Storing Credentials

This lesson is part of the course UiPath Automation Coding Standards . Use navigation on the left.

In this lesson, lets take a look at the best practices in storing various types of credentials used when developing an automation using UiPath.

Robot Credentials

Credentials are required by the Orchestrator to start an interactive Windows session on an unattended robot. They are defined in the Orchestrator Robot definitions. The password in stored encrypted with the 256 bit AES encryption algorithm and once set, the password cannot be displayed. There’s also the possibility of storing the passwords in CyberArk which is integrated with Orchestrator.

Application Credentials

Application credentials should not be stored in the workflows or Config files in plain text, but rather they should be loaded from safer places like local Orchestrator or Windows Credential Store.

There are three ways of dealing with credentials natively in UiPath. They are displayed in the order of recommendation:

  1. Orchestrator Credential assets: They are stored securely in the SQL Server DB, with 256 bit AES. Once set, the password can’t be displayed. They are retrieved using the Get Credential activity under Orchestrator which returns a String Username and a SecureString Password. It also supports per robot values, like normal assets. Due to the increased security in the Orchestrator and global control, this is the recommended option.
  2. In case using Orchestrator Credential assets is not possible, the second best option is to use Windows Credential Store. Apart from getting the credentials, there’s the possibility to Add and Delete a credential from the store. There’s also a Request Credential activity for an Attended robot that creates a dialog at runtime designed to accept credentials. Using the Windows Credential Store will imply the credentials are stored locally on the robots and which means that in the case of deployment of a process on multiple robots, one needs to create the same credential on all robots.
  3. Using the Get Password activity – last resort option that stores the password encrypted in the xaml file. The encryption is linked to the machine, so, for a successful decryption in deployment it requires re-typing of the password and saving the xaml file. The code cannot migrate without changes in this case.

The scope of the credential related variables, i.e. username and password should be limited to where they are needed. Never use a larger scope for these variables.

Secure String

The password output from the GetCredentials activities is returned as a SecureString datatype. This is a special class in the .NET Framework that represents text that should be kept confidential. The password is not kept in plain text in memory, but rather obfuscated (not really encrypted) which makes it difficult to find the password if someone or something is just accessing the memory. Also, once the variable scope ends, the memory is immediately released, unlike normal Strings. Once a SecureString is retrieved, it should be used to log into the applications by using the Type Secure Text activity for normal applications or the Send Keys Secure activity for Terminals.

For other activities that require authentication, like email activities or HTTP and SOAP Request activities the password input type is String. In this case there’s the following method to convert the SecureString to a String:

String UnsecurePassword
SecureString SecurePassword


UnsecurePassword = new System.Net.NetworkCredential("abc", SecurePassword).Password

The scope for the new UnsecurePassword, together with the SecureString password and String username should be limited to where it’s needed. The credential should not be used for any purpose other than the intended one.

You might be interested in the following courses:

Course Category: Robotic Process Automation

  • UiPath Automation Coding Standards

    by Ajay Kumar Konda

    Coding standards are a collection of rules, guidelines, and best practices. Coding standards are important for safety, security, and reliability. In this course, we learn the most important and UiPath recommended coding standards. Starting from naming conventions to maintaining your code in the code repository, we cover all the best practices.

  • Automation Anywhere Bot Development Best Practices

    by Ajay Kumar Konda

    This is an advanced guide to best practices that need to be followed in developing bots using Automation Anywhere. This course provides an introduction to common bot design guidelines and standards. Avoiding common mistakes and including these processes and considerations in your bot design standards, creates bots that are clean, easier to read, test, maintain, and are stable. Most of […]

  • All You Need To Know About Robotic Process Automation

    by Ajay Kumar Konda

    Robotic Process Automation(RPA) is a kind of automation where a bot performs human’s task in completing rules based jobs. Robotic Process Automation refers to a style of automation where a machine, or computer, mimics a human’s action in completing rules-based tasks. In traditional workflow automation tools, a software developer produces a list of actions to automate a task and interface to […]

Back to: UiPath Automation Coding Standards > Best Practices