API v6
Sections: List passwords | Show a password | Create a password | Update a password | Update custom fields definitions of a password | Move a password | Copy a password | Duplicate a password | Archive/un-archive a password | Delete a password | List files of a password | Upload a file to a password
403 FORBIDDEN and with the error message "Personal passwords are disabled".
List passwords
These return the personal passwords of the user (My Passwords). The returned data is the same as in the my passwords list in the web interface.
GET /my_passwords.json GET /my_passwords/archived.json GET /my_passwords/favorite.json GET /my_passwords/search/urlencoded_string.json (see notes below)
The responses from these requests are paginated and /count.json, /page/num.json and X-Page-Size can be used. See the section on pagination for more information. Example: GET /my_passwords/page/2.json
If successful, the response code is 200 OK with the results of the call in the response body.
Example response body:
[
{
"id": 1,
"name": "My site user",
"notes_snippet": "Just a user to blog",
"tags": "blog",
"access_info": "https:\/\/mysite.com\/wp-login.php",
"username": "john",
"email": "",
"has_password": true,
"strength": "strong",
"archived": false,
"favorite": true,
"num_files": 1,
"created_by": {
"id": 1
},
"created_on": "2024-12-17 19:10:29",
"updated_by": {
"id": 1
},
"updated_on": "2024-12-17 19:18:03"
},
{
"id": 2,
"name": "My Site Analytics",
"notes_snippet": "",
"tags": "analytics",
"access_info": "https:\/\/analyticsplatform.com\/login",
"username": "",
"email": "john@teampasswordmanager.com",
"has_password": true,
"strength": "strong",
"archived": false,
"favorite": false,
"num_files": 0,
"created_by": {
"id": 1
},
"created_on": "2024-12-17 19:16:17",
"updated_by": {
"id": 1
},
"updated_on": "2024-12-17 19:17:49"
},
...
]
Notes:
has_passwordis true if the password entry has the password datum filled in. To view it you need to use the show a password method.strengthcan have the following values: "" (none), "very weak", "weak", "good" and "strong".- You can use the search operators when searching for passwords.
- You need to urlencode the "urlencoded_string" part.
- Example (in PHP):
$search_string = 'username:john'; // Find my passwords whose username is "john" $search_string_urlencoded = urlencode($search_string); $request_url = 'https://YOUR_TPM_URL/index.php/api/v6/my_passwords/search/' . $search_string_urlencoded . '.json';
Metadata only lists
All my password list requests can include the following header: X-Metadata-Only: true. When this header is used, the response will only include the metadata fields of the passwords. For example:
[
{
"id": 1,
"created_by": {
"id": 1
},
"created_on": "2024-12-17 19:10:29",
"updated_by": {
"id": 1
},
"updated_on": "2024-12-17 19:18:03"
},
{
"id": 2,
"created_by": {
"id": 1
},
"created_on": "2024-12-17 19:16:17",
"updated_by": {
"id": 1
},
"updated_on": "2024-12-17 19:17:49"
},
...
]
Metadata only lists are much quicker than the normal lists.
Show a password
This method returns all the data of a password, identified by its internal id.
GET /my_passwords/ID.json
If successful, the response code is 200 OK with the results of the call in the response body.
Example response body:
{
"id": 1,
"name": "My site user",
"tags": "blog",
"access_info": "https:\/\/mysite.com\/wp-login.php",
"username": "john",
"email": "",
"password": "UgR8l4UGAWWE21wa",
"strength": "strong",
"time_to_crack": "centuries",
"notes": "Just a user to blog",
"custom_field1": {
"type": "One Time Password",
"label": "2FA code",
"data": "005438"
},
"custom_field2": {
"type": "Date",
"label": "Installation date",
"data": "2023-12-17"
},
"custom_field3": {
"type": "Password",
"label": "Admin pwd",
"data": "R]xaU:)U!_fJa.g",
"strength": "strong",
"time_to_crack": "centuries"
},
"custom_field4": null,
"custom_field5": null,
"custom_field6": null,
"custom_field7": null,
"custom_field8": null,
"custom_field9": null,
"custom_field10": null,
"archived": false,
"favorite": true,
"num_files": 1,
"created_on": "2024-12-17 19:10:29",
"created_by": {
"id": 1,
"username": "john",
"email_address": "john@teampasswordmanager.com",
"name": "John Boss",
"role": "Admin"
},
"updated_on": "2024-12-17 19:18:03",
"updated_by": {
"id": 1,
"username": "john",
"email_address": "john@teampasswordmanager.com",
"name": "John Boss",
"role": "Admin"
}
}
Notes:
strengthcan have the following values: "" (none), "very weak", "weak", "good" and "strong".- Custom fields of type "Date" use ISO 8601 format: yyyy-mm-dd.
