feat: add sensitiveData field to v3 SDK

[sauravpanda]

Summary

• Add sensitiveData parameter to RunTaskRequest in both OpenAPI v3 specs (cloud + open-source)
• Update generated types: Python models.py and Node types.ts
• Add sensitive_data param to Python SDK's sessions.create(), client.run(), and client.stream()
• Node SDK picks it up automatically via generated RunTaskRequest type
• Add missing useOwnKey and autoHeal fields to cloud OpenAPI spec
• Includes warning in field description that sensitive data may be visible in screenshots

Usage

from browser_use_sdk.v3 import BrowserUse

client = BrowserUse(api_key="...")
result = client.run(
    "Log into example.com",
    sensitive_data={"username": "user@example.com", "password": "s3cret"},
)

Test plan

• Verify Python SDK passes sensitiveData in request body
• Verify Node SDK types include sensitiveData on RunTaskRequest
• Run task check to type-check both SDKs

Companion to browser-use/cloud#3623

🤖 Generated with Claude Code

---

Summary by cubic

Add sensitiveData to the v3 API and SDKs so tasks can pass secrets via secure <secret>key</secret> placeholders. Also adds useOwnKey and autoHeal to the cloud spec and fixes the async Python client; SDKs bumped to 3.4.3.

• New Features

  • OpenAPI: added sensitiveData to RunTaskRequest in docs/openapi/v3.json and docs/cloud/openapi/v3.json; added useOwnKey and autoHeal to the cloud spec.
  • SDKs: Node generated v3/types.ts includes sensitiveData; Python generated v3/models.py and clients accept sensitive_data in sessions.create(), client.run(), and client.stream(). Values are not sent to the LLM, but may appear in screenshots if unmasked.

• Bug Fixes

  • Python async run() now declares the sensitive_data param to fix Pyright and runtime errors.
  • Bumped Node and Python SDKs to 3.4.3.

^{Written for commit 1e58d20. Summary will update on new commits.}

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
browser-use	🟢 Ready	View Preview	Apr 10, 2026, 1:57 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 77fb17ebfc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Add missing sensitive_data parameter to AsyncBrowserUse.run

AsyncBrowserUse.run() now forwards sensitive_data into self.sessions.create(...), but the method signature never defines sensitive_data, so this name is unresolved in the closure and raises NameError when the async run is executed. This breaks AsyncBrowserUse.run() for normal usage (even when callers do not pass sensitive data), and also makes the new field unusable from the async client.

Useful? React with 👍 / 👎.

[cubic-dev-ai]

2 issues found across 6 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="browser-use-python/src/browser_use_sdk/v3/client.py">

<violation number="1" location="browser-use-python/src/browser_use_sdk/v3/client.py:161">
P0: This added call passes `sensitive_data` from an undefined variable, which will raise `NameError` at runtime and break `AsyncBrowserUse.run()`.</violation>
</file>

<file name="docs/cloud/openapi/v3.json">

<violation number="1" location="docs/cloud/openapi/v3.json:3055">
P3: The new `autoHeal` description references `cache_script`, but the request field is `cacheScript`; use the actual camelCase field name to avoid misleading API docs.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P3: The new autoHeal description references cache_script, but the request field is cacheScript; use the actual camelCase field name to avoid misleading API docs.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/cloud/openapi/v3.json, line 3055:

<comment>The new `autoHeal` description references `cache_script`, but the request field is `cacheScript`; use the actual camelCase field name to avoid misleading API docs.</comment>

<file context>
@@ -3027,6 +3042,18 @@
+                    "autoHeal": {
+                        "type": "boolean",
+                        "title": "Autoheal",
+                        "description": "When cache_script is active, controls whether a lightweight LLM validates the cached script output. If the output looks incorrect (empty, error, wrong structure), the system automatically re-triggers the full agent to generate a new version of the script. Set to false to disable validation and always return the raw script output.",
+                        "default": true
                     }
</file context>

Suggested change

	"description": "When cache_script is active, controls whether a lightweight LLM validates the cached script output. If the output looks incorrect (empty, error, wrong structure), the system automatically re-triggers the full agent to generate a new version of the script. Set to false to disable validation and always return the raw script output.",
	"description": "When cacheScript is active, controls whether a lightweight LLM validates the cached script output. If the output looks incorrect (empty, error, wrong structure), the system automatically re-triggers the full agent to generate a new version of the script. Set to false to disable validation and always return the raw script output.",

[cubic-dev-ai]

1 issue found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="browser-use-python/src/browser_use_sdk/v3/client.py">

<violation number="1" location="browser-use-python/src/browser_use_sdk/v3/client.py:339">
P2: `sensitive_data` was added to the concrete `run()` signature but not to all `@overload` signatures, causing incorrect type-checker errors for valid calls.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: sensitive_data was added to the concrete run() signature but not to all @overload signatures, causing incorrect type-checker errors for valid calls.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At browser-use-python/src/browser_use_sdk/v3/client.py, line 339:

<comment>`sensitive_data` was added to the concrete `run()` signature but not to all `@overload` signatures, causing incorrect type-checker errors for valid calls.</comment>

<file context>
@@ -336,6 +336,7 @@ def run(
         profile_id: str | None = None,
         proxy_country_code: str | None = _UNSET,  # type: ignore[assignment]
         workspace_id: str | None = None,
+        sensitive_data: dict[str, str] | None = None,
         enable_recording: bool | None = None,
         cache_script: bool | None = None,
</file context>