API v4: Passwords

API v4

Sections: List passwords | Show a password | List of users who can access a password | Create a password | Update a password | Update security of a password | Update custom fields definitions of a password | Delete a password | Lock a password | Unlock a password

List passwords

These return the passwords that the user has access to. The returned data is the same as in the passwords lists (all active, archived, favorite and search) in the web interface.

GET /passwords.json
GET /passwords/archived.json
GET /passwords/favorite.json
GET /passwords/search/urlencoded_string.json (see notes below)

The responses from these requests are paginated and /count.json and /page/num.json can be used. See the section on pagination for more information. Example: GET /passwords/page/2.json

If successful, the response code is 200 OK with the results of the call in the response body.

Example response body:

[
  {
    "id": 68,
    "name": "Wordpress admin",
    "project": {
      "id": 12,
      "name": "www.fictionalgadgetsite.com"
    },
    "notes_snippet": "some notes\nother notes",
    "tags": "wordpress",
    "access_info": "http:\/\/www.fictionalgadgetsite.com\/wp-admin",
    "username": "admin_sg",
    "email": "",
    "expiry_date": "2013-10-20",
    "expiry_status": 2,
    "archived": false,
    "favorite": true,
    "num_files": 1,
    "locked": false,
    "external_sharing": true,
    "updated_on": "2014-07-23 18:18:28"
  },
  {
    "id": 175,
    "name": "Sample password",
    "project": {
      "id": 12,
      "name": "www.fictionalgadgetsite.com"
    },
    "archived": false,
    "favorite": true,
    "locked": true,
    "external_sharing": false,
    "updated_on": "2014-07-23 18:18:06"
  },
...
]

Notes:

• expiry_date uses ISO 8601 format: yyyy-mm-dd.
• expiry_status has the following values: 0=no date or not expired, 1=expires today, 2=expired, 3=will expire soon.
• Locked passwords (locked=true) will not show any data except id, name, project, archived, favorite and updated on.
• Search:
  • You can use the search operators when searching for passwords.
  • You need to urlencode the "urlencoded_string" part.
  • Example (in PHP):
    

    $search_string = 'username:john'; // Find passwords whose username is "john"
    $search_string_urlencoded = urlencode($search_string);
    $request_url = 'https://YOUR_TPM_URL/index.php/api/v4/passwords/search/' . $search_string_urlencoded . '.json';

Show a password

This method returns all the data of a password, identified by its internal id.

GET /passwords/ID.json

If successful, the response code is 200 OK with the results of the call in the response body.

Example response body:

{
  "id": 69,
  "name": "CRM account",
  "project": {
    "id": 20,
    "name": "www.mynewsite.com"
  },
  "tags": "google",
  "access_info": "https:\/\/www.mynewsite.com\/crm",
  "username": "thisisme",
  "email": "thisisme@mynewsite.com",
  "password": "(Ip8=c1|9@%{d5!2-0.u",
  "expiry_date": "2015-08-24",
  "expiry_status": 3,
  "notes": "Some notes for the password",
  "custom_field1": {
    "type": "Text",
    "label": "Custom 1",
    "data": "Sample value"
  },
  "custom_field2": {
    "type": "Password",
    "label": "root",
    "data": "6Zi3=!\/7.b9#1,2}|4;"
  },
  "custom_field3": {
    "type": "Date",
    "label": "Renewal",
    "data": "2022-12-17"
  },
  "custom_field4": null,
  "custom_field5": null,
  "custom_field6": null,
  "custom_field7": null,
  "custom_field8": null,
  "custom_field9": null,
  "custom_field10": null,
  "users_permissions": [
    {
      "user": {
        "id": 6,
        "username": "clairewood",
        "email_address": "claire@teampasswordmanager.com",
        "name": "Claire Wood",
        "role": "Normal user"
      },
      "permission": {
        "id": 20,
        "label": "Edit data"
      }
    },
    {
      "user": {
        "id": 7,
        "username": "janineblack",
        "email_address": "janine@teampasswordmanager.com",
        "name": "Janine Black",
        "role": "Normal user"
      },
      "permission": {
        "id": 0,
        "label": "No access"
      }
    }
  ],
  "groups_permissions": [
    {
      "group": {
        "id": 1,
        "name": "SEO"
      },
      "permission": {
        "id": 10,
        "label": "Read"
      }
    }
  ],
  "parents": [
    13,
    19,
    20
  ],
  "user_permission": {
    "id": 30,
    "label": "Manage"
  },
  "archived": false,
  "favorite": true,
  "num_files": 0,
  "locked": false,
  "external_sharing": true,
  "external_url": "http:\/\/localhost\/tpm2\/site_enc\/index.php\/pwde\/view\/15abe2439e994f91befe55075b9729e6df514e4669",
  "managed_by": {
    "id": 1,
    "username": "john",
    "email_address": "john@teampasswordmanager.com",
    "name": "John Boss",
    "role": "Admin"
  },
  "created_on": "2015-08-16 08:37:52",
  "created_by": {
    "id": 1,
    "username": "john",
    "email_address": "john@teampasswordmanager.com",
    "name": "John Boss",
    "role": "Admin"
  },
  "updated_on": "2015-08-16 10:57:06",
  "updated_by": {
    "id": 1,
    "username": "john",
    "email_address": "john@teampasswordmanager.com",
    "name": "John Boss",
    "role": "Admin"
  }
}

