Skip to main content

Introduction

Agents often need to access external websites and platforms, or call third-party APIs and services, as part of their automated workflows. Instead of including sensitive information directly in prompts—which would be insecure—the Logins and Secrets section provides a safe and encrypted way to manage this data.

What are Logins and Secrets?

The Logins and Secrets section can be found under the Resources area in the left sidebar. It stores two types of Login your agents can use:
  • Logins — website and application credentials (domain, username, password, optional 2FA) Duvo uses to sign in during Runs — in the Browser and in desktop sessions over Computer Use and Windows Remote Desktop
  • Secrets — named bundles of environment variables (API keys, tokens, database URLs) for automated code and API calls
Items are organized into two groups:
  • Team — shared across your workspace; all team members can use these in their agents
  • Personal — only you can access these; not visible to other team members
All Logins are encrypted at rest and in transit using AES-256 encryption.

Adding a Login

To add a login:

Open Logins and Secrets

Navigate to the Logins and Secrets section.

Add a Login

Click Add item and select Login.

Enter the login details

Enter the following details:
  • Domain: The website URL (e.g., example.com)
  • Username or Email: Your login username or email address
  • Password: Your account password
  • One-time password secret (optional): For 2FA-enabled accounts
  • Two-factor authentication (optional): Configure if needed

Save the login

Click Save Login.
When an agent needs to log in to a site or application, it never directly accesses or “sees” the login. Instead, it calls a secure tool that fetches the correct login for the relevant domain and fills it in automatically. This ensures that sensitive data is never exposed in the agent’s context window.
Logins work the same way in desktop sessions: agents using Computer Use or Windows Remote Desktop can sign in to applications with stored logins, including one-time 2FA codes.
Stored logins are also used automatically for HTTP Basic Auth — the browser-level username/password prompts that appear on some internal portals and enterprise web apps before the page loads.

Handling Two-Factor Authentication (2FA)

If 2FA is enabled for your account, there are two ways to set it up:
You can manually enter your OTP secret key into the One-time password secret field.This secret allows the system to generate time-based one-time passwords (TOTPs) automatically whenever your agent logs in.

Adding a Secret

Secrets are named bundles of environment variables — API keys, tokens, connection strings, or any value your agent needs to call a service or run code. To add a secret:

Open Logins and Secrets

Navigate to the Logins and Secrets section.

Add a Secret

Click Add item and select Secret.

Enter a title

Enter a Title — a short name that identifies what this secret is for (e.g., Stripe API, Internal DB).

Add key-value pairs

Add one or more key-value pairs:
  • Key: The environment variable name (e.g., STRIPE_API_KEY). Must follow standard environment variable naming — uppercase letters, digits, and underscores.
  • Value: The secret value (e.g., the API key itself).

Choose sharing

Choose whether to share with your team.

Save the secret

Click Save.
When a Run starts, Duvo decrypts the secrets attached to that agent and injects them as environment variables into the secure sandbox. The agent can reference them from any code it runs during the Run.
Secret values are write-only — once saved, you can view the key names but not the values. To update a value, open the secret, enter a new value for that key, and save.

Using Logins and Secrets in the Agent Builder

Once you have added logins and secrets, you can attach specific ones to an agent so they are available when it runs. In the Agent Builder, a Logins and Secrets section appears in the builder header alongside Connections and Files. Use it to select which logins and secrets should be available to that agent:

Open your agent

Open your agent in the builder.

Open the Logins and Secrets section

In the Logins and Secrets section of the builder header, click the plus button.

Select logins and secrets

Select the logins (by domain) and secrets (by name) you want to attach.

Confirm your selection

Click Confirm to save your selection.
The selected logins and secrets are shown as pills in the builder header. The agent will have access to them during each Run.

Security

All logins and secrets are:
  • Encrypted at rest with AES-256, using keys managed by a cloud KMS.
  • Encrypted in transit over TLS 1.2 or higher.
  • Access-controlled: only your team and explicitly authorized agents can use them.
  • Not used for training: Login values are never sent to a model provider for training.
Passwords and secret values are never saved in plaintext, and agents cannot read or retrieve raw Login values directly.
For a full overview of the Login security model and how to choose between Connections, Logins, and Secrets, see Secret Management.