Every now and then we may want Devin to access a protected web resource. While Devin is working, it may ask you to provide credentials (API keys, logins, etc.) within the current conversation, like so…
Alternatively, you can set session secrets yourself:
Other times you might prefer to store secrets that persist to future sessions.
This is now possible in Settings & Library > Secrets. Note that any secrets you share here will be usable by Devin in all future Devin sessions within your organization. All secrets are encrypted at rest. New secrets are only available to Devin in sessions created after you added the secret.
There are 3 types of secrets available:
Plain Text
This is most suitable for secrets with a single value, such as an API key or an SSH key. Just paste in the value directly.
Key-Value
Use this for multi-variable logins. For instance, to sign into Amazon, Devin needs both an email and a password. Add the field name under ‘Key’ (e.g. email, username, password, etc.) and add the input Devin should use under ‘Value’. ‘Value’ is always masked and cannot be viewed by any other user in your organization.
Site Cookies
In addition to Key-Value and Plain Text secrets, you can also add site cookies. Cookies “hold” your authenticated state; if you are logged into some site, then giving Devin your cookies for that site will make it so that Devin is automatically logged in for the same site.
We support both key-value secrets and cookies because cookies can sometimes be insufficient by themselves. For example, on Amazon, Devin may be logged into the site while shopping or adding to cart, but Amazon might require an additional layer of password confirmation when it comes time to check out.
Cookies are stored as a base64-encoded string of a ;-delimited JSON array in the standard Chromium cookie format. This is important to know if you need to manually encode cookies rather than exporting them directly from Chrome.
Once a secret has been configured in Devin, your application may access it like a normal ENV variable (as long as the session was started after your secret was configured). This applies to global secrets, session-specific secrets, and of course to repo-secrets defined in your snapshot environment.
Devin performs some text conversion to ensure that your Secrets are valid ENV variables:
It removes invalid characters by replacing anything other than a letter, digit, or underscore with another underscore. For example, the secret named Abc%123 would become the ENV variable Abc_123
If your secret name does not begin with a letter, Devin adds an underscore to the beginning of the name. For example, the secret 123MYVAR would become the ENV variable _123MYVAR
If your secret is of the key-value type, Devin will concatenate the secret name and key name and set a list of ENV variables with each set up as secretname_keyname=value
If you have two secrets with the same name, Devin will add a counter to the end. For example, if you have two secrets named MY_SECRET you would end up with two ENV variables named MY_SECRET and MY_SECRET_2 and so on.
You may then access your secrets using your application’s preferred method of reading ENV variables.
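The following added example (not Devin's own code) models the conversion rules above so you can predict which ENV variable names your application should read. The order in which the rules are applied, the sanitizing of key names, and the treatment of names that only collide after conversion are assumptions, since the text does not specify them.

```python
import re
from collections import Counter

_INVALID = re.compile(r"[^A-Za-z0-9_]")  # assumption: "letter" means ASCII A-Z / a-z

def to_env_name(name):
    """Apply the two character rules from the text to a single name."""
    cleaned = _INVALID.sub("_", name)
    # Assumption: the first-character check runs after the replacement step.
    if not cleaned[:1].isalpha():
        cleaned = "_" + cleaned
    return cleaned

def plan_env(secrets):
    """Map (name, value) secrets to ENV names; value is str or dict (key-value).

    Returns (env_name, source) pairs. Secret values are never returned.
    """
    seen = Counter()
    plan = []
    for name, value in secrets:
        if isinstance(value, dict):
            raw_names = [(f"{name}_{key}", f"{name}[{key}]") for key in value]
        else:
            raw_names = [(name, name)]
        for raw, source in raw_names:
            env = to_env_name(raw)
            seen[env] += 1
            # Assumption: the duplicate counter is applied after conversion,
            # so "API-KEY" and "API_KEY" count as the same name.
            if seen[env] > 1:
                env = f"{env}_{seen[env]}"
            plan.append((env, source))
    return plan

# Constructed sample secrets; the values are placeholders.
SAMPLE = [
    ("Abc%123", "placeholder"),
    ("123MYVAR", "placeholder"),
    ("MY_SECRET", "placeholder"),
    ("MY_SECRET", "placeholder"),
    ("amazon", {"email": "placeholder", "password": "placeholder"}),
    ("API-KEY", "placeholder"),
    ("API_KEY", "placeholder"),
]

if __name__ == "__main__":
    for env_name, source in plan_env(SAMPLE):
        print(f"{source:20} -> {env_name}")
```

Names that receive a counter suffix depend on ordering, so giving each secret a name that is already a valid, unique ENV identifier avoids reading the wrong credential.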
Devin can use its own login credentials to access platforms that require authentication, either in its Browser or via the command line. We recommend setting up a dedicated account for Devin to use (e.g. devin@company.com) on each service that it needs access to. You may then save Devin’s username and password as Secrets on your account, so that it can log in as part of your future sessions.
If you’re not using Chrome or need to manually encode cookies, note that Devin expects cookies in a base64-encoded string of ;-delimited JSON objects in the standard Chromium cookie format.
(1) Export the cookie using the extension.
(2) Test that importing the cookie in another Chrome profile works, meaning you become logged in after importing the cookie.
(3) Add the cookie to the Secrets page.
When using cookies, Devin should find that it’s already logged in when it navigates to the site(s) that you provided cookies for. Tell Devin to give it a try!
Devin can now handle two-factor authentication (2FA) using a one-time password (OTP). To do this, you’ll need to give Devin the information provided at the time 2FA is set up on Devin’s account for the specific application:
Access Devin’s account for the service that requires 2FA.
Go to the account security settings and look for an option to regenerate or view the QR code. This may be called Set up or Replace Authenticator.
If the application allows, select the option to view the QR code.
Once the QR code is displayed on your screen, take a screenshot.
Go to Devin’s Secrets, click on the “Add Secret” button, and change the Secret type to “One-time Password”. Enter a descriptive name. Click the small QR code icon in the top right of the Value input box and upload your QR code screenshot.
Only provide 2FA codes associated with accounts that were specifically set up for Devin’s use only. We do not recommend giving Devin any 2FA codes to your personal accounts.