Testimonials
What our customers say about Team Password Manager

The Team Password Manager API

Current Team Password Manager version: 13.166.291

API v5

Team Password Manager's RESTful API (Application Programming Interface) allows other applications to access some of the resources of the software, like projects or passwords. This document describes the basic concepts of the API and provides a quick example to get you started using it.

Sections: Overview | Enabling and disabling API access | Security | Making requests | Authentication | JSON only | Responses and error handling | Pagination | Logging | Maintenance Mode | Resources | Examples

Overview

Team Password Manager's API has the following features:

  • REST (Representational state transfer): external applications can access the resources provided by the API by using standard HTTP methods (GET, POST, PUT, DELETE).
  • JSON: all requests and responses use JSON.
  • Two methods for authenticating: HMAC and HTTP Basic authentication. Any (active) user can access the API using one of these two methods.
  • API access can be enabled/disabled globally in Settings.
  • It's versioned. You're reading the docs corresponding to version 5 (v5). You can see which version of the API your installation supports by going to Settings in the top menu and then select API.
  • It's NOT available in the demo. If you want to try it you should get a trial license.

API v5 provides access to the following resources in Team Password Manager: projects, passwords, my passwords, files, favorites, users, groups, passwords generator and version.

Enabling and disabling API access

API access is disabled by default. To enable it, go to Settings in the top menu, choose the API tab and click on "Enable API access". Once enabled it can be disabled using the same screen.

How to enable API access

If access to the API is disabled, calls to it return 403 Forbidden, with the message "API access is disabled".

API access cannot be enabled on the online demo.

Security

Since version 7.103.208 there's a way to limit the users who can access the API: you can either configure it so that all users can access the API (default) or that only "API only" users can access it. You can change this setting when the API is enabled in Settings (top menu), then API (sidebar) and then click on "Edit API Security".

Making requests

There are 3 required elements to make a request to Team Password Manager's API: the URL, the Content-Type header and the authentication parameters.

URLs

Requests to the Team Password Manager API must follow this URL schema:

YOUR_TEAM_PASSWORD_MANAGER_URL/index.php/api/v5/resource_and_parameters.json

Example: to get a list of passwords of a Team Password Manager installation located at https://tpm.mydomain.com, the URL is:

https://tpm.mydomain.com/index.php/api/v5/passwords.json

Note: API access also works with http if your installation is using http (https is recommended).

Content-Type header

Calls to the API must always supply the following Content-Type header: Content-Type: application/json; charset=utf-8

If you don't supply this header, you will get a 415 Unsupported Media Type response.

Authentication parameters

All requests to the API must be authenticated. See the section on authentication on how to do it.

Quick example

Here you have an example using curl from the command line to make a GET request to fetch the list of passwords for a user using HTTP Basic Authentication:

curl -u username:password \
  -H 'Content-Type: application/json; charset=utf-8' \
  -i https://tpm.mydomain.com/index.php/api/v5/passwords.json

To try it with your Team Password Manager installation, replace "username" and "password" with your credentials and "https://tpm.mydomain.com" with the URL of your installation.

Authentication

All requests to the Team Password Manager API must be authenticated.

Access to the API is done at the user level, meaning that any user of a Team Password Manager installation can access the API using his/her credentials. This way, the permissions the user has on the resources are the same as when the user accesses the software via the web interface. For instance, users with "Admin" role will have access to all of the resources while users with other roles will have access to less resources.

The API provides two methods for authenticating requests:

  • HTTP Basic Authentication: uses the username and password of the user.
  • HMAC Authentication: uses the user's HMAC API Keys (in the "API Keys" tab in My Account) to calculate a hash of the request.

Since v. 13.166.291:

  • You can configure which authentication method is enabled for the API: both HTTP Basic and HMAC, HTTP Basic only, or HMAC only.
  • You can set whether HMAC API keys will expire after a specified number of days or remain valid indefinitely.

Head over to the API authentication document to learn how to authenticate API requests.

