Credentials
How credentials work in Scanopy — types, scopes, assignment, and resolution.
Credentials provide daemons with the authentication details they need to gather data during discovery. Without credentials, discovery is limited to port scanning and DNS lookups. With credentials configured, daemons can also query SNMP for device details, interfaces, and neighbor data, or connect to Docker APIs for container discovery.
Credential Types
| Type | What it provides |
|---|---|
| SNMP | Device identity, interfaces, LLDP/CDP neighbors via SNMPv2c |
| Docker Proxy | Container discovery via a Docker API proxy (local or remote) |
See Set up SNMP credentials and Docker Proxy guide for setup instructions.
Scope Models
Each credential type supports one or both scope models, which determine where it can be assigned:
| Scope | Meaning | Example |
|---|---|---|
| Broadcast | Applies to all hosts on a network. The daemon tries this credential on every host it scans on that network. | An SNMP community string shared across all switches on a network segment. |
| PerHost | Applies to a specific host (and optionally specific interfaces on that host). | A Docker Proxy credential for one particular Docker host. |
SNMP credentials support both Broadcast and PerHost scopes — you can assign one to an entire network or to individual hosts. Docker Proxy credentials are PerHost only, since each proxy endpoint is specific to a host.
How to Provide Credentials
There are three ways to give daemons the credentials they need, depending on your situation:
During daemon setup (new daemons)
When creating a new daemon, the credential wizard lets you add SNMP and Docker Proxy credentials before the first scan. You enter the credential details along with a target IP — the IP address of the device you expect to find on the network.
After the daemon's first scan discovers hosts at those IPs, the credentials are auto-assigned to the matching hosts and used in subsequent scans without manual assignment.
From the discovery modal (existing daemons, new network segments)
When an existing daemon starts scanning a new network segment or VLAN, open the discovery's Credentials tab to add credentials the same way as during daemon setup — with credential details and target IPs.
On a host directly (existing hosts)
For hosts that have already been discovered, assign credentials from the host edit modal. Go to the Credentials tab, add the credential, and optionally restrict it to specific interfaces. This is the most targeted approach — useful when a particular device needs a different community string than the network default, or when you want to enable Docker Proxy scanning for a specific host.
Assigning a Credential to a Host
When you assign a credential to a host, you're linking it so that the credential is used to gather data from the host on every scan. Each assignment can optionally be scoped to specific network interfaces:
- All interfaces (default) — the credential is used whenever the daemon scans any interface on this host
- Specific interfaces — the credential is only used when scanning through those particular interfaces
Interface scoping is mainly useful for Docker Proxy credentials, where the proxy is reachable through a specific network interface.
Credential Resolution
When the daemon scans a host, it resolves credentials in this priority order:
- Host-level assignment — credentials assigned directly to the host (or its specific interface)
- Network default — Broadcast-scoped credentials assigned to the host's network
- Fallback — for SNMP, the community string
publicis tried as a last resort
All available credentials at each level are tried — not just the first match. If every credential fails (timeout or authentication error), the host is scanned without that credential type's data.
Auto-Assignment
Credentials created through the daemon setup wizard or discovery credentials tab support auto-assignment. When you provide a target IP during creation:
- The credential is created with the target IP recorded
- The daemon includes this credential in its next discovery scan, trying it on the target IP
- If the credential succeeds (e.g., SNMP responds, Docker API connects), it is permanently assigned to the discovered host at that IP
- The target IP is then cleared — the credential is now a regular assigned credential
This bridges the gap between "I know this device's IP and credentials" and "Scanopy hasn't discovered it yet." The credential is ready and waiting for the host to appear.
If auto-assignment isn't working as expected, see Troubleshooting credentials for how to diagnose issues using daemon logs.
Network-Level Credentials
Broadcast-scoped credentials can be assigned to a network from the network edit modal (Assets > Networks → select network). All hosts on that network automatically inherit these credentials — you don't need to assign them individually.
This is the simplest way to enable SNMP across an entire network segment: create one SNMP credential with the shared community string and assign it to the network.