Managing Secrets

Securely store credentials for authenticated testing.

Overview

Secrets are encrypted credentials that Plaintest uses during:

  • Exploration: To access authenticated areas of your app
  • Test execution: To log in before running tests

Adding Secrets

  1. Go to Project Settings > Secrets
  2. Click Add Secret
  3. Enter a name (e.g., USERNAME, PASSWORD)
  4. Enter the value
  5. Click Save

The value is encrypted and stored securely. You won't be able to see it again.

Common Secrets

| Name | Description | Example |
|------|-------------|---------|
| USERNAME | Login username/email | test@example.com |
| PASSWORD | Login password | •••••••• |
| API_KEY | API authentication | sk_test_... |
| MFA_SECRET | TOTP secret for 2FA | JBSWY3DPEHPK3PXP |

Using Secrets in Tests

Secrets are injected into the test run as environment variables under the names you gave them, so generated tests read them from process.env. Because they are environment variables, choose names that do not collide with variables the runner's operating system already sets (USERNAME, for example, is a standard variable on Windows, where it holds the logged-in account name):

// In generated tests
await page.getByLabel('Email').fill(process.env.USERNAME!);
await page.getByLabel('Password').fill(process.env.PASSWORD!);
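
As an added example (not Plaintest's own code), a small helper layer around those environment variables: requireSecret fails with a message that names the missing secret instead of letting the non-null assertion pass undefined into fill(), which is the "Secret not found" case under Troubleshooting; redactSecrets scrubs known secret values out of text before it can reach a log or an error message; and loginWithSecrets wires both into the login shown above. The FillablePage interface is the minimal slice of the Playwright Page that these calls use (a real Page satisfies it structurally), and the "Sign in" button name is an assumption about the application under test.

```typescript
// Added example, not Plaintest's own code. Assumes project secrets are injected
// as environment variables, as the generated tests above rely on.

type Env = Record<string, string | undefined>;

/** Return the named secret, failing with a message that names the secret
 *  (never its value) when it is missing or blank. */
function requireSecret(name: string, env: Env = process.env): string {
  const value = env[name];
  if (value === undefined || value.trim() === '') {
    throw new Error(
      `Secret ${name} is not set: check the name in Project Settings > Secrets ` +
        `and that you are in the correct project.`,
    );
  }
  return value;
}

/** Replace every occurrence of the listed secrets' values in `text` with a
 *  placeholder naming the secret, so logs and error messages never carry them. */
function redactSecrets(text: string, names: string[], env: Env = process.env): string {
  let out = text;
  for (const name of names) {
    const value = env[name];
    if (!value) continue;
    out = out.split(value).join(`[REDACTED:${name}]`);
  }
  return out;
}

/** The slice of Playwright's Page used by the login below; a real Page
 *  satisfies this interface structurally. */
interface FillablePage {
  getByLabel(label: string): { fill(value: string): Promise<void> };
  getByRole(role: 'button', options: { name: string }): { click(): Promise<void> };
}

/** Log in with the USERNAME and PASSWORD secrets. The "Sign in" button name
 *  is an assumption about the application under test. */
async function loginWithSecrets(page: FillablePage): Promise<void> {
  const username = requireSecret('USERNAME');
  const password = requireSecret('PASSWORD');
  try {
    await page.getByLabel('Email').fill(username);
    await page.getByLabel('Password').fill(password);
    await page.getByRole('button', { name: 'Sign in' }).click();
  } catch (err) {
    // Rethrow with secret values scrubbed, in case the locator error echoed them.
    const message = err instanceof Error ? err.message : String(err);
    throw new Error(redactSecrets(message, ['USERNAME', 'PASSWORD']));
  }
}
```

Redaction on your side complements the platform's promise not to log secret values: a test's own console output, a custom error message or a thrown locator error can still carry the value that was typed. Playwright traces also record action arguments, so a password passed to fill() can appear in a trace attached to a failed run; treat such artifacts with the same care as the secret itself.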

Security

Encryption

  • Secrets are encrypted with AES-256-GCM
  • Encryption keys are managed separately from data
  • Values are never logged or exposed in UI

Access Control

  • Only project admins can view/edit secrets
  • Secrets are project-scoped (not shared between projects)
  • API keys have limited permissions

Best Practices

  1. Use test accounts: Create dedicated test accounts
  2. Limit permissions: Test accounts should have minimal access
  3. Rotate regularly: Change passwords periodically
  4. Don't share production credentials: Use staging/test environments

Test Account Recommendations

For testing, create accounts that:

  • Have realistic but non-sensitive data
  • Can be reset easily
  • Don't trigger rate limits
  • Are clearly marked as test accounts

Handling 2FA/MFA

If your app requires two-factor authentication:

TOTP (Authenticator Apps)

  1. Generate a TOTP secret for your test account
  2. Store it as a secret (e.g., MFA_SECRET)
  3. The AI will use it to generate codes
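
As an added example (not Plaintest's own code, and not a description of how Plaintest's AI derives codes), RFC 6238 TOTP generation and verification from a base32 secret in the MFA_SECRET format, using only Node's crypto module. It lets you confirm that the secret you stored produces the same codes as your authenticator app, and shows the clock-skew window and constant-time comparison a verifier needs. The function names are assumptions; codeFromEnv reads the secret from the MFA_SECRET environment variable as a test would.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Added example, not Plaintest's own code: RFC 6238 TOTP from a base32 secret
// such as the MFA_SECRET value stored in Project Settings > Secrets.

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

/** Decode an RFC 4648 base32 string; case-insensitive, tolerates spaces and '=' padding. */
function base32Decode(input: string): Buffer {
  const clean = input.toUpperCase().replace(/[\s=]/g, '');
  const bytes: number[] = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of clean) {
    const idx = BASE32_ALPHABET.indexOf(ch);
    if (idx < 0) throw new Error(`Invalid base32 character: ${ch}`);
    buffer = (buffer << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >>> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return Buffer.from(bytes);
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return (binary % 10 ** digits).toString().padStart(digits, '0');
}

/** TOTP (RFC 6238): HOTP with counter = floor(unixSeconds / step). */
function totp(base32Secret: string, unixSeconds = Math.floor(Date.now() / 1000), step = 30, digits = 6): string {
  return hotp(base32Decode(base32Secret), Math.floor(unixSeconds / step), digits);
}

/** Check a submitted code against the current step and its ±window neighbours
 *  (clock skew), comparing every candidate in constant time. */
function verifyTotp(base32Secret: string, code: string, unixSeconds: number, window = 1, step = 30): boolean {
  const secret = base32Decode(base32Secret);
  const current = Math.floor(unixSeconds / step);
  const submitted = Buffer.from(code, 'utf8');
  let ok = false;
  for (let c = current - window; c <= current + window; c++) {
    if (c < 0) continue;
    const expected = Buffer.from(hotp(secret, c), 'utf8');
    // No early return: every candidate is compared, so timing does not reveal which one matched.
    if (expected.length === submitted.length && timingSafeEqual(expected, submitted)) ok = true;
  }
  return ok;
}

/** The current code for the secret stored under MFA_SECRET, as a test would use it. */
function codeFromEnv(name = 'MFA_SECRET'): string {
  const secret = process.env[name];
  if (!secret) throw new Error(`Secret ${name} is not set`);
  return totp(secret);
}
```

Storing the TOTP seed next to the password means anyone who can read the project's secrets holds both factors for that account, so the account should be the low-privilege, easily reset test account recommended above, never a real user's.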

SMS/Email Codes

These are harder to automate. Options:

  • Disable 2FA for the test accounts
  • Use a test phone number service whose received messages the test can read
  • Bypass 2FA in test environments only: gate the bypass on configuration that production never carries, so the same build cannot be made to skip the second factor in production. A 2FA bypass reachable in production is a vulnerability, not a test convenience.

Environment-Specific Secrets

If you test multiple environments (staging, production):

  1. Create separate projects for each environment
  2. Or use branch URL mapping with the same secrets
  3. Ensure test accounts exist in all environments

Deleting Secrets

  1. Go to Project Settings > Secrets
  2. Find the secret to delete
  3. Click Delete
  4. Confirm the deletion

Note: Deleting a secret may break tests that depend on it.

Troubleshooting

Login failures

  • Verify that the stored credentials are correct
  • Check whether the password has expired
  • Ensure the test account is not locked

Secret not found

  • Check the secret name matches exactly
  • Ensure the secret was saved successfully
  • Verify you're in the correct project

Permission errors

  • Test account may lack required permissions
  • Some areas may need additional credentials
