Credentials

Create and manage reusable gray-box test credentials, including authenticator (TOTP) and email OTP / magic-link logins.

The Credentials page (admin/owner only) stores reusable, encrypted credentials a pentest agent uses to authenticate to a target. Credentials are project-scoped and can be attached to any number of tests.

When to use this page

Simple credentials (bearer token, basic auth, custom headers) can be entered directly in the test wizard. You create them here when you want to reuse them, or when the type requires it:

  • TOTP Authenticator, Email OTP, and Email Magic Link can only be created here, then selected in the wizard via Saved Credential.

See Define Authentication for what each type is and when to choose it.

Creating a credential

  1. Open Settings → Credentials, choose the project, and click Add Credential
  2. Pick the type and fill in the fields:
    • TOTP Authenticator — the account's base32 setup key (and optionally username/password)
    • Email OTP / Email Magic Link — the login username/password, plus a mailbox:
      • CodeWall inbox — we mint a unique receiving address for this credential
      • Customer IMAP — your IMAP host/port/username/app-password for a dedicated test mailbox
    • Optional: label, origin URLs (scope the credential to specific origins), expiry
  3. Save
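
Before saving a TOTP Authenticator credential, it is worth confirming that the base32 setup key decodes cleanly and produces the same code as the account's authenticator app. The following is an added example, not CodeWall code: it implements RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits, which are assumed defaults for the target account, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_setup_key(key: str) -> bytes:
    """Decode a base32 setup key as enrollment screens usually display it.

    Tolerates lowercase, spaces, dashes and missing '=' padding.
    Raises ValueError when the key is empty or not valid base32.
    """
    cleaned = key.replace(" ", "").replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty setup key")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not a valid base32 setup key: {exc}") from exc


def totp(key: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 code for `key` at Unix time `at` (default: now)."""
    secret = decode_setup_key(key)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Constructed sample: base32 of the RFC 6238 test secret
    # "12345678901234567890", typed the way a setup screen might show it.
    sample_key = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    print("current code:", totp(sample_key))
```

If the output does not match the authenticator app, check whether the target uses a different algorithm, digit count or period before saving the credential.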

CodeWall inbox address

When you save an Email credential that uses a CodeWall inbox, a unique receiving address is shown once. Copy it and set the email on the target's test account to that address so login codes/links reach the agent. The address is not retrievable later — if you lose it, create a new credential.

Using a saved credential in a test

In the new pentest wizard, step 3 (Authentication), choose Saved Credential, then pick it from the list (filtered to the selected project).

Revoking

Revoke a credential from this page at any time. Revoked credentials can no longer be attached to tests, and revoking a CodeWall-inbox email credential also stops its address from receiving further mail.

Security

  • All credential payloads (tokens, passwords, TOTP secrets, IMAP credentials) are encrypted at rest
  • Secrets are never shown in prompts, findings, reports, or the credential list — only metadata is displayed
  • For email logins, the agent reads only messages produced by its own login attempt (scoped by time and sender/subject); reads are audit-logged
  • CodeWall-inbox messages are encrypted, deleted once used, and purged after a short retention window
  • Access to this page is restricted to organization admins/owners
