orchestrator
latest
false
UiPath logo, featuring letters U and I in white

Orchestrator user guide

Last updated Oct 2, 2025

Managing credential proxies

You can create and manage proxies for your own custom credential stores, allowing you to individually control the safety of your credentials.

Proxy types

You can choose between these two types:

  • Connected proxy (Managed by Orchestrator) - when a robot requests credentials, Orchestrator retrieves them from the proxy and passes them on to the robot.
    Figure 1. Connected proxy architecture

  • Disconnected proxy (Managed by the proxy service) - when a robot requests credentials, they are retrieved directly from the proxy, without having to go through Orchestrator. This type is only compatible with Robots version 23.10+.
    Figure 2. Disconnected proxy architecture Graphical representation of the disconnected proxy architecture
    Important:
    • Enterprise The disconnected credentials proxy is only available if you are on the Enterprise - Advanced licensing plan.
    • If you want to retrieve disconnected proxy credentials, you need to use the following minimum versions: 2.0.1 for the proxy, and 24.3 for the System Activities pack.

Disconnected setup

The Orchestrator credentials proxy in the disconnected flavor works in a similar way to the connected setup, with a few key differences.

Specify in the appsettings.json file that the proxy should start in it’s disconnected mode. To do this under AppSettings set the parameter CredentialsProxyType with the value Disconnected.
This will tell the proxy to do things a bit differently at startup and to read it’s secure store configuration from the appsettings.json file. If the parameter is missing or the value is different they the proxy will start in it’s connected mode.
Specify in the appsettings.json file that the proxy should start in its disconnected mode. To do this, under AppSettings, set the CredentialsProxyType parameter with the Disconnected value. 
{
...
  "AppSettings": {
  ...
    "CredentialsProxyType": "Disconnected",
  ...
  }
}{
...
  "AppSettings": {
  ...
    "CredentialsProxyType": "Disconnected",
  ...
  }
}
This will tell the proxy to do things a bit differently at startup and to read its secure store configuration from the appsettings.json file. If the parameter is missing or the value is different, the proxy will start in its connected mode.

Secure store configurations

Each configuration entry must contain:

  • Key: unique identifier used in Orchestrator when linking stores. This must be unique in the list of configurations

  • Type: the type of secure store (such as Azure Key Vault, BeyondTrust, CyberArk, HashiCorp Vault, InMemory, and others).

  • Context: the data needed by the Secure Store implementation, which varies depending on the store type.

Check the following secure store configuration example:
{
...
  "AppSettings": {
  ...
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "{someUri}",
          "DirectoryId": "{someDirectoryId}",
          "ClientId": "{someClientId}",
          "ClientSecret": "{someClientSecret}"
        }
      },
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "{someHost}",
          "APIRegistrationKey": "{someApiKey}",
          "APIRunAsUsername": "{someApiUsername}",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  ...
  }
}{
...
  "AppSettings": {
  ...
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "{someUri}",
          "DirectoryId": "{someDirectoryId}",
          "ClientId": "{someClientId}",
          "ClientSecret": "{someClientSecret}"
        }
      },
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "{someHost}",
          "APIRegistrationKey": "{someApiKey}",
          "APIRunAsUsername": "{someApiUsername}",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  ...
  }
}
Note:
The SecureStoreConfigurations parameter is an array of configurations so you can have as many configurations as you want.
Multiple configurations of the same type are supported, as long as the Key values are unique.

Startup validation

When running in disconnected mode, the proxy performs validation at startup:

  • Validates that required configurations exist in appsettings.json.
  • Verifies that no duplicate keys are found in SecureStoreConfigurations.
  • Confirms that all Type values are valid.
  • Validates vault connectivity (calls ValidateContextAsync for each store).

