Skip to main content

What are encrypted credentials?

Encrypted credentials let you store sensitive values (passwords, API tokens, etc.) that the Simplex agent can type into browser fields during automation — without exposing the plaintext in logs, screenshots, or your workflow definition.

How it works

  1. You store a credential via the API or the Simplex dashboard, providing a name and plaintext value
  2. The value is encrypted server-side using Evervault before being saved to the database — the raw value is never stored
  3. During a browser session, the agent calls type_secret(credential_name="...") to decrypt the value inside the secure container and type it into the focused input field
  4. The plaintext never leaves the container — it is decrypted only at the moment it’s typed, and is not included in session logs or screenshots

Storing credentials via the API

from simplex import SimplexClient

client = SimplexClient(api_key="your_api_key")

# Store a credential
client.store_credential("github_token", "ghp_xxxxxxxxxxxx")

# List all credentials
result = client.list_credentials()
for cred in result["credentials"]:
    print(f"{cred['name']} (created {cred['created_at']})")

# Delete a credential
client.delete_credential("github_token")

Using credentials in workflows

Once a credential is stored, reference it in your workflow prompt: 
Go to github.com and sign in.
Use type_secret with credential_name="github_token" to enter the password.
The agent will call the type_secret MCP tool, which:
  1. Looks up the encrypted value by name in the encrypted_credentials table
  2. Decrypts it using Evervault inside the secure container
  3. Types the plaintext into the currently focused input field

Storing credentials via the dashboard

You can also manage credentials from the Credentials page in your Simplex dashboard. From there you can:
  • Add new credentials
  • View credential names and creation dates
  • Delete credentials you no longer need

Security model

PropertyDetail
EncryptionValues are encrypted with Evervault before storage
StorageOnly the encrypted token is persisted in the database
DecryptionHappens only inside the secure browser container at type-time
LoggingPlaintext values are never included in session logs
ScreenshotsValues are typed into password fields — not visible in screenshots
AccessCredentials are scoped to your organization