Notes:

• expiry_date uses ISO 8601 format: yyyy-mm-dd.
• Custom fields of type "Date" use ISO 8601 format: yyyy-mm-dd.
• expiry_status has the following values: 0=no date or not expired, 1=expires today, 2=expired, 3=will expire soon.
• Locked passwords (locked=true) will not show any data except id, name, project, archived, favorite and managed/created fields.
• To view all the data for a locked password, the X-Unlock-Reason header must be supplied with a reason. When a locked password is accessed with the X-Unlock-Reason, a notification will be sent to the password manager with the supplied reason. Note that locked passwords that require permission to be unlocked cannot be used with the API, and if in this case the X-Unlock-Reason header is provided a "409 Conflict" error will be returned.
• users_permissions is an array of objects of the following data: user object and permission object (permission id, description). Each object describes the permission set to the user on the password. These data are only available to users with manage permission on the password (they're set to null for users that don't have the manage permission).
• groups_permissions is an array of objects of the following data: group object and permission object (permission id, description). Each object describes the permission set to the group on the password. These data are only available to users with manage permission on the password (they're set to null for users that don't have the manage permission).
• parents is an array of project ids from the root to the project of the password (in descending order), as seen by the user.
• user_permission is a permission object (permission id, description) that indicates what permission has the user making the request on the password.
• Custom fields of type "One Time Password" return: in 10.135.236 the secret key, in 10.138.240+ the OTP value at the time of the request.

List users who can access a password

This method returns the effective permissions users have on a password. This call shows similar data as the "Security" tab of the password.

GET /passwords/ID/security.json

To use this method with a locked password, the X-Unlock-Reason header must be supplied with a reason, otherwise the response code 403 Forbidden will be returned. When a locked password is accessed with the X-Unlock-Reason, a notification will be sent to the password manager with the supplied reason. Note that locked passwords that require permission to be unlocked cannot be used with the API, and if in this case the X-Unlock-Reason header is provided a "409 Conflict" error will be returned.

If successful, the response code is 200 OK with the results of the call in the response body.

Since version 10.135.236 this request is only available to the users who have manage permission on the password.

The response is an array of objects that have the following data:

• User object: data about the user.
• Permission object: permission id and description.
• Granted via: how the user is granted the permission on the project.

Example response body:

[
  {
    "user": {
      "id": 2,
      "username": "alan",
      "email_address": "alan@teampasswordmanager.com",
      "name": "Alan",
      "role": "Project manager"
    },
    "permission": {
      "id": 30,
      "label": "Manage"
    },
    "granted_via": "Project: Project manager"
  },
  {
    "user": {
      "id": 4,
      "username": "amy",
      "email_address": "amy@teampasswordmanager.com",
      "name": "Amy",
      "role": "Normal user"
    },
    "permission": {
      "id": 10,
      "label": "Read"
    },
    "granted_via": "Group: SEO"
  },
  {
    "user": {
      "id": 3,
      "username": "ann",
      "email_address": "ann@teampasswordmanager.com",
      "name": "Ann",
      "role": "Normal user"
    },
    "permission": {
      "id": 10,
      "label": "Read"
    },
    "granted_via": "Group: SEO"
  },
  {
    "user": {
      "id": 6,
      "username": "clairewood",
      "email_address": "claire@teampasswordmanager.com",
      "name": "Claire Wood",
      "role": "Normal user"
    },
    "permission": {
      "id": 20,
      "label": "Edit data"
    },
    "granted_via": "User direct"
  },
  {
    "user": {
      "id": 7,
      "username": "janineblack",
      "email_address": "janine@teampasswordmanager.com",
      "name": "Janine Black",
      "role": "Normal user"
    },
    "permission": {
      "id": 0,
      "label": "No access"
    },
    "granted_via": "User direct"
  },
  {
    "user": {
      "id": 1,
      "username": "john",
      "email_address": "john@teampasswordmanager.com",
      "name": "John Boss",
      "role": "Admin"
    },
    "permission": {
      "id": 30,
      "label": "Manage"
    },
    "granted_via": "Password manager"
  }
]

Create a password

POST /passwords.json

The request body must include the data for the password. The required fields are the name and the id of the project the password is to be created in:

{
  "name": "Name of the password",
  "project_id": 21,
  ...
}

If successful, the response code is 201 Created with the internal id of the password in the response body:

{
  "id": 345
}

The following fields can be used when creating a password: 'name' (required), 'project_id' (required), 'tags' (list of comma separated strings), 'access_info', 'username', 'email', 'password', 'expiry_date' (in ISO 8601 format: yyyy-mm-dd, or null or ''), 'notes', 'custom_data1', 'custom_data2', 'custom_data3', 'custom_data4', 'custom_data5', 'custom_data6', 'custom_data7', 'custom_data8', 'custom_data9', 'custom_data10'.

Notes:

• Custom data fields are allowed even if custom fields are not defined (their type is text by default).
• The data for custom data fields of type "One Time Password" must be the secret key.
• The data for custom data fields of type "Date" must be the specified in ISO 8601 format: yyyy-mm-dd.

Update a password

PUT /passwords/ID.json

The request body must include the data for the password. Only the fields that are included are updated, the other fields are left unchanged:

{
  "name": "Changed name of the password",
  "tags": "tag1,tag2,tag3",
  ...
}

If successful, the response code is 204 No content and the response body is empty.

The following fields can be used when updating a password: 'name', 'tags' (list of comma separated strings), 'access_info', 'username', 'email', 'password', 'expiry_date' (in ISO 8601 format: yyyy-mm-dd, or null or ''), 'notes', 'custom_data1', 'custom_data2', 'custom_data3', 'custom_data4', 'custom_data5', 'custom_data6', 'custom_data7', 'custom_data8', 'custom_data9', 'custom_data10'.

Notes:

• The 'name', if present, cannot be empty.
• Custom data fields are allowed even if custom fields are not defined (their type is text by default).
• The data for custom data fields of type "One Time Password" must be the secret key.
• The data for custom data fields of type "Date" must be the specified in ISO 8601 format: yyyy-mm-dd.
• To update a locked password, the X-Unlock-Reason header must be supplied with a reason, otherwise the response code 403 Forbidden will be returned. When a locked password is accessed with the X-Unlock-Reason, a notification will be sent to the password manager with the supplied reason. Note that locked passwords that require permission to be unlocked cannot be used with the API, and if in this case the X-Unlock-Reason header is provided a "409 Conflict" error will be returned.
• Linked passwords cannot be updated (they're read only). If you try to update a linked password you'll get a 403 Forbidden response.

Update the security of a password

PUT /passwords/ID/security.json

The request body must include the data for the password:

• managed_by is the main manager of the password. If present, cannot be 0.
• users_permissions is an array of [user_id, permission_id]. User permissions will be set for the users passed, deleting the current permissions. permission_id can be: 0=no acces, 10=read, 20=edit data, 30=manage (only 0, 10 for users with role read only). If you want to set "Do not set", simply exclude the user. Admin users, the project manager(s) and the password manager can be included in this list, but it will have no effect. For Read only users these are the only valid permissions: 0, 10.
• groups_permissions is an array of [group_id, permission_id]. Groups permissions will be set for the groups passed, deleting the current permissions. permission_id can be: 0=no acces, 10=read, 20=edit data, 30=manage. If you want to set "Do not set", simply exclude the group from the list.