Proxy level settings

Some secure credential stores require host-level configuration that need to be specified in appsettings.Production.json:
  • CyberArk: settings like CLIPasswordSDKExePath, UsePowerShellCLI, and AdditionalAllowedCharacters must be defined under AppSettings.
    {
// ...
  "AppSettings": {
    "Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath": "D:\\SomePath\\CLIPasswordSDK.exe",
    // ...
  }
  // ...
}{
// ...
  "AppSettings": {
    "Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath": "D:\\SomePath\\CLIPasswordSDK.exe",
    // ...
  }
  // ...
}
  • CyberArkCCP: may require Plugins.SecureStores.CyberArkCCP.KeyStorageFlags = "MachineKeySet".
    {
// ...
  "AppSettings": {
    "Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
    // ...
  }
  // ...
}{
// ...
  "AppSettings": {
    "Plugins.SecureStores.CyberArkCCP.KeyStorageFlags": "MachineKeySet",
    // ...
  }
  // ...
}

Configuration test examples

Check the following practical appsettings.Production.json examples.

Example 1: basic

Configuration with BeyondTrust and Azure Key Vault:

{
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "CredentialsProxyType": "Disconnected",
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname",
          "APIRegistrationKey": "<APIRegistrationKey",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      }
    ]
  }
}{
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "CredentialsProxyType": "Disconnected",
    "SecureStoreConfigurations": [
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname",
          "APIRegistrationKey": "<APIRegistrationKey",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      }
    ]
  }
}

Example 2: extra logs and multiple configurations

Includes multiple vaults and advanced logging.

{
  "Logging": {
    "LogLevel": {
      "Default": "Trace",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information",
      "Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware": "Information"
    }
  },
  "Jwt": {
    "Keys": [ "<YourKey>" ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "false", // for Testing only; never to be shown to clients or used in prod
    "SecureStoreConfigurations": [
      // AzureKeyVault owned by <username>; contact for more info
      // Robot externalName: "<name>"
      // The expected value of this secret is "<name>"
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "<VaultURL>",
          "DirectoryId": "<DirectoryID>",
          "ClientId": "<ClientID>",
          "ClientSecret": "<ClientSecret>"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      },
      {
        // asset external name: Operating System-WinDomain
        // password: <password>
        "Key": "SecureStoreKey1",
        "Type": "CyberArk Conjur Cloud (read only)",
        "Context": {
          "ServiceUrl": "<ServiceURL>",
          "LoginName": "<LoginName>",
          "ApiKey": "<APIKey>",
          "VariableIdPrefix": "data/vault/Safe"
        }
      },
      // Must have an empty context
      // No values on startup; should add values using the endpoints before trying trying to get anything
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  }
}{
  "Logging": {
    "LogLevel": {
      "Default": "Trace",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information",
      "Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware": "Information"
    }
  },
  "Jwt": {
    "Keys": [ "<YourKey>" ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "false", // for Testing only; never to be shown to clients or used in prod
    "SecureStoreConfigurations": [
      // AzureKeyVault owned by <username>; contact for more info
      // Robot externalName: "<name>"
      // The expected value of this secret is "<name>"
      {
        "Key": "SecureStoreKey1",
        "Type": "AzureKeyVault (read only)",
        "Context": {
          "KeyVaultUri": "<VaultURL>",
          "DirectoryId": "<DirectoryID>",
          "ClientId": "<ClientID>",
          "ClientSecret": "<ClientSecret>"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey2",
        "Type": "BeyondTrust Password Safe - Managed Accounts",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "DefaultManagedSystemName": "",
          "SystemAccountDelimiter": "/",
          "ManagedAccountType": "system"
        }
      },
      // In case this fails, check our internal documentation on checking if BeyondTrust is down
      // <InternalDocsURL>
      // Robot externalName: "<ExternalName>"
      {
        "Key": "SecureStoreKey3",
        "Type": "BeyondTrust Password Safe - Team Passwords",
        "Context": {
          "Hostname": "<Hostname>",
          "APIRegistrationKey": "<APIRegistrationKey>",
          "APIRunAsUsername": "<Username>",
          "FolderPathPrefix": "/", // default is "/", but it can be changed to anything
          "FolderPasswordDelimiter": "/" // default is "/", but it can be changed to anything
        }
      },
      {
        // asset external name: Operating System-WinDomain
        // password: <password>
        "Key": "SecureStoreKey1",
        "Type": "CyberArk Conjur Cloud (read only)",
        "Context": {
          "ServiceUrl": "<ServiceURL>",
          "LoginName": "<LoginName>",
          "ApiKey": "<APIKey>",
          "VariableIdPrefix": "data/vault/Safe"
        }
      },
      // Must have an empty context
      // No values on startup; should add values using the endpoints before trying trying to get anything
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {
        }
      }
    ]
  }
}

