Axiom can automate websites behind a login in several different ways.
# Strong Recommendation - create restricted account(s) for axiom.
Our recommendation is to create a new, restricted login for axiom automations, with only the permissions required to run an automation.
For example, if an axiom bot is only reading data for creating a report, create an account with read-only permissions.
# Passing sessions at runtime
By default, axiom will pass session information from your local machine into the cloud (or desktop app).
# Keeping sessions on the local PC
If security is a concern, we first recommend using our Desktop-app which processes all data on your local machine.
Secondly, we recommend using an isolated Chrome profile.
- Create a new Chrome Profile. You can do that from this menu:
- Within this profile, install the axiom extension. You can use the same axiom login as before.
- Do not log in to any websites - your sessions from your main profile will now be isolated.
# Storing login details
Although it's possible to store passwords directly within axiom automations, we do not recommend this.
# Recommended, Secure Approach
Storing logins (or sessions) securely requires setting up password manager infrastructure and processes to manage access. If your organisation does not have this, we suggest a workaround below.
https://www.vaultproject.io/ is one such solution.
The access key must be stored in axiom. Although this carries similar security risks to passwords, a key can be quickly invalidated or programmatically set to expire.
One workaround, if you do not have a dedicated password manager, is to store credentials within Google Sheets.
Axiom accesses sheets using its Google Authentication permission, then retrieves the data at runtime.
This carries similar advantages (and disadvantages) to a dedicated password manager. Axiom stores an access token for your Google Drive account, but this access token can be revoked at any time.
# Automating Google Accounts
When using Google accounts with axiom automations, we recommend:
- Creating a dedicated Google account with restricted permissions, just for axiom.
- Creating a Google account using a VPN set to be in the USA. This reduces security blocks on an account, if it is accessed from multiple regions in a short time.
You may still see security warnings from Google if this occurs. If you see access from a United States IP (Amazon Web Services), at a time when your bot ran, this will be axiom.
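One way to check that statement against your own records, as an added example (not axiom's code): a sign-in counts as the bot's only if its source IP falls in a US AWS range and its time falls inside a bot run. The prefixes, run windows and sign-in events are constructed samples; the prefix list follows the shape of AWS's published ip-ranges.json.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample shaped like the "prefixes" list in AWS's ip-ranges.json.
# RFC 5737 documentation CIDRs stand in for real AWS ranges.
AWS_PREFIXES = [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
]

# Constructed bot run windows (start, end) in UTC, e.g. from your run history.
BOT_RUNS = [(datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 9, 12))]

# Constructed Google sign-in alerts: (timestamp in UTC, source IP).
LOGIN_EVENTS = [
    (datetime(2024, 5, 1, 9, 3), "203.0.113.40"),    # US AWS, during a run
    (datetime(2024, 5, 1, 14, 30), "203.0.113.41"),  # US AWS, no run active
    (datetime(2024, 5, 1, 9, 5), "198.51.100.7"),    # AWS, but not a US region
    (datetime(2024, 5, 1, 9, 6), "192.0.2.10"),      # not in any AWS prefix
]

SLACK = timedelta(minutes=2)  # tolerance for clock skew between the two logs


def aws_us_region(ip, prefixes=AWS_PREFIXES):
    """Return the AWS region if ip is inside a US-region prefix, else None."""
    addr = ipaddress.ip_address(ip)
    for p in prefixes:
        if p["region"].startswith("us-") and addr in ipaddress.ip_network(p["ip_prefix"]):
            return p["region"]
    return None


def during_run(ts, runs=BOT_RUNS, slack=SLACK):
    """True if ts falls inside any bot run window, widened by slack."""
    return any(start - slack <= ts <= end + slack for start, end in runs)


def triage(events=LOGIN_EVENTS):
    """Mark a sign-in 'expected' only when both conditions hold, else 'investigate'."""
    results = []
    for ts, ip in events:
        ok = aws_us_region(ip) is not None and during_run(ts)
        results.append((ts.isoformat(), ip, "expected" if ok else "investigate"))
    return results


if __name__ == "__main__":
    for row in triage():
        print(*row)
```

An AWS address on its own does not identify the bot, since many unrelated services share those ranges; the overlap with a run window is what ties the sign-in to your automation.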
If you consent to axiom using your Google account for its automation:
# 2-Factor Authentication (2FA)
If 2-factor authentication is required, axiom bots must be supervised by a human at the start of execution.
Use the 'Enter password' step to input the 2FA token.
If you would like axiom to run automations unsupervised (e.g. via Zapier), there is currently no choice but to disable 2FA for the account you want to automate.
Please note - you do so at your own risk. Unfortunately, increasing convenience often reduces security.
If you choose to do this, we strongly recommend using an account with restricted permissions, set up just for axiom.