Best Practices for Sending Credentials to Clients

Professional methods for delivering passwords and API keys to clients securely and efficiently.

Sending credentials to clients is a routine part of business. Whether you're a web developer delivering login details for a new site, an IT consultant providing access to configured systems, or an agency handing over social media accounts, how you deliver those credentials matters. It reflects your professionalism and impacts your client's security.

Why credential delivery matters

The way you handle credential delivery sends a message about your business. Sending passwords in plain text emails, scattering credentials across multiple messages, and not verifying receipt all look unprofessional. Using encrypted, self-destructing links, with organized credential delivery and confirmation of successful access, looks professional and builds trust.

The professional workflow

Here's a step-by-step process for delivering credentials to clients that's both secure and professional:

  1. Prepare your delivery email: Write a clear email listing what credentials you're providing (without the actual passwords). Include context like what each login is for and any important notes.
  2. Create one-time links: For each credential, create a separate one-time link on Burn the Secret. This keeps things organized and allows you to verify each credential was received.
  3. Send with clear labels: Include the links in your email with clear labels like "WordPress Admin Login: [link]" and "Hosting Panel Access: [link]".
  4. Request confirmation: Ask the client to confirm they were able to access each credential and that everything works. This protects both of you.

Example: Website project handoff

Here's how a professional credential delivery email might look:

Subject: [Project Name] - Access Credentials

Hi [Client Name],

Your website is live! Below are the secure links to access your credentials. Each link can only be viewed once and will expire in 72 hours, so please save the information somewhere secure after viewing.

Website Admin (WordPress):
URL: yoursite.com/wp-admin
Login credentials: [one-time link]

Hosting Panel (cPanel):
URL: server.host.com:2083
Login credentials: [one-time link]

Domain Registrar:
URL: namecheap.com
Login credentials: [one-time link]

Please confirm once you've successfully accessed each account. Let me know if you have any questions.

Different types of client credentials

Website and CMS logins. WordPress, Shopify, Squarespace admin credentials. Include the login URL alongside the credential link, but keep them separate.

API keys and tokens. Third-party API keys, service tokens, webhook secrets. Include clear documentation on what each key is for and any rate limits or restrictions.

Email and social media. Business email accounts, social media management access. For social media, consider having the client add you as a manager rather than sharing the master password.

Best practices checklist

  • Create separate one-time links for each credential type
  • Set appropriate expiration times (24-72 hours is typical)
  • Include context (what the credential is for, the login URL)
  • Request confirmation that credentials were received and work
  • Add passphrase protection for highly sensitive credentials
  • Document what was delivered in your project records
  • Advise clients to change passwords after the handoff if desired
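
The workflow and checklist above rely on three link properties: single view, expiry, and an optional passphrase. The sketch below is an added example, not Burn the Secret's implementation or code from this guide: an in-memory model of those semantics that shows why asking for confirmation matters. The class, the status strings, and the follow-up policy in `next_action` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeStore:
    """In-memory model of one-time, expiring secret links (illustrative only)."""

    def __init__(self, clock=time.time):
        self._items = {}     # token -> (secret, expires_at, salt, passphrase_hash)
        self._clock = clock  # injectable so expiry can be exercised in tests

    @staticmethod
    def _kdf(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

    def create(self, secret, ttl_hours=72, passphrase=None):
        token = secrets.token_urlsafe(32)  # unguessable link identifier
        salt = secrets.token_bytes(16)
        pw_hash = self._kdf(passphrase, salt) if passphrase else None
        expires_at = self._clock() + ttl_hours * 3600
        self._items[token] = (secret, expires_at, salt, pw_hash)
        return token

    def reveal(self, token, passphrase=None):
        """Return (status, secret); the secret is deleted on the first successful view."""
        item = self._items.get(token)
        if item is None:
            return ("gone", None)  # already viewed, purged, or never existed
        secret, expires_at, salt, pw_hash = item
        if self._clock() >= expires_at:
            del self._items[token]
            return ("expired", None)
        if pw_hash is not None:
            supplied = self._kdf(passphrase or "", salt)
            if not hmac.compare_digest(supplied, pw_hash):
                # Not consumed here; a real service should also limit attempts.
                return ("bad_passphrase", None)
        del self._items[token]  # burn before handing the secret back
        return ("ok", secret)


def next_action(client_status):
    """Sender-side follow-up for the status the client reports (assumed policy)."""
    return {"ok": "confirmed", "gone": "rotate", "expired": "reissue",
            "bad_passphrase": "resend_passphrase"}[client_status]
```

In this model, a client who reports "gone" for a link they never opened means the one allowed view was used by someone or something else, so that credential is rotated rather than simply re-sent.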

Handling client requests for credentials

Sometimes clients need to send you credentials. Coach them to use secure methods too. Send them a link to Burn the Secret and explain how to use it. Never ask them to email passwords in plain text. If they do send credentials insecurely, change those credentials immediately and educate the client for next time.

Here's a template you can use:

Subject: Secure Way to Share Your Login Credentials

Hi [Client Name],

I need access to [system/account] to proceed with [task]. Please don't email the password directly, as that's not secure.

Instead, please visit burnthesecret.com, paste your password, and send me the secure link it generates. The link will only work once and then delete itself.

Ready to deliver credentials professionally? Create a secure link on Burn the Secret.