Agencies, consultants, MSPs, developers and IT providers frequently need to exchange credentials with clients. A professional handover should not place administrator passwords, API tokens or recovery codes directly in email threads that may include many participants.
Encrypted secret sharing gives the client a simple delivery experience while reducing plaintext exposure. It also helps service providers establish a repeatable onboarding and offboarding process.
Create an encrypted handover, verify the recipient and share the passkey through a separate channel.
Create a Secure SecretCredential transfer is not just a message; it is a change of responsibility. Define who owns the account, which individual is authorized to receive access, where the credential will be stored and whether your team should retain access afterward.
For shared services, prefer inviting named client users rather than handing over a generic administrator password. When a password must be transferred, create a unique value and require the client to change it after first login.
A spreadsheet containing every password creates a single high-impact target. It is likely to be downloaded, duplicated and retained indefinitely. If one recipient only needs access to one system, the document violates least privilege.
Separate secrets by system, recipient or sensitivity. This allows shorter expiration, targeted rotation and cleaner evidence of what was delivered.
AES-256-GCM encrypts and authenticates the secret. PBKDF2-HMAC-SHA-256 derives the encryption key from a strong passkey and random salt. The recipient enters the passkey in the browser and the readable value is decrypted locally.
The encrypted link and passkey should travel through different channels. This is especially important when the client mailbox itself is being configured or recovered.
At project completion, review every account created for the provider. Remove personal users who no longer need access, rotate shared credentials, revoke API tokens and transfer ownership of domains, cloud resources and billing accounts.
A secure handover protects the transfer moment; good offboarding ensures the access model remains correct afterward. Include this process in contracts, project checklists and managed-service procedures.
Use an encrypted expiring link, verify the authorized recipient, send the passkey separately and require rotation after first login where possible.
Only when contractually required and operationally necessary. Retained credentials should be stored in an approved vault with controlled access.
Avoid it. A single file concentrates risk and often grants more information than each recipient requires.
Ask for confirmation that access worked without asking the client to repeat the secret in email or chat.
Remove provider accounts, rotate shared credentials, revoke tokens, transfer ownership and document completion of the offboarding process.
Protect passwords, files and confidential text with encrypted links, a separate passkey and browser-side decryption.
Start Secure SharingContent reviewed on 14 July 2026. Security requirements should be adapted to your organization’s risk, policy and regulatory obligations.