TinyFish can log into websites on your behalf using credentials from your existing password manager. Connect your vault once, then select which credentials to use for each run.
Vault credentials are currently supported in the Playground and REST API. Python SDK, TypeScript SDK, and CLI support is coming soon.

How It Works

You connect your password manager account, TinyFish syncs your vault items, and you then select specific credentials for each run. Each run only gets the credentials you explicitly choose, so no run has access to your full vault.

Connect Your Provider

More providers coming soon.
In TinyFish, go to Settings > Vault and click Connect a password manager.

1Password

Paste your Service Account Token (starts with ops_), then click Connect. Your items sync automatically. Confirm they appear grouped by vault name.
Need a token? Create a service account with read access to your vault. See the 1Password service account docs.

Bitwarden

Enter your Client ID, Client Secret, and Master Password, then click Connect. Use the format user.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx for the Client ID. If you use a self-hosted instance, toggle Self-hosted server and enter your server URL.
Find your API key in Bitwarden under Settings > Security > Keys > View API Key. See the Bitwarden personal API key guide.
The first sync may take up to 15 seconds. Subsequent syncs are faster.

Managing Your Vault

Sync

Click Sync to fetch the latest items from your connected provider.

Disconnect

Click Disconnect and confirm to remove the provider. All cached credentials are removed immediately, but runs already in progress are not affected. You can reconnect at any time.

Using the Vault API

Quick start

Connect a provider, retrieve item IDs, and start a run with specific credentials:
# 1. Connect your vault (one-time setup)
curl -X POST https://agent.tinyfish.ai/v1/vault/connections \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "provider": "1password", "token": "ops_your_token" }'
# → returns connectionId and initial items

# 2. List available credentials (reads from cache — fast)
curl -s https://agent.tinyfish.ai/v1/vault/items \
  -H "X-API-Key: $TINYFISH_API_KEY"
# → grab the itemId for the credential you need

# 3. Start a run with that credential
curl -X POST https://agent.tinyfish.ai/v1/automation/run \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://www.linkedin.com",
    "goal": "Log in and capture the latest 3 posts from the feed",
    "use_vault": true,
    "credential_item_ids": [
      "cred:a1b2c3d4-5678-90ab-cdef-1234567890ab:Work:item-linkedin"
    ]
  }'

Matching credentials to URLs

Filter items by the domains field to find the right credential for your target site:
curl -s https://agent.tinyfish.ai/v1/vault/items \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  | jq '.items[] | select(.domains[] | contains("linkedin.com")) | .itemId'
Scoping to specific credential_item_ids is more reliable than use_vault: true alone — it prevents the agent from picking the wrong login when you have multiple accounts on the same domain.
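
The jq filter above uses contains, which is a substring test, so an item whose domain is notlinkedin.com would also be selected. As an added example (not TinyFish code), this Python helper matches on exact host or subdomain and refuses to choose when zero or several items match. It assumes the items, domains and itemId fields shown above and that domains entries are hostnames or URLs; the sample items are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample of a GET /v1/vault/items response body (not real data).
SAMPLE_ITEMS = [
    {"itemId": "cred:constructed-1:Work:item-linkedin", "domains": ["linkedin.com"]},
    {"itemId": "cred:constructed-1:Work:item-lookalike", "domains": ["notlinkedin.com"]},
    {"itemId": "cred:constructed-1:Work:item-github", "domains": ["github.com"]},
    {"itemId": "cred:constructed-1:Personal:item-github", "domains": ["https://github.com"]},
]


def _host(value):
    """Normalize a bare host or full URL to a lowercase hostname."""
    value = value.strip().lower()
    parsed = urlsplit(value if "://" in value else "//" + value)
    return (parsed.hostname or "").rstrip(".")


def matches(domain_entry, target_url):
    """True when the target host equals the entry or is a subdomain of it."""
    entry, target = _host(domain_entry), _host(target_url)
    return bool(entry) and (target == entry or target.endswith("." + entry))


def pick_item_id(items, target_url):
    """Return the single itemId covering target_url; raise on 0 or several."""
    hits = [
        item["itemId"]
        for item in items
        if any(matches(d, target_url) for d in item.get("domains", []))
    ]
    if len(hits) != 1:
        # Ambiguity is an error: the caller must pick the account explicitly.
        raise LookupError(f"{len(hits)} credentials match {target_url}: {hits}")
    return hits[0]


if __name__ == "__main__":
    print(pick_item_id(SAMPLE_ITEMS, "https://www.linkedin.com"))
```

Pass the returned ID in credential_item_ids; when LookupError reports several matches, choose the account by hand rather than falling back to use_vault: true alone.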

When to sync

GET /v1/vault/items reads from a local cache and is fast. You don’t need to sync before every run. Call POST /v1/vault/items/sync when:
  • You’ve recently changed a password in your vault
  • You’ve added new credentials you want to use
  • A run failed to log in and you suspect stale credentials
For most pipelines, syncing once at startup or on a daily schedule is sufficient.

Handling expired connections

Provider tokens can expire. When they do, POST /v1/vault/items/sync returns a 401. Your pipeline should:
  1. Catch the 401 from sync
  2. Re-connect with POST /v1/vault/connections using a fresh token
  3. Retry the sync
1Password service account tokens don’t expire unless revoked. Bitwarden tokens may expire based on your server configuration.
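
The three steps above as an added Python example (not TinyFish code), limited to one reconnect attempt so a revoked token cannot cause a retry loop. The get_fresh_connection callback is hypothetical: it should read the current provider token from your secret store at call time and return the connection body; sending the sync request without a body is an assumption.

```python
import json
import os
import urllib.error
import urllib.request

BASE = "https://agent.tinyfish.ai"


def http_post(path, body=None):
    """POST to the TinyFish API and return (status, parsed JSON body)."""
    req = urllib.request.Request(
        BASE + path,
        data=json.dumps(body).encode() if body is not None else None,
        headers={
            "X-API-Key": os.environ["TINYFISH_API_KEY"],
            "Content-Type": "application/json",
        },
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # Error bodies are dropped so nothing sensitive is echoed into logs.
        return err.code, {}


def sync_with_reconnect(get_fresh_connection, post=http_post):
    """Sync; on 401 reconnect once with fresh credentials, then retry once."""
    status, body = post("/v1/vault/items/sync")
    if status != 401:
        return status, body
    # Fetch the token only when needed; never hard-code or log it.
    conn_status, _ = post("/v1/vault/connections", get_fresh_connection())
    if conn_status >= 400:
        raise RuntimeError(f"reconnect failed with HTTP {conn_status}")
    return post("/v1/vault/items/sync")


if __name__ == "__main__":
    # Example wiring for 1Password; OP_SERVICE_TOKEN is an assumed variable name.
    fresh = lambda: {"provider": "1password", "token": os.environ["OP_SERVICE_TOKEN"]}
    print(sync_with_reconnect(fresh)[0])
```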

Troubleshooting

For 1Password, verify the token starts with ops_ and has read access to the vault you want to sync. For Bitwarden, verify that the Client ID and Client Secret match the same API key. The API returns a 400 with "Invalid vault token" when credentials fail validation.
Vault items must have website URLs in your password manager to sync into TinyFish. Credentials without URLs are not synced.
Ensure the server URL includes https:// and that the server is accessible from TinyFish.
Provider tokens can expire. Disconnect the provider, then reconnect using a fresh token or updated credentials. POST /v1/vault/items/sync returns a 401 when all connections require reconnect and no items can be returned.
The first Bitwarden sync can take up to 15 seconds while the connection initializes. Subsequent syncs are faster.
You can connect a maximum of 2 providers at the same time.
No vault connections exist yet. Connect a provider first with POST /v1/vault/connections.
The vault integration is unavailable or the backing vault service returned an error.
