We are running our own passbolt install and I’m trying to write small php script to call a API.
And for some reason I’m getting error during first phase after I send post to /auth/login.json with my key_id and field “server_verify_token” with encrypted nonce by server public key.
Based on passbolt documentation server should decode nonce and send me token to decode.

Data I got from my post:

19ad2-8920-5395-86d0-8567cb34f382”,“message”:“The authentication failed.”,“url”:"/auth/login.json",“code”:200},“body”:null}


Hey @romcis,

I am not sure if you already know but there is a detailed API documentation that takes you step by step through the authentication process. It lists all the possible responses and details about error codes.

Do not hesitate to get back if you still need help.



I read API documentation and i missed info that answer is sent in header. But a body sent as answer is confusing. What is coding of message you sent in a header?
EDIT: sorry I was confused by URL encoding and as I ddin’t decode it I couldn’t decrypt message.


Hey @romcis that depends on the HTTP library you are using.

For curl you can use something like

//enable headers
curl_setopt($ch, CURLOPT_HEADER, 1);
//get only headers
curl_setopt($ch, CURLOPT_NOBODY, 1);

After this,

$response = curl_exec($curlHandle);

$response contains all your headers delimited by a newline. Something like

server: nginx
date: Tue, 14 May 2019 07:55:04 GMT
content-type: application/json; charset=UTF-8
X-GPGAuth-Verify-Response: <decrypted_token>

And each header row is a header-name: value separated by a colon :

You can use the explode function separate the headers and then individual row using the separators.

If you are using some other framework/library or the steps above are not clear to you, please don’t hesitate to revert.


Thanks :slight_smile:
I got to point that I’m authenticated. So in next step I send request for resources and i got reply that I need to login to access it. Do I need to send anything special in get request?
As well I don’t see in response, after successful authentication, cookie csrfToken only CAKEPHP.


Great progress @romcis

To make a GET type request as authenticated user, you’ve to send the cookies with your request. The cookie was sent to you in step 5 of authentication.

And for POST type request, you need to send the CSRF token with your request.


And one very crucial point. How can I fetch secrets? I know resource-id so i can see details about resource but I miss password :slight_smile:


@romcis The API only returns encrypted passwords that the client is supposed to decrypt locally using PGP.

For fetching secrets you can make a GET request to


The secret is returned in response body under the data key. You will then have to decrypt it using private key of the user locally.


That’s exactly what I was looking for. I’ll check it :slight_smile: :top:
I didn’t found it in or


/resources/c8000a1b-263e-49eb-918a-8a422df17b4c.json?api-version=v2 /secrets/resource/c8000a1b-263e-49eb-918a-8a422df17b4c.json?api-version=v2

So I have response for first request but 404 Not Found for second one. Any idea?


@romcis Thank you for reporting this. We are still in the process of updating the help docs. The swagger.json file does have the details, though.

Moreover, you can access the Swagger/openAPI UI at


Got my passwords. Thanks :slight_smile:

1 Like
closed #14