> ## Documentation Index
> Fetch the complete documentation index at: https://docs.duvo.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Logins and Secrets

> Store website Logins and named Secret bundles in an encrypted vault so agents can sign in and call services without exposing sensitive values in their context.

## Introduction

Agents often need to access external websites and platforms, or call third-party APIs and services, as part of their automated workflows. Instead of including sensitive information directly in prompts—which would be insecure—the **Logins and Secrets** section provides a safe and encrypted way to manage this data.

## What are Logins and Secrets?

The **Logins and Secrets** section can be found under the *Resources* area in the left sidebar. It stores two types of Login your agents can use:

* **Logins** — website and application credentials (domain, username, password, optional 2FA) Duvo uses to sign in during Runs — in the [Browser](/user-guide/connections/available-connections/browser) and in desktop sessions over [Computer Use](/user-guide/connections/available-connections/computer-use) and [Windows Remote Desktop](/user-guide/connections/available-connections/windows-remote-desktop)
* **Secrets** — named bundles of environment variables (API keys, tokens, database URLs) for automated code and API calls

Items are organized into two groups:

* **Team** — shared across your workspace; all team members can use these in their agents
* **Personal** — only you can access these; not visible to other team members

<Note>
  All Logins are encrypted at rest and in transit using AES-256 encryption.
</Note>

***

## Adding a Login

To add a login:

<Steps>
  <Step title="Open Logins and Secrets" icon="key">
    Navigate to the **Logins and Secrets** section.
  </Step>

  <Step title="Add a Login" icon="plus">
    Click **Add item** and select **Login**.
  </Step>

  <Step title="Enter the login details" icon="pen">
    Enter the following details:

    * **Domain**: The website URL (e.g., `example.com`)
    * **Username or Email**: Your login username or email address
    * **Password**: Your account password
    * **One-time password secret** (optional): For 2FA-enabled accounts
    * **Two-factor authentication** (optional): Configure if needed
  </Step>

  <Step title="Save the login" icon="save">
    Click **Save Login**.
  </Step>
</Steps>

When an agent needs to log in to a site or application, it never directly accesses or "sees" the login. Instead, it calls a secure tool that fetches the correct login for the relevant domain and fills it in automatically. This ensures that sensitive data is never exposed in the agent's context window.

<Note>
  Logins work the same way in desktop sessions: agents using [Computer Use](/user-guide/connections/available-connections/computer-use) or [Windows Remote Desktop](/user-guide/connections/available-connections/windows-remote-desktop) can sign in to applications with stored logins, including one-time 2FA codes.
</Note>

Stored logins are also used automatically for HTTP Basic Auth — the browser-level username/password prompts that appear on some internal portals and enterprise web apps before the page loads.

***

## Handling Two-Factor Authentication (2FA)

If 2FA is enabled for your account, there are two ways to set it up:

<Tabs>
  <Tab title="One-time Password (OTP) Secret">
    You can manually enter your **OTP secret key** into the *One-time password secret* field.

    This secret allows the system to generate time-based one-time passwords (TOTPs) automatically whenever your agent logs in.
  </Tab>

  <Tab title="Import from Google Authenticator">
    If your 2FA codes are already managed through **Google Authenticator**, you can easily import them using the **Import from Authenticator** feature.

    To do this:

    <Steps>
      <Step title="Choose Import from Authenticator" icon="qr-code">
        Choose **Import from Authenticator**.
      </Step>

      <Step title="Export your codes" icon="smartphone">
        Follow the step-by-step tutorial to export your codes from the Google Authenticator app.

        * Open Google Authenticator
        * Tap the three dots menu
        * Select "Transfer accounts" → "Export accounts"
        * Select the accounts to export
        * A QR code will be displayed
      </Step>

      <Step title="Provide the secret to Duvo" icon="camera">
        Once the tutorial is complete (or skipped), you'll be prompted to either:

        * **Scan QR Code**: Use your device camera to scan the QR code from Google Authenticator
        * **Enter Secret Manually**: Type the secret key if you have it
      </Step>

      <Step title="Finalize the import" icon="check">
        Click **Import** to finalize.
      </Step>
    </Steps>
  </Tab>
</Tabs>

***

## Adding a Secret

Secrets are named bundles of environment variables — API keys, tokens, connection strings, or any value your agent needs to call a service or run code.

To add a secret:

<Steps>
  <Step title="Open Logins and Secrets" icon="key">
    Navigate to the **Logins and Secrets** section.
  </Step>

  <Step title="Add a Secret" icon="plus">
    Click **Add item** and select **Secret**.
  </Step>

  <Step title="Enter a title" icon="tag">
    Enter a **Title** — a short name that identifies what this secret is for (e.g., `Stripe API`, `Internal DB`).
  </Step>

  <Step title="Add key-value pairs" icon="list">
    Add one or more **key-value pairs**:

    * **Key**: The environment variable name (e.g., `STRIPE_API_KEY`). Must follow standard environment variable naming — uppercase letters, digits, and underscores.
    * **Value**: The secret value (e.g., the API key itself).
  </Step>

  <Step title="Choose sharing" icon="users">
    Choose whether to share with your team.
  </Step>

  <Step title="Save the secret" icon="save">
    Click **Save**.
  </Step>
</Steps>

When a Run starts, Duvo decrypts the secrets attached to that agent and injects them as environment variables into the secure sandbox. The agent can reference them from any code it runs during the Run.

<Note>
  Secret values are write-only — once saved, you can view the key names but not the values. To update a value, open the secret, enter a new value for that key, and save.
</Note>

***

## Using Logins and Secrets in the Agent Builder

Once you have added logins and secrets, you can attach specific ones to an agent so they are available when it runs.

In the **Agent Builder**, a **Logins and Secrets** section appears in the builder header alongside Connections and Files. Use it to select which logins and secrets should be available to that agent:

<Steps>
  <Step title="Open your agent" icon="bot">
    Open your agent in the builder.
  </Step>

  <Step title="Open the Logins and Secrets section" icon="plus">
    In the **Logins and Secrets** section of the builder header, click the **plus button**.
  </Step>

  <Step title="Select logins and secrets" icon="square-check">
    Select the logins (by domain) and secrets (by name) you want to attach.
  </Step>

  <Step title="Confirm your selection" icon="check">
    Click **Confirm** to save your selection.
  </Step>
</Steps>

The selected logins and secrets are shown as pills in the builder header. The agent will have access to them during each Run.

***

## Security

All logins and secrets are:

* **Encrypted at rest** with AES-256, using keys managed by a cloud KMS.
* **Encrypted in transit** over TLS 1.2 or higher.
* **Access-controlled:** only your team and explicitly authorized agents can use them.
* **Not used for training:** Login values are never sent to a model provider for training.

<Warning>
  Passwords and secret values are **never saved in plaintext**, and agents **cannot read or retrieve** raw Login values directly.
</Warning>

For a full overview of the Login security model and how to choose between Connections, Logins, and Secrets, see [Secret Management](/user-guide/resources/secret-management).
