# Onetime Secret

> Connect Onetime Secret so the agent shares temporary passwords as self-destructing links instead of plain text.

Connect [Onetime Secret](https://onetimesecret.com) so when the agent needs to deliver a temporary password or other sensitive credential to an end user, it generates a one-time link instead of pasting the value into a ticket note or email. The recipient opens the link, sees the secret once, and the data is destroyed.

<Note>
  Onetime Secret is configured in **MSP Settings → Integrations**.
</Note>

## When to use Onetime Secret

Use Onetime Secret if you want the agent to share temporary passwords, recovery codes, or other short-lived credentials without leaving the cleartext value in your PSA, Slack history, or email.

Common cases:

* **Password resets** — after the agent resets a user's password, the new temporary password is delivered as a one-time link the user opens on their own device.
* **MFA recovery codes** — when the agent regenerates backup codes, they're shared as a one-time link rather than posted to the ticket.
* **First-time credentials** — onboarding logins for a new hire's account.

If Onetime Secret is not connected, the agent falls back to redacting the secret in customer-visible notes and asking a technician to deliver it through another channel.

## How to connect

You'll need an API key from your Onetime Secret account before starting.

<Steps>
  <Step title="Get your Onetime Secret API key">
    Sign in to [Onetime Secret](https://onetimesecret.com) with the account you want the agent to share secrets from. Open **Account** in the top-right menu, then click **API Key** to generate (or reveal) your key.

    Copy the API key and the email address on the account — you'll paste both into Rallied.ai.
  </Step>

  <Step title="Open MSP Integrations">
    In the Rallied.ai dashboard, navigate to **MSP Settings → Integrations**.
  </Step>

  <Step title="Connect Onetime Secret">
    Find the Onetime Secret card and click **Connect**. A credentials form appears.
  </Step>

  <Step title="Enter your credentials">
    Fill in:

    * **Account email** — the email address on the Onetime Secret account.
    * **API key** — the key you copied from the Onetime Secret account page.
    * **Link expiration** — how long each generated link remains valid before it expires (default: **24 hours**).
    * **Require passphrase** — when enabled, the agent generates a separate passphrase and asks the technician to deliver it through a different channel. Off by default.

    Click **Save**. Rallied.ai validates the credentials against the Onetime Secret API. The card shows **Connected** when complete.
  </Step>
</Steps>

## How it works

When the agent needs to share a credential with an end user:

<Steps>
  <Step title="Agent generates the secret">
    The agent creates a Onetime Secret entry containing the temporary password (or other value), scoped to the configured expiration and — if enabled — a generated passphrase.
  </Step>

  <Step title="Link is posted to the user">
    The one-time link is delivered through the same channel the ticket runs on:

    * **PSA ticket** — posted as a customer-visible note on the ticket.
    * **Voice agent** — read out or sent via SMS/email follow-up, depending on the configured handoff.
    * **Microsoft Teams / Slack** — sent as a direct message to the requester.

    The cleartext value is never written to the ticket, transcript, or message body.
  </Step>

  <Step title="Recipient opens the link once">
    The user clicks the link, sees the secret, and Onetime Secret destroys it. Subsequent opens return a "secret already viewed" message.
  </Step>

  <Step title="Agent logs the outcome">
    The agent posts an internal note on the ticket recording that a one-time link was sent, the expiration time, and whether the recipient opened it (Onetime Secret reports the view back on the next poll).
  </Step>
</Steps>

## Link expiration

| Option                   | Behavior                                                                                   |
| ------------------------ | ------------------------------------------------------------------------------------------ |
| **1 hour**               | Tightest setting — good for live-call resets where the user opens the link within minutes. |
| **24 hours** *(default)* | Balances delivery flexibility with a short exposure window.                                |
| **7 days**               | Use only if delivery may be delayed (e.g. user is on PTO).                                 |

If the user does not open the link before it expires, the agent flags the ticket for technician follow-up and does not auto-regenerate the secret.

## Passphrase mode

When **Require passphrase** is enabled, Onetime Secret links cannot be opened without a separate passphrase the agent generates alongside the secret. The agent delivers the passphrase through a different channel from the link itself — for example, the link goes to the ticket and the passphrase is read to the user over the voice call, or sent by SMS.

Use this for high-sensitivity credentials (domain admin accounts, banking portals) where you want defense-in-depth against the link being intercepted.

## Limits and behavior

* The connected Onetime Secret account is subject to your Onetime Secret plan's rate limits. The agent retries with backoff on rate-limit responses and falls back to a technician handoff if the limit is exhausted.
* Secrets generated by the agent are tagged with the originating Rallied.ai ticket or session ID so they're identifiable in your Onetime Secret dashboard for auditing.
* The cleartext value of the secret is never persisted in Rallied.ai's logs — only the resulting one-time URL, the expiration, and the view status.

<Warning>
  If Onetime Secret is connected but the API returns an error when the agent tries to generate a link, the agent does **not** fall back to posting the cleartext value. Instead, it pauses the action and posts an internal note asking a technician to deliver the credential manually.
</Warning>
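
The retry rule under Limits and behavior and the fail-closed rule in the warning above, as an added example (not Rallied.ai's code). It assumes the Onetime Secret v1 `share` endpoint with HTTP Basic auth and a 429 status for rate limits; `build_share_request`, `share_fail_closed`, `Handoff` and `fake_transport` are hypothetical names, and the transport is a constructed stub so the block runs offline.

```python
import base64
import time
import urllib.parse

BASE = "https://onetimesecret.com"  # assumed host; regional instances differ
TTL_SECONDS = {"1h": 3600, "24h": 86400, "7d": 604800}  # the three options in the table

class Handoff(Exception):
    """No link was created; a technician must deliver the credential manually."""

def build_share_request(email, api_key, secret, ttl, passphrase=None):
    """Build the POST for the share endpoint (assumed: /api/v1/share, Basic auth)."""
    fields = {"secret": secret, "ttl": str(TTL_SECONDS[ttl])}
    if passphrase:  # passphrase mode: the value travels to the user on another channel
        fields["passphrase"] = passphrase
    token = base64.b64encode(f"{email}:{api_key}".encode()).decode()
    return {"url": f"{BASE}/api/v1/share",
            "headers": {"Authorization": f"Basic {token}"},
            "body": urllib.parse.urlencode(fields)}

def share_fail_closed(send, request, retries=3, base_delay=1.0, sleep=time.sleep):
    """send(request) -> (status, json_dict). Return the one-time URL or raise Handoff."""
    for attempt in range(retries + 1):
        status, payload = send(request)
        if status == 200 and "secret_key" in payload:
            return f"{BASE}/secret/{payload['secret_key']}"
        if status == 429 and attempt < retries:  # assumed rate-limit status
            sleep(base_delay * 2 ** attempt)     # exponential backoff
            continue
        break
    # Fail closed: the error carries only the status, never the cleartext secret.
    raise Handoff(f"link creation failed (HTTP {status}); deliver manually")

def fake_transport(responses):
    """Constructed stand-in for the HTTP call: replays canned (status, json) pairs."""
    queue = list(responses)
    return lambda request: queue.pop(0)

if __name__ == "__main__":
    req = build_share_request("tech@example.com", "API_KEY_PLACEHOLDER", "Temp-Pass-1!", "24h")
    send = fake_transport([(429, {}), (200, {"secret_key": "constructedkey"})])
    print(share_fail_closed(send, req, sleep=lambda s: None))
```
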
