Client Credential Sharing

How to Share Credentials with a Client Securely and Professionally

Agencies, consultants, MSPs, developers and IT providers frequently need to exchange credentials with clients. A professional handover should not place administrator passwords, API tokens or recovery codes directly in email threads that may include many participants.

Encrypted secret sharing gives the client a simple delivery experience while reducing plaintext exposure. It also helps service providers establish a repeatable onboarding and offboarding process.

Deliver client credentials through a protected link

Create an encrypted handover, verify the recipient and share the passkey through a separate channel.

Create a Secure Secret

Credentials commonly exchanged with clients

  • Website and content-management administrator accounts.
  • Hosting, DNS and domain registrar credentials.
  • Cloud-console, analytics and advertising access.
  • API keys, webhook secrets and integration tokens.
  • VPN, remote-support and temporary service accounts.
  • Recovery codes and emergency access information.

A client handover should be a controlled process

Credential transfer is not just a message; it is a change of responsibility. Define who owns the account, which individual is authorized to receive access, where the credential will be stored and whether your team should retain access afterward.

For shared services, prefer inviting named client users rather than handing over a generic administrator password. When a password must be transferred, create a unique value and require the client to change it after first login.

Professional step-by-step credential delivery

  1. Confirm the authorized client contact using known details.
  2. Prepare an inventory of accounts being transferred.
  3. Remove obsolete users and reduce unnecessary privileges.
  4. Rotate any credential previously shared inside your team.
  5. Create one encrypted secret per logical account or handover package.
  6. Send links through the project channel and passkeys separately.
  7. Ask the client to store credentials in an approved vault.
  8. Document acceptance and remove your access when the contract requires it.

Why one huge credential document is risky

A spreadsheet containing every password creates a single high-impact target. It is likely to be downloaded, duplicated and retained indefinitely. If one recipient only needs access to one system, the document violates least privilege.

Separate secrets by system, recipient or sensitivity. This allows shorter expiration, targeted rotation and cleaner evidence of what was delivered.

Security architecture behind the handover

AES-256-GCM encrypts and authenticates the secret. PBKDF2-HMAC-SHA-256 derives the encryption key from a strong passkey and random salt. The recipient enters the passkey in the browser and the readable value is decrypted locally.

The encrypted link and passkey should travel through different channels. This is especially important when the client mailbox itself is being configured or recovered.

Client offboarding and project closure

At project completion, review every account created for the provider. Remove personal users who no longer need access, rotate shared credentials, revoke API tokens and transfer ownership of domains, cloud resources and billing accounts.

A secure handover protects the transfer moment; good offboarding ensures the access model remains correct afterward. Include this process in contracts, project checklists and managed-service procedures.

Frequently Asked Questions

What is the best way to send a password to a client?

Use an encrypted expiring link, verify the authorized recipient, send the passkey separately and require rotation after first login where possible.

Should agencies keep copies of client passwords?

Only when contractually required and operationally necessary. Retained credentials should be stored in an approved vault with controlled access.

Can I send all client credentials in one spreadsheet?

Avoid it. A single file concentrates risk and often grants more information than each recipient requires.

How should a client confirm receipt?

Ask for confirmation that access worked without asking the client to repeat the secret in email or chat.

What should happen when the engagement ends?

Remove provider accounts, rotate shared credentials, revoke tokens, transfer ownership and document completion of the offboarding process.

Use Secure Secret Share

Protect passwords, files and confidential text with encrypted links, a separate passkey and browser-side decryption.

Start Secure Sharing

Related Secure Sharing Guides

Content reviewed on 14 July 2026. Security requirements should be adapted to your organization’s risk, policy and regulatory obligations.