API v5
Team Password Manager's RESTful API (Application Programming Interface) allows other applications to access some of the resources of the software, like projects or passwords. This document describes the basic concepts of the API and provides a quick example to get you started using it.
Sections: Overview | Enabling and disabling API access | Security | Making requests | Authentication | JSON only | Responses and error handling | Pagination | Logging | Maintenance Mode | Resources | Examples
Overview
Team Password Manager's API has the following features:
- REST (Representational state transfer): external applications can access the resources provided by the API by using standard HTTP methods (GET, POST, PUT, DELETE).
- JSON: all requests and responses use JSON.
- Two methods for authenticating: HMAC and HTTP Basic authentication. Any (active) user can access the API using one of these two methods.
- API access can be enabled/disabled globally in Settings.
- It's versioned. You're reading the docs corresponding to version 5 (v5). You can see which version of the API your installation supports by going to Settings in the top menu and then selecting API.
- It's NOT available in the demo. If you want to try it you should get a trial license.
API v5 provides access to the following resources in Team Password Manager: projects, passwords, my passwords, files, favorites, users, groups, passwords generator and version.
Enabling and disabling API access
API access is disabled by default. To enable it, go to Settings in the top menu, choose the API tab and click on "Enable API access". Once enabled it can be disabled using the same screen.
If access to the API is disabled, calls to it return 403 Forbidden, with the message "API access is disabled".
API access cannot be enabled on the online demo.
Security
Since version 7.103.208 there's a way to limit the users who can access the API: you can either configure it so that all users can access the API (default) or that only "API only" users can access it. You can change this setting when the API is enabled in Settings (top menu), then API (sidebar) and then click on "Edit API Security".
Making requests
There are 3 required elements to make a request to Team Password Manager's API: the URL, the Content-Type header and the authentication parameters.
URLs
Requests to the Team Password Manager API must follow this URL schema:
YOUR_TEAM_PASSWORD_MANAGER_URL/index.php/api/v5/resource_and_parameters.json
Example: to get a list of passwords of a Team Password Manager installation located at https://tpm.mydomain.com, the URL is:
https://tpm.mydomain.com/index.php/api/v5/passwords.json
Note: API access also works with http if your installation is using http (https is recommended, because over plain http the credentials and the returned data travel unencrypted).
Content-Type header
Calls to the API must always supply the following Content-Type header: Content-Type: application/json; charset=utf-8
If you don't supply this header, you will get a 415 Unsupported Media Type response.
Authentication parameters
All requests to the API must be authenticated. See the section on authentication on how to do it.
Quick example
Here you have an example using curl from the command line to make a GET request to fetch the list of passwords for a user using HTTP Basic Authentication:
curl -u username:password \
     -H 'Content-Type: application/json; charset=utf-8' \
     -i https://tpm.mydomain.com/index.php/api/v5/passwords.json
To try it with your Team Password Manager installation, replace "username" and "password" with your credentials and "https://tpm.mydomain.com" with the URL of your installation.
Authentication
All requests to the Team Password Manager API must be authenticated.
Access to the API is done at the user level, meaning that any user of a Team Password Manager installation can access the API using his/her credentials. This way, the permissions the user has on the resources are the same as when the user accesses the software via the web interface. For instance, users with the "Admin" role will have access to all of the resources while users with other roles will have access to fewer resources.
The API provides two methods for authenticating requests:
- HTTP Basic Authentication: uses the username and password of the user.
- HMAC Authentication: uses the user's HMAC API Keys (in the "API Keys" tab in My Account) to calculate a hash of the request.
Since v. 13.166.291:
- You can configure which authentication method is enabled for the API: both HTTP Basic and HMAC, HTTP Basic only, or HMAC only.
- You can set whether HMAC API keys will expire after a specified number of days or remain valid indefinitely.
Head over to the API authentication document to learn how to authenticate API requests.
JSON only
The Team Password Manager's API only supports JSON (JavaScript Object Notation) for serialization of data, in requests and responses.
All API URLs end in .json to indicate that they accept and return JSON.
The character set in requests and responses is UTF-8.
Responses and error handling
Any call to the API returns one of the three following responses:
1. Ok response with status code 2XX
Usually 200 Ok in GET requests, 201 Created in POST requests when creating resources and 204 No Content in PUT and DELETE requests that return no content.
If content is returned in the response body it's a JSON object/array.
2. Error response with status code 4XX
The request cannot be executed and the error is described in the response body with the following JSON object:
{ "error": true, "type": "Description of the status code error", "message": "Description of why the request failed" }
A failed HTTP Basic authentication request, for instance, returns status code 401 Unauthorized with the following JSON object:
{ "error": true, "type": "Unauthorized", "message": "Incorrect or missing username or password" }
3. Error response with status code 500
500 Internal Server Error indicates an unhandled exception on the server side.
The response also includes a JSON object describing the error.
Pagination
Some requests return lists (as a JSON array of objects). For example, GET /passwords.json returns a list of passwords that the user can access. These responses are usually paginated, in pages of 20 elements (or the value set by NUM_ITEMS_LISTS). Not all resources are paginated; the document for each resource specifies whether it is.
When there are more results available for a request, a "next" URL is present in the Link response header indicating the next page:
Link: <https://tpm.mydomain.com/index.php/api/v5/passwords/page/2.json>; rel="next"
You can also manage pagination for these resources using the count.json endpoint, which returns the number of elements and pages a resource has. For example:
GET /passwords/count.json
{ "num_items": 211, "num_pages": 11, "num_items_per_page": 20 }
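A client-side sketch of the "Responses and error handling" and "Pagination" rules above, added here as an example and not taken from Team Password Manager's own code. It follows the Link rel="next" header only while it stays on the same scheme and host as the current request, so the credentials are never replayed elsewhere. The names ApiError, next_link, fetch_all, demo_send and the send(url, headers) transport are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

CONTENT_TYPE = "application/json; charset=utf-8"  # required on every call

class ApiError(Exception):
    """Non-2XX reply; args are (status, type, message) from the error object."""

def next_link(link_header, current_url):
    """Return the rel="next" URL, refusing one on a different origin."""
    for m in re.finditer(r'<([^>]+)>\s*;\s*rel="?next\b', link_header or ""):
        nxt, cur = urlsplit(m.group(1)), urlsplit(current_url)
        if (nxt.scheme, nxt.netloc) != (cur.scheme, cur.netloc):
            raise ValueError("next link leaves the API origin: " + m.group(1))
        return m.group(1)
    return None

def fetch_all(first_url, send, max_pages=500):
    """Collect every page of a list resource. send(url, headers) is a
    hypothetical transport returning (status, headers, body_text); it is
    expected to add the authentication itself."""
    items, url = [], first_url
    for _ in range(max_pages):
        status, headers, body = send(url, {"Content-Type": CONTENT_TYPE})
        if not 200 <= status < 300:
            try:
                err = json.loads(body)
            except ValueError:
                err = None
            err = err if isinstance(err, dict) else {}
            raise ApiError(status, err.get("type"), err.get("message"))
        items.extend(json.loads(body))
        url = next_link(headers.get("Link"), url)
        if url is None:
            return items
    raise RuntimeError("more than max_pages pages; stopping")

# Constructed sample: a two-page listing served by a fake transport.
BASE = "https://tpm.mydomain.com/index.php/api/v5/passwords"
PAGES = {
    BASE + ".json": (200, {"Link": f'<{BASE}/page/2.json>; rel="next"'},
                     '[{"id": 1}, {"id": 2}]'),
    BASE + "/page/2.json": (200, {}, '[{"id": 3}]'),
}

def demo_send(url, headers):
    return PAGES[url]
```

The max_pages bound stops a response that keeps pointing at itself from looping forever.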
Logging
Team Password Manager logs all actions that are generated by API requests. The actions are the same as in the web interface, so there's a new column in the log called "Origin" that tells where the action originated:
In the main log screen this column can be used to filter log entries.
Requests that result in an error are not logged except for 401 Unauthorized.
Maintenance Mode
If Maintenance Mode is enabled the API is not available and any requests return "Service Unavailable" (status code 503), with the message: "This installation is in Maintenance Mode.".
Resources
With Team Password Manager's API v5 you can access the following resources:
- Projects: list, show, create, update, get a list of passwords from a project, get a list of users who can access the project, archive/unarchive, list files, upload a file and delete.
- Passwords: list, show, create, update, update security, update custom fields definitions, get a list of users who can access the password, delete, archive/unarchive, move, list files, upload a file and lock/unlock.
- My Passwords: list, show, create, update and delete.
- Files: list files, show a file, update the notes of a file, get the max upload file size, get the uploads folder information, upload a file, download a file, delete a file.
- Favorites: list favorite passwords and projects for the user, make a password/project favorite and make a password/project not favorite.
- Users: list, show, create, update, activate/deactivate, convert to ldap/normal and delete.
- Groups: list, show, create, update, add user to group, delete user from group and delete.
- Passwords generator: get a strong, random password generated by the password generator with the current settings.
- Version: get version information.
Examples
Here you have some examples to get you started with the API.
They all use HTTP Basic Authentication. To use them in your installation change "username", "password" and "https://tpm.mydomain.com".
Passwords list (first page)
GET /passwords.json
curl
curl -u username:password \
     -H 'Content-Type: application/json; charset=utf-8' \
     -i https://tpm.mydomain.com/index.php/api/v5/passwords.json
PHP
<?php
// Parameters
$tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with /
$req_uri = 'api/v5/passwords.json'; // GET /passwords.json
$username = 'YOUR USERNAME';
$password = 'YOUR PASSWORD';

// Request headers
$headers = array(
    'Content-Type: application/json; charset=utf-8'
);

// Request
$ch = curl_init($tpm_base_url . $req_uri);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
$result = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Get headers and body
list($headers, $body) = explode("\r\n\r\n", $result, 2);
$arr_headers = explode("\r\n", $headers);
$arr_body = json_decode($body, TRUE);

// Show status and array of passwords
echo 'Status: ' . $status . '<br/>';
print_r($arr_body);
Show a password
To get all the data of a password you need its internal id. Example for id=1: GET /passwords/1.json
curl
curl -u username:password \
     -H 'Content-Type: application/json; charset=utf-8' \
     -i https://tpm.mydomain.com/index.php/api/v5/passwords/1.json
PHP
Use the code from the previous example and just change the $req_uri variable to:
$req_uri = 'api/v5/passwords/1.json'; // GET /passwords/1.json
Create a project
POST /projects.json
Only the name is required to create a project. If successful it returns 201 Created and the id of the new project:
{ "id": 41 }
curl
curl -u username:password \
     -H 'Content-Type: application/json; charset=utf-8' \
     -d '{"name":"My new project", "parent_id": 0}' \
     -i https://tpm.mydomain.com/index.php/api/v5/projects.json
PHP
<?php
// Parameters
$tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with /
$req_uri = 'api/v5/projects.json'; // POST /projects.json
$username = 'YOUR USERNAME';
$password = 'YOUR PASSWORD';

// Request headers
$headers = array(
    'Content-Type: application/json; charset=utf-8'
);

// Body (json encoded array)
$request_body = json_encode(array(
    'name' => 'This is a new project',
    'parent_id' => 0 // The project will be a root project
));

// Request
$ch = curl_init($tpm_base_url . $req_uri);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request_body);
$result = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Get headers and body
list($headers, $body) = explode("\r\n\r\n", $result, 2);
$arr_headers = explode("\r\n", $headers);
$arr_body = json_decode($body, TRUE);

// Show status and the new project id
echo 'Status: ' . $status . '<br/>';
print_r($arr_body);
Create a password
POST /passwords.json
Only the name and the id of the project where the password goes are required to create a password. If successful it returns 201 Created and the id of the new password:
{ "id": 123 }
curl
curl -u username:password \
     -H 'Content-Type: application/json; charset=utf-8' \
     -d '{"name":"My new password", "project_id":41}' \
     -i https://tpm.mydomain.com/index.php/api/v5/passwords.json
PHP
<?php
// Parameters
$tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with /
$req_uri = 'api/v5/passwords.json'; // POST /passwords.json
$username = 'YOUR USERNAME';
$password = 'YOUR PASSWORD';
$project_id = 41; // The id of the project where the password is created

// Request headers
$headers = array(
    'Content-Type: application/json; charset=utf-8'
);

// Body (json encoded array)
$request_body = json_encode(array(
    'name' => 'This is a new password',
    'project_id' => $project_id,
    'tags' => 'seo,clients',
    'access_info' => 'http://urlforthepassword.com',
    'username' => 'usernameforthepassword',
    'email' => 'email@forthepassword.com',
    'password' => 'changeit'
));

// Request
$ch = curl_init($tpm_base_url . $req_uri);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $request_body);
$result = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Get headers and body
list($headers, $body) = explode("\r\n\r\n", $result, 2);
$arr_headers = explode("\r\n", $headers);
$arr_body = json_decode($body, TRUE);

// Show status and the new password id
echo 'Status: ' . $status . '<br/>';
print_r($arr_body);
Document changelog
Nov 5, 2024: In Authentication: choose API authentication method and expire HMAC keys.
Nov 12, 2021: Document created