Credentials

Encrypted vault secrets, TOTP, captcha solving, session persistence, and session-aware login patterns.

Credentials and authentication settings are configured per agent-platform binding. They are encrypted in the vault and exposed in DSL only inside in <handler> { ... } blocks.

Vault secrets

When you attach a platform to an agent, add fields to the vault:

Vault field      DSL reference
username         $secrets.username
password         $secrets.password
Custom fields    $secrets.field_name

Secrets are:

  • Encrypted at rest
  • Only available inside in handler { ... } blocks for that platform
  • Never sent to LLM helpers (decide / infer must not include $secrets in with clauses)

Example:

flow {
  in portal {
    fill { css "#email" } $secrets.username
    fill { css "#password" } $secrets.password
    click { css "button[type='submit']" }
  }
}
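
The scoping rules listed above can be checked before a script is deployed. The linter below is an added example, not part of reArray or its tooling: it flags $secrets references that sit outside an in <handler> { ... } block or on a line that calls decide or infer. It assumes // comments, double-quoted strings, and that a decide/infer call with its with clause fits on one line; the sample script is constructed.

```python
import re

SECRET = re.compile(r"\$secrets\.\w+")
IN_BLOCK = re.compile(r"^\s*in\s+\w+\s*\{")
LLM_HELPER = re.compile(r"\b(decide|infer)\b")
STRING_OR_COMMENT = re.compile(r'"[^"]*"|//.*')

def lint(script):
    """Return (line_no, rule) findings for one DSL script, in line order."""
    findings, depth, handlers = [], 0, []
    for no, raw in enumerate(script.splitlines(), 1):
        # Drop // comments but keep string literals, so "https://..." survives.
        code = STRING_OR_COMMENT.sub(
            lambda m: m.group(0) if m.group(0).startswith('"') else "", raw)
        bare = re.sub(r'"[^"]*"', '""', code)  # ignore braces/keywords in strings
        if IN_BLOCK.match(bare):
            handlers.append(depth)             # depth at which the block opened
        if SECRET.search(code):
            if LLM_HELPER.search(bare):
                findings.append((no, "secret passed to LLM helper"))
            elif not handlers:
                findings.append((no, "secret outside in-handler block"))
        depth += bare.count("{") - bare.count("}")
        while handlers and depth <= handlers[-1]:
            handlers.pop()                     # that handler block has closed
    return findings

# Constructed sample. The one-line `decide "..." with ...` form is an assumed
# syntax; only the keywords decide, infer and with come from this page.
SAMPLE = '''\
flow {
  in portal {
    fill { css "#email" } $secrets.username   // fine: inside a handler block
    decide "Is this the billing page?" with $secrets.password
  }
  fill { css "#otp" } $secrets.totp
}
'''

if __name__ == "__main__":
    for line_no, rule in lint(SAMPLE):
        print(f"line {line_no}: {rule}")
```

Run it over script files in CI or a pre-commit hook and fail the check when lint returns any finding.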

TOTP

If a platform requires two-factor authentication, store a TOTP seed in the vault. reArray generates time-based codes automatically — reference them as $secrets.totp (or your custom field name) in DSL.

Captcha solving

For sites with CAPTCHAs, enable captcha solving on the agent-platform binding and call solve_captcha in your script:

flow {
  in portal {
    click { css "#login" }
    solve_captcha
    wait visible { css "#dashboard" } timeout 30000
  }
}

Captcha solving requires a configured solver API key in your deployment.

Session persistence

Agent browser state persists within an active agent session. Cookies and local storage remain available across task steps and consecutive executions on the same session.

This means:

  • A login step may not be needed on every run if the session is still authenticated
  • Tasks should handle both signed-in and signed-out states gracefully

Session-aware login pattern

Always guard login with conditions so tasks work whether the session is fresh or already authenticated:

flow {
  in my_site {
    // If we already have an authenticated session, skip login.
    if visible { css "#dashboard" } {
      // Already signed in; continue.
    } else {
      // Only attempt credentials when login UI is present.
      if visible { css "#login-form" } {
        fill { css "#username" } $secrets.username
        fill { css "#password" } $secrets.password
        click { css "button[type='submit']" }
      }
      // Assert auth state before proceeding.
      wait visible { css "#dashboard" } timeout 30000
    }
  }
}

Pattern guidelines

  1. Check post-login indicator first — If a dashboard or profile element is visible, skip login.
  2. Check login form before filling credentials — Avoid errors when the form is not present.
  3. Assert auth before proceeding — Use wait visible on a reliable post-login element.
  4. Handle auth errors — If login fails, the execution reports an error with the DSL location.

Security notes

  • Vault secrets are scoped to the agent-platform binding — different agents cannot read each other's vaults.
  • Secrets never appear in execution results, video recordings metadata, or webhook payloads.
  • API keys for the Integration API are separate from platform vault credentials.