
Credential Vault for Confluence
User Guide

Published by CowboyMSP · cowboymsp.com · [email protected]
Credential Vault is a secure password and MFA manager that lives directly inside your Confluence Cloud pages. Credentials are encrypted in your browser before being stored — nobody else can read them, including Atlassian or CowboyMSP.

Getting Started

Adding the vault to a page

  1. Open any Confluence page and click Edit
  2. Type /Credential Vault in the editor body
  3. Select Credential Vault from the macro menu
  4. Click Save or Publish the page

The vault macro can be added to any page. Each page has its own independent vault — with its own PIN, entries, templates, and settings.

Protecting the vault page

Anyone with edit access to the Confluence page can delete the page (and the vault macro along with it). Use Confluence-native protections:

  • Page Restrictions: on the page, click the lock icon (or the more-actions menu → Restrictions). Set view and edit so only specific users or groups can change the page.
  • Space Permissions: in Space Settings → Permissions, remove the "Delete Pages" permission from all users except admins and space admins. This protects every page in the space.

Creating Your PIN

The first time you open the vault on a new page, you will be prompted to create a PIN.

  • Minimum 8 characters for new vaults — a live strength meter (Weak / Fair / Good / Strong) is shown as you type.
  • Legacy vaults created with shorter PINs (4+ characters) can still unlock with their original PIN.
  • Your PIN is used to derive your encryption key. It is never stored anywhere — only a salted SHA-256 hash is kept for verification.
  • Write your PIN down before you continue — if you forget it, your credentials cannot be recovered.

⚠ Important: A yellow warning box appears on the first-time setup screen before you proceed. Take it seriously — there is no server-side recovery. See Recovery below.

Enter your PIN, confirm it, and click Create vault. The user who creates the vault becomes the vault owner.

The Vault Interface

+-------------------------------------------------------------+
|  Credential vault       [+ Add] [Archive] [Settings] [Lock] |
|  12 entries                                                  |
|  Auto-locks after 10 min of inactivity                       |
+-------------------------------------------------------------+
|  Search name, username, URL, category...        [x]          |
|  [All] [Work] [Personal] [Cloud]      Sort: A to Z           |
|  [Expand all] [Select] [Shortcuts]                           |
+-------------------------------------------------------------+
|  * GitHub             [DevOps]  [MFA]    [pin][dup][edit]    |
|    AWS Console        [Cloud]   [MFA]    [pin][dup][edit]    |
|    Personal Gmail     [Email]            [pin][dup][edit]    |
+-------------------------------------------------------------+

Header Controls

Button | Action
+ Add | Open the templates picker, then the new credential form. Disabled at the free-tier limit.
Archive (count) | Open the Archive screen. Only shown when at least one entry is archived.
Settings (gear) | Open Settings — PIN, Activity log, Auto-lock, Archive retention, Theme, Generator, Categories, Templates, Import/Export, Transfer ownership.
Lock | Lock the vault immediately. All decrypted data is cleared from memory.

Ownership & Roles

Each vault has one owner, set automatically to the Atlassian account of the user who first creates it. Everyone else with page access is a regular user.

Action | Owner | Regular user
Unlock with PIN | Yes | Yes
View, copy, reveal entries | Yes | Yes
Add, edit, archive entries | Yes | Yes
Restore archived entries | Yes | Yes
Permanently delete entries | Yes | No (must archive)
Change PIN | Yes | No
Change auto-lock timeout | Yes | No
Change archive auto-delete window | Yes | No
Import / export CSV | Yes | No
Manage shared templates & categories | Yes | No
Transfer vault ownership | Yes | No
Manage personal "My view" templates | Yes | Yes

Owner-only actions appear in Settings for everyone but are disabled (greyed out) for regular users, with a small "Owner only" badge.

Adding Credentials

Click + Add in the header. You are first shown the templates picker — choose a template to pre-fill common fields, or click Blank.

Credential fields

Field | Required | Description
Name / site | Yes | A label for this entry, e.g. "GitHub" or "AWS Console — Prod"
Category | No | Work, Personal, Finance, Email, Cloud, Servers, Network, DevOps, Social, Other, or custom
URL | No | Protocol picker offers https, http, rdp, ssh, vnc, sftp, ftp, ftps, smb, ldap, ldaps, mysql, mssql, postgresql, mongodb, redis, telnet, smtp, smtps, imap, imaps. Dangerous schemes (javascript:, data:, vbscript:, file:) are blocked.
Username or email | Yes | The login username or email address
Password | Yes | The account password (use Generate for crypto-random)
MFA secret | No | Base32 TOTP key, or a full otpauth:// URI
Tags | No | Freeform per-entry labels (lower-cased, hyphenated, searchable)
Notes | No | Multi-line notes — recovery codes, account numbers, hints

Password Generator

Click Generate next to the password field for a crypto-random password. Configure defaults in Settings → Password Generator:

  • Toggle character sets: A–Z, a–z, 0–9, symbols (#$!)
  • Length slider from 8 to 99 characters (default 20)
  • At least one character class must remain enabled

Password Strength Meter

Four coloured segments appear as you type: 🔴 Weak · 🟠 Fair · 🔵 Good · 🟢 Strong.

Checking for Known Breaches (Have I Been Pwned)

Click Check for breaches below the password field. Only the first 5 characters of a SHA-1 hash are sent to the Have I Been Pwned API (k-anonymity) — your actual password never leaves your browser.

  • Not found — password does not appear in any known breach
  • Found in N breaches — you should change this password
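
The k-anonymity lookup described above, as an added example (not the vault's own code): the password is hashed with SHA-1 locally, only the 5-character prefix goes into the request URL, and the returned suffix list is searched in the browser. The function names, the injectable `fetchRange` parameter and the sample response body are constructed so the block runs offline.

```javascript
// Web Crypto is global in browsers and Node 19+; older Node exposes it via node:crypto.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// SHA-1 of the password as 40 upper-case hex characters, the form the range API uses.
async function sha1Hex(password) {
  const digest = await subtle.digest('SHA-1', new TextEncoder().encode(password));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0'))
    .join('')
    .toUpperCase();
}

// Split the hash: the 5-character prefix is sent, the 35-character suffix never is.
async function rangeQuery(password) {
  const hash = await sha1Hex(password);
  const prefix = hash.slice(0, 5);
  return { prefix, suffix: hash.slice(5), url: 'https://api.pwnedpasswords.com/range/' + prefix };
}

// The range response is plain text, one "SUFFIX:COUNT" per line.
// The comparison against our suffix happens locally.
function countInRange(responseText, suffix) {
  for (const line of responseText.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0; // suffix not listed: not found in any known breach
}

// fetchRange is injectable so the check can be exercised without network access.
async function breachCount(password, fetchRange = url => fetch(url).then(r => r.text())) {
  const { url, suffix } = await rangeQuery(password);
  return countInRange(await fetchRange(url), suffix);
}

// Constructed response body for prefix 5BAA6 (the counts are made up).
const SAMPLE_RANGE_BODY = [
  '1D2DA4053E34E76F6576ED1DA63134B5E2A:2',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345',
  '1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1',
].join('\r\n');
```
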

Duplicate & password-reuse warnings

When saving, the vault shows a non-blocking warning if the entry's name or URL matches an existing entry, or if the password is already used by another entry. Tick "Don't warn me again on this device" to suppress duplicate warnings later.

Templates

Templates pre-fill the new-entry form with sensible defaults for common credential types — MSP-focused presets like M365 Admin, AWS Console, Windows RDP, Linux SSH, Firewall, Switch, Database, GitHub, and more.

Type | Scope | Who can manage
Built-in | Same in every vault | Cannot be edited; each user can hide them from their own grid
Admin (shared) | Stored server-side per vault, shared with everyone on the page | Vault owner only
Personal (My view) | Stored in your browser's local storage, visible only to you | Anyone

Choosing a template

Click + Add → the Choose a template modal opens. Click any tile to start a new entry pre-filled from that template, or click Blank to start empty.

Managing shared templates (owner only)

Open Settings → Manage templates to add, edit, rename, change icon, or remove templates that everyone using the vault will see. Built-in templates can be reset back to defaults from this screen.

My view — personal templates & hidden tiles

From the Choose a template modal, click My view (top-right). Three tabs:

  • Hidden: tick built-in templates you want hidden from your personal grid.
  • My templates: create, edit, or delete templates only you see.
  • Sort order: A to Z, Z to A, Team first, or Mine first.

Hidden templates and personal templates are stored in your browser's local storage — they follow your browser, not your Atlassian account.

Viewing & Using Credentials

Click any entry in the vault list to expand it. Opening an entry records a last used timestamp shown at the bottom of the expanded card.

Field | Behaviour
Username | Always visible; copy button on right
URL | Shown as clickable link; copy button on right
Password | Hidden by default. Click 👁 to reveal, or ⧉ to copy without revealing
MFA code | Hidden by default (bullets). Click 👁 to reveal, or ⧉ to copy without revealing
Notes | Shown; copy button on right
Tags | Shown as chips inside the expanded card

Tip: Use the copy button — you rarely need to reveal the password or MFA code at all.

MFA Codes & QR Re-Add

Store a TOTP secret to generate live 6-digit codes directly in the vault — no separate authenticator app needed.

Where to find your MFA secret

When enabling 2FA on any website, look near the QR code for a link that says "Can't scan the QR code?", "Enter setup key manually", or "Show secret key". That base32 string (e.g. JBSWY3DPEHPK3PXP) is your TOTP secret. Paste it into the MFA secret field. You can also paste a full otpauth:// URI — the vault parses digits, period, and algorithm from it.

MFA Countdown Timer

When an MFA secret is stored, a live 6-digit code displays with a countdown timer, a progress bar that turns amber at 10 seconds and red at 5, and auto-refresh every 30 seconds.
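
How a stored secret becomes a live code, as an added example (not the vault's own code): it accepts either a bare base32 key or an otpauth:// URI, reads digits, period and algorithm, and computes the RFC 6238 code with HMAC through the Web Crypto API. The function names, the 6-or-8 digit rule and the strict rejection of non-base32 characters are assumptions of this example.

```javascript
// Web Crypto is global in browsers and Node 19+; older Node exposes it via node:crypto.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
const HASHES = { SHA1: 'SHA-1', SHA256: 'SHA-256', SHA512: 'SHA-512' };

// RFC 4648 base32 decode. A character outside the alphabet (a space, 0, 1, 8)
// is an error rather than being skipped, so a mistyped key is reported.
function base32Decode(text) {
  const out = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/=+$/, '')) {
    const index = BASE32.indexOf(ch);
    if (index === -1) throw new Error('invalid base32 character ' + JSON.stringify(ch));
    value = (value << 5) | index;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Uint8Array.from(out);
}

// Accept a bare base32 key or an otpauth://totp/ URI; return validated parameters.
function parseMfaSecret(input) {
  let secret = input.trim(), digits = 6, period = 30, algorithm = 'SHA1';
  if (/^otpauth:/i.test(secret)) {
    const uri = new URL(secret);
    if (uri.hostname.toLowerCase() !== 'totp') throw new Error('not a TOTP URI');
    const q = uri.searchParams;
    secret = q.get('secret') ?? '';
    digits = Number(q.get('digits') ?? digits);
    period = Number(q.get('period') ?? period);
    algorithm = (q.get('algorithm') ?? algorithm).toUpperCase();
  }
  if (!Object.hasOwn(HASHES, algorithm)) throw new Error('unsupported algorithm');
  if (digits !== 6 && digits !== 8) throw new Error('digits must be 6 or 8');
  if (!Number.isInteger(period) || period <= 0) throw new Error('bad period');
  const key = base32Decode(secret);
  if (key.length === 0) throw new Error('empty secret');
  return { key, digits, period, hash: HASHES[algorithm] };
}

// RFC 6238 code for a given Unix time in seconds.
async function totp(params, unixSeconds) {
  const counter = new DataView(new ArrayBuffer(8));
  counter.setBigUint64(0, BigInt(Math.floor(unixSeconds / params.period)));
  const hmacKey = await subtle.importKey(
    'raw', params.key, { name: 'HMAC', hash: params.hash }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', hmacKey, counter.buffer));
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
  const binary = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
                 (mac[offset + 2] << 8) | mac[offset + 3];
  return String(binary % 10 ** params.digits).padStart(params.digits, '0');
}

// Seconds until the current code expires; this is what a countdown bar displays.
function secondsRemaining(params, unixSeconds) {
  return params.period - (Math.floor(unixSeconds) % params.period);
}
```
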

Re-add to Authenticator (QR code)

Click the QR-code button inside an expanded entry to open a printable QR code suitable for scanning into any standard authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden). The raw secret or otpauth:// URI is also shown below the QR code for manual entry.

Tags

Tags are freeform labels you can attach to any entry. Unlike categories (which come from a fixed list managed by the owner), tags are typed in by the user.

  • Adding tags: in the entry form, type a tag and press Enter or comma. Tags are lower-cased automatically and spaces become hyphens (so "Prod Server" becomes prod-server).
  • Searching tags: tags are searchable — the main search bar matches entry name, username, URL, category, notes, and tags.

Categories

Default categories: Work · Personal · Finance · Email · Cloud · Servers · Network · DevOps · Social · Other.

When entries have categories assigned, a row of category pills appears below the search bar. Click a category to filter the list; click All to return to the full list.

Managing categories (owner only)

Open Settings → Manage categories to add or remove categories, and drag-and-drop to reorder them. Changes apply immediately.

Search, Sort & Filter

Multi-chip search

  • Type any text and press Enter to convert it into a search chip — this allows multiple search terms (AND logic).
  • Backspace in an empty search input removes the last chip.
  • Click the ✕ on a chip to remove it; click the main ✕ to clear everything.

Searches match against entry name, username, URL, category, notes, and tags.

Sort options

Option | Description
A → Z | Alphabetical by name (default)
Z → A | Reverse alphabetical
Category | Grouped by category in the category-list order
Newest first | Most recently created entries at top
Oldest first | Original creation order
Recently used | Entries you opened most recently appear first

Pinned entries always appear at the top within the active sort.

Search chips, category filter, and sort all work together — only entries matching every active filter are shown, then sorted.

Pin, Duplicate, Edit, Archive

Each entry header shows these icon buttons on the right:

Icon | Action
★ Star | Pin to top. Pinned entries float above the sort order. Click again to unpin.
⎘ Duplicate | Open a pre-filled copy of the entry. The name is prefixed with "(copy)".
✎ Edit | Open the edit form. All fields can be changed. The Modified timestamp updates on save.
📦 Archive | Soft-delete the entry to the Archive. See Archive below.
› Expand | Toggle the expanded view of this entry.

Timestamps

Each entry tracks four timestamps shown at the bottom of the expanded card: Created, Modified, Password changed, and Last used. Hover any timestamp for the full date and time. Timestamps are included in CSV exports.

Bulk Actions

Click Select in the toolbar to enter selection mode. A checkbox appears on every entry; tick the ones you want to act on.

  • The toolbar shows Delete N (which archives the selected entries in bulk).
  • Click Cancel to leave selection mode without changes.

Bulk delete moves entries to the Archive — they can be restored before they are auto-purged. Only the vault owner can permanently delete from the Archive.

Archive (Soft Delete)

Clicking the archive icon on an entry soft-deletes it — the entry is hidden from the main list but still encrypted and stored. You can restore it before it is auto-purged.

Opening the archive

When at least one entry is archived, an Archive button appears in the header showing the count. You can also reach it from Settings → View archive.

Restoring an archived entry

Click Restore. The entry returns to the main list with its Modified timestamp updated. If the name already exists on another live entry, "(restored)" is appended automatically.

Permanent deletion (owner only)

Inside the Archive, the owner sees a small red button next to each entry. Clicking it permanently deletes the entry after a confirmation prompt. Regular users cannot hard-delete; the button is hidden for them.

Auto-delete after N days (owner only)

In Settings → Auto-delete after, the owner picks a retention window: Never, 7, 14, 30, 60, 90 (default), 180, or 365 days. When an entry's archive timestamp is older than this window, it is permanently and silently deleted the next time the vault is unlocked.

When you archive an entry while auto-delete is enabled, a one-time notice reminds you of the retention window. Tick "Don't warn me again on this device" to suppress it in future.

Password History

Whenever you change an entry's password, the previous password is added to that entry's password history. Up to the last 5 previous passwords are kept per entry, along with the date each was changed.

Viewing history

Inside an expanded entry, click the clock icon next to the password field to open the Password history modal. Each row shows when the password was changed, the masked password with a reveal toggle and a copy button, and a Restore button.

Restoring a previous password

Clicking Restore on a history row sets that old value back as the live password. The current password is pushed into history (so you can undo the restore). If the restored password was already in history, it is removed from the list since it is now active again.

Settings

Click the gear icon in the header to open the Settings panel.

Section | Contents
Security | Change PIN (owner), Activity log, Transfer vault ownership (owner), Auto-lock timeout (owner)
Archive | View archive (with count), Auto-delete after N days (owner)
Appearance | Theme — Light, Auto, Dark
Password Generator | Toggle character sets (A–Z, a–z, 0–9, #$!), Length 8 to 99
Categories | Manage categories (owner), Manage templates (owner)
Data | Export to CSV (owner), Import from CSV (owner)
About | Current auto-lock, encryption details, support links

Change PIN (owner only)

  1. Open Settings → Change PIN
  2. Enter your current PIN to verify
  3. Enter and confirm your new PIN (minimum 8 characters)
  4. Click Set new PIN

All entries are immediately re-encrypted with the new PIN and a fresh per-vault salt. The old PIN no longer works.

⚠ Important: Write down your new PIN before saving. Like the original, it cannot be recovered if forgotten.

Auto-lock timeout (owner only)

Pick from 1, 3, 5, 10 (default), 15, 30, or 60 minutes. A 60-second countdown banner appears before locking (20 seconds for the 1-minute setting) with a Stay unlocked button.

Theme

Choose Light, Auto (follows your OS preference), or Dark. The setting is stored per browser, per user.

Activity Log

Open Settings → Activity log to see the most recent vault events. The log is PIN-protected on the server — opening it requires your PIN hash, so a user with page access but not the PIN cannot read it.

Events logged: vault_created, pin_change, add / edit / delete (with entry name), archive / restore / bulk_archive / archive_purge, csv_export / csv_import, ownership_transferred, restore_password.

Each row shows when, what, and who (display name plus account ID on hover). The log is capped at the most recent 2,000 events per vault. You can export the log to CSV from the modal footer.

Locking & Auto-Lock

Lock immediately

Click the lock icon in the header at any time. All decrypted credentials and the session key are cleared from memory; the lock screen returns.

Auto-lock

The vault automatically locks after the configured idle timeout (default 10 minutes). Idle means no mouse movement, keystrokes, scrolls, or touch events. A 60-second countdown banner is shown before locking, with a Stay unlocked button. The vault also locks when you navigate away from the page or refresh it.

Import & Export

Export to CSV (owner only)

  1. Open Settings → Export to CSV
  2. Read the security warning carefully
  3. Click Download CSV to confirm

The export is generated entirely in your browser. Every export is recorded in the Activity log so other team members can see who exported and when.

⚠ Security notice: The exported CSV is not encrypted. Treat it like a master password list. Delete it once you have finished using it. Tags and password history are not currently included in the export.

CSV columns

Column | Contents
Name | Entry name
Category | Entry category, if set
URL | Login URL, if set
Username | Username or email
Password | Password in plain text
MFA Secret (TOTP Key) | Raw base32 TOTP secret
Notes | Notes field
Created / Modified / Last Used | Timestamps

Importing MFA secrets into another app

  • Google Authenticator — + → Enter a setup key → paste
  • Authy — Add account → Enter key manually → paste
  • Microsoft Authenticator — + → Other account → Enter code manually
  • 1Password — Edit item → Add field → One-Time Password → paste
  • Bitwarden — Edit item → TOTP → paste

Import from CSV (owner only)

  1. Open Settings → Import from CSV
  2. Click Select CSV file
  3. The vault parses the file and shows the entry count
  4. Click Import N entries to merge them into the vault

Imported entries are merged — nothing is overwritten. The CSV must include at least the Name, Username, and Password columns. Unsafe URL protocols are silently stripped during import; the credential itself is still saved. On the free tier, an import is blocked if it would push you above the 3-entry cap.
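
The URL handling described here and in the credential fields table, as an added example (not the vault's own code): each URL is parsed first, its scheme is compared against the protocol-picker list, and a URL that fails is blanked while the rest of the row is kept. The function names and sample rows are constructed; treating a value with no scheme as stripped is an assumption.

```javascript
// Schemes offered by the protocol picker, copied from the credential fields table.
const ALLOWED_SCHEMES = new Set([
  'https', 'http', 'rdp', 'ssh', 'vnc', 'sftp', 'ftp', 'ftps', 'smb', 'ldap', 'ldaps',
  'mysql', 'mssql', 'postgresql', 'mongodb', 'redis', 'telnet', 'smtp', 'smtps',
  'imap', 'imaps',
]);

// Return a normalised URL when its scheme is on the allow-list, otherwise ''.
// The decision is made on the parser's view of the scheme, not on a string
// prefix, so letter case and surrounding whitespace cannot change the outcome.
function sanitizeUrl(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return '';
  let parsed;
  try {
    parsed = new URL(raw.trim());
  } catch {
    return ''; // not an absolute URL (assumption: stripped rather than guessed at)
  }
  const scheme = parsed.protocol.slice(0, -1); // "https:" -> "https", already lower-case
  // Store the parsed form so the value that was checked is the value that is kept.
  return ALLOWED_SCHEMES.has(scheme) ? parsed.href : '';
}

// Apply the check to imported rows: a bad URL is blanked, the credential is kept.
function sanitizeImport(rows) {
  let stripped = 0;
  const entries = rows.map(row => {
    const url = sanitizeUrl(row.URL);
    if (row.URL && !url) stripped += 1;
    return { ...row, URL: url };
  });
  return { entries, stripped };
}

// Constructed CSV rows (already parsed into objects) for illustration.
const SAMPLE_ROWS = [
  { Name: 'GitHub', Username: 'alice', Password: 'constructed-1', URL: 'https://github.com/login' },
  { Name: 'Jump host', Username: 'admin', Password: 'constructed-2', URL: 'ssh://admin@10.0.0.5:22' },
  { Name: 'Old intranet', Username: 'bob', Password: 'constructed-3', URL: '  JavaScript:void(0)' },
  { Name: 'Local notes', Username: 'bob', Password: 'constructed-4', URL: 'file:///etc/hosts' },
  { Name: 'No URL', Username: 'carol', Password: 'constructed-5', URL: '' },
];
```
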

Transfer Vault Ownership

The vault owner can hand off ownership to another Atlassian user on the same site — useful for staff handovers, account closures, or rotating duties.

  1. Open Settings → Transfer vault ownership
  2. Read the warning carefully — the change cannot be undone by you
  3. Click Continue, search for the new owner by name, and select them
  4. Click Transfer ownership

You lose owner-only rights immediately. The new owner can permanently delete entries from the Archive, change the PIN / idle timeout / archive retention, import and export CSV, manage shared templates and categories, and transfer ownership again. The event is recorded in the Activity log as ownership_transferred.

Recovery If You Forget Your PIN

⚠ There is no server-side recovery. Your PIN is never stored — only a salted SHA-256 hash is kept for verification. Without the correct PIN, the AES-GCM encrypted data cannot be decrypted.

Before you are locked out

  1. If the owner is still logged in, open Settings → Change PIN and set a new PIN you will remember
  2. The owner can export credentials via Settings → Export to CSV as a backup

If you have already forgotten your PIN

The encrypted credentials cannot be recovered. This is intentional — it means nobody else can recover them either, including Atlassian and CowboyMSP. The owner can recreate the vault on a new page and re-enter the credentials from any backup.
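
Why a forgotten PIN cannot be worked around, and why Change PIN has to re-encrypt every entry, as an added example that is not the vault's own code: PBKDF2 at 200,000 iterations with a per-vault salt feeds an AES-GCM 256-bit key, as listed in the Security Summary. The PBKDF2 hash (SHA-256), the 16-byte salt, the 12-byte IV, the one-JSON-blob-per-entry layout and all function names are assumptions; the guide does not state them.

```javascript
// Web Crypto is global in browsers and Node 19+; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 200000; // from the Security Summary
const utf8 = new TextEncoder();

// PIN + per-vault salt -> non-extractable AES-GCM 256-bit key.
async function deriveKey(pin, salt) {
  const material = await webcrypto.subtle.importKey(
    'raw', utf8.encode(pin), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS }, // hash is assumed
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt every entry under a fresh salt; each blob gets its own random IV.
async function sealVault(pin, entries) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const key = await deriveKey(pin, salt);
  const blobs = [];
  for (const entry of entries) {
    const iv = webcrypto.getRandomValues(new Uint8Array(12));
    const ct = await webcrypto.subtle.encrypt(
      { name: 'AES-GCM', iv }, key, utf8.encode(JSON.stringify(entry)));
    blobs.push({ iv, ct: new Uint8Array(ct) });
  }
  return { salt, blobs }; // only this reaches storage: salt, IVs and ciphertext
}

// Decrypt every entry. A wrong PIN derives a different key, and AES-GCM's
// authentication tag then makes decrypt() reject instead of returning garbage.
async function openVault(pin, vault) {
  const key = await deriveKey(pin, vault.salt);
  const entries = [];
  for (const { iv, ct } of vault.blobs) {
    const plain = await webcrypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);
    entries.push(JSON.parse(new TextDecoder().decode(plain)));
  }
  return entries;
}

// Returns the entries, or null when the PIN is wrong or a blob was modified.
async function tryOpen(pin, vault) {
  try {
    return await openVault(pin, vault);
  } catch {
    return null;
  }
}

// Changing the PIN means decrypting with the old key and sealing again under a
// new salt and key. Nothing derived from the old PIN remains usable afterwards.
async function changePin(oldPin, newPin, vault) {
  return sealVault(newPin, await openVault(oldPin, vault));
}
```
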

Prevention

  • Store your vault PIN in your personal password manager (1Password, Bitwarden, LastPass)
  • Keep a printed or written copy in a secure physical location
  • Always heed the "write this down" warning on first setup and PIN changes
  • Owners should export to CSV periodically and store the file securely

Plans & Licensing

Capability | Free | Paid
Credential entries | Up to 3 | Unlimited
AES-GCM 256 encryption
Change PIN
MFA / TOTP generation
QR re-add to authenticator
Password generator
Have I Been Pwned breach check
Categories, tags, search, sort
Pin to top, duplicate, archive
Password history (last 5)
Templates (built-in / admin / personal)
Activity log (last 2,000 events)
Configurable auto-lock
Light / Auto / Dark theme
CSV import & export
Ownership & transfer
Price | Free | $2 / user / month
Trial | 30-day free trial

When you reach the 3-entry free-tier cap, the + Add button is disabled until a licence is active. Existing entries can still be viewed, copied, edited, and archived — only adding new entries is blocked.

No data loss when a trial ends: if you exceed 3 entries during a trial and the trial ends, your entries are preserved and remain viewable, editable, and deletable.

Keyboard Shortcuts

When the vault is unlocked and no modal is open:

Key | Action
/ | Focus the search input
N | Open the templates picker to add a new entry (disabled at free-tier limit)
Esc | Collapse all expanded entries

The toolbar also has a small ⌨ ? button that reveals this list inline.

Security Summary

Property | Detail
Encryption | AES-GCM 256-bit, client-side only
Key derivation | PBKDF2 · 200,000 iterations · per-vault random salt
PIN hash | Salted SHA-256. The PIN itself is never stored or transmitted
Minimum PIN | 8 characters for new vaults (4+ accepted on legacy unlocks)
TOTP generation | HMAC-SHA-1 / SHA-256 / SHA-512 via Web Crypto API, entirely in-browser
Breach checking | k-anonymity via Have I Been Pwned (5-char SHA-1 prefix only)
Storage | Encrypted blobs in Atlassian Forge KV Storage
External egress | Manifest allow-lists only api.pwnedpasswords.com
Auto-lock | Configurable 1–60 min idle, with a 60-second pre-lock warning
Activity log | PIN-gated read, capped at 2,000 events per vault
Concurrency | Optimistic version checks & stale-PIN-hash detection on save
Owner-only writes | PIN change, hard delete, import/export, retention, templates
URL protocol allow-list | javascript:, data:, vbscript:, file: are blocked
Data scope | Per Confluence page; shared among users with page access
Page-context safety | Vault operations hard-fail without a page context

Frequently Asked Questions

Can Atlassian read my credentials?

No. Credentials are encrypted in your browser using AES-GCM 256-bit before being sent to Forge storage. Only encrypted blobs reach Atlassian's servers. Without your PIN, the data cannot be decrypted — not by Atlassian, not by CowboyMSP.

What happens if I forget my PIN?

Your credentials cannot be recovered without the PIN. See Recovery. Always store your PIN in a personal password manager.

Can I change my PIN without losing data?

Yes. Open Settings → Change PIN. All entries are re-encrypted with the new PIN immediately. Owner only.

How does the breach check work?

Only the first 5 characters of a SHA-1 hash of your password are sent to the Have I Been Pwned API (k-anonymity). Your actual password and the full hash never leave your browser.

Can I use the vault on mobile?

Yes. The vault works in any modern browser, including Confluence's mobile browser experience.

Why does the MFA code sometimes show dashes?

The MFA secret stored for that entry is invalid or incorrectly formatted. Edit the entry and verify the secret is a valid base32 string with no spaces. You can also paste a full otpauth:// URI.

How do I give someone else access to the vault?

Give them the Confluence page URL and the vault PIN. They need Confluence page view access and the PIN to decrypt.

Can I have multiple vaults?

Yes — each Confluence page with the macro added has its own independent vault, PIN, entries, templates, and settings.

Is the CSV export encrypted?

No. The CSV is plain text for portability. Delete it after use. Every export is recorded in the Activity log.

What happens to deleted entries?

They go to the Archive (soft delete). The vault owner can permanently delete archived entries from there. Archived entries are also auto-deleted after the retention window you choose in Settings (default 90 days).

Can I recover an old password if I changed it?

Yes, if it is one of the last 5 passwords for that entry. Click the clock icon next to the password field in the expanded card to open Password history, then click Restore.

What's the difference between Categories and Tags?

Categories come from a fixed list managed by the vault owner. Tags are freeform per-entry labels typed by the user. Both are searchable.

How do I hand the vault over when someone leaves?

The current owner opens Settings → Transfer vault ownership and picks the new owner from the Confluence user search. The handover is immediate and audited.

Why is the Change PIN option greyed out for me?

You are a regular user, not the vault owner. PIN, auto-lock, archive retention, import, export, templates, and categories are owner-only. View, copy, add, edit, and archive remain available to everyone with the PIN.

Still have questions? Email us at [email protected] — we respond to all Marketplace app support requests.

Credential Vault for Confluence — built on Atlassian Forge by CowboyMSP
Support: [email protected] · Web: cowboymsp.com