External credential vault in RPA Hub

  • Versão de lançamento: Australia
  • Atualizado 12 de mar. de 2026
  • 2 min. de leitura

    • With the external credential vault feature, you can retrieve robot credentials, application credentials, or Time-based One-time Password (TOTP) seed.

    External credential vault integration with RPA Hub

    The following diagram shows the integration of an external credential vault with RPA Hub.

    A robot resides in the customers' environment. If the robot requires sensitive data during the automation execution, then the robot makes a GraphQL Application Programming Interface (API) call to the RPA Hub. An example of the sensitive data is user name and password details while logging in to an SAP application.

    Based on the input provided in the External Credential check box, either on a robot credential form, an application credential form, or a TOTP authenticator form:
    • If the input is false (if the check box isn’t selected), the credentials are saved or retrieved from the instance.
    • If the input is true (if the check box is selected in the robot credential form, an application credential form), the credentials are fetched from a configured external credential vault. If the check box is selected in the TOTP authenticator form, the seed is fetched from a configured external credential vault.
    For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.

    Examples of an external credential vault are CyberArk, Azure key Vault, and so on.

    If the External Credential check box isn’t enabled, the API returns the data stored in the Password2 field of the ServiceNow instance and then the robot uses the sensitive data for the automation execution.

    If the External Credential check box is enabled, the credentials are fetched from a configured external credential vault. In this scenario, the API internally triggers a subflow. This subflow makes a REST API call to the external credential vault. You can route this REST API call via MID Server. Or, you can directly establish a connection with the external credential vault. This implementation is dependent on your organizational requirements. The MID Server resides in the customers' environment. For more information about MID Server, see MID Server.

    After the REST API call fetches the credential from the vault, the credentials are sent to the robot.

    Figura 1. Integration of external credential vault with RPA Hub
    Integration of external credential vault with RPA Hub.

    Important information

    You must configure the external credential settings appropriately, so that the data isn’t stored or logged in the ServiceNow instance.

    Verify that the value of the Reporting field is set to Off for the subflow of your external credential vault, for example Demo CyberArk Subflow. This setting verifies that the sensitive data isn’t captured or logged. For more information about configuring this setting, see Activate flow reporting.

    To configure the external credential vault in RPA Hub, see Steps to configure an external credential vault in RPA Hub.

    Outbound request logging enables you to understand what third party services your instance accesses and the volume of outbound requests. Additionally, logging can provide valuable information when debugging outbound integrations. For more information about system logging or outbound logging, see Configure outbound logging and Outbound web service logging properties.