Jump to content

Retrieving a Password via API and Curl


Recommended Posts

Hello, I am able to pull passwords from passwordstate using powershell put am unable to pull via curl. Can someone please help me convert this?


This Works in powershell: 

$PasswordstateUrl = 'https://passwordstate.example.com/api/passwords/1111'
Invoke-Restmethod -Method GET -Uri $PasswordstateUrl -Header @{ "APIKey" = "fdafdasfqewfsdfsd6" }





Link to comment
Share on other sites

Here are some of the commands that i've tried.


curl  -k -sS --request GET https://passwordstate.example.com/api/passwords/1111 -d "apikey=fdafdasfqewfsdfsd6"


[{"errors":[{"message":"No Authorization"},{"phrase":"An error has occurred trying to validate the API Key for PasswordID '3481'. Please check the PasswordID and API Key values have been specified, and are correct."}]}]



curl -v -k -sS --request GET https://passwordstate.example.com/api/searchpasswords/1111/title="abcdinst GPG Passphrase" -d "apikey=fdafdasfqewfsdfsd6"

<hr><p>HTTP Error 400. The request is badly formed.</p>



Link to comment
Share on other sites



We don't have much experience with Curl, but for your first command, can you try changing the -d to a -H - the API Key can be set either in the URL (not recommended), or the Header Request. And in curl, I think this is a -H for header request.


The second issue may be spaces in the title field search, but I cannot be sure. Below is some old documentation for searching with curl, but again the API Key should go in the header request.


# General Search by Password List
    curl https://passwordstate/api/searchpasswords/<PasswordListID>?search=<value>&apikey=<value>
    # General Search across all Password Lists and all Fields (must use System Wide API Key) 
    curl https://passwordstate/api/searchpasswords/?search=<value>&apikey=<value>

    # Specific Search, by 'Title', within a Password List
    curl https://passwordstate/api/searchpasswords/<PasswordListID>?title=<value>&apikey=<value>

    # Specific Search, by 'Username', within a Password List
    curl https://passwordstate/api/searchpasswords/<PasswordListID>?username=<value>&apikey=<value>

    # Specific Search, by 'Title' and 'Username', across all Password Lists (must use System Wide API Key)
    curl https://passwordstate/api/searchpasswords/?title=<value>&username=<value>&apikey=<value>



Click Studios

Link to comment
Share on other sites

  • 2 years later...

I apologize for dragging out an old post, but this is the first hit when you Google "passwordstate api curl."


If you're using the API key for auth:


api_key='abc123' # PasswordState API key
pass_id='123456' # PasswordState PasswordID

json=$(curl -sS --request GET --header "APIKey: $api_key" "$url")


To address the OPs question, note that in the documentation, it shows PowerShell passing an array (with "key = value" pairs) as an argument for the headers:

-Header @{ "APIKey" = "<apikey>" }

...where curl expects them in the HTTP header format:

--header "APIKey: $key"


If you have jq installed, you can filter for the first password returned:

echo "$json" | jq -r '.[0].Password'


Or you don't want to install jq (or can't), you can use regex to pull out the value:

# If you have GNU grep (Linux):
echo "$json" | grep -oP '(?<="Password":").*?(?=")'
# If not, this _should_ be POSIX compliant (BSD, MacOS, etc), but I haven't tested thoroughly:
echo "$json" | sed -n 's/.*"Password":"\([^"]*\)".*/\1/p'

...just know that parsing structured data with regex is an exercise in frustration and very imperfect, though it usually works for very specific, very limited things.  :D

Link to comment
Share on other sites

  • 1 month later...

If you are a beginner, In addition to what @Jason Fuller already said, you can of course use an one liner, f.e.:

Just generate an API Key in your desired PasswordList, change the PasswordListID, in the following example the 302, to get all passwords (QueryAll) in this list. PreventAuditing will not log the access to any password of this list in the audit log.
As Jason also already mentioned, just remove the | jq if you have not installed it (But I can highly recommend it)


curl -sS "https://passwordstate.yourdomain.com/api/passwords/302?QueryAll&PreventAuditing=true" -H 'APIKey: 2bc9e347f658a3d4752c6fe9a3b3d88a' | jq

Together with the use of the API documentation, you can easily edit this example and for other API calls that just request something (GET), just change the URL, and of course, the API Key if it is not a global api key.



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...