Nexus ERP / Docs

Passwords

Personal vault, team sharing, TOTP codes, and client password management.

Nexus ERP has a built-in password vault with three modes:

  • Personal vault, your own credentials.
  • Shared with you, passwords other people in the org shared.
  • Organisation passwords, every password tied to a client (read-only view for managers).

Personal entries can include a TOTP secret so the app generates the 6-digit 2FA code for you.

Where it lives

Workspace, Passwords. The page has two tabs: Personal and Organisation.

Adding a personal password

  1. Open the Personal tab.
  2. Click Add Password.
  3. Fill in:
    • Label (required). Example: Stripe dashboard.
    • Website URL (optional).
    • Username or email (required).
    • Password (optional). Click Generate to get a random 16-character value.
    • TOTP secret (optional). The setup key from the service's 2FA page, not the 6-digit code itself.
    • Linked passwords (optional). Use the search picker to chain related entries, for example GitHub linked to SSH key.
    • Notes (optional). Recovery codes, security questions, anything else.
  4. Click Save.

Revealing a password

The password field is masked by default. Click the eye icon to decrypt and display it inline. Click Copy to copy without revealing.

Generating a TOTP code

If you stored a TOTP secret, the entry shows a 6-digit code with a 30-second countdown ring around it. The code is split into two groups (123 456) for readability and turns red when there are fewer than 5 seconds left.

Sharing a password

  1. Open the password (you must be the owner).
  2. Click Share.
  3. Add the people you want to share with (search by name).
  4. Pick an expiry: No expiry, 1 hour, 6 hours, 1 day, 7 days, 30 days, or a custom date.
  5. Toggle Share TOTP if you want the recipient to also see the 2FA code. You can choose this per recipient.
  6. Click Save.

Recipients see the password in their Personal tab with a banner showing the owner. They can read and copy it but cannot edit or re-share.

Adjusting or revoking a share

On the password page, the Shared with section lists everyone who has access. You can:

  • Change the expiry inline.
  • Toggle TOTP sharing on or off.
  • Click Revoke to remove access immediately.

The Organisation tab

If you have Manage Client Passwords, this tab shows every password tied to any client across your org. It's read-only here, click a row to jump to the client's page where you can edit.

If you only have View Client Passwords, you'll see the same list but without edit links.

Client passwords (passwords for clients)

To share a password with a client through their portal:

  1. Open the client (CRM, Clients, [client]).
  2. Open the Passwords tab.
  3. Click Add Password, fill in the entry, save.
  4. Make sure Portal Settings, Passwords is toggled on for that client.

The client sees it on their portal under Passwords, with the same reveal/copy/TOTP UI.

Permissions

ActionPermission
Use the personal vault (own passwords)Default for all members
See client passwords for any clientView Client Passwords
Create, edit, share client passwordsManage Client Passwords

The whole feature is gated by the Passwords feature flag at the org level. If you don't see Passwords in the sidebar, your platform admin hasn't enabled it.

Encryption at rest

Passwords are encrypted in the database. They're decrypted only when you explicitly click reveal or copy, so they never sit in memory while you're just listing them.