- Custom fields of type "One Time Password": the "data" field returns the OTP value at the time of the request.
Create a password
POST /my_passwords.json
The request body must include the data for the password. The only required fields is the name of the password:
{
"name": "Name of the password",
...
}
If successful, the response code is 201 Created with the internal id of the password in the response body:
{
"id": 123
}
The following fields can be used when creating a password: 'name' (required), 'tags' (list of comma separated strings), 'access_info', 'username', 'email', 'password', 'notes', 'custom_data1' ... 'custom_data10'.
Update a password
PUT /my_passwords/ID.json
The request body must include the data for the password. Only the fields that are included are updated, the other fields are left unchanged:
{
"name": "Changed name of the password",
"tags": "tag1,tag2,tag3",
...
}
If successful, the response code is 204 No content and the response body is empty.
The following fields can be used when updating a password: 'name', 'tags' (list of comma separated strings), 'access_info', 'username', 'email', 'password', 'notes', 'custom_data1' ... 'custom_data10'. The 'name' field, if used, cannot be empty.
Update custom fields definitions of a password
PUT /my_passwords/ID/custom_fields.json
The request body must include the data for the password. Only the fields that are included are updated, the other fields are left unchanged:
{
"custom_label1": "MySQL user",
"custom_type1": "text",
"custom_label2": "MySQL password",
"custom_type2": "password",
...
}
If successful, the response code is 204 No content and the response body is empty.
The following fields can be used when updating a password's custom fields definitions: custom_labelX, custom_typeX (X=1..10).
Allowed custom types (case insensitive): 'Text', 'Encrypted text', 'E-mail' or 'email, 'Password', 'Notes', 'Encrypted notes', "One Time Password" or "OTP" and "Date".
Notes:
- To delete the definition of a custom field set custom_typeX to an empty string.
- Deleting the definition of a custom field doesn't delete its data, but it may uncrypt it.
- No data is passed here, only definition.
Move a password
Move a password to a project.
PUT /my_passwords/ID/move.json
The request body must include the ID of the target project:
{
"project_id": 123
}
Note: project_id cannot be 0.
When moving a personal password to a project, a shared password is created and the personal password is deleted.
If successful, the response code is 201 Created with the internal id of the shared password in the response body:
{
"id": 321
}
Copy a password
Copy a password to a project.
POST /my_passwords/ID/copy.json
The request body must include the ID of the target project (which cannot be 0 or negative):
{
"project_id": 123
}
If successful, the response code is 201 Created with the internal id of the created password in the response body:
{
"id": 70
}
Duplicate a password
Duplicate a password.
POST /my_passwords/ID/duplicate.json
The request body must include the name of the new password:
{
"new_name": "New Wordpress admin"
}
If successful, the response code is 201 Created with the internal id of the created password in the response body:
{
"id": 71
}
Notes:
- Duplicated passwords include the files, have the same passwords and custom fields.
new_namecannot be empty.
Archive/un-archive a password
PUT /my_passwords/ID/archive.json
PUT /my_passwords/ID/unarchive.json
If successful, the response code is 204 No content and the response body is empty.
Delete a password
DELETE /my_passwords/ID.json
This deletes the password.
If successful, the response code is 204 No content and the response body is empty.
Note: since v. 12.143.260, the password is moved to the personal Trash Bin.
List files of a password
This method returns the files uploaded to a password. This call shows similar data as the "Files" tab of the password.
GET /my_passwords/ID/files.json
The response from this request is paginated and /count.json, /page/num.json and X-Page-Size can be used. See the section on pagination for more information. Example: GET /my_passwords/ID/files/page/2.json
If successful, the response code is 200 OK with the results of the call in the response body.