Example 3: custom log path and InMemoryStore

{
  "NLog": {
    "throwConfigExceptions": true,
    "targets": {
      "logfile": {
        "type": "File",
        "maxArchiveFiles": 180,
        "fileName": "<FileName>",
        "layout": "${longdate} ${logger} ${message}${onexception:${newline}${exception:maxInnerExceptionLevel=10:format=shortType,message,stacktrace:separator=*:innerExceptionSeparator=&#xD;&#xA;&#x9;}}"
      }
    },
    "rules": [
      {
        "logger": "*",
        "minLevel": "Information",
        "writeTo": "logconsole,logfile,eventLog"
      }
    ]
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.CyberArkConjur.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "true",
    "SecureStoreConfigurations": [
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {}
      }
    ]
  }
}{
  "NLog": {
    "throwConfigExceptions": true,
    "targets": {
      "logfile": {
        "type": "File",
        "maxArchiveFiles": 180,
        "fileName": "<FileName>",
        "layout": "${longdate} ${logger} ${message}${onexception:${newline}${exception:maxInnerExceptionLevel=10:format=shortType,message,stacktrace:separator=*:innerExceptionSeparator=&#xD;&#xA;&#x9;}}"
      }
    },
    "rules": [
      {
        "logger": "*",
        "minLevel": "Information",
        "writeTo": "logconsole,logfile,eventLog"
      }
    ]
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "Jwt": {
    "Keys": [
      "<YourKey>"
    ]
  },
  "AppSettings": {
    "Plugins.SecureStores": "UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.CyberArkConjur.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.ThycoticSecretServer.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll",
    "UseInMemorySecureStore": "true",
    "CredentialsProxyType": "Disconnected",
    "SkipValidateSecureStoreConfigurations": "true",
    "SecureStoreConfigurations": [
      {
        "Key": "InMemoryKey1",
        "Type": "InMemorySecureStore",
        "Context": {}
      }
    ]
  }
}

Creating a credentials proxy

Once you have installed the Orchestrator Credentials Proxy, you can create a custom proxy, which holds your custom credential stores.

Figure 3. Add Credentials Proxy page Screenshot of the Add Credentials Proxy page
To do that, follow the steps below:
  1. At the tenant level, click Credentials > Proxies > Add Credentials Proxy. The Add Credentials Proxy window is displayed.
  2. Choose either Connected proxy (Managed by Orchestrator) or Disconnected proxy (Managed by the proxy service).
  3. Add a name for your proxy.
  4. Add the URL pertaining to the virtual machine included in the Orchestrator Credentials Proxy setup.
  5. Add the key.

    For the connected proxy, depending on the installation method, this is either the secret key generated by the .msi installer, or the one held by the Jwt:Keys parameter.

    For the disconnected proxy, this must be a key that already exists in one of the disconnected proxy's local configuration files.

    The information you provide at steps 4 and 5 create the link between Orchestrator and the installation which contains your custom credential store plugins.

  6. Click Create.

    You can then add the desired store as follows:

  7. At the tenant level, click Credentials > Stores > Add credential store.
  8. From the Proxy list, select the proxy that you have just created.
  9. From the Type list, select the third party credential store defined by your plugin.

Editing a credentials proxy

To edit a proxy, click More Actions > Edit. The Edit Credentials Proxy page is displayed, allowing you to change the name, URL, or key as needed.

Deleting a credentials proxy

To delete a proxy, select More Actions > Remove. If the selected proxy is in use, a warning dialog is displayed, listing the number of robots and assets that will be affected. Select Yes to confirm the removal or No to abort.

Figure 4. Proxies tab

Was this page helpful?

Support and Services
Get The Help You Need
UiPath Academy
Learning RPA - Automation Courses
UiPath Forum
UiPath Community Forum
Uipath Logo
Trust and Security
Terms of Use
Privacy Policy
Cookies Policy
© 2005-2025 UiPath. All rights reserved.