2FA Support (TOTP)

How to send TOTP codes (2FA/MFA/Verification Code) to Skyvern

Skyvern supports logging into websites that require a 2FA/MFA/Verification code. There are 5 kinds of 2FA we support today:

Option 1: Google Authenticator (TOTP)

Step 1: Save your username and password in Skyvern Credential. See Password Management for more details.

Step 2: Add your account by manually entering the secret key (extracted from the QR code). Not sure how to get it? Follow this guide.

💡 Don’t have the key? Contact Skyvern Support and we can help you get it.

Option 2: Email Verification Code

Email verification codes require you to set up a forwarding rule that forwards these emails to a Skyvern endpoint.

The forwarding rule can be set up using Gmail + Zapier or similar tools. (instructions below)

💡 Coming Soon: We plan to provide email forwarding addresses that make this easier to set up

You can pass totp_identifier when running a task or a workflow. When the TOTP code arrives at your inbox, all you need to do is to send the email/message to Skyvern’s TOTP endpoint.

Forwarding Your Email To Skyvern (Gmail + Zapier)

This setup requires a Zapier Pro plan account.

Step 1. Create a Zapier Zap

Go to https://zapier.com/app/home and create new Zaps

In the newly created Zap draft, Click the “Trigger” button

Click Email by Zapier

In the Email “Setup”, pick New Inbound Email in the Trigger event selection. Click Continue to complete the “Setup”

In Email “Configure”, create an email address which will be used to forward emails for TOTP codes. Click “Continue”.

Let’s add the Action to complete the Zapier setup before coming back to test it. Click the “Action” button and add Webhooks by Zapier

In the Setup, choose “POST” under the Action event selection. Then click “Continue”.

In the “Configure”, set up these in order to make a POST request to Skyvern’s TOTP API:

  • URL: https://api.skyvern.com/v1/credentials/totp
  • Payload Type: json
  • Data:
    • totp_identifier: choose Raw To Email after clicking the “+” sign
    • content: choose Body Plain after clicking the “+” sign
    • source: email
  • Headers:
    • x-api-key: Your Skyvern API Key

Click Continue

Step 2. Add forwarding email and create a filter in Gmail

Go to Gmail Settings → Forwarding and POP/IMAP (https://mail.google.com/mail/u/0/#settings/fwdandpop) → click “Add a forwarding address” → enter the zapier email address you just created. There might be some verifications, including a verification email from Zapier, you have to complete here.

After setting up the forwarding email address, go to “Filters and Blocked Addresses” (https://mail.google.com/mail/u/0/#settings/filters). Click “Create a new filter” and set up your email filtering rule for your TOTP (2FA/MFA) emails. Click “Create filter”. Check “Forward it to” and pick the new email address and update filter.

Step 3. Test it end to end!

You can forward any previous TOTP (2FA/MFA) email to the Zapier email address you created in Step 1.

In Zapier: under the “Test” of the Webhooks action, send a request to test it out. If your test is successful, you should see a A request was sent to Webhooks by Zapier message

Option 3: Phone Verification Code

Phone verification codes are supported the same way as email verification codes. You will need to set up a forwarding rule that forwards these messages to a Skyvern endpoint.

A good solution to set up this forwarding rule is to use virtual phone number services such as Twilio or Pilvo.

Make sure you pass totp_identifier when running a task or a workflow. When the TOTP code arrives at your virtual phone number, all you need to do is to send the message to Skyvern’s TOTP endpoint.

You can use the following code to forward the message to Skyvern:

1// Twilio Function to post 2FA data to Skyvern API
2
3exports.handler = async function(context, event, callback) {
4 const axios = require('axios');
5 const apiUrl = 'https://api.skyvern.com/v1/credentials/totp';
6 const apiKey = '{{your api key}}';
7 const totpIdentifier = '{{your totp identifier (could be phone number)}}';
8
9 const requestBody = {
10 totp_identifier: totpIdentifier,
11 content: event.Body || "Default 2FA message",
12 source: "phone"
13 };
14
15 const response = new Twilio.Response();
16 response.appendHeader('Content-Type', 'application/json');
17
18 try {
19 const apiResponse = await axios.post(apiUrl, requestBody, {
20 headers: {
21 'Content-Type': 'application/json',
22 'x-api-key': apiKey
23 }
24 });
25
26 response.setStatusCode(200);
27 response.setBody({
28 status: 'success',
29 message: '2FA message sent',
30 data: apiResponse.data
31 });
32 } catch (error) {
33 response.setStatusCode(500);
34 response.setBody({
35 status: 'error',
36 message: error.message,
37 details: error.response?.data || null
38 });
39 }
40
41 return callback(null, response);
42};

Option 4: Let Skyvern get the code from your server (webhook)

You can pass totp_url when running a task or a workflow. Inside this endpoint hosted by you, you have to conform to the following schema:

Set Up Your TOTP Endpoint

For websites that requires a verification code to complete a task, you have to set up a TOTP endpoint for Skyvern to fetch the verification code.

Here’s the TOTP endpoint contract you should use:

Request (POST):

ParameterTypeRequired?Sample ValueDescription
task_idStringyestsk_123The task ID that needs the verification to be done

Response:

ParameterTypeRequired?Sample ValueDescription
task_idStringyestsk_123The task ID that needs the verification to be done
verification_codeStringno123456The verification code

Validate The Sender of The Request

Same as the webhook API, your server needs to make sure it’s Skyvern that’s making the request.

  • a python example for how to generate and validate the signature:
1def validate_skyvern_request_headers(request: Request) -> bool:
2 header_skyvern_signature = request.headers["x-skyvern-signature"]
3 payload = request.body() # this is a bytes
4 hash_obj = hmac.new(SKYVERN_API_KEY.encode("utf-8"), msg=payload, digestmod=hashlib.sha256)
5 client_generated_signature = hash_obj.hexdigest()
6 return header_skyvern_signature == client_generated_signature

SKYVERN_API_KEY: you can get the API KEY from Skyvern Settings.

One time login links are supported by breaking your workflow / task into two parts:

  1. Login to trigger the one time login link
  2. Trigger the rest of your task / workflow based on the one time login link as the starting point

You will need to set up something (e.g. Zapier) that monitors the email inbox for incoming magic links. Once you get the link, you can use it to trigger the rest of your task / workflow.

When triggering the rest of your task / workflow, you can pass the one time login link as the starting point (e.g. url parameter), and Skyvern will start the new session already logged in.