The response is an array of objects that have the following data: id (each file has a unique id in Team Password Manager, which you can see by clicking on the "Info" button of the file), filename, size in bytes and as it appears in the UI, a snippet of the notes if the file has them and when it was last updated.
Example response body:
[
{
"id": 2,
"filename": "logo.jpg",
"size_bytes": 3571,
"size_txt": "3.49 kb",
"notes_snippet": "Just a...",
"uploaded_by": {
"id": 1
},
"uploaded_on": "2024-12-18 05:49:03",
"notes_updated_by": {
"id": 1
},
"notes_updated_on": "2024-12-18 05:49:03"
},
{
"id": 1,
"filename": "PXL_20241217_125411350.jpg",
"size_bytes": 2017894,
"size_txt": "1.92 mb",
"notes_snippet": "",
"uploaded_by": {
"id": 1
},
"uploaded_on": "2024-12-17 19:15:22",
"notes_updated_by": {
"id": 1
},
"notes_updated_on": "2024-12-17 19:15:22"
}
]
Metadata only list
This list files of a password request can include the following header: X-Metadata-Only: true. When this header is used, the response will only include the metadata fields of the files. For example:
[
{
"id": 2,
"uploaded_by": {
"id": 1
},
"uploaded_on": "2024-12-18 05:49:03",
"notes_updated_by": {
"id": 1
},
"notes_updated_on": "2024-12-18 05:49:03"
},
{
"id": 1,
"uploaded_by": {
"id": 1
},
"uploaded_on": "2024-12-17 19:15:22",
"notes_updated_by": {
"id": 1
},
"notes_updated_on": "2024-12-17 19:15:22"
}
]
Upload a file to a password
This method uploads a file to a password.
POST /my_passwords/ID/upload.json
The request body must include the data for the file, which consists of three fields:
file_data_base64contents of the file. It must be Base64 encoded. This field is required.file_namename of the file. This field is required.notesnotes of the file. This field is optional.
Example request body:
{
"file_data_base64": "dGhpcyBpcyBhIHNpbXBsZSB0ZXh0IGZpbGU=", (Base64 encoded content of the file to upload)
"file_name": "file_to_upload.pdf",
"notes": "some notes for the file"
}
If successful, the response code is 201 Created with the internal id of the file in the response body:
{
"id": 373
}
Upload a file to a password example in PHP
The following script shows you how to upload a file to a personal password using PHP. To run it, save it to a PHP file and replace the variables on top with your own values:
<?php
// API URL
$tpm_base_url = 'https://YOUR_TPM_URL/index.php/api/v6';
// User
$username = 'YOUR_TPM_USERNAME';
$password = 'YOUR_TPM_PASSWORD';
// Password id of the personal password to upload the file to
$pwd_id = YOUR_PWD_ID; // For example: 344
// File to upload, in the same folder as this script
$file_to_upload = 'YOUR_FILE_NAME'; // For example: 'server_specs.pdf'
// Read the file, encode it with Base64 and store it in $file
$file = base64_encode(file_get_contents($file_to_upload));
if ( $file ) {
// Method to upload
$request_uri = '/my_passwords/' . $pwd_id . '/upload.json';
// Body with the data to upload the file (JSON encoded array)
$request_body_json = json_encode(array(
'file_data_base64' => $file,
'file_name' => $file_to_upload, // Just the name of the file, do not include the path here
'notes' => 'Some notes'
));
// Headers: JSON and UTF-8
$headers = array(
'Content-Type: application/json; charset=utf-8'
);
// POST request
$ch = curl_init($tpm_base_url . $request_uri);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, FALSE); // Does not include header in the output
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request_body_json);
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password); // HTTP Basic Authentication
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
// Execute
$result = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Show response
echo 'Status: ' . $status . '<br/>';
echo $result;
} else {
echo 'Incorrect file';
}
If successful, the result should show something like this, where "id" is the id of the newly created file:
Status: 201
{"id":380}
Document changelog
| Dec 19, 2024: |
Document created from API v5 Check the API changelog for changes |
