diff --git a/product/admin/automation-examples.mdx b/product/admin/automation-examples.mdx index 6f6c2db8..b36d2c87 100644 --- a/product/admin/automation-examples.mdx +++ b/product/admin/automation-examples.mdx 
@@ -309,6 +309,58 @@ Create a copy with an **On Demand** trigger. Run it manually for a known contrac --- +## New account provisioning with initial password + +**Use case:** When a new employee account is created in a self-hosted application, automatically generate a password, set it on the account, and deliver it securely to the user's manager via a one-time secret link. + + +The **Set credential** step used in this example is only supported for self-hosted connectors. + + +### What you'll build + +| Component | Configuration | +|---|---| +| Trigger | Account Created | +| Condition | Filter to the target application | +| Step 1 | Generate password -- custom policy | +| Step 2 | Set credential -- apply to the new account | +| Step 3 | Store credential -- Paper Vault, deliver to manager | + +### Setup + +1. Create a new automation and select the **Account Created** trigger. Set the app to the self-hosted application where accounts are created. + +2. Add a **Generate password** step (name it `initial_password`). Select **Custom password policy** and configure length and character requirements to match the application's password rules. + +3. Add a **Set credential** step. Select the self-hosted connector for your application. Set the target account to: +``` +ctx.trigger.app_user_id +``` +Set the credential to the output of the previous step: +``` +ctx.initial_password.credential_ref +``` + +4. Add a **Store credential** step. Set the credential to `ctx.initial_password.credential_ref`. Select **Paper Vault** as the vault type and set the recipient to the new user's manager: +``` +ctx.trigger.user.manager_id +``` +Set auth type to **SSO Internal** so the manager must authenticate before retrieving the secret. Leave max views at **1** so the link self-destructs after the manager retrieves it. 
+ +### Why these choices + +- **Account Created** fires after the connector syncs the new account, so the account exists and can receive a credential by the time the Set credential step runs. +- **Custom policy** on Generate password lets you match the target application's password complexity requirements. Use **Random 32-character** only if the application accepts any password format. +- **Paper Vault with max views: 1** ensures the password is delivered once and then destroyed. The manager can share it with the employee directly, rather than the automation sending credentials over an unsecured channel. +- **Delivering to the manager** (not the user directly) follows a common security pattern: a second person handles the credential handoff, creating an implicit acknowledgment step. + +### Testing + +Create a copy with an **On Demand** trigger. Run it manually, selecting a test account in the target application. Verify that the password is set on the account, and that the manager receives a Paper Vault link that works once and then expires. + +--- + ## Other automation patterns These patterns follow similar structures to the examples above. They are listed here as starting points rather than full walkthroughs. diff --git a/product/admin/automations-steps-reference.mdx b/product/admin/automations-steps-reference.mdx index d546cf24..a63698ef 100644 --- a/product/admin/automations-steps-reference.mdx +++ b/product/admin/automations-steps-reference.mdx 
@@ -301,3 +301,54 @@ ctx.risk_check.should_review == true For a full walkthrough of building Functions and using them in automations, see [using Functions in automations](/product/admin/functions-automations). **Error behavior:** Fails if the Function throws an unhandled error or exceeds its execution timeout. The error message from the Function is visible in the execution log. Debug Function errors in the Functions UI, which has its own invocation logs. + +--- +## Generate password + +Generate a random password using either a preset 32-character random password or a custom policy. + +| Field | Required | CEL | Notes | +|---|---|---|---| +| Password type | Yes | No | **Random 32-character password**: generates a random 32-character password with no additional configuration. **Custom password policy**: exposes the fields below. | +| Length | Yes (Custom) | No | Minimum and/or maximum character length for the generated password. | +| Character requirements | Yes (Custom) | No | Which character types must be included: uppercase, lowercase, numbers, special characters. | +| Character rules | No (Custom) | No | Additional constraints on special characters: define a custom set of allowed special characters, or specify characters to exclude from the generated password. | +| Step name | Yes | No | Used to reference this step's output in subsequent steps via `ctx.{step_name}`. | +| Skip condition | No | Yes | If the expression evaluates to true, this step is skipped. | + +--- + +## Set credential + +Apply a credential to a user's account in a connected application. + + +**Set credential is only supported for self-hosted connectors.** Cloud-hosted connectors do not support credential actions. + + +| Field | Required | CEL | Notes | +|---|---|---|---| +| Connector | Yes | No | Only connectors that support credential actions appear in the picker. | +| Target account | Yes | Yes | The account to set the credential on. 
Accepts `ctx.trigger.app_user_id` or a CEL expression resolving to a C1 app user ID. For new accounts, pass the output of the Create account step. | +| Credential | Yes | No | Reference to the Generate password step output: `ctx.{generate_step_name}.credential_ref`. | +| Skip condition | No | Yes | If the expression evaluates to true, this step is skipped. | + +--- + +## Store credential + +Store a generated credential in a ConductorOne vault and optionally deliver it to a recipient. + +| Field | Required | CEL | Notes | +|---|---|---|---| +| Credential | Yes | No | Reference to the Generate password step output: `ctx.{generate_step_name}.credential_ref`. | +| Vault type | Yes | No | **Paper Vault**: one-time secret link, self-destructs after N views or a time window. **App Vault**: persistent, entitlement-bound storage accessible via VaultOpenerService. | +| Recipient | Yes | Yes | C1 user ID or CEL expression. Use `ctx.trigger.user.manager_id` to deliver to the subject user's manager. | +| Auth type | Yes (Paper Vault) | No | How the recipient authenticates to retrieve the secret. Options: SSO Internal, Email verified. | +| Expiry | No (Paper Vault) | No | How long the secret is available before auto-expiration. Default: 72 hours. | +| Max views | No (Paper Vault) | No | Number of times the secret can be viewed before it self-destructs. Default: 1. | +| App | Yes (App Vault) | No | The application this credential belongs to. | +| Entitlement | Yes (App Vault) | No | The entitlement that controls access. Users with this grant can retrieve the credential. | +| Expiry | Yes (Paper Vault) | No | Auto-expire the credential after this duration. Expired credentials are tombstoned for audit. | +| Skip condition | No | Yes | If the expression evaluates to true, this step is skipped. | +
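Review bot: In the "New account provisioning with initial password" walkthrough (Setup step 4), the recipient expression `ctx.trigger.user.manager_id` is unguarded, and the steps reference added in the second file marks Recipient as required; if the new user has no manager set, the Store credential step cannot resolve a recipient after Set credential has already applied the password, leaving an account with a live password that was never delivered. Either document that failure mode in "Why these choices" and tell the reader to add a skip condition or a fallback recipient, or order the steps so the credential is stored before it is applied. Two smaller points in the same hunk: the "What you'll build" table lists a Condition that filters to the target application, but Setup step 1 only sets the app on the trigger and never adds that condition; and the Testing section should warn that running the On Demand copy against a test account actually resets that account's password, so the test account must be one whose credential can be changed safely.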
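Review bot: The Store credential table in the second hunk lists Expiry twice with conflicting Required values: once as "No (Paper Vault) ... Default: 72 hours" and again, after the App and Entitlement rows, as "Yes (Paper Vault) ... Expired credentials are tombstoned for audit." The second row sits among the App Vault fields and should presumably read "Yes (App Vault)"; as written, a reader cannot tell whether Paper Vault expiry is optional. Separately, the Functions section left as context ends with an **Error behavior:** line, but none of the three new sections has one; Set credential in particular should state what happens when the connector rejects the password (for example, when the generated password does not satisfy the target application's own policy), since the walkthrough in the first file relies on the custom policy matching that application's rules.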