Introduction
Agents often need to access external websites and platforms, or call third-party APIs and services, as part of their automated workflows. Instead of including sensitive information directly in prompts—which would be insecure—the Logins and Secrets section provides a safe and encrypted way to manage this data.What are Logins and Secrets?
The Logins and Secrets section can be found under the Resources area in the left sidebar. It stores two types of Login your agents can use:- Logins — website and application credentials (domain, username, password, optional 2FA) Duvo uses to sign in during Runs — in the Browser and in desktop sessions over Computer Use and Windows Remote Desktop
- Secrets — named bundles of environment variables (API keys, tokens, database URLs) for automated code and API calls
- Team — shared across your workspace; all team members can use these in their agents
- Personal — only you can access these; not visible to other team members
All Logins are encrypted at rest and in transit using AES-256 encryption.
Adding a Login
To add a login:Open Logins and Secrets
Navigate to the Logins and Secrets section.
Add a Login
Click Add item and select Login.
Enter the login details
Enter the following details:
- Domain: The website URL (e.g.,
example.com) - Username or Email: Your login username or email address
- Password: Your account password
- One-time password secret (optional): For 2FA-enabled accounts
- Two-factor authentication (optional): Configure if needed
Save the login
Click Save Login.
Logins work the same way in desktop sessions: agents using Computer Use or Windows Remote Desktop can sign in to applications with stored logins, including one-time 2FA codes.
Handling Two-Factor Authentication (2FA)
If 2FA is enabled for your account, there are two ways to set it up:- One-time Password (OTP) Secret
- Import from Google Authenticator
You can manually enter your OTP secret key into the One-time password secret field.This secret allows the system to generate time-based one-time passwords (TOTPs) automatically whenever your agent logs in.
Adding a Secret
Secrets are named bundles of environment variables — API keys, tokens, connection strings, or any value your agent needs to call a service or run code. To add a secret:Open Logins and Secrets
Navigate to the Logins and Secrets section.
Add a Secret
Click Add item and select Secret.
Enter a title
Enter a Title — a short name that identifies what this secret is for (e.g.,
Stripe API, Internal DB).Add key-value pairs
Add one or more key-value pairs:
- Key: The environment variable name (e.g.,
STRIPE_API_KEY). Must follow standard environment variable naming — uppercase letters, digits, and underscores. - Value: The secret value (e.g., the API key itself).
Choose sharing
Choose whether to share with your team.
Save the secret
Click Save.
Secret values are write-only — once saved, you can view the key names but not the values. To update a value, open the secret, enter a new value for that key, and save.
Using Logins and Secrets in the Agent Builder
Once you have added logins and secrets, you can attach specific ones to an agent so they are available when it runs. In the Agent Builder, a Logins and Secrets section appears in the builder header alongside Connections and Files. Use it to select which logins and secrets should be available to that agent:Open your agent
Open your agent in the builder.
Open the Logins and Secrets section
In the Logins and Secrets section of the builder header, click the plus button.
Select logins and secrets
Select the logins (by domain) and secrets (by name) you want to attach.
Confirm your selection
Click Confirm to save your selection.
Security
All logins and secrets are:- Encrypted at rest with AES-256, using keys managed by a cloud KMS.
- Encrypted in transit over TLS 1.2 or higher.
- Access-controlled: only your team and explicitly authorized agents can use them.
- Not used for training: Login values are never sent to a model provider for training.