API v3
Team Password Manager's RESTful API (Application Programming Interface) allows other applications to access some of the resources of the software, like projects or passwords. This document describes the basic concepts of the API and provides a quick example to get you started using it.
Sections: Overview | Enabling and disabling API access | Making requests | Authentication | JSON only | Responses and error handling | Pagination | Logging | Resources | Examples
Overview
Team Password Manager's API has the following features:
- REST (Representational state transfer): external applications can access the resources provided by the API by using standard HTTP methods (GET, POST, PUT, DELETE).
- JSON: all requests and responses use JSON.
- Two methods for authenticating: HMAC and HTTP Basic authentication. Any (active) user can access the API using one of these two methods.
- API access can be enabled/disabled globally in Settings.
- It's versioned. You're reading the docs corresponding to version 3 (v3). You can see which version of the API your installation supports by going to Settings in the top menu and then select API.
- It's NOT available in the demo. If you want to try it you should get a trial license.
API v3 provides access to the following resources in Team Password Manager: projects, passwords, my passwords, favorites, users, groups, passwords generator and version.
Enabling and disabling API access
API access is disabled by default. To enable it, go to Settings in the top menu, choose the API tab and click on "Enable API access". Once enabled it can be disabled using the same screen.
If access to the API is disabled, calls to it return 403 Forbidden
, with the message "API access is disabled".
API access cannot be enabled on the online demo.
Making requests
There are 3 required elements to make a request to Team Password Manager's API: the URL, the Content-Type header and the authentication parameters.
URLs
Requests to the Team Password Manager API must follow this URL schema:
YOUR_TEAM_PASSWORD_MANAGER_URL/index.php/api/v3/resource_and_parameters.json
Example: to get a list of passwords of a Team Password Manager installation located at https://tpm.mydomain.com, the URL is:
https://tpm.mydomain.com/index.php/api/v3/passwords.jsonNote: API access also works with http if your installation is using http (https is recommended).
Content-Type header
Calls to the API must always supply the following Content-Type header: Content-Type: application/json; charset=utf-8
If you don't supply this header, you will get a 415 Unsupported Media Type
response.
Authentication parameters
All requests to the API must be authenticated. See the section on authentication on how to do it.
Quick example
Here you have an example using curl from the command line to make a GET request to fetch the list of passwords for a user using HTTP Basic Authentication:
curl -u username:password \ -H 'Content-Type: application/json; charset=utf-8' \ -i https://tpm.mydomain.com/index.php/api/v3/passwords.json
To try it with your Team Password Manager installation, replace "username" and "password" with your credentials and "https://tpm.mydomain.com" with the URL of your installation.
Authentication
All requests to the Team Password Manager API must be authenticated.
Access to the API is done at the user level, meaning that any user of a Team Password Manager installation can access the API using his/her credentials. This way, the permissions the user has on the resources are the same as when the user accesses the software via the web interface. For instance, users with "Admin" role will have access to all of the resources while users with other roles will have access to less resources.
The API provides two methods for authenticating requests:
- HTTP Basic Authentication: uses the username and password of the user.
- HMAC Authentication: uses the user's HMAC API Keys (in the "API Keys" tab in My Account) to calculate a hash of the request.
Head over to the API authentication document to learn how to authenticate API requests.
JSON only
The Team Password Manager's API only supports JSON (JavaScript Object Notation) for serialization of data, in requests and responses.
All API URLs end in .json
to indicate that they accept and return JSON.
The character set in requests and responses is UTF-8.
Responses and error handling
Any call to the API returns one of the three following responses:
1. Ok response with status code 2XX
Usually 200 Ok
in GET requests, 201 Created
in POST requests when creating resources and 204 No Content
in PUT and DELETE requests that return no content.
If content is returned in the response body it's a JSON object/array.
2. Error response with status code 4XX
The request cannot be executed and the error is described in the response body with the following JSON object:
{ "error": true, "type": "Description of the status code error", "message": "Description of why the request failed" }
A failed HTTP Basic authentication request, for instance, returns status code 401 Unauthorized
with the following JSON object:
{ "error": true, "type": "Unauthorized", "message": "Incorrect or missing username or password" }
3. Error response with status code 500
500 Internal Server Error
indicates an unhandled exception on the server side.
The response also includes a JSON object describing the error.
Pagination
Some requests return lists (as a JSON array of objects). For example, GET /passwords.json
returns a list of passwords that the user can access. These responses are usually paginated, in pages of 20 elements (or the value set by NUM_ITEMS_LISTS). Not all resources are paginated, in the document of each one is specified if they are.
When there are more results available for a request, a "next" URL is present in the Link
response header indicating the next page:
Link: <https://tpm.mydomain.com/index.php/api/v3/passwords/page/2.json>; rel="next"
You can also manage pagination for these resources using the count.json
, which returns the number of elements and pages a resource has:
GET /passwords/count.json { "num_items": 211, "num_pages": 11, "num_items_per_page": 20 }
Logging
Team Password Manager logs all actions that are generated by API requests. The actions are the same as in the web interface, so there's a new column in the log called "Origin" that tells where the action originated:
In the main log screen this column can be used to filter log entries.
