Source Credentials Leading Practices

A system may offer secured content, meaning that you have to give the credentials (such as username and password) of an account in this system to gain access to some or all of its content.

You can create a source for a system with secured content, but you must then provide credentials to the source (typically in the Authentication source configuration section) so that your Coveo organization can gain access to the secured content in the system to include it in the source.

Consider the following source credentials leading practices:

  • Provide an account used only by your Coveo source.

    Avoid using an administrator account that probably carries more permissions (sometimes called rights, roles, privileges, etc) than needed, or your employee account that may lose needed permissions if you change job or leave the organization.

  • The account password shouldn’t be forced to change regularly or expire automatically.

    Otherwise, you’ll need to also change the source Password value each time the password changes to prevent source Refresh/Rescan/Rebuild authentication errors.

  • In the system, grant appropriate permissions to the account.

    The account must allow your Coveo organization to see or view the content to include and to continuously maintain it searchable. Some connectors require specific credentials in their source configuration (see Connector Types).


    A given source may need permissions to make calls to a particular system API to allow the Refresh process to catch deleted items.

  • The account should give access to all the secured content that you want to make searchable.

    However, when selecting the Everyone or Specific users and groups source content security option, ensure to provide an account with appropriate permissions to avoid disclosing sensitive content.


    You have an Intranet to which employees must log in to access its content. Most of this content is accessible to all employees, except for some sensitive human resources content, which is accessible only to specific users. To index your Intranet, you create a Web source and select the Everyone content security option.

    The account whose credentials you provide must have access only to the content accessible to all employees rather than to all Intranet content. Otherwise, restricted access items would be available to any employee in the search results.

  • When a source type (such as a Web source) supports Basic authentication and you want to use it, provide username and password information only when the site uses a secured communication protocol such as TLS or SSL (HTTPS) to prevent exposing your credentials.

  • If you use a password manager such as LastPass, we recommend checking its options and ensuring that it respects the autocomplete="off" attribute. When a password manager ignores this attribute, it may replace the username and password you provided at source creation with different ones as you edit the source. In such case, saving your source configuration changes also saves the credential replacement, and your next source update will fail due to inadequate credentials.