What’s supported
Credential types: passwords (with optional TOTP secret bundled in), credit cards for checkout automations, and arbitrary secrets or API keys.
2FA methods:
- TOTP / authenticator apps: store the secret once and Skyvern generates valid codes on every run.
- Email or SMS codes can be pushed to Skyvern via API, or you can expose an endpoint that Skyvern polls every 10 seconds until the code arrives.
- Magic links work the same way: push the one-time login URL and Skyvern detects and follows it automatically.
- Multi-field TOTP handles split-box layouts (one digit per input) by filling all fields with the same code.
How credentials stay safe
When a run needs a credential, Skyvern fetches it from your vault, injects it directly into the browser’s form field, and discards it as soon as the field is filled. The value never enters an LLM prompt, never lands in a log line, and never gets written to any persistent Skyvern storage. You’ll see this in practice: run recordings, action timelines, and LLM prompts show stable placeholder tokens like BW_PASSWORD, BW_USERNAME, and BW_TOTP wherever real credentials were used. The prefix reflects the vault source (BW_ for Bitwarden, OP_ for 1Password, AZ_ for Azure Key Vault, SK_ for Skyvern’s built-in vault) so you can audit which credential fired without the secret ever leaving your vault.
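One way to audit exported run artifacts against the behaviour described above, as an added example that is not Skyvern's own code: it counts placeholder tokens per vault and flags any line containing a canary secret you planted in a test credential. The token shape `<PREFIX>_<FIELD>`, the `AZ_SECRET` token, the sample lines, and the canary values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Prefix-to-vault mapping as stated on this page.
VAULTS = {"BW": "Bitwarden", "OP": "1Password",
          "AZ": "Azure Key Vault", "SK": "Skyvern built-in vault"}

# Assumption: tokens are upper-case <PREFIX>_<FIELD>, as in BW_PASSWORD / BW_TOTP.
TOKEN_RE = re.compile(r"\b(BW|OP|AZ|SK)_([A-Z][A-Z0-9_]*)\b")

def audit_artifacts(lines, canaries):
    """Return (usage, leaks) for an iterable of artifact lines.

    usage: Counter keyed by (vault name, field) for each placeholder seen.
    leaks: list of (line number, canary label) where a real value appears.
    """
    usage, leaks = Counter(), []
    for lineno, line in enumerate(lines, 1):
        for prefix, field in TOKEN_RE.findall(line):
            usage[(VAULTS[prefix], field)] += 1
        for label, secret in canaries.items():
            if secret and secret in line:
                leaks.append((lineno, label))
    return usage, leaks

# Constructed sample artifact lines (not real Skyvern output).
SAMPLE = [
    'action=input_text field="username" value=BW_USERNAME',
    'action=input_text field="password" value=BW_PASSWORD',
    'prompt: "Fill the 2FA box with BW_TOTP and submit"',
    'action=input_text field="api_key" value=AZ_SECRET',
    'debug: retrying login with password=Tr0ub4dor-canary',  # constructed leak
]
# Constructed canaries: values of a throwaway test credential stored in the vault.
CANARIES = {"test-login password": "Tr0ub4dor-canary",
            "test-login totp seed": "JBSWY3DPEHPK3PXP"}

if __name__ == "__main__":
    usage, leaks = audit_artifacts(SAMPLE, CANARIES)
    for (vault, field), n in sorted(usage.items()):
        print(f"{vault:24} {field:10} used {n}x")
    for lineno, label in leaks:
        print(f"LEAK line {lineno}: {label} appears in clear text")
```

Run it over exported timelines and prompts from a test workflow whose credential holds the canary values; any entry in `leaks` means a real value reached an artifact.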
Learn more
Store credentials
Create passwords, cards, and secrets. Wire up Bitwarden, 1Password, Azure, or a custom vault.
Handle 2FA
TOTP setup, pushed codes, polled endpoints, and magic links.
Troubleshoot logins
Debug 2FA and login failures.
SDK reference
agent.login(), send_totp_code(), and the credentials API.
