Managing Credentials

How credentials work in Finalizo

The credentials section of a handover pack is where you store and transfer all logins your client needs to take ownership of their project: CMS admin, hosting control panel, domain registrar, analytics, email, and any third-party tools connected to the site.

Finalizo encrypts credential passwords at rest. Client-facing packs show the credential label, login URL, username, and notes, while the password stays masked until the client deliberately reveals it. If you add a pack password, the client must unlock the pack before any credential details are available.

Adding credentials to a pack

Inside your pack, navigate to the Credentials section. Click Add credential to add a new row. For each entry you can record:

• Platform — the name of the tool or service (e.g. "Webflow", "Cloudflare", "Google Analytics")
• URL — the login page or admin URL
• Username / email — the login identifier
• Password — the current password for the account
• Notes — optional context, such as "Two-factor authentication is enabled on this account — client must use the backup codes in the folder shared via Google Drive"

You can add as many credential rows as needed. Most web projects have between five and twelve.

Password best practice

Before adding credentials to a handover pack, we recommend:

1. Change all passwords to fresh ones — do not hand over your own working passwords. Create account-specific passwords for the client transfer.
2. Remove yourself from shared accounts — remove your email from admin roles and transfer ownership properly where the platform supports it (Google Analytics, for instance, allows ownership transfer directly).
3. Document two-factor authentication — if an account has 2FA enabled, include instructions for how the client can access or reset it.

When credentials are revealed

Credential passwords are not sent in email and are not returned by the public API. On the client handover page, each stored password has a Reveal control. When the client reveals a password, Finalizo rate-limits the request, decrypts the value for that response, shows it temporarily in the browser, and writes a credential access log with client access metadata.

Use this together with the sign-off flow: the pack gives the client the access they need, and the sign-off records that they received and reviewed the handover. If you need a stricter process, password-protect the pack and send that password through a separate channel.

Updating credentials after sending

If you send a pack and then discover a password needs updating, you can:

1. Go to Projects → [Project Name] → Pack
2. Click Edit pack
3. Update the credential row
4. Click Resend to notify the client that the pack has been updated

If the client has already signed, updating a credential does not require them to re-sign — only structural changes to the pack (scope, support terms) trigger a re-sign requirement.

Removing credentials from your records

Once a project is marked complete and the sign-off certificate has been issued, you should remove your own copies of client credentials from any personal password managers or notes. Finalizo stores the credential record as part of the project archive, but you should not maintain a live copy once ownership has transferred.

To help with this, include a delivered item or internal note in your own workflow confirming that credentials were removed from personal password managers after transfer.

Security and encryption

All credentials stored in Finalizo are encrypted at rest using AES-256 encryption. Access is restricted to authenticated users and is tied to the specific project. Finalizo staff cannot access the plaintext content of your credential fields.

For questions about our security practices, see the Security Policy or email security@finalizo.com.