Passbolt API
Self-hosted, end-to-end encrypted password manager API built for teams who demand full ownership of their credentials.
Passbolt API is the open source backend powering Passbolt Community Edition, a security-first password manager designed for teams. It provides a RESTful JSON API for managing, sharing, and auditing credentials with end-to-end encryption — meaning secrets are encrypted on the client before they ever reach the server, and only users holding the corresponding private key can decrypt them.
Built on CakePHP 5 and PHP 8.2+, the API supports authentication via session tokens and JWT, multi-factor authentication with TOTP and Duo, and LDAP-based directory synchronization. It can be deployed on any major Linux distribution, Docker, Kubernetes, or cloud marketplaces like AWS and DigitalOcean, with no vendor lock-in and zero telemetry.
Passbolt separates itself from conventional password managers by enforcing a zero-knowledge model at the protocol level: the server stores only encrypted ciphertext and public keys. Private keys never leave the user’s device, making it suitable for regulated environments, government agencies, and organizations with strict data sovereignty requirements.
The project is maintained by Passbolt SA, headquartered in Luxembourg (EU), and undergoes multiple annual third-party security audits with full public disclosure of findings. The community edition is licensed under AGPL-3.0, while the Pro and Cloud editions add enterprise features such as SSO, advanced audit logs, directory sync, and dedicated support.
What You Get
- End-to-End OpenPGP Encryption - All secrets are encrypted client-side with OpenPGP before transmission; the server stores only ciphertext and public keys, making server-side compromise useless without user private keys.
- User-Owned PGP Key Pairs - Each user generates and retains their own PGP private key; the server never holds private keys, enforcing a strict zero-knowledge architecture.
- RESTful JSON API with JWT and Session Auth - Full-featured API with versioned endpoints supporting both stateful session and stateless JWT authentication, usable by browser extensions, mobile apps, CLI tools, and custom integrations.
- Role-Based Access Control (RBAC) - Granular permissions for users, groups, and administrators, including custom roles from v5.8 that allow delegating specific administrative responsibilities without granting full admin access.
- Multi-Factor Authentication (MFA) - Built-in support for TOTP (Google Authenticator, Authy), Duo integration, and YubiKey OTP for layered authentication security.
- Email Digest Notifications - Transactional email notifications with digest batching that reduces noise during bulk operations and supports internationalization across many languages.
- Plugin-Driven Architecture - Community Edition and Enterprise Edition features are isolated in distinct CakePHP plugins (e.g., Folders, JwtAuthentication, Metadata, SecretRevisions), enabling clean feature separation and extensibility.
- Comprehensive Health Check System - Built-in CLI and API health check commands validate database state, encryption key integrity, environment variables, plugin dependencies, and database version compatibility.
- Secret History and Revisions - Configurable secret revision tracking lets users view and restore previous versions of credentials, reducing risk from accidental overwrites.
- Broad Deployment Support - Official installation packages and guides for Ubuntu, Debian, RedHat, CentOS, AlmaLinux, RockyLinux, Fedora, openSUSE, Oracle Linux, Docker, Kubernetes, AWS, DigitalOcean, and Raspberry Pi.
Common Use Cases
- Securing team credentials in regulated industries - A healthcare IT team deploys Passbolt on-premises to store and share login credentials for patient systems and infrastructure, satisfying HIPAA requirements through end-to-end encryption and immutable audit logs without sending data to third-party cloud services.
- Automating credential rotation in DevOps pipelines - A DevOps engineer integrates the Passbolt API into CI/CD workflows using the go-passbolt-cli tool to programmatically fetch, rotate, and distribute database passwords and API keys without exposing secrets in plaintext environment variables.
- Replacing cloud password managers in air-gapped environments - A government agency or financial institution deploys Passbolt on an isolated network to manage privileged access credentials with no internet dependency, leveraging Docker or Kubernetes for orchestration.
- Centralizing access for distributed engineering teams - A remote-first engineering team uses the Passbolt browser extension and mobile apps to securely share SSH keys, API tokens, and service accounts across time zones with granular group-based permissions and share audit trails.
- LDAP-integrated enterprise credential management - An enterprise IT department connects Passbolt to Active Directory via the LDAP sync plugin (Pro edition) to automatically provision users and groups, keeping password manager access in sync with employee onboarding and offboarding.
- Academic and research institution credential governance - A university IT team uses Passbolt CE to give individual departments controlled access to shared service accounts while maintaining centralized visibility and audit capability.
