Skip to main content
When a user connects to a source, Deck needs their credentials to authenticate. How those credentials are handled after authentication depends on your integration. You have two options: store credentials in Deck Vault for automatic reuse, or terminate the connection to permanently delete them.

Deck Vault

By default, Deck encrypts and stores credentials in Deck Vault. Credentials never leave the vault except to authenticate a session, and each set is scoped to a single connection. They are never shared across users, organizations, or sources. Deck Vault is encrypted at rest and in transit. With credentials stored, you get:
  • Automatic re-authentication. Expired sessions recover without user involvement.
  • Persistent connections. Users link their account once and it works until they revoke access.
  • Zero-friction task runs. Scheduled and on-demand tasks authenticate silently.

Removing credentials

To permanently delete credentials from Deck Vault, terminate the connection: 
POST /v2/connections/{connection_id}/disconnect
This permanently and irreversibly removes the credentials from Deck Vault. The connection object and its task runs remain queryable, but no new tasks can be executed against it. If the user needs to reconnect, create a new connection.

Choosing an approach

The right choice depends on how your users interact with connected sources and how sensitive the credentials are.
Deck Vault (default)Terminate after use
User experienceLink once, use indefinitelyRe-enter credentials each session
Session recoveryAutomatic re-authenticationRequires a new connection
Operational overheadLow. Deck manages the session lifecycle.Higher. Your app handles re-linking flows.
Best forRecurring tasks, long-lived integrationsOne-time operations, high-sensitivity credentials

Common patterns

Recurring tasks with Deck Vault

Most integrations store credentials and run tasks on a schedule. A user links their hotel loyalty account once, and your application fetches reservations daily without further input. If the session expires between runs, Deck re-authenticates using credentials stored in Deck Vault. The user never notices.

One-time extraction with immediate termination

Some use cases only need a single extraction, like importing a year of transaction history. After the task run completes, terminate the connection to remove credentials from Deck Vault: 
POST /v2/connections/{connection_id}/disconnect
Task run output and stored files remain available. Only the credentials are removed.