
KeeCloud / Configuration

When possible, no configuration is required. In these cases the credentials can simply be entered into the username and password fields directly in the 'Open From URL' dialog box. However, some of the providers have more complicated authentication schemes. To handle this, a configuration wizard is provided to allow a set of simple credentials to be pulled from these systems.

Why is this even needed?


Typical authentication schemes simply require a username and password. The 'Open From URL' dialog takes a username and a password. For traditional authentication, this works well. This is very simple, but it requires putting your credentials into a third-party application.

Some providers have deemed this unacceptable. In order to safeguard access to the actual account credentials, they don't allow direct entry of them into third-party systems. Instead of using the master account credentials, they issue application-specific credentials that the application will use for every subsequent request. Typically the user can go into a management interface and see which third-party applications have access, and even revoke application access if they want.

A scheme such as this is called OAuth. This gives the user lots of control over their account security, but requires some additional steps to get an application (like KeeCloud) integrated to a specific account. The additional configuration is needed in systems that use OAuth rather than traditional authentication.


To use the wizard, select the 'URL Credential Wizard' from the tools menu in KeePass. You can do this with or without a database file open; however, if you have a database open you can conveniently save the resulting credentials directly into KeePass for safekeeping when you are finished. This also has the advantage of allowing the alternate credential entry method for syncing the database files.

  1. Start by simply selecting the service that you want to configure. If the service isn't listed here, it doesn't need to use this wizard.
  2. When you have entered the URL and clicked next, you will be taken to a waiting screen with a next button. A browser window will also open. Don't click on the next button in the app until you have authenticated KeeCloud with your account in the web browser.
  3. When you have fully authenticated KeeCloud to your account, you can then click on the next button. You will be taken to a screen that shows the username and password that you are to use when accessing that service. You can elect to save it to your KeePass DB if one is open.

Important points

  • The username and password that you are given will not be your main account credentials. This is normal.
  • You don't need to go through this wizard for every client. Once you do this for a service you can use the same, or even different, URLs with the same credentials across multiple clients.

Account Security

KeeCloud is an open source client application. This means that integration to these third party providers happens from your machine directly to them. There is no intermediate server acting as proxy. This has a few implications.

KeeCloud usually uses an API key provided by the service to obtain these application-specific credentials. Since this is an open source app, that API key could be used by other applications. Little can be done to prevent this: KeeCloud is a client-side application written in a language that is easily disassembled. This doesn't mean that your data can be stolen, however, since credentials are only granted to a holder of the KeeCloud API keys if you log into your account and allow it.

This mainly means that you should be certain that the authentication browser window that you are using to grant access was actually opened by KeeCloud. In practice this is very easy. When you are using the credential wizard from within KeeCloud, you can reasonably safely conclude that the browser window opened right after selecting your service (for the selected service) is legitimate. Beyond that, deny access.

Even if the KeeCloud credentials are gleaned from the app, the credentials that are granted to you are required to access any of your data. The only real risk is others impersonating KeeCloud and asking you to grant access under the KeeCloud name. Don't grant access unless you just used the wizard.

In many ways your account is far more secure. Nobody other than machines you control, with source code that you can review, can ever access your account. The credentials that are provided to you are only on your machine and are never transmitted anywhere. If they are stored for you, it is in your own KeePass database. Again, the only real risk is others impersonating KeeCloud.