JSON only

The Team Password Manager's API only supports JSON (JavaScript Object Notation) for serialization of data, in requests and responses.

All API URLs end in .json to indicate that they accept and return JSON.

The character set in requests and responses is UTF-8.

Responses and error handling

Any call to the API returns one of the three following responses:

1. Ok response with status code 2XX

Usually 200 Ok in GET requests, 201 Created in POST requests when creating resources and 204 No Content in PUT and DELETE requests that return no content.

If content is returned in the response body it's a JSON object/array.

2. Error response with status code 4XX

The request cannot be executed and the error is described in the response body with the following JSON object:

{
  "error": true,
  "type": "Description of the status code error",
  "message": "Description of why the request failed"
}

A failed HTTP Basic authentication request, for instance, returns status code 401 Unauthorized with the following JSON object:

{
  "error": true,
  "type": "Unauthorized",
  "message": "Incorrect or missing username or password"
}

3. Error response with status code 500

500 Internal Server Error indicates an unhandled exception on the server side.

The response also includes a JSON object describing the error.

Pagination

Some requests return lists (as a JSON array of objects). For example, GET /passwords.json returns a list of passwords that the user can access. These responses are usually paginated, in pages of 20 elements (or the value set by NUM_ITEMS_LISTS). Not all resources are paginated, in the document of each one is specified if they are.

When there are more results available for a request, a "next" URL is present in the Link response header indicating the next page:

Link: <https://tpm.mydomain.com/index.php/api/v5/passwords/page/2.json>; rel="next"

You can also manage pagination for these resources using the count.json endpoint, which returns the number of elements and pages a resource has. For example:

GET /passwords/count.json
{
  "num_items": 211,
  "num_pages": 11,
  "num_items_per_page": 20
}

Logging

Team Password Manager logs all actions that are generated by API requests. The actions are the same as in the web interface, so there's a new column in the log called "Origin" that tells where the action originated:

Origin column in the log

In the main log screen this column can be used to filter log entries.

Requests that result in an error are not logged except for 401 Unauthorized.

Maintenance Mode

If Maintenance Mode is enabled the API is not available and any requests return "Service Unavailable" (status code 503), with the message: "This installation is in Maintenance Mode.".


Resources

With Team Password Manager's API v5 you can access the following resources:

  • Projects: list, show, create, update, get a list of passwords from a project, get a list of users who can access the project, archive/unarchive, list files, upload a file and delete.
  • Passwords: list, show, create, update, update security, update custom fields definitions, get a list of users who can access the password, delete, archive/unarchive, move, list files, upload a file and lock/unlock.
  • My Passwords: list, show, create, update and delete.
  • Files: list files, show a file, update the notes of a file, get the max upload file size, get the uploads folder information, upload a file, download a file, delete a file.
  • Favorites: list favorite passwords and projects for the user, make a password/project favorite and make a password/project not favorite.
  • Users: list, show, create, update, activate/deactivate, convert to ldap/normal and delete.
  • Groups: list, show, create, update, add user to group, delete user from group and delete.
  • Passwords generator: get a strong, random password generated by the password generator with the current settings.
  • Version: get version information.

Examples

Here you have some examples to get you started with the API.

They all use HTTP Basic Authentication. To use them in your installation change "username", "password" and "https://tpm.mydomain.com".

Passwords list (first page)

GET /passwords.json

curl

curl -u username:password \
  -H 'Content-Type: application/json; charset=utf-8' \
  -i https://tpm.mydomain.com/index.php/api/v5/passwords.json

PHP

<?php	
  // Parameters
  $tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with /
  $req_uri = 'api/v5/passwords.json'; // GET /passwords.json
  $username = 'YOUR USERNAME';
  $password = 'YOUR PASSWORD';

  // Request headers
  $headers = array(	
    'Content-Type: application/json; charset=utf-8'
  );
	
  // Request
  $ch = curl_init($tpm_base_url . $req_uri);
  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output
  curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
  $result = curl_exec($ch);	
  $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);	
  curl_close($ch);

