> ## Documentation Index
> Fetch the complete documentation index at: https://docs.deck.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Credential management

> How Deck Vault stores, reuses, and deletes user credentials.

When you [store a credential](/concepts/credentials), Deck encrypts it in Deck Vault. How credentials are managed after storage depends on your integration.

You have two options: keep credentials in Deck Vault for automatic reuse, or delete the credential to permanently remove them.

## Deck Vault

By default, Deck encrypts and stores credentials in Deck Vault. Credentials never leave the vault except to authenticate a session, and each set is scoped to a single credential. They are never shared across users, organizations, or sources.

Deck Vault is encrypted at rest and in transit. With credentials stored, you get:

* **Automatic re-authentication.** Expired sessions recover without user involvement.
* **Persistent credentials.** Users link their account once and it works until they revoke access.
* **Zero-friction task runs.** Scheduled and on-demand tasks authenticate silently.

## Removing credentials

To permanently delete credentials from Deck Vault, [delete the credential](/concepts/credentials):

```text theme={null}
DELETE /v2/credentials/{credential_id}
```

This permanently and irreversibly removes the credentials from Deck Vault. The credential transitions to `deleted` status. The credential object and its task runs remain queryable, but no new tasks can use it. If the user needs access again, create a new credential.

## Choosing an approach

The right choice depends on how your users interact with connected sources and how sensitive the credentials are.

|                          | Deck Vault (default)                     | Terminate after use                               |
| ------------------------ | ---------------------------------------- | ------------------------------------------------- |
| **User experience**      | Store once, use indefinitely             | Re-enter credentials each time                    |
| **Session recovery**     | Automatic re-authentication              | Requires a new credential                         |
| **Operational overhead** | Low. Deck manages authentication.        | Higher. Your app handles re-linking flows.        |
| **Best for**             | Recurring tasks, long-lived integrations | One-time operations, high-sensitivity credentials |

## Common patterns

### Recurring tasks with Deck Vault

Most integrations store credentials and run tasks on a schedule. A user links their hotel loyalty account once, and your application fetches reservations daily without further input.

If the session expires between runs, Deck re-authenticates using credentials stored in Deck Vault. The user never notices.

### One-time extraction with immediate termination

Some use cases only need a single extraction, like importing a year of transaction history. After the task run completes, delete the credential to remove it from Deck Vault:

```text theme={null}
DELETE /v2/credentials/{credential_id}
```

Task run output and stored files remain available. Only the credentials are removed.