Onetime Secret is configured in MSP Settings → Integrations.
When to use Onetime Secret
Use Onetime Secret if you want the agent to share temporary passwords, recovery codes, or other short-lived credentials without leaving the cleartext value in your PSA, Slack history, or email. Common cases:
- Password resets — after the agent resets a user’s password, the new temporary password is delivered as a one-time link the user opens on their own device.
- MFA recovery codes — when the agent regenerates backup codes, they’re shared as a one-time link rather than posted to the ticket.
- First-time credentials — onboarding logins for a new hire’s account.
How to connect
You’ll need an API key from your Onetime Secret account before starting.
Get your Onetime Secret API key
Sign in to Onetime Secret with the account you want the agent to share secrets from. Open Account in the top-right menu, then click API Key to generate (or reveal) your key. Copy the API key and the email address on the account — you’ll paste both into Rallied.ai.
Enter your credentials
Fill in:
- Account email — the email address on the Onetime Secret account.
- API key — the key you copied from the Onetime Secret account page.
- Link expiration — how long each generated link remains valid before it expires (default: 24 hours).
- Require passphrase — when enabled, the agent generates a separate passphrase and asks the technician to deliver it through a different channel. Off by default.
How it works
When the agent needs to share a credential with an end user:
Agent generates the secret
The agent creates a Onetime Secret entry containing the temporary password (or other value), scoped to the configured expiration and — if enabled — a generated passphrase.
Link is posted to the user
The one-time link is delivered through the same channel the ticket runs on:
- PSA ticket — posted as a customer-visible note on the ticket.
- Voice agent — read out or sent via SMS/email follow-up, depending on the configured handoff.
- Microsoft Teams / Slack — sent as a direct message to the requester.
Recipient opens the link once
The user clicks the link, sees the secret, and Onetime Secret destroys it. Subsequent opens return a “secret already viewed” message.
Link expiration
| Option | Behavior |
|---|---|
| 1 hour | Tightest setting — good for live-call resets where the user opens the link within minutes. |
| 24 hours (default) | Balances delivery flexibility with short exposure window. |
| 7 days | Use only if delivery may be delayed (e.g. user is on PTO). |
Passphrase mode
When Require passphrase is enabled, Onetime Secret links cannot be opened without a separate passphrase the agent generates alongside the secret. The agent delivers the passphrase through a different channel from the link itself — for example, the link goes to the ticket and the passphrase is read to the user over the voice call, or sent by SMS. Use this for high-sensitivity credentials (domain admin accounts, banking portals) where you want defense-in-depth against the link being intercepted.
Limits and behavior
- The connected Onetime Secret account is subject to your Onetime Secret plan’s rate limits. The agent retries with backoff on rate-limit responses and falls back to a technician handoff if the limit is exhausted.
- Secrets generated by the agent are tagged with the originating Rallied.ai ticket or session ID so they’re identifiable in your Onetime Secret dashboard for auditing.
- The cleartext value of the secret is never persisted in Rallied.ai’s logs — only the resulting one-time URL, the expiration, and the view status.
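The flow described above (expiration option, optional passphrase, backoff on rate limits, technician handoff, and a record that holds no cleartext) can be sketched as follows. This is an added example, not Rallied.ai's or Onetime Secret's code. It assumes Onetime Secret's v1 share endpoint with `secret`, `ttl` and `passphrase` fields and a `secret_key` in the response, HTTP 429 as the rate-limit status, and a hypothetical injected `post` transport.

```python
import secrets
import time

# Added example. Assumed: Onetime Secret v1 share endpoint and field names,
# HTTP 429 as the rate-limit response; `post` is a hypothetical transport.
SHARE_URL = "https://onetimesecret.com/api/v1/share"
LINK_BASE = "https://onetimesecret.com/secret/"
TTL_SECONDS = {"1 hour": 3600, "24 hours": 86400, "7 days": 604800}


def share_secret(value, post, expiration="24 hours", require_passphrase=False,
                 max_attempts=4, sleep=time.sleep):
    """Create a one-time link; return (audit_record, passphrase_or_None).

    `post(url, form)` must return (http_status, json_dict). The audit record
    never contains the cleartext value or the passphrase.
    """
    ttl = TTL_SECONDS[expiration]  # KeyError on an option the table lacks
    form = {"secret": value, "ttl": str(ttl)}
    passphrase = None
    if require_passphrase:
        # Generated separately; deliver it on a different channel than the link.
        passphrase = secrets.token_urlsafe(12)
        form["passphrase"] = passphrase

    for attempt in range(max_attempts):
        status, body = post(SHARE_URL, form)
        if status == 200:
            record = {"status": "shared",
                      "url": LINK_BASE + body["secret_key"],
                      "expires_in": ttl,
                      "viewed": False}
            return record, passphrase
        if status != 429:
            break  # not a rate limit: do not retry blindly
        if attempt < max_attempts - 1:
            sleep(2 ** attempt)  # exponential backoff: 1s, 2s, 4s
    # Rate limit exhausted or hard failure: hand off to a technician.
    return {"status": "handoff", "url": None, "expires_in": ttl,
            "viewed": False}, None
```

A real transport would send the form with HTTP basic auth using the account email and API key entered during setup.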