). Used in workflows that complete purchases or fill billing forms.

**Secret credentials** — a single sensitive string: API key, bearer token, encryption key, or anything you don't want hardcoded. Create one from **+ Add → Secret** and reference it in any parameter field:

```
{{ credential_name.secret_value }}
```

## External credential providers

If your organization already manages secrets in a dedicated vault, reference them directly from **Bitwarden**, **1Password**, or **Azure Key Vault** by adding credential parameters in the [workflow editor](/cloud/building-workflows/add-parameters).

### Bitwarden

Works with hosted Bitwarden and the self-hosted [Vaultwarden](https://github.com/dani-garcia/vaultwarden) fork. Supports passwords, credit cards, and identity data (SSN, address, phone numbers).

Point a credential parameter at a specific vault item using the **Collection ID** and **Item ID** from the Bitwarden web UI. Alternatively, set a **URL Parameter Key** so Bitwarden matches credentials by the target URL — useful when the same workflow runs against different sites.

For identity data, specify an **Identity Key** and a comma-separated list of **Identity Fields** (e.g., `ssn, address, phone`).

### 1Password

Connects via a service account token. Supports passwords and credit cards.

**One-time setup:** Go to **Settings** → find the **1Password** card → paste your [service account token](https://developer.1password.com/docs/service-accounts/get-started/) → click **Update**. The status indicator turns **Active** once validated.

In the workflow editor, select **1Password** as the credential source and provide the **Vault ID** and **Item ID** from your 1Password web URLs.

<Warning>
Credit cards from 1Password need a text field named **"Expire Date"** on the item in `MM/YYYY` format. This is a workaround for how 1Password structures card data.
</Warning>

### Azure Key Vault

Pulls credentials stored as Azure secrets. Supports passwords with optional TOTP.

**One-time setup:** Go to **Settings** → find the **Azure** card → enter your **Tenant ID**, **Client ID**, and **Client Secret** → click **Update**.

In the workflow editor, select **Azure Key Vault** as the credential source and point it at your vault by name. Provide the **secret names** that store the username and password (and optionally a TOTP secret for 2FA) — not the values themselves.

### Which source should you use?

| Source | Best for |
|--------|----------|
| **Skyvern built-in** | Fastest setup — create credentials directly in the UI, no external dependencies |
| **Bitwarden** | Teams already using Bitwarden who don't want to manage credentials in two places |
| **1Password** | Teams already using 1Password with service account access |
| **Azure Key Vault** | Enterprise environments with centrally managed Azure secrets |

You can mix sources within the same workflow — one Login block using Skyvern-stored credentials and another using Azure Key Vault.

## Deleting credentials

Click the **trash icon** on any credential. Deletion is permanent — the Skyvern team can't restore deleted credentials. If a workflow references a deleted credential, it will fail at the login step until you assign a replacement.

<CardGroup cols={3}>
  <Card
    title="Password Credentials"
    icon="key"
    href="/cloud/managing-credentials/password-credentials"
  >
    Store logins with optional 2FA
  </Card>
  <Card
    title="Credit Card Credentials"
    icon="credit-card"
    href="/cloud/managing-credentials/credit-card-credentials"
  >
    Store payment details for purchase workflows
  </Card>
  <Card
    title="2FA / TOTP Setup"
    icon="shield-halved"
    href="/cloud/managing-credentials/totp-setup"
  >
    Configure and manage two-factor authentication
  </Card>
</CardGroup>