Under The Hood
Architecture
Passbolt API is structured as a CakePHP 5 application that separates concerns across a clean layered architecture: HTTP middleware handles security policy enforcement, controllers delegate to domain service classes, and the ORM manages persistence through table and entity abstractions. The middleware pipeline applies a consistent sequence of security concerns — CSP headers, CSRF protection, SSL enforcement, GPG authentication headers, UUID parsing, and session validation — before any request reaches business logic. Feature isolation is enforced through a plugin system where both Community Edition and Enterprise Edition capabilities live in self-contained CakePHP plugin namespaces under plugins/PassboltCe/ and plugins/PassboltEe/. A service container with typed service providers (ResourceServiceProvider, UserServiceProvider, SetupServiceProvider) enables configuration-driven service instantiation and supports interface-based dependency injection throughout. The architecture makes it straightforward to extend or override behaviors without touching the core.
Tech Stack
The backend runs on PHP 8.2+ with CakePHP 5.2, supported by either MySQL/MariaDB or PostgreSQL via CakePHP’s ORM and a migration system powered by Phinx. RESTful API authentication is handled via both session cookies and JWT tokens, with OpenPGP operations delegated to the singpolyma/openpgp-php library and the system gnupg PHP extension. Multi-factor authentication integrations cover TOTP (via spomky-labs/otphp), Duo Universal SDK, and YubiKey OTP. Email delivery uses a queued email system via lorenzo/cakephp-email-queue, with Crowdin-managed translations for internationalization. Static analysis is enforced at PHPStan level 6 and Psalm level 4. CI runs on GitLab with PHPUnit 11, code style enforcement via PHP-CS-Fixer, and Docker-based test environments.
Code Quality
Passbolt maintains extensive test coverage across unit, integration, and controller layers, with more than 700 test classes split across the core application and plugins. Tests use factory-based data seeding via CakePHP-test-suite-light, which keeps fixtures lightweight and composable. Type hinting is strict throughout — every method signature is fully typed, return types are declared, and PHPDoc annotations accompany all public APIs. Error handling follows a domain-exception pattern where validation failures throw typed exceptions (ValidationException, CustomValidationException) rather than returning ambiguous null values. Naming conventions are uniform and CakePHP-idiomatic: Table classes own query logic, Service classes own business operations, and Controller classes stay thin. Static analysis passes at rigorous levels and CI enforces formatting on every merge.
What Makes It Unique Passbolt’s distinguishing design choice is enforcing end-to-end encryption as a protocol constraint rather than a feature flag: the API stores only OpenPGP-encrypted ciphertext and never receives or holds private keys, making it architecturally impossible for the server operator to read secrets even with full database access. The OpenPGP service layer is modular and testable, abstracting key validation, encryption, and signature verification into composable services with independent unit tests. The plugin architecture enables community and enterprise features to be shipped as discrete namespaces — secret revisions, SCIM provisioning, SSO, directory sync — without coupling to the CE codebase. Custom RBAC from v5.8 allows organizations to delegate specific administrative capabilities to custom roles rather than granting full admin access, a fine-grained control model uncommon in open source credential managers. The result is a credential management system that is auditable, sovereignty-preserving, and extensible without compromising its security model.
Self-Hosting
Passbolt API is released under the GNU Affero General Public License v3.0 (AGPL-3.0). This means you can freely use, modify, and distribute the software, including for commercial purposes, as long as any modifications or derivative works you distribute are also released under the AGPL. The key implication for organizations self-hosting Passbolt is copyleft: if you modify the source and offer it as a network service, those modifications must also be made available under the AGPL. For most self-hosted internal deployments, this is a non-issue, but organizations building commercial products on top of Passbolt should review the license carefully. Note that ‘Passbolt’ is a registered trademark of Passbolt SA, and the license explicitly excludes a trademark license, so you cannot ship a product using that name without a separate agreement.
Self-hosting Passbolt API requires a Linux server (or Docker/Kubernetes environment) with PHP 8.2+, a GnuPG installation, a MySQL/MariaDB or PostgreSQL database, and a mail server for email queue delivery. You are responsible for provisioning TLS certificates, managing database backups, applying PHP and OS security patches, and running database migrations on every version upgrade. The healthcheck CLI command helps surface environmental problems, but operationally this is a non-trivial stack for a small team without PHP hosting experience. Version upgrades are frequent (approximately one minor release per month) and require following migration notes carefully, especially around database version deprecations.
Compared to Passbolt Pro and Passbolt Cloud, the Community Edition lacks LDAP/Active Directory synchronization, SSO (OIDC, Azure AD), advanced audit logs (exported reports), SCIM provisioning, and dedicated support SLAs. The Cloud edition removes all infrastructure burden — backups, uptime, upgrades, and security patching are fully managed by Passbolt SA — while the Pro edition is a self-hosted license that adds the enterprise plugin set without the managed hosting. For organizations with strong infrastructure capability and data sovereignty requirements, the Community Edition provides substantial value; for those who want enterprise integrations or managed hosting without operational overhead, the paid tiers are worth evaluating.
Related Apps
Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Traefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.
Traefik
MITVaultwarden
Password Manager · Security
Unofficial Bitwarden-compatible server in Rust — run the full Bitwarden ecosystem on a Raspberry Pi using every official client you already have, without the multi-container overhead.