Dorod-Sky/docs/cloud/managing-credentials/password-credentials.mdx

---
title: Password Credentials
subtitle: Store login details and use them in automated workflows
slug: cloud/managing-credentials/password-credentials
---

Password credentials store a username, password, and optional 2FA configuration. Reference them from Login blocks in your workflows, and Skyvern handles the entire sign-in flow — including entering 2FA codes.

## Creating a password credential

Click **+ Add → Password** from the Credentials page. Three fields: **Name** (a label like "Salesforce Production"), **Username or Email**, and **Password**. The password field has an eye icon to toggle visibility.

<img src="/images/cloud/credentials-add-password.png" alt="Add password credential modal" />

Save the credential and it's ready to use in a workflow.

## Adding two-factor authentication

If the site requires 2FA, expand the **Two-Factor Authentication** accordion below the password fields. Three options, depending on how the site delivers codes:

<img src="/images/cloud/credentials-2fa-setup.png" alt="2FA setup options showing Authenticator App, Email, and Text Message" />

| Method | How it works |
|--------|-------------|
| **Authenticator App** | Paste the TOTP secret key and Skyvern generates codes locally on demand — fully automated, no delay. Preferred when the site supports it. |
| **Email** | Provide the email address that receives codes. Skyvern waits for you to push the code via the [2FA tab](/cloud/managing-credentials/totp-setup) or API. Identifier auto-fills from the Username field. |
| **Text Message** | Provide the phone number that receives codes. Same push-based flow as Email. |

<Tip>
Authenticator App is always the best option when available. Email and Text require either manual code entry or setting up automatic forwarding.
</Tip>

<Accordion title="Finding your TOTP secret key">
The secret key is the base32-encoded string behind the QR code you'd scan in an authenticator app. Most password managers let you view it:

- **Bitwarden**: Edit the login → TOTP field → copy the key
- **1Password**: Edit the login → One-Time Password → copy the secret
- **Site settings**: Many sites show a "Can't scan?" link during 2FA setup that reveals the text key

If you only have a QR code, decode it to extract the `secret=` parameter from the `otpauth://totp/...?secret=BASE32KEY` URI.
</Accordion>

## Using credentials in workflows

The most common pattern is a **Login block**. Select the stored credential from the dropdown, and Skyvern navigates to the login page, enters the username and password, handles 2FA if configured, and waits for the page to confirm authentication. See [Block Reference → Login](/cloud/building-workflows/configure-blocks) for details.

For workflows that need different accounts at runtime, use a **Credential parameter** (type: `credential_id`). When someone runs the workflow, they pick which credential to use from a dropdown.

You can also pull credentials from **Bitwarden**, **1Password**, or **Azure Key Vault**. See [External Providers](/cloud/managing-credentials/credentials-overview#external-credential-providers).

## Managing credentials

Stored credentials show the name, credential ID, username (plain text), password (always masked), and 2FA method if configured.

<Warning>
Credentials can't be edited after creation. To change a password, delete the old credential and create a new one.
</Warning>

<CardGroup cols={2}>
  <Card
    title="2FA / TOTP Setup"
    icon="shield-halved"
    href="/cloud/managing-credentials/totp-setup"
  >
    Push verification codes and manage 2FA for Email and Text methods
  </Card>
  <Card
    title="Block Reference"
    icon="cube"
    href="/cloud/building-workflows/configure-blocks"
  >
    Configure Login blocks and other blocks that use credentials
  </Card>
</CardGroup>