Requests that result in an error are not logged except for 401 Unauthorized
.
Resources
With Team Password Manager's API v3 you can access the following resources:
- Projects: list, show, create, update, get a list of passwords from a project, get a list of users who can access the project, archive/unarchive and delete.
- Passwords: list, show, create, update, update security, update custom fields definitions, get a list of users who can access the password, delete and lock/unlock.
- My Passwords: list, show, create, update and delete.
- Favorites: list favorite passwords and projects for the user, make a password/project favorite and make a password/project not favorite.
- Users: list, show, create, update, activate/deactivate, convert to ldap/normal and delete.
- Groups: list, show, create, update, add user to group, delete user from group and delete.
- Passwords generator: get a strong, random password generated by the password generator with the current settings.
- Version: get version information.
Examples
Here you have some examples to get you started with the API.
They all use HTTP Basic Authentication. To use them in your installation change "username", "password" and "https://tpm.mydomain.com".
Passwords list (first page)
GET /passwords.json
curl
curl -u username:password \ -H 'Content-Type: application/json; charset=utf-8' \ -i https://tpm.mydomain.com/index.php/api/v3/passwords.json
PHP
<?php // Parameters $tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with / $req_uri = 'api/v3/passwords.json'; // GET /passwords.json $username = 'YOUR USERNAME'; $password = 'YOUR PASSWORD'; // Request headers $headers = array( 'Content-Type: application/json; charset=utf-8' ); // Request $ch = curl_init($tpm_base_url . $req_uri); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password); $result = curl_exec($ch); $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); // Get headers and body list($headers, $body) = explode("\r\n\r\n", $result, 2); $arr_headers = explode("\r\n", $headers); $arr_body = json_decode($body, TRUE); // Show status and array of passwords echo 'Status: ' . $status . '<br/>'; print_r($arr_body);
Show a password
To get all the data of a password you need its internal id. Example for id=1: GET /passwords/1.json
curl
curl -u username:password \ -H 'Content-Type: application/json; charset=utf-8' \ -i https://tpm.mydomain.com/index.php/api/v3/passwords/1.json
PHP
Use the code from the previous example and just change the $req_uri
variable to:
$req_uri = 'api/v3/passwords/1.json'; // GET /passwords/1.json
Create a project
POST /projects.json
Only the name is required to create a project. If successful it returns 201 Created
and the id of the new project:
{ "id": 41 }
curl
curl -u username:password \ -H 'Content-Type: application/json; charset=utf-8' \ -d '{"name":"My new project"}' \ -i https://tpm.mydomain.com/index.php/api/v3/projects.json
PHP
<?php // Parameters $tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with / $req_uri = 'api/v3/projects.json'; // POST /projects.json $username = 'YOUR USERNAME'; $password = 'YOUR PASSWORD'; // Request headers $headers = array( 'Content-Type: application/json; charset=utf-8' ); // Body (json encoded array) $request_body = json_encode(array( 'name' => 'This is a new project' )); // Request $ch = curl_init($tpm_base_url . $req_uri); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password); curl_setopt($ch, CURLOPT_POST, TRUE); curl_setopt($ch, CURLOPT_POSTFIELDS, $request_body); $result = curl_exec($ch); $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); // Get headers and body list($headers, $body) = explode("\r\n\r\n", $result, 2); $arr_headers = explode("\r\n", $headers); $arr_body = json_decode($body, TRUE); // Show status and the new project id echo 'Status: ' . $status . '<br/>'; print_r($arr_body);
Create a password
POST /passwords.json
Only the name and the id of the project where the password goes is required to create a password. If successful it returns 201 Created
and the id of the new password:
{ "id": 123 }
curl
curl -u username:password \ -H 'Content-Type: application/json; charset=utf-8' \ -d '{"name":"My new password", "project_id":41}' \ -i https://tpm.mydomain.com/index.php/api/v3/passwords.json
PHP
<?php // Parameters $tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with / $req_uri = 'api/v3/passwords.json'; // POST /passwords.json $username = 'YOUR USERNAME'; $password = 'YOUR PASSWORD'; $project_id = 41; // The id of the project where the password is created // Request headers $headers = array( 'Content-Type: application/json; charset=utf-8' ); // Body (json encoded array) $request_body = json_encode(array( 'name' => 'This is a new password', 'project_id' => $project_id, 'tags' => 'seo,clients', 'access_info' => 'http://urlforthepassword.com', 'username' => 'usernameforthepassword', 'email' => 'email@forthepassword.com', 'password' => 'changeit' )); // Request $ch = curl_init($tpm_base_url . $req_uri); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password); curl_setopt($ch, CURLOPT_POST, TRUE); curl_setopt($ch, CURLOPT_POSTFIELDS, $request_body); $result = curl_exec($ch); $status = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); // Get headers and body list($headers, $body) = explode("\r\n\r\n", $result, 2); $arr_headers = explode("\r\n", $headers); $arr_body = json_decode($body, TRUE); // Show status and the new password id echo 'Status: ' . $status . '<br/>'; print_r($arr_body);