Skip to main content
Some Jobs need credentials to do their work — an API key passed as an environment variable, or a username and password for a website the browsing agent signs into. The CLI lets you store these securely and attach them to a specific Revision of an Assignment. Values you store are encrypted at rest and never echoed back — listing a secret or login shows you which fields are set, not their values. Secrets and logins are personal by default. Pass --shared when creating one to make it available to the whole team (requires a manager role).

Env-var secrets

A secret holds one or more environment variables that are injected into a Job at runtime. 
duvo secrets list                                           # list secrets you can see
duvo secrets get <id>                                       # show one secret (which keys are set, not their values)
duvo secrets create \
  --name "Stripe API" \
  --value STRIPE_API_KEY=sk_live_...                        # create a personal secret (repeat --value for multiple vars)
duvo secrets create \
  --name "Shared analytics" \
  --value SEGMENT_KEY=... \
  --shared                                                  # create a team-shared secret (requires manager role)
duvo secrets update <id> --name "New name"                  # rename or re-scope a secret
duvo secrets delete <id>                                    # delete a secret (prompts unless -y)
--value takes a KEY=VALUE pair and can be repeated to store several variables under one secret. Use --service-slug <slug> to tag a secret with the service it belongs to.

Browser logins

A browser login holds a website credential — domain, username, password, and optional TOTP secret — that the browsing agent uses to sign in during a Job. 
duvo credentials list                                       # list logins you can see
duvo credentials list --domain example.com                  # filter by domain
duvo credentials get <id>                                   # show one login (which fields are set, not their values)
duvo credentials create \
  --domain example.com \
  --username alice@example.com \
  --password "<password>"                                   # create a personal login
duvo credentials create \
  --domain example.com \
  --username alice@example.com \
  --otp-secret "<totp-secret>" \
  --shared                                                  # create a team-shared login (requires manager role)
duvo credentials update <id> --password "<new-password>"    # update a login
duvo credentials delete <id>                                # delete a login (prompts unless -y)
At least one of --password or --otp-secret must be provided when creating a login. The TOTP secret lets the agent generate one-time codes for sites that require two-factor authentication.

Attaching to a Revision

Storing a secret or login doesn’t make it available to a Job on its own — you attach it to the specific Revision of an Assignment whose Jobs should use it.

Attach an env-var secret

duvo revision-secrets list \
  --agent <agent-id> --revision <revision-id>               # list secrets attached to a Revision
duvo revision-secrets attach \
  --agent <agent-id> --revision <revision-id> \
  --secret <secret-id>                                      # attach a secret
duvo revision-secrets detach <secret-id> \
  --agent <agent-id> --revision <revision-id> [-y]          # detach a secret (prompts unless -y)

Attach a browser login

duvo revision-logins list \
  --agent <agent-id> --revision <revision-id>               # list logins attached to a Revision
duvo revision-logins attach \
  --agent <agent-id> --revision <revision-id> \
  --credential <login-id>                                   # attach a login
duvo revision-logins detach <login-id> \
  --agent <agent-id> --revision <revision-id> [-y]          # detach a login (prompts unless -y)
Use duvo secrets list and duvo credentials list to find the IDs to attach, and duvo revisions list --agent <agent-id> to find Revision IDs.