Secure Credential Sharing
How to ask a client to send their credentials securely using One Time Secret โ and what to do when you receive the link.
Why we use this
When clients email credentials, they're stored permanently in both inboxes. One Time Secret links are end-to-end encrypted, self-destruct after one view, and are never stored in our systems. The client doesn't need to create an account.
Step 1 โ Send This Message to the Client
Copy and paste this into HelpScout, email or Slack when you need credentials from a client:
๐ Copy & Paste Template
Hi [Client name],
To keep your login details secure, could you please share them using the following method instead of sending them via email:
1. Go to: https://onetimesecret.com
2. Type your login details into the "Secret content" box
3. Set the Lifetime to 1 day
4. Click "Create a secret link"
5. Copy the link and reply to this message with it
The link can only be opened once and then permanently deletes itself โ no account or signup required on your end.
Step 2 โ When You Receive the Link
Open the link immediately
Click the link the client sent. Do not forward it to anyone โ it can only be opened once.
Copy the credentials immediately
The credentials will be displayed on screen. Copy them right away โ you cannot return to this page once it's been viewed.
Save to Bitwarden immediately
Open vault.bitwarden.com and add or update the vault item. Bitwarden is the only permanent storage for client credentials.
Confirm with the client
Reply to confirm you have received the credentials. Do not repeat the credentials back in your reply.
Do not store anywhere else
Credentials should only exist in Bitwarden. Never paste them into HelpScout notes, Slack, emails or any other system.
Accidentally closed the tab?
If you closed the tab before saving to Bitwarden, the link is gone permanently. Ask the client to create a fresh One Time Secret and send a new link.
Rules Summary
| Rule | Why |
|---|---|
| Never forward a One Time Secret link | It can only be opened once โ forwarding risks the wrong person seeing it first |
| Always save to Bitwarden immediately after viewing | Once the link is gone, the credentials are only in Bitwarden |
| Never paste credentials into HelpScout notes | Notes are stored permanently and visible to the team |
| Do not confirm credentials in reply | Just confirm you received them โ don't echo them back in writing |