Skip to main content
Managing Program Credentials

Automatic distribution of credentials

Inti avatar
Written by Inti
Updated over 7 months ago

To ensure full coverage of your application, you may want or need to provide test credentials.

When your program needs test credentials to be properly tested, it's key to ensure their accessibility is as hassle-free as possible, just as you would with any other aspect of your testing setup.

Some questions to ask yourself when setting up the test environments and credentials:

  • Do the test environments contain (fairly) representative data?

  • Are cross-tenancy issues important? In that case you may need to provide users sets for two separate environments.

  • Do I need to provide a permission matrix to make sure the roles and expected permissions are understandable? This also helps prevent false positive reports.

Please ensure you follow the guidelines below:

  • The credentials (username and password) should be unique for different users. In addition, please take care to make the passwords randomised so that researchers can't deduce the passwords assigned to other users' credentials.

  • If possible, please provide a separate set of credentials for our triage team. Please send the triage credentials to your CSM as opposed to uploading them on the platform.

A detailed overview of what to consider can be found here.

Managing credentials


Administrators, whether at the company or program level, possess the ability to oversee program credentials. Specifically, they can add, view, and delete sets of credentials through the Program > Credentials section.

Adding credentials

Program credentials can be added by uploading a CSV file, offering utmost flexibility to equip researchers with the complete set of credentials required to test your program's scope. Your CSV file can contain various key-value combinations. The keys are defined within the CSV file's header. Subsequently, multiple lines of values can be appended to the file, enabling the provision of numerous credentials within a single file.

Limitations to be taken into consideration when creating your CSV file:

  • Only the semicolon (";") is considered a delimiter.

  • Double quotation marks ("") can be used to mark values as strings.

  • The maximum number of headers is 200.

  • The headers need to be between 1 and 100 characters.

  • The values have a maximum length of 1000 characters each.

Below examples of possible CSV formats can be used as templates:


Single user role (Download example file)

email;password

user1@intigriti.com;anXiUbQZr2
user2@intigriti.com;88x0f5CSJ1

Multiple user roles (Download example file)

admin_email;admin_password;viewer_email;viewer_password

admin1@intigriti.com;anXiUbQZr2;viewer1@intigriti.com;zRmSxw8Pe5
admin2@intigriti.com;88x0f5CSJ1;viewer2@intigriti.com;GM60cBJkyb

Multiple applications (Download example file)

app_A_email;app_A_password;app_B_email;app_B_password

appA.user.1@intigriti.com;anXiUbQZr2;appB.user.1@intigriti.com;zRmSxw8Pe5
appB.user.2@intigriti.com;88x0f5CSJ1;appB.user.2@intigriti.com;GM60cBJkyb

Upon the successful import of the CSV file, the credentials will become instantly accessible to researchers.

💡Not to worry... Credentials uploaded using the old format (email address, password, URL) will continue to function. You have following options:

  1. Continue using the existing credentials and upload new ones when their current batch is depleted.

  2. Remove unclaimed credentials, then upload new ones to ensure the old ones remain functional alongside new entries within the updated format.

  3. Clear all credentials and upload new sets, rendering the old ones inaccessible and requiring researchers to obtain a fresh credential set.

Deleting credentials

Credentials can be deleted either individually ("Delete credential") or all at once ("Clear credentials"). When deleting one or more sets of credentials, they will be removed from the overview and will no longer be accessible to the researcher.

Replenishment reminders

Company administrators will receive reminders to replenish credentials. Specifically, an email notification will be sent when the count of unclaimed credentials reaches 10.

Claiming credentials

Each researcher is entitled to claim exactly one credential set, necessitating that each set contains all the required information to test your program's scope.

FAQ

Why are the uploaded credentials not shown properly?

If your credentials are not shown as expected, please check the file you uploaded by opening it with a text editor. The structure should look like this:

email;password

user1@intigriti.com;anXiUbQZr2
user2@intigriti.com;88x0f5CSJ1

It's also viable to treat values as strings by adding double quotation marks (""):

"email address";"password"

"user1@intigriti.com";"anXiUbQZr2"
"user2@intigriti.com";"88x0f5CSJ1"

However it can happen that double quotation marks ("") are added to the beginning and end of each line when saving a new file to CSV. This formatting will treat the entire line as a single string, instead of separate columns divided by a semicolon (;). The following example will not show the credentials properly:

"email;password"

"user1@intigriti.com;anXiUbQZr2"
"user2@intigriti.com;88x0f5CSJ1"

The issue can be resolved by removing the " characters and saving as CSV.

What about credentials rotation?

In situations where generating a sufficient number of test credentials (50-100) poses a challenge, an alternative approach can be considered. This involves implementing a test account rotation strategy. Rotation, in essence, entails using a .csv file that contains two instances of the same 25 account sets, rather than having a unique set of 50 accounts. When the 25th set of accounts is exhausted, the rotation cycle begins anew with the first set.

Things to consider:

  • Can users reset their password without accessing the user's mailbox? If yes, can we block them from resetting the password? If so, it's easier to rotate the credentials, less chance that researchers will (accidentally) block others out.

  • Can we cleanup the accounts automatically every month or so to make it easier to share?

  • Is 2FA available? If so, can we disable this? Again If so, it's easier to rotate the credentials, less chance that researchers will (accidentally) block others out. More about a 2FA setup can be found here.

What about 2FA?

There are 3 options for 2FA setup, depending on the restrictions on the customer side.

  1. Researchers can enter their 2FA method on first login. This is the easiest way and requires no further action.

  2. Connect the 2FA accounts with a Twilio number that we provide. This way, the codes are sent to an Intigriti-managed Discord channel where researchers can pick up the 2FA code.

  3. Preset the 2FA for the user and distribute the QR codes needed for the setup. Intigriti can then manually distribute these to the users that request them.

Is credential rotation possible with 2FA enabled? Yes, but only if:

  1. You can link the verification code to our public 2FA-discord channel via a phone number. This discord channel is publicly available and might break the confidentiality of a private program if data such as company name is included in the 2FA message.

  2. If authenticator apps are supported, we can share the QR-link with the researchers.

Did this answer your question?