Skip to main content
Skyvern supports three 2FA methods for automated logins. Authenticator App (TOTP) is fully automatic: Skyvern generates codes locally. Email and Text Message require you to push codes via the UI or API. All three are configured on the password credential itself.

Authenticator App (TOTP)

The preferred method. Skyvern generates valid 6-digit codes on demand during login flows with no delay and no manual steps.

How it works

  1. The Login block enters the username and password
  2. The site prompts for a 2FA code
  3. Skyvern generates a fresh TOTP code from the stored secret key
  4. The code is entered automatically and login completes

Setting it up

1

Create a password credential

Go to the Credentials page and create a new password credential.
2

Expand Two-Factor Authentication

Below the password fields, click the Two-Factor Authentication accordion.
3

Select Authenticator App

Choose Authenticator App from the three options.
4

Paste your TOTP secret key

Enter the secret key into the Authenticator Key field and click Save.
The secret key is the base32-encoded string behind the QR code you’d normally scan in an authenticator app. You can find it in a few places:
  • Bitwarden: Edit the login → TOTP field → copy the key
  • 1Password: Edit the login → One-Time Password → copy the secret
  • LastPass: Edit the login → Advanced Settings → copy the TOTP secret
  • Site settings: Many sites show a “Can’t scan?” link during 2FA setup that reveals the text key
If you only have a QR code, decode it to extract the secret= parameter from the otpauth://totp/...?secret=BASE32KEY URI.

Email and Text Message codes

When a site sends 2FA codes via email or SMS, someone (or something) needs to deliver the code to Skyvern before the login can complete.

How it works

  1. The Login block enters the username and password
  2. The site sends a 2FA code to the configured email or phone number
  3. You push the code to Skyvern via the 2FA tab or the API
  4. Skyvern enters the code and completes the login

Setting it up

1

Create a password credential

Go to the Credentials page and create a new password credential.
2

Expand Two-Factor Authentication

Below the password fields, click the Two-Factor Authentication accordion.
3

Select Email or Text Message

Choose the method that matches how the site delivers codes.
4

Enter the identifier

Provide the email address or phone number that receives the codes. For Email, this auto-fills from the Username field.

Pushing codes to Skyvern

Once a workflow is running and waiting for a 2FA code, you need to deliver it. There are two ways.

Via the UI

Open the 2FA tab on the Credentials page. The Push a 2FA Code form has two fields:
FieldWhat to enter
IdentifierThe email address or phone number that received the code
Verification contentThe full email/SMS body, or just the code itself. Skyvern extracts the digits automatically.
2FA tab showing the Push a 2FA Code form and code history table
If multiple workflows are running simultaneously, click Add optional metadata to link the code to a specific run using the workflow run ID, workflow ID, or task ID.

Via the API

For production, automate code delivery. Set up a forwarding rule that sends 2FA emails or texts to a script, and the script pushes the code to Skyvern: 
curl -X POST "https://api.skyvern.com/v1/credentials/totp" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "totp_identifier": "user@example.com",
    "content": "Your verification code is 847291",
    "source": "email_forwarder"
  }'
Response: 
{
  "totp_code_id": "tc_abc123",
  "totp_identifier": "user@example.com",
  "code": "847291",
  "source": "email_forwarder",
  "created_at": "2025-01-15T10:30:00Z"
}
The source field is a free-text label for your own tracking (e.g., "email_forwarder", "twilio_webhook"). To link a code to a specific run, pass workflow_run_id, workflow_id, or task_id. This is the API equivalent of the Add optional metadata option in the UI.
This turns email-based 2FA into something nearly as automated as an authenticator app. The main difference is latency while the email arrives and gets forwarded.

Viewing past codes

The table below the push form shows all 2FA codes your organization has received: identifier, extracted code, source type, associated workflow run, and timestamps. Filter by identifier, OTP type (numeric code vs. magic link), and number of results per page. Use this for auditing and debugging: confirming that a code was received and delivered to the right run.

Password Credentials

Create credentials with 2FA methods attached

Credentials Overview

Security model, quick start, and all credential types