  // Get headers and body
  list($headers, $body) = explode("\r\n\r\n", $result, 2);
  $arr_headers = explode("\r\n", $headers);
  $arr_body = json_decode($body, TRUE);

  // Show status and array of passwords
  echo 'Status: ' . $status . '<br/>';
  print_r($arr_body);

Show a password

To get all the data of a password you need its internal id. Example for id=1: GET /passwords/1.json

curl

curl -u username:password \
  -H 'Content-Type: application/json; charset=utf-8' \
  -i https://tpm.mydomain.com/index.php/api/v5/passwords/1.json

PHP

Use the code from the previous example and just change the $req_uri variable to:

$req_uri = 'api/v5/passwords/1.json'; // GET /passwords/1.json

Create a project

POST /projects.json

Only the name is required to create a project. If successful it returns 201 Created and the id of the new project:

{
  "id": 41
}

curl

curl -u username:password \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '{"name":"My new project", "parent_id": 0}' \
  -i https://tpm.mydomain.com/index.php/api/v5/projects.json

PHP

<?php	
  // Parameters
  $tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with /
  $req_uri = 'api/v5/projects.json'; // POST /projects.json
  $username = 'YOUR USERNAME';
  $password = 'YOUR PASSWORD';

  // Request headers
  $headers = array(	
    'Content-Type: application/json; charset=utf-8'
  );

  // Body (json encoded array)
  $request_body = json_encode(array(
    'name' => 'This is a new project',
    'parent_id' => 0 // The project will be a root project
  ));

  // Request
  $ch = curl_init($tpm_base_url . $req_uri);
  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output
  curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
  curl_setopt($ch, CURLOPT_POST, TRUE);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $request_body);
  $result = curl_exec($ch);	
  $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);	
  curl_close($ch);

  // Get headers and body
  list($headers, $body) = explode("\r\n\r\n", $result, 2);
  $arr_headers = explode("\r\n", $headers);
  $arr_body = json_decode($body, TRUE);

  // Show status and the new project id
  echo 'Status: ' . $status . '<br/>';
  print_r($arr_body);

Create a password

POST /passwords.json

Only the name and the id of the project where the password goes is required to create a password. If successful it returns 201 Created and the id of the new password:

{
  "id": 123
}

curl

curl -u username:password \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d '{"name":"My new password", "project_id":41}' \
  -i https://tpm.mydomain.com/index.php/api/v5/passwords.json

PHP

<?php	
  // Parameters
  $tpm_base_url = 'https://tpm.mydomain.com/index.php/'; // ending with /
  $req_uri = 'api/v5/passwords.json'; // POST /passwords.json
  $username = 'YOUR USERNAME';
  $password = 'YOUR PASSWORD';
  $project_id = 41; // The id of the project where the password is created

  // Request headers
  $headers = array(	
    'Content-Type: application/json; charset=utf-8'
  );

  // Body (json encoded array)
  $request_body = json_encode(array(
    'name' => 'This is a new password',
    'project_id' => $project_id,
    'tags' => 'seo,clients',
    'access_info' => 'http://urlforthepassword.com',
    'username' => 'usernameforthepassword',
    'email' => 'email@forthepassword.com',
    'password' => 'changeit'
  ));

  // Request
  $ch = curl_init($tpm_base_url . $req_uri);
  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_HEADER, TRUE); // Includes the header in the output
  curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
  curl_setopt($ch, CURLOPT_POST, TRUE);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $request_body);
  $result = curl_exec($ch);	
  $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);	
  curl_close($ch);

  // Get headers and body
  list($headers, $body) = explode("\r\n\r\n", $result, 2);
  $arr_headers = explode("\r\n", $headers);
  $arr_body = json_decode($body, TRUE);

  // Show status and the new password id
  echo 'Status: ' . $status . '<br/>';
  print_r($arr_body);

Document changelog

Nov 5, 2024: In Authentication: choose API authentication method and expire HMAC keys.
Nov 12, 2021: Document created
Questions or Problems? Please contact our support department