Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Configuring credentials stored using DPAPI

Updated on October 19, 2022

Credentials are needed to authenticate with Pega Robot Manager, Windows, and applications throughout unattended Pega Robotic Automation sessions. The default, built-in credential provider for unattended Pega Robotic Automation sessions is Microsoft's DPAPI (Data Protection Application Programming Interface).

DPAPI is a cryptographic application programming interface that is available as a built-in component in Microsoft Windows. By default, Pega Robotic Automation uses DPAPI to securely store credentials for unattended automations.Note: For attended automations, the automation user supplies the credentials, in accordance with your organization’s security procedures.

DPAPI keeps all credentials on the local system in a storage vault that is created by the robotic automation component that you are using. For instance, the ASO Manager has a vault for that is accessible only by the logged in user. The Credential Store component has a separate vault that also is only accessible to the logged in user. If multiple users work on a computer, each user will have a vault. This means that when you need to update credentials, you must log in to each unattended Robot Runtime system and update the credentials for each user. Note: DPAPI encrypts data by using a key that is created using industry-standard encryption algorithms.

For nearly all cryptosystems, one of the challenges is managing the keys — for example, how to store the decryption key. If you store the key in plain text, then any user who can access the key can access the encrypted data. If you encrypt the key, then you need another key, and on and on.

DPAPI allows you to encrypt keys using a symmetric key that is derived from the user's login secrets, or in the case of system encryption, by using the system's domain authentication secrets.

The DPAPI keys used for encrypting the user's RSA keys are stored in the following folder, where {SID} is the Security Identifier of the user:


Windows stores the DPAPI key in the same file as the master key that protects the users’ private keys. The DPAPI key typically contains 64 bytes of random data.

The following diagram shows the tasks you must perform to use DPAPI to authenticate credentials:

Using DPAPI to authenticate credentials
The tasks you perform to use DPAPI to authenticate credentials.

For more information, see the following articles:

  • Previous topic Integrating credential providers in your automation
  • Next topic Enabling the credential store to use DPAPI

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us