Credential vault for synthetic monitors

The credential vault is a centralized repository where you securely store and manage all synthetic monitoring credentials (username/password pairs and certificates) for browser as well as HTTP monitors.

The credential vault is accessible from the navigation bar at Settings > Web and mobile monitoring > Credential vault.

Credential security

Credentials are stored in Advanced Encryption Standard–encrypted form (AES-256). Access to the data is encrypted using TLS 1.2. This means that the content of credentials in the vault is not visible to any user, including the creator; it is visible only to the synthetic monitors that reference them. Credential content can only be overwritten by the owner/creator.

Owner-access versus public credentials

Credentials are access-controlled; when initially created (whether in the vault or in the course of synthetic monitor creation or editing), they are designated as "owner access only." The owner/creator may then change a credential's permissions in the vault to "public" (see Create credentials in the vault and Credential permissions below).

Whether a credential is "owner access only" or "public" determines who can use it in a synthetic monitor. An "owner access only" credential is one that only the credential creator can use to create or edit a synthetic monitor. A public credential is available to all users to create or edit a synthetic monitor. Read more below in Credential permissions.

View the credential vault

You can only see credentials that you have access to in the vault (Settings > Web and mobile monitoring > Credential vault). These are public credentials or owner-access credentials created by you, each listed with the name of the Owner or creator.

The stored credential types are username/password pairs and certificates. Filter the list by Type or credential Name.

You can see the description and metadata of a credential, but the sensitive information is available only for overwriting by the owner/creator. Note that only credentials created by you can be deleted. See Who can edit or overwrite a credential below.

Select HTTP or Browser next to a credential to see the associated monitors on the Synthetic monitors page. The list is automatically filtered by the names of the associated credential and its owner.

Create credentials in the vault

Credentials can be created directly in the vault or in the course of synthetic monitor creation and editing. (See Synthetic Monitoring for creating and using credentials during monitor creation.)

You can create these types of credentials:

Username and password pairs

Username and password pairs can be used for basic as well as web form authentication, in single-URL browser monitors, browser clickpaths, and HTTP monitors.

To create login credentials in the vault

  1. Select Add user and password credential at the top right.
  2. Enter the Username and Password. The password is automatically masked as you type.
  3. Provide a Credential name and optional Description.
  4. Credentials are set to Owner access only by default. Disable this control to make the credential public. Read more below in Credential permissions.
  5. Save your entries. Note that, once created, the contents of the credential are no longer visible to anyone. Only the owner can overwrite the contents or delete the credential.

Certificate credentials

Certificate credentials are used in HTTP monitors.

To create a certificate credential in the vault

  1. Select Add certificate credential at the top right.
  2. Select certificate. Allowed file formats are .pfx, .p12, and .pem.
  3. Provide a Credential name and optional Description.
  4. Credentials are set to Owner access only by default. Disable this control to make the credential public. Read more below in Credential permissions.
  5. Save your entries. Note that, once created, only the credential metadata and description are visible to anyone. Only the owner can overwrite the data or delete the credential.

Credential permissions

Whether a credential is designated "owner access only" or "public" determines who can use the credential to:

Only the owner/creator can delete or overwrite a credential or edit its permissions.

Who can use a credential with a monitor

When creating a synthetic monitor or when editing an existing monitor that doesn't have any associated credentials, you can:

  • Use an existing credential stored in the vault in the monitor—you can only select public or owner-access credentials created by you.
  • Create a new credential as part of the monitor creation/editing workflow. The credential is automatically designated as "owner access only" and is stored to the vault. If you want to change the access level to "public," you must do so from the vault after monitor creation.
  • You have the option to store passwords captured in recorded clickpaths to the vault (with a companion username). These are stored as "owner access only." Alternatively, you can edit the recorded event to use an existing credential from the vault or create one of your own. See how to use the Keystroke event.

Who can edit a monitor that has an associated credential

  • If a monitor is associated with a public credential, anyone on your team can edit and save changes to it.
  • If a monitor is associated with an owner-access credential, only the owner of the credential can edit and save changes to it using that credential. Anyone else must provide a credential that they have permission to use in order to edit and save any changes to the monitor.
  • If a monitor is associated with an owner-access credential, only the owner of the credential can copy/duplicate the monitor and save it with that credential. Anyone else must provide a credential that they have permission to use in order to copy the monitor.

If you're unable to edit a monitor that has an associated credential, you can search for the owner of the credential to discuss changes or request access.

Who can edit or overwrite a credential

The content of credentials is visible only to the synthetic monitors referencing them. You can see the description and metadata of a credential, but the sensitive information is available only for overwriting.

Only the owner/creator of a credential (whether "public" or "owner access only") can overwrite it, delete it, or change its access level from owner-access to public or vice versa.

Select Overwrite credential to provide new contents. You can also enable/disable Owner access only.

You can delete your own credentials. Note that you can't delete a credential that's in use by a monitor.

How to search for the owner of a credential

Even though the credential vault shows only your owner-access credentials and public credentials created by others, you can search for other credential owners on the Synthetic monitors page.

You can filter for monitors using a specific credential (Associated credential) and/or the credential owners (Associated credential owner). Note that these filters are only available when at least one credential from the vault is used in a monitor. The filters show you all the credentials (and their owners) currently used in monitors, regardless of whether the credentials are "public" or "owner access only."

When you open a monitor using an owner-access credential, the owner's name is highlighted in the script event or HTTP request.

Credential vault API

You can access the credential vault by API, which lets you integrate it with external credential storage systems. This lends itself to a vast range of automation use cases.

Important

If you use the API to edit or update a monitor with a credential, the API token must be owned by someone who has access to the credentials assigned to the monitor.
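
The permission rules in Credential permissions, together with the API token rule above, written out as a small Python model for auditing who can do what. This is an added example, not the product's code or API: the class and function names, the one-credential-per-monitor mapping, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    name: str
    owner: str
    owner_access_only: bool = True  # the default at creation, per the page

def can_use(user, cred):
    """Select a credential in a monitor: it is public, or it is yours."""
    return not cred.owner_access_only or cred.owner == user

def visible_in_vault(user, creds):
    """The vault lists only the credentials the user is allowed to use."""
    return [c.name for c in creds if can_use(user, c)]

def can_manage(user, cred):
    """Overwrite contents or change access level: owner only, even if public."""
    return cred.owner == user

def can_delete(user, cred, monitors):
    """Owner only, and never while a monitor still references the credential."""
    return can_manage(user, cred) and cred.name not in monitors.values()

def can_save_monitor(actor, cred):
    """actor is the UI user, or the owner of the API token making the update."""
    return can_use(actor, cred)

def single_owner_monitors(monitors, creds):
    """Monitors bound to an owner-access credential, mapped to the only
    person who can save changes to them with that credential."""
    by_name = {c.name: c for c in creds}
    return {m: by_name[c].owner for m, c in monitors.items()
            if by_name[c].owner_access_only}

# Constructed sample inventory (hypothetical names): monitor -> credential name.
CREDS = [Credential("shop-login", "alice"),
         Credential("api-cert", "bob", owner_access_only=False)]
MONITORS = {"checkout-clickpath": "shop-login", "health-http": "api-cert"}

if __name__ == "__main__":
    print("bob sees:", visible_in_vault("bob", CREDS))
    print("bob's token can update checkout-clickpath:",
          can_save_monitor("bob", CREDS[0]))
    print("single-owner monitors:", single_owner_monitors(MONITORS, CREDS))
```

The `single_owner_monitors` result is the list worth reviewing periodically: each entry is a monitor that only one person, or an API token owned by that person, can update with its current credential.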