Note: you cannot assign the "20=edit data" permission to linked passwords as they're read only. You'll get a 409 Conflict response if you try to do so.

Example of a request body:

{
  "managed_by": 1,
  "users_permissions": [ [2,10],[3,20] ],
  "groups_permissions": [ [1,20] ]
}

If successful, the response code is 204 No content and the response body is empty.

To update the security of a locked password, the X-Unlock-Reason header must be supplied with a reason, otherwise the response code 403 Forbidden will be returned. When a locked password is accessed with the X-Unlock-Reason, a notification will be sent to the password manager with the supplied reason. Note that locked passwords that require permission to be unlocked cannot be used with the API, and if in this case the X-Unlock-Reason header is provided a "409 Conflict" error will be returned.

To get the users in your Team Password Manager installation you can use GET /users.json and the groups GET /groups.json.

Update custom fields definitions of a password

PUT /passwords/ID/custom_fields.json

The request body must include the data for the password. Only the fields that are included are updated, the other fields are left unchanged:

{
  "custom_label1": "MySQL user",
  "custom_type1": "text",
  "custom_label2": "MySQL password",
  "custom_type2": "password",
  ...
}

If successful, the response code is 204 No content and the response body is empty.

The following fields can be used when updating a password's custom fields definitions: custom_labelX, custom_typeX (X=1..10).

Allowed custom types (case insensitive): 'Text', 'Encrypted text', 'E-mail' or 'email, 'Password', 'Notes' and 'Encrypted notes'. Note that in this version of the API custom types of "One Time Password" or "Date" are not allowed.

Notes:

• To delete the definition of a custom field set custom_typeX to an empty string.
• Deleting the definition of a custom field doesn't delete its data, but it may uncrypt it.
• No data is passed here, only definition.
• To update the custom field definitions of a locked password, the X-Unlock-Reason header must be supplied with a reason, otherwise the response code 403 Forbidden will be returned. When a locked password is accessed with the X-Unlock-Reason, a notification will be sent to the password manager with the supplied reason. Note that locked passwords that require permission to be unlocked cannot be used with the API, and if in this case the X-Unlock-Reason header is provided a 409 Conflict error will be returned.
• Custom field definitions of linked passwords cannot be updated (they're read only). If you try to update the custom field definition of a linked password you'll get a 403 Forbidden response.

Delete a password

DELETE /passwords/ID.json

This deletes the password, its files, etc.

If successful, the response code is 204 No content and the response body is empty.

To delete a locked password, the X-Unlock-Reason header must be supplied with a reason, otherwise the response code 403 Forbidden will be returned. When a locked password is accessed with the X-Unlock-Reason, a notification will be sent to the password manager with the supplied reason. Note that locked passwords that require permission to be unlocked cannot be used with the API, and if in this case the X-Unlock-Reason header is provided a "409 Conflict" error will be returned.

Notes:

• linked passwords cannot be deleted (they're read only). If you try to delete a linked password you'll get a 403 Forbidden response.
• Since v. 12.143.260, the password is moved to the Trash Bin.

Lock a password

PUT /passwords/ID/lock.json

This sets the locking status of a password to locked. From this moment on, any user who wants to use it will have to supply a reason to unlock it.

If successful, the response code is 204 No content and the response body is empty.

Unlock a password

PUT /passwords/ID/unlock.json

This sets the locking status of a password to unlocked.

If successful, the response code is 204 No content and the response body is empty.

To unlock a locked password, the X-Unlock-Reason header must be supplied with a reason, otherwise the response code 403 Forbidden will be returned. When a locked password is accessed with the X-Unlock-Reason, a notification will be sent to the password manager with the supplied reason. Note that locked passwords that require permission to be unlocked cannot be used with the API, and if in this case the X-Unlock-Reason header is provided a "409 Conflict" error will be returned.