Credential Templates
Define shared credential identities for a property and map environment-specific credentials so the same workflows can run across staging, production, sandboxes, and local environments.
A persona is a shared test-user identity for an application — a role like Admin user, Buyer account, or Support agent — rather than one environment-specific login. You map the persona to a real credential in each environment, then reference the persona in your flows. The same flow runs in staging, production, sandboxes, and local without editing its login steps.
Personas were previously called credential templates; the CLI keeps
canary credential-templateas an alias.
01When to use a persona
Reach for a persona when a flow needs the same kind of account in multiple environments but the actual logins differ. Instead of selecting a different credential per environment, you create one persona and map each environment to its credential. Personas are useful to:
- Run one flow across staging, production, sandbox, and local
- Standardize shared test-user identities for an application
- Cut maintenance when a credential changes in a single environment
- Avoid duplicating flows just to swap accounts
02How it fits together
| Piece | What it is |
|---|---|
| Persona | The shared identity your flows reference |
| Environment mapping | The link between the persona and a saved credential for one environment |
| Credential | The actual environment-specific login used to authenticate |
A persona has one mapping per environment. At run time, when a login step (or scenario) resolves to a persona, Cofactor looks up the mapping for the selected environment and uses the linked credential. A scenario can also supply a credential directly, in which case no mapping lookup happens.
If the selected environment has no mapping, Cofactor can't resolve the persona and surfaces an actionable message — add the mapping, then rerun.
03Create and map a persona
- Open your application's Test Users tab and click New persona.
- Name it by role, not environment (
QA Admin,Standard Buyer), and add any context your team needs. - Save, then add a mapping per environment: choose the environment and the saved credential for it. Repeat for each environment you want to support.
Editing a mapping points the persona at a different credential; removing one stops flows from resolving the persona in that environment until you replace it.
04Use a persona in a flow
Select the persona in a Login node instead of a single credential. At run time Cofactor resolves it against the run environment and uses the mapped credential — so one login step works everywhere the persona is mapped. Sandbox targets resolve personas against the sandbox environment the same way.
05Best practices
- Name by role or purpose, never by environment.
- Add a mapping for every environment a flow is expected to run in.
- Reuse personas across flows to keep credential management in one place.
- Review mappings whenever you rotate credentials, add an environment, or switch a flow between live and sandbox targets.
- After rotating a credential's secret, re-verify the affected login steps — changing a secret clears the verified-login indicator.