Complete Scripting Token Reference
This reference covers every token available across all Secret Server scripting and notification contexts.
How Token Substitution Works
Secret Server uses two distinct token substitution engines:
| Engine | Used In | Token Source |
|---|---|---|
| CustomCommandTranslator | Inbox templates, Event Pipeline, RPC, Heartbeat, Dependency Changers, Secret Hooks, Custom Launchers, Ticket System Scripts, External Vaults | PasswordInfoProvider.InfoDictionary + ItemValues (secret field values) plus context-specific additions |
| ScriptArgumentTranslator | Discovery Scanner (Extensible Discovery) | ParameterPool — scan target and authentication credential fields |
The CustomCommandTranslator engine reads secret field values from a PasswordInfoProvider object. What is loaded into that object varies by context — some contexts load full secret fields including confidential values; others (Inbox Templates) load an empty provider so no secret field tokens resolve.
Confidential Field Restriction
Secret fields where IsPassword = true or IsFile = true are classified as confidential. The Event Pipeline enforces a restriction that blocks confidential tokens in script arguments and email bodies by default. Other contexts (RPC, Heartbeat, Dependency, Hooks, Launchers, etc.) do not enforce this restriction.
Token Syntax
All tokens use the $ prefix and are case-insensitive unless otherwise noted.
| Pattern | Example | Description |
|---|---|---|
| $TokenName | $USERNAME | Standard named token |
| $Prefix.Property | $Secret.Active | Object property token |
| $[N]$FieldName | $[1]$Password | Field from the Nth associated/linked secret (1-indexed for CustomCommandTranslator; 0-indexed in Discovery) |
| $[SID:nnn]$FieldName | $[SID:42]$Username | Field from a linked secret by secret ID |
| $Prefix.Section.Field | $Metadata.Secret.MySection.MyField | Dotted path token (metadata, variables) |
| $resourceName.embed | $company-logo.embed | Embedded image resource (inbox templates, email only) |
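As an added illustration (not code from Secret Server), the following Python model implements the substitution rules described above and in the Confidential Field Restriction section: case-insensitive names, dotted property tokens, $[N]$ and $[SID:nnn]$ linked-secret lookups with a configurable index base (1 for CustomCommandTranslator, 0 for Discovery), an empty provider for inbox templates, and the Event Pipeline's confidential-token block. All secrets, IDs and values are constructed placeholders, and leaving unresolvable tokens verbatim is an assumption of this model.

```python
import re

# Added model of the documented token rules; not Secret Server code.
# Matches $Name, $Prefix.Property, $[N]$Name and $[SID:nnn]$Name.
TOKEN_RE = re.compile(
    r"\$(?:\[(?P<ref>\d+|SID:\d+)\]\$)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_-]*(?:\.[A-Za-z_][A-Za-z0-9_-]*)*)"
)


class Secret:
    """Stand-in for one secret's PasswordInfoProvider values (constructed)."""

    def __init__(self, secret_id, fields, confidential=()):
        self.secret_id = secret_id
        # Token names are case-insensitive, so key everything in lower case.
        self.fields = {k.lower(): v for k, v in fields.items()}
        # Fields with IsPassword / IsFile are confidential.
        self.confidential = {k.lower() for k in confidential}

    def get(self, name):
        return self.fields.get(name.lower())

    def is_confidential(self, name):
        return name.lower() in self.confidential


class TokenResolver:
    """Resolves tokens for one scripting context.

    secret:  the secret in context (None = empty provider, as in inbox templates)
    linked:  associated secrets, addressed by $[N]$ (index_base 1) or $[SID:nnn]$;
             Discovery uses index_base 0 with the RunAs secret at position 0
    context: context-specific tokens such as $EventAction or $Target
    block_confidential: the Event Pipeline default that blanks password/file tokens
    """

    def __init__(self, secret=None, linked=(), context=None,
                 block_confidential=False, index_base=1):
        self.secret = secret
        self.linked = list(linked)
        self.context = {k.lower(): v for k, v in (context or {}).items()}
        self.block_confidential = block_confidential
        self.index_base = index_base

    def _linked(self, ref):
        if ref.startswith("SID:"):
            sid = int(ref[4:])
            return next((s for s in self.linked if s.secret_id == sid), None)
        i = int(ref) - self.index_base
        return self.linked[i] if 0 <= i < len(self.linked) else None

    def _resolve(self, m):
        ref, name = m.group("ref"), m.group("name")
        if ref is None and name.lower() in self.context:
            return self.context[name.lower()]
        source = self._linked(ref) if ref else self.secret
        if source is None:
            return m.group(0)  # assumption: unknown tokens are left verbatim
        if self.block_confidential and source.is_confidential(name):
            return ""  # Event Pipeline restriction on confidential tokens
        value = source.get(name)
        return m.group(0) if value is None else value

    def translate(self, text):
        return TOKEN_RE.sub(self._resolve, text)


def demo():
    """Constructed secrets and argument strings; every value is a placeholder."""
    main = Secret(101, {"Machine": "db01.example.test", "Username": "svc_app",
                        "Password": "PLACEHOLDER_PW"}, confidential=("Password",))
    priv = Secret(42, {"Username": "privileged_admin",
                       "Password": "PLACEHOLDER_PRIV"}, confidential=("Password",))
    runas = Secret(7, {"Username": "scan_runas", "Domain": "EXAMPLE"})

    rpc = TokenResolver(main, [priv])  # RPC: no confidential restriction
    ep = TokenResolver(main, [priv], block_confidential=True,
                       context={"EventAction": "SecretEdit",
                                "SECRETNAME": "App DB account"})
    inbox = TokenResolver(None, context={"InboxRuleName": "Rotation alerts"})
    disco = TokenResolver(None, [runas, priv], index_base=0,
                          context={"Target": "OU=Servers,DC=example,DC=test"})
    return {
        "rpc": rpc.translate("$username@$machine $[1]$Username $[SID:42]$Password"),
        "ep": ep.translate("$EventAction on $SECRETNAME: $USERNAME/$PASSWORD"),
        "inbox": inbox.translate("$InboxRuleName: $USERNAME"),
        "discovery": disco.translate("$Target $[0]$USERNAME $[1]$Username"),
        "out_of_range": rpc.translate("$[2]$Username"),
    }


if __name__ == "__main__":
    for ctx, result in demo().items():
        print(f"{ctx}: {result}")
```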
1. Inbox Templates
Inbox templates are used for email and Slack notifications triggered by event subscriptions, access requests, and system alerts. They are rendered by InboxTemplateService using a CustomCommandTranslator loaded with an empty PasswordInfoProvider — therefore secret field tokens do not resolve in inbox templates.
1.1 System Tokens
| Token | Resolves To |
|---|---|
| $InboxRuleName | Name of the inbox rule that triggered the notification |
| $InboxMessageTypeName | Localized display name of the notification type (e.g., "Secret Changed") |
| $MessageId | Unique integer ID of the inbox message |
| $MessageDataTable | Pre-built HTML or Slack table of all data fields for the message |
1.2 Time Tokens
| Token | Resolves To |
|---|---|
| $RecipientTime | Current time in the recipient's timezone and locale |
| $ServerTime | Current server time in the server's timezone |
| $UtcTime | Current UTC time |
1.3 URL Tokens
| Token | Resolves To | Available When |
|---|---|---|
| $ApplicationUrl | Base application URL | Always |
| $InboxUrl | URL to the inbox / notifications view | Always |
| $ViewUrl | URL to the specific inbox message | Message has an ID |
| $UnsubscribeUrl | URL to unsubscribe from the notification | Message has an ID |
| $RequestUrl | URL to the access request approval page | Message contains a RequestId |
| $ForceCheckoutRequestUrl | URL to approve a force-checkout request | Message contains Secret + Requester |
| $SecretUrl | URL to the secret's general page | Message contains a Secret |
1.4 Approval Tokens
These tokens are only rendered when the subscriber is an eligible approver for an active access request. They resolve to an empty string in all other contexts.
| Token | Resolves To |
|---|---|
| $RequestApprovalLinkDefault | Link to approve for the originally requested duration |
| $RequestApprovalLink1 | Link to approve for 1 hour |
| $RequestApprovalLink2 | Link to approve for 2 hours |
| $RequestApprovalLink4 | Link to approve for 4 hours |
| $RequestApprovalLink8 | Link to approve for 8 hours |
| $RequestDenyLink | Link to deny the access request |
| $SecretAccessRequestApprovalPart | Pre-built HTML/Slack block containing all approval and denial links |
1.5 Digest Tokens
Available only in inbox templates configured for digest mode.
| Token | Resolves To |
|---|---|
| $DigestStartDate | Start of the digest period, formatted for the recipient |
| $DigestEndDate | End of the digest period, formatted for the recipient |
| $DigestTable | Pre-built HTML table summarizing all messages in the digest |
1.6 Image and Embed Tokens
Email-only. Not supported in Slack notifications.
| Token | Resolves To |
|---|---|
| $SystemLogo | System logo image, embedded inline |
| $SystemBannerLogo | System banner logo image, embedded inline |
| $resourceName.embed | Custom image resource from Admin > Inbox > Embedded Resources, embedded inline. Replace resourceName with the resource name as configured. |
1.7 Style Tokens
| Token | Resolves To |
|---|---|
| $cta-button-background-default | Background color for call-to-action buttons (brand-aware) |
| $neutral-background-default | Default neutral background color |
1.8 Inbox Data Field Tokens
Every inbox notification carries named data fields. Each field is accessible in the template using its name.
| Pattern | Resolves To |
|---|---|
| $FieldName | Display value of the field (formatted, linked, localized) |
| $FieldName.Value | Raw stored value of the field |
| $FieldName.SecretLink | Hyperlink to the secret identified by the field value |
| $FieldName.UserLink | Hyperlink to the user profile identified by the field value |
| $FieldName.FolderLink | Hyperlink to the folder identified by the field value (Container field) |
| $FieldName.WorkflowStatus | Pre-built HTML representation of a workflow status value |
Standard data fields across built-in notification types:
| Field Name | Data Type | Description |
|---|---|---|
| Secret | Integer (Secret ID) | Secret involved in the event |
| User | Integer (User ID) | User involved in the event |
| Details | String | Human-readable summary of what happened |
| EventDetails | String | Additional event detail text |
| ActionType | String | Action taken (e.g., View, Edit, Delete) |
| SecretAction | String | Specific action performed on the secret |
| Container | Integer (Folder ID) | Folder containing the secret |
| ItemName | String | Display name of the affected item |
| Dependency | String | Name of the dependency affected |
| SubscriptionName | String | Name of the event subscription |
| Message | String | Free-form message text |
| Requester | Integer (User ID) | User who submitted the access request |
| RequestId | Integer | ID of the access request |
| RequestDate | Date | Date the access request was submitted |
| StartDate | Date | Requested access start date |
| ExpirationDate | Date | Requested access expiration date |
| ReasonForRequest | String | Reason the user provided for the request |
| TicketNumber | String | Ticket number associated with the request |
| TicketSystemUrl | String | URL to the external ticket in the ticketing system |
| Notes | String | Notes attached to the request |
| ResponseComment | String | Comment provided by the approver |
| EraseAfter | Date | Date after which the secret should be erased |
| Reason | String | Reason for the action |
2. Event Pipeline
Event pipeline tasks use EventPipelineTranslator which builds a full PasswordInfoProvider from the triggering secret and injects additional event-context tokens before calling CustomCommandTranslator.
Applies to: Send Email tasks and Run Script tasks.
2.1 Event Context Tokens
Always available in any event pipeline task.
| Token | Resolves To |
|---|---|
| $EventDetails | Human-readable description of the event |
| $ByUser | Username of the user who triggered the event |
| $ByUserDisplayName | Display name of the user who triggered the event |
| $ContainerName | Name of the folder or group associated with the event |
| $ContainerId | ID of the folder or group associated with the event |
| $ItemNameForDisplay | Display name of the item affected by the event |
| $ItemId | ID of the item affected by the event |
| $EventAction | Type of action that occurred (e.g., SecretView, SecretEdit) |
| $EventActionId | Numeric ID of the event action |
| $EventEntityType | Type of entity affected (e.g., Secret, User) |
| $EventTime | Timestamp of the event (yyyy-MM-ddTHH:mm:ss) |
| $SYSTEMEMAILURL | Application base URL |
2.2 Secret Context Tokens
Only available when the triggering event entity is a Secret.
| Token | Resolves To |
|---|---|
| $SECRETNAME | Name of the secret |
| $SECRETID | Integer ID of the secret |
| $FOLDERID | Integer ID of the secret's folder |
| $FOLDERNAME | Name of the secret's folder |
| $FOLDERPATH | Full folder path (e.g., Root\SubFolder\MyFolder) |
2.3 Secret Property Tokens
Only available when the triggering event entity is a Secret.
| Token | Resolves To |
|---|---|
| $Secret.Active | Whether the secret is active (True/False) |
| $Secret.AutoChangeOnExpiration | Whether the password auto-changes on expiration |
| $Secret.ChangePasswordNow | Whether the secret is flagged for immediate change |
| $Secret.CheckOutChangePassword | Whether the password changes on checkout |
| $Secret.CheckOutEnabled | Whether checkout is required |
| $Secret.EnableInheritPermissions | Whether permissions are inherited from the folder |
| $Secret.EnableInheritSecretPolicy | Whether the policy is inherited from the folder |
| $Secret.ExpiredFieldChangedDate | Date the expiration field was last changed (yyyy-MM-dd HH:mm:ss) |
| $Secret.Expired | Whether the secret is currently expired |
| $Secret.HideLauncherPassword | Whether the password is hidden from the launcher |
| $Secret.IsDoubleLock | Whether Double Lock is enabled |
| $Secret.IsSSHProxyEnabled | Whether SSH proxy is enabled |
| $Secret.IsSessionRecordingEnabled | Whether session recording is enabled |
| $Secret.LastHeartBeatCheck | Date of the last heartbeat check (yyyy-MM-dd HH:mm:ss) |
| $Secret.LastHeartBeatStatus | Result of the last heartbeat check (e.g., Success, Failed) |
| $Secret.PasswordChangeFailed | Whether the most recent password change attempt failed |
| $Secret.PasswordChangeOutOfSync | Whether the password is out of sync with the target |
| $Secret.PasswordChangeStatus | Current password change status |
| $Secret.PasswordComplianceCode | Password policy compliance code |
| $Secret.RPCAttemptCount | Number of RPC attempts made |
| $Secret.RPCNextAttemptTime | Scheduled time for the next RPC attempt (yyyy-MM-dd HH:mm:ss) |
| $Secret.RequireApprovalForAccess | Whether approval is required for all users |
| $Secret.RequireApprovalForAccessForEditors | Whether approval is required for editors |
| $Secret.RequireApprovalForAccessForOwnersAndApprovers | Whether approval is required for owners/approvers |
| $Secret.RequireViewComment | Whether users must enter a comment when viewing |
| $Secret.RestrictSshCommands | Whether SSH command restrictions are enabled |
| $Secret.SecretPolicyId | ID of the secret policy |
| $Secret.SecretTemplateId / $Secret.SecretTypeId | ID of the secret template |
| $Secret.SecretTemplateName | Name of the secret template |
| $Secret.SiteId | ID of the distributed engine site |
2.4 Current User Tokens
In event pipeline v1, the "current user" is the ThycoticSystem account.
| Token | Resolves To |
|---|---|
| $CURRENTUSERKNOWNAS | Display/known-as name of the current user |
| $CURRENTUSERNAME | Username of the current user |
| $CURRENTUSERLASTLOGIN | Last login date (yyyy-MM-dd HH:mm:ss) |
| $CURRENTUSERID | ID of the current user |
2.5 Event User Tokens
The user who triggered the event.
| Token | Resolves To |
|---|---|
| $EVENTUSERKNOWNAS | Display/known-as name of the event user |
| $EVENTUSERNAME | Username of the event user |
| $EVENTUSERLASTLOGIN | Last login date (yyyy-MM-dd HH:mm:ss) |
| $EVENTUSERID | ID of the event user |
| $EVENTUSERDOMAIN | Domain name of the event user |
| $User.UserName | Username of the event user |
| $User.DisplayName | Display name of the event user |
| $User.UserEmail | Email address of the event user |
| $User.UserEnabled | Whether the event user account is enabled |
| $User.IsApplicationAccount | Whether the event user is an application account |
| $User.IsSystemUser | Whether the event user is a system user |
$EVENTUSERKNOWNAS and $User.DisplayName both reflect the event user's display name but are resolved by different code paths. The $User.* tokens are only populated when eventUserId > 0.
2.6 Target User Tokens
Only available when the triggering event entity is a User (e.g., user created, modified, disabled).
| Token | Resolves To |
|---|---|
| $TARGETUSERKNOWNAS | Display/known-as name of the target user |
| $TARGETUSERNAME | Username of the target user |
| $TARGETUSERLASTLOGIN | Last login date (yyyy-MM-dd HH:mm:ss) |
| $TARGETUSERID | ID of the target user |
| $TARGETUSERDOMAIN | Domain name of the target user |
| $TargetUser.UserName | Username of the target user |
| $TargetUser.DisplayName | Display name of the target user |
| $TargetUser.UserEmail | Email address of the target user |
| $TargetUser.UserEnabled | Whether the target user account is enabled |
| $TargetUser.IsApplicationAccount | Whether the target user is an application account |
| $TargetUser.IsSystemUser | Whether the target user is a system user |
2.7 Variable Tokens
Event pipeline policy variables defined in the pipeline configuration. Replace VariableName with the exact variable name as configured.
| Pattern | Resolves To |
|---|---|
| $ItemVariable.VariableName | Value of an item-scoped variable for the triggering secret |
| $GlobalVariable.VariableName | Value of a global variable defined in the event pipeline policy |
2.8 Metadata Tokens
Custom metadata fields attached to secrets, folders, or users. Replace SectionName and FieldName with the exact names from the metadata section definition.
| Pattern | Resolves To | Available When |
|---|---|---|
| $Metadata.Secret.SectionName.FieldName | Metadata field on the triggering secret | Event entity is a Secret |
| $Metadata.Folder.SectionName.FieldName | Metadata field on the secret's folder | Event entity is a Secret |
| $Metadata.User.SectionName.FieldName | Metadata field on the event user | Always |
| $Metadata.TargetUser.SectionName.FieldName | Metadata field on the target user | Event entity is a User |
| $Metadata.SecretFolderUser.SectionName.FieldName | First matching value across secret, folder, and event user | Event entity is a Secret |
2.9 Secret Field Tokens in Event Pipeline
When the triggering event entity is a Secret, all secret field tokens from Section 3 are also available. Confidential tokens (password/file fields) are blocked in script arguments and email bodies by default.
3. Secret Field Tokens
These tokens are populated from the field values of the secret currently in context. They are available in RPC, Heartbeat, Dependency Changers, Secret Hooks, Custom Launchers, Ticket System Scripts, External Vaults, and Event Pipeline (when the event entity is a Secret).
3.1 Standard Named Field Tokens
These tokens map to standard field roles recognized by Secret Server's built-in password changers.
| Token | Resolves To | Confidential |
|---|---|---|
| $USERNAME | Value of the username field | No |
| $PASSWORD / $CURRENTPASSWORD | Current value of the password field | Yes |
| $NEWPASSWORD | Newly generated password (available during a password change) | Yes |
| $PORT | Value of the port field | No |
| $PRIVATEKEY | Private key (e.g., SSH private key content) | Yes |
| $PUBLICKEY / $CURRENTPUBLICKEY | Current SSH public key | No |
| $NEWPUBLICKEY | New/next SSH public key (available during key rotation) | No |
| $PRIORPUBLICKEY | SSH public key before the most recent rotation | No |
| $PRIORPRIVATEKEY | SSH private key before the most recent rotation | Yes |
| $PASSPHRASE | Passphrase for the SSH private key | Yes |
| $PRIORPASSPHRASE | Passphrase before the most recent key rotation | Yes |
| $PRIVILEGEDUSERNAME | Username of the privileged/run-as account | No |
| $PRIVILEGEDPASSWORD | Password of the privileged/run-as account | Yes |
| $PRIVILEGEDPRIVATEKEY | Private key of the privileged/run-as account | Yes |
| $PRIVILEGEDPASSPHRASE | Passphrase for the privileged/run-as account's private key | Yes |
| $SSHKEY | SSH key content (dependency contexts) | Yes |
| $SSHKEYPASSPHRASE | Passphrase for the SSH key (dependency contexts) | Yes |
$NEWPASSWORD in Heartbeat: In the heartbeat context the $NEWPASSWORD parameter is set to the current (or temporary) password value rather than a freshly generated one. It is effectively the same as $PASSWORD during heartbeat execution.
3.2 Dynamic Secret Template Field Tokens
Every field defined on the secret's template is also available as a token using the field's name. Token names are case-insensitive.
Example: A "Windows Account" template secret has fields Machine, Username, and Password. These are available as $Machine, $Username, and $Password.
The exact set of available tokens therefore varies by secret template. Password and file fields are confidential.
3.3 Associated Secret Tokens
When a secret has linked (associated) secrets, their field values are accessible with an indexed or ID-based prefix.
| Pattern | Resolves To |
|---|---|
| $[1]$FieldName | FieldName from the first linked/associated secret |
| $[2]$FieldName | FieldName from the second linked/associated secret |
| $[N]$FieldName | FieldName from the Nth linked/associated secret |
| $[SID:nnn]$FieldName | FieldName from the linked secret with ID nnn |
Associated secret tokens require AddAssociated = true on the PasswordLoaderArgs. This is enabled in: Event Pipeline, Custom Launchers, Ticket System Scripts (when $[ appears in args). It is disabled by default in some contexts.
3.4 Dependency Tokens
When the context involves a dependency (e.g., dependency changers, dependency events), dependency field values are available:
| Pattern | Resolves To |
|---|---|
| $FieldName | Field value from the dependency's associated data (resolved after base secret fields) |
| $DEPENDENCY.FieldName | Same, with an explicit prefix to avoid ambiguity |
3.5 Secret Server User Tokens
These resolve to properties of the Secret Server user account in the current execution context.
| Token | Resolves To |
|---|---|
| $SECRETSERVERUSERID | ID of the current Secret Server user |
| $SECRETSERVERUSERNAME | Username of the current Secret Server user |
| $SECRETSERVERDISPLAYNAME | Display name of the current Secret Server user |
| $SECRETSERVEREMAILADDRESS | Email address of the current Secret Server user |
3.6 Session Tokens
Used by the launcher and remote session infrastructure. These are injected for Custom Launchers (System Internal type) and are not meaningful in other scripting contexts.
| Token | Resolves To |
|---|---|
| $SESSIONGUID | GUID of the active session |
| $SESSIONTOKEN | Authentication token for the session |
| $EXPIRESIN | Time until the session token expires (seconds) |
| $REFRESHTOKEN | Refresh token for the session |
4. Remote Password Changing (RPC)
RPC scripts run when Secret Server executes an automated password change on a secret. The script arguments (defined on the password changer) are translated depending on the changer type.
Token engine: CustomCommandTranslator with a fully populated PasswordInfoProvider.
Available tokens:
- All Standard Named Field Tokens including $NEWPASSWORD
- All Dynamic Template Field Tokens
- Associated Secret Tokens if linked secrets are configured
- Secret Server User Tokens
- Dependency Tokens when dependency context applies
LDAP-specific additional token:
| Token | Resolves To |
|---|---|
| $DISTINGUISHEDDOMAINNAME | LDAP distinguished name format of the domain (e.g., DC=example,DC=com). Set automatically by the LDAP adapter. |
5. Heartbeat
Heartbeat scripts verify that credentials stored in a secret are still valid on the target system. Script arguments are translated using the same adapter as RPC, but against the heartbeat script args.
Token engine: CustomCommandTranslator with a fully populated PasswordInfoProvider.
Available tokens:
- All Standard Named Field Tokens
- All Dynamic Template Field Tokens
- Secret Server User Tokens
$NEWPASSWORD is set to the current (or temporary) password in heartbeat context — not a newly generated value. For a pure credential verification script, use $PASSWORD. No confidential token restriction.
6. Dependency Changers
Dependency scripts run after a secret's password is changed to update dependent systems (services, application pools, scheduled tasks, etc.).
Script types supported: PowerShell, SQL, SSH.
Token engine: CustomCommandTranslator with a populated PasswordInfoProvider.
Available tokens:
- All Standard Named Field Tokens including $NEWPASSWORD
- All Dynamic Template Field Tokens
- Associated Secret Tokens
- Dependency Tokens
- Secret Server User Tokens
Dependency-specific additional tokens:
| Token | Resolves To |
|---|---|
| $SERVER / $HOST | Machine name / host of the dependency target |
| $PORT | Port configured on the dependency |
| $DATABASE | Database name (SQL dependency types) |
| $WALLETLOCATION | Oracle wallet location (Oracle SQL dependencies) |
| $TNSADMIN | TNS admin path (Oracle SQL dependencies) |
| $SSLSERVERCERTDN | SSL server certificate DN (Oracle SSL dependencies) |
| $ASSYS | Whether to connect as SYSDBA (Oracle SQL dependencies) |
| $DEPENDENCYSSHKEY | SSH private key from the linked SSH key secret (SSH dependencies) |
| $DEPENDENCYSSHKEYPASSPHRASE | Passphrase for the dependency SSH key (SSH dependencies) |
Username, Password, Key, and Passphrase fields are themselves translated via CustomCommandTranslator before being applied as the run-as credentials. No confidential token restriction.
7. Secret Hooks (Pre/Post Change)
Secret Hooks (also called Event Hooks or Pre/Post Change Hooks) are scripts attached to a secret that run before or after a password change event.
Script types supported: PowerShell, SQL, SSH.
Token engine: CustomCommandTranslator with a fully populated PasswordInfoProvider.
Available tokens for PowerShell hooks:
- All Standard Named Field Tokens
- All Dynamic Template Field Tokens
- Associated Secret Tokens
- Secret Server User Tokens
SQL hook additional tokens:
| Token | Resolves To |
|---|---|
| $USERNAME | Privileged account username (overrides secret field) |
| $PASSWORD | Privileged account password (overrides secret field) |
| $SERVER / $HOST | Machine name from the hook configuration |
| $DATABASE | Database from the hook configuration |
| $PORT | Port from the hook configuration |
| $WALLETLOCATION | Oracle wallet location |
| $TNSADMIN | TNS admin path |
| $SSLSERVERCERTDN | SSL server certificate DN |
| $ASSYS | Whether to connect as SYSDBA |
SSH hook additional tokens:
| Token | Resolves To |
|---|---|
| $RUN_USERNAME | Run-as username for the SSH connection |
| $RUN_PASSWORD | Run-as password for the SSH connection |
8. Custom Launchers
Custom launchers define process arguments for launching remote access tools. Arguments are translated by CustomLauncherArgumentsBuilder.
8.1 Standard Custom Launchers
Process argument parameters are translated via CustomCommandTranslator with a PasswordInfoProvider populated with AddAssociated = true. The following fields are explicitly set:
| Token | Resolves To |
|---|---|
| $Domain | Domain value from the launcher session |
| $Username | Username resolved for the launcher session |
| $Password | Password resolved for the launcher session |
| $Machine | Target machine name |
| $Host | Target host name |
| $Server | Target server name |
| $Port | Port number (from launcher args or secret field) |
Additionally, all Standard Named Field Tokens, Dynamic Template Field Tokens, and Associated Secret Tokens are available. If a promptable field is configured on the launcher type, its prompted value is also injected.
8.2 System Internal Launchers
System Internal launchers (Connection Manager integration) use only session tokens:
| Token | Resolves To |
|---|---|
| $SESSIONTOKEN | OAuth access token for the SS API session |
| $EXPIRESIN | Token lifetime in seconds |
| $REFRESHTOKEN | OAuth refresh token (omitted if API timeout is unlimited) |
9. Ticket System Scripts
Custom ticket system integrations (PowerShell-based) use two script types: Ticket Validation scripts and Ticket Comment scripts. Both are handled by PowerShellMapper, which translates script arguments via CustomCommandTranslator.
Available tokens:
- All Standard Named Field Tokens
- All Dynamic Template Field Tokens
- Associated Secret Tokens (when $[ appears in arguments)
- Secret Server User Tokens
Special token:
| Token | Resolves To |
|---|---|
| $TEMPLATEARGS | Expands to the list of template-provided arguments injected by Secret Server at runtime (ticket number, etc.). Used as a placeholder in the argument list to control where template args are inserted. |
10. External Vaults
External vault integration (HashiCorp Vault, CyberArk, etc.) uses token substitution in the Transform expression when pushing a secret's value to the external vault. The transform is translated via CustomCommandTranslator loaded with the linked secret's full field values.
Available tokens:
- All Standard Named Field Tokens
- All Dynamic Template Field Tokens
Example: a transform of $USERNAME:$PASSWORD would push the combined username and password as the external vault secret value.
11. Discovery Scanner (Extensible Discovery)
Discovery scripts use a completely separate token engine (ScriptArgumentTranslator) and a ParameterPool object — not CustomCommandTranslator or PasswordInfoProvider. Token behavior differs in several ways from all other contexts.
Applies to: PowerShell scripts used in Extensible Discovery scan templates (Find Machine, Find Accounts / Local Accounts, etc.).
$[N]$ indexing: Discovery uses zero-based indexing where $[0]$ is the RunAs secret and $[1]$ onward are mapped secrets. All other contexts use 1-based indexing.
11.1 Scan Context Tokens
| Token | Resolves To | Scan Type |
|---|---|---|
| $Target | Scan target — OU path, host range, or domain name (whichever applies) | All |
| $Domain | Domain name | All |
| $HostRange | IP address or hostname range | Find Machine |
| $SpecificOu | Specific OU path | Find Machine (OU mode) |
| $IPAddress | IP address of the computer being scanned | Find Accounts |
| $ComputerName | Name of the computer being scanned | Find Accounts |
| $Username | Username value from the scan input | Find Accounts (some types) |
11.2 Authentication Account Tokens ($[N]$)
Each authentication account (RunAs secret or mapped secret) mapped to the scan template provides credential tokens accessible via a zero-based index:
| Pattern | Resolves To |
|---|---|
| $[0]$USERNAME | Username from the RunAs (index 0) account |
| $[0]$PASSWORD | Password from the RunAs account |
| $[0]$DOMAIN | Domain from the RunAs account |
| $[0]$PRIVATEKEY | Private key from the RunAs account |
| $[0]$PASSPHRASE | Passphrase from the RunAs account |
| $[1]$USERNAME | Username from the first mapped secret |
| $[N]$USERNAME | Username from the Nth mapped secret (0-indexed) |
| $[N]$PASSWORD | Password from the Nth mapped secret |
| $[N]$DOMAIN | Domain from the Nth mapped secret |
| $[N]$PRIVATEKEY | Private key from the Nth mapped secret |
| $[N]$PASSPHRASE | Passphrase from the Nth mapped secret |
| $[N]$FieldName | Any additional field from the Nth account's InfoDictionary (non-standard fields) |
Quick Reference Matrix
This matrix shows which token categories are available in each scripting context. "Secret field tokens" refers to the tokens in Section 3.
| Token Category | Inbox Template | EP Email | EP Script | RPC | Heartbeat | Dependency | Secret Hook | Launcher | Ticket | Ext. Vault | Discovery |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Inbox system tokens ($InboxRuleName, etc.) | Yes | Yes | — | — | — | — | — | — | — | — | — |
| Inbox time tokens ($RecipientTime, etc.) | Yes | Yes | — | — | — | — | — | — | — | — | — |
| Inbox URL tokens ($ApplicationUrl, etc.) | Yes | Yes | — | — | — | — | — | — | — | — | — |
| Approval tokens ($RequestApprovalLink*) | Request events only | Request events only | — | — | — | — | — | — | — | — | — |
| Digest tokens ($DigestTable, etc.) | Digest mode only | — | — | — | — | — | — | — | — | — | — |
| Image/embed tokens ($SystemLogo, $.embed) | Email only | Email only | — | — | — | — | — | — | — | — | — |
| EP event context ($EventDetails, $ByUser, etc.) | — | Yes | Yes | — | — | — | — | — | — | — | — |
| EP secret context ($SECRETNAME, $FOLDERID, etc.) | — | Secret events only | Secret events only | — | — | — | — | — | — | — | — |
| EP secret properties ($Secret.Active, etc.) | — | Secret events only | Secret events only | — | — | — | — | — | — | — | — |
| EP event user ($EVENTUSERKNOWNAS, $User.*) | — | Yes | Yes | — | — | — | — | — | — | — | — |
| EP target user ($TARGETUSERNAME, $TargetUser.*) | — | User events only | User events only | — | — | — | — | — | — | — | — |
| Variable tokens ($ItemVariable.*, $GlobalVariable.*) | — | Yes | Yes | — | — | — | — | — | — | — | — |
| Metadata tokens ($Metadata.*) | — | Yes | Yes | — | — | — | — | — | — | — | — |
| Standard named field tokens ($PASSWORD, $USERNAME, etc.) | — | Yes* | Yes* | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — |
| Dynamic template field tokens ($FieldName) | — | Yes* | Yes* | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — |
| Associated secret tokens ($[N]$FieldName) | — | Yes | Yes | Yes | — | Yes | Yes | Yes | Conditional | — | Yes (0-indexed) |
| Dependency tokens ($DEPENDENCY.*) | — | Yes | Yes | — | — | Yes | — | — | — | — | — |
| SS user tokens ($SECRETSERVERUSERNAME, etc.) | — | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | — |
| Session tokens ($SESSIONTOKEN, $REFRESHTOKEN) | — | — | — | — | — | — | — | Internal only | — | — | — |
| Discovery scan tokens ($Target, $IPAddress, etc.) | — | — | — | — | — | — | — | — | — | — | Yes |
| Discovery auth tokens ($[N]$USERNAME, etc.) | — | — | — | — | — | — | — | — | — | — | Yes |
* = Available, but confidential tokens (password/file fields) are blocked by default in the EP email body and EP script args. "Conditional" = Available only when $[ appears in the script argument string. "Internal only" = Session tokens on System Internal launchers only; not available on standard custom launchers.