Passbolt API is the backend component of Passbolt Community Edition, an open source password manager designed for teams that prioritize security and privacy. Built with CakePHP 5, it provides a JSON API to manage passwords, secrets, and access policies while enforcing end-to-end encryption where users retain control of their private keys. Unlike cloud-based alternatives, Passbolt can be deployed on-premises or in air-gapped environments, ensuring no telemetry is collected and data never leaves the organization’s infrastructure. This makes it ideal for compliance-driven industries, DevOps teams managing credentials at scale, and organizations seeking full transparency through public security audits.
The API serves as the foundation for Passbolt’s browser extensions, mobile apps, and CLI tools, enabling seamless integration into existing workflows. It supports multi-tenant team structures with granular sharing policies and audit trails, making it a robust alternative to proprietary password managers that lack transparency or impose data restrictions.
What You Get
- End-to-end encryption - All passwords and secrets are encrypted client-side using OpenPGP; the server never sees plaintext credentials, so data privacy is preserved even if the server itself is compromised.
- Team-based access control - Granular permissions let administrators define who can view, edit, or share credentials within teams and groups, with audit logs recording access and changes.
- Self-hosted deployment - Deploy on Docker, Kubernetes, Ubuntu, Debian, Red Hat, AWS, DigitalOcean, or Raspberry Pi with full control over infrastructure and data residency.
- Public security audits - Codebase is regularly audited by third parties, and all findings are published publicly to ensure transparency and trust.
- Multi-platform integration - Compatible with browser extensions (Chrome, Firefox, Edge), mobile apps (iOS/Android), and CLI tools for automation and scripting.
- No telemetry or data collection - Designed to operate in air-gapped environments; no user behavior tracking, analytics, or external data transmission.
Common Use Cases
- Building a secure DevOps credential vault - Engineering teams use Passbolt API to store and share SSH keys, database credentials, and cloud API keys with role-based access, eliminating plaintext secrets in configuration files.
- Compliance for GDPR and HIPAA environments - Organizations in healthcare or EU-regulated sectors deploy Passbolt on-premises to meet data sovereignty requirements and avoid third-party cloud risks.
- Problem: Unsafe password sharing → Solution: Encrypted team vaults - Teams previously using email or shared documents to exchange passwords switch to Passbolt to eliminate credential leakage and enable revocation with audit trails.
- DevOps teams managing microservices across multiple cloud providers - Automate credential rotation and distribution using the Passbolt API to feed secrets into CI/CD pipelines while maintaining encryption standards.
Under The Hood
Passbolt is a PHP-based open-source password manager designed for secure team collaboration, offering end-to-end encryption and seamless GPG key integration. It emphasizes robust security practices while maintaining a modular architecture that supports scalable credential management.
Architecture
Passbolt follows a monolithic structure with well-defined layers and migration-driven schema evolution. The system organizes functionality through database migrations, configuration modules, and entity-based components.
- Modular organization with distinct functional layers and clear separation of concerns
- Database-first approach enabling consistent schema evolution across environments
- Use of migration files and configuration layers to manage system state and behavior
- Strong emphasis on data consistency and entity-based design patterns
Tech Stack
Built on PHP with the CakePHP framework, Passbolt leverages modern development practices and tooling for secure credential handling.
- Built on PHP with CakePHP as the core framework, supporting modular and extensible development
- Extensive use of database migration tools and GPG libraries for encryption and key management
- Integrated with Composer, Grunt, and static analysis tools like Psalm and PHPStan for robust development workflows
- Comprehensive testing ecosystem including PHPUnit, static analyzers, and CI/CD pipeline support
Code Quality
Passbolt demonstrates a mature codebase with strong emphasis on security and maintainability, particularly in cryptographic operations.
- Comprehensive test suite covering various components and workflows with good coverage and reliability
- Consistent error handling through try/catch blocks and custom exception types for graceful failure management
- Well-defined modules and interfaces with clear conventions and code organization practices
- Presence of type annotations and documented APIs contributing to long-term maintainability
What Makes It Unique
Passbolt stands out in the password management space through its unique combination of encryption and team collaboration features.
- End-to-end encryption with GPG integration enables secure sharing without compromising privacy and without a central party ever holding plaintext credentials
- Web-based interface that simplifies complex cryptographic operations for non-expert users
- Seamless integration of key management and credential storage within a unified platform
- Focus on team-based secure credential handling, distinguishing it from individual-focused password managers