Authentication Issue via API with GPG Key


I am encountering an issue while authenticating to the Passbolt API using curl with my GPG key. Here is the command I am using:

curl -k -X POST https://passbolt.local.lab/auth/login.json \
  -H "Content-Type: application/json" \
  -d '{"gpg_auth": {"keyid": "MY_GPG_KEY"}}'

I consistently receive an error indicating that authentication failed, even when using the fingerprint of my GPG key which is correctly associated with my user account in Passbolt. Here is the error received:

{"header":{"status":"error","message":"Authentication failed."}}

I have checked my Passbolt server configuration, the association of my GPG key with my user account, and ensured that my GPG key is neither expired nor revoked. Despite these checks, the issue persists.

Do you have any suggestions or additional steps I could follow to resolve this issue?

Thank you in advance for your assistance.

hey @reyanhsn welcome to the forum!

For this issue, do you have the verbose output? I believe this is expected, as this is the first of 2 calls to the same endpoint: the first says authentication failed but will output an x-gpgauth-user-auth-token, which you’ll need for the second step.

Could you check for that?

Hey, thanks for the quick response!

I’ve followed your suggestion and checked the verbose output from the curl command. As you mentioned, the first call does indeed indicate an authentication failure but provides an x-gpgauth-user-auth-token in the response. Here’s the token part from the output:

< x-gpgauth-authenticated: false
< x-gpgauth-progress: stage1
< x-gpgauth-user-auth-token: -----BEGIN PGP MESSAGE-----

I understand this token is essential for the next step in the authentication process. Could you guide me on how to correctly use this token for the subsequent call? I want to make sure I’m proceeding in the right manner.

Thanks again for your help!

Hello @reyanhsn, you will find more information about it here: Passbolt Help | Authentication in passbolt

Thank you for directing me to the Passbolt authentication documentation. I’ve carefully followed the outlined GPGAuth authentication steps but seem to be encountering some issues, particularly with encrypting and sending the verification token to the server.

Here’s a brief overview of my approach, based on the documentation and your advice:

I generated a verification token following the specified format and encrypted it with the server’s public key.
I then attempted to send this encrypted token via a POST request to /auth/verify.json using Postman, including my GPG key’s fingerprint in the request body.
However, I’m receiving a 400 Bad Request response from the server, which leads me to believe there might be an error in either my request formatting or the encryption process.

Could you provide any further advice or indicate if I’m missing a crucial step? However, to give you a better idea, here’s an example of how I structured the POST request:

curl -k -X POST https://passbolt.local.lab/auth/verify.json \
  -H "Content-Type: application/json" \
  -d '{"gpg_auth": {"keyid": "FINGERPRINT", "server_verify_token": "ENCRYPTED_TOKEN"}}'

I have this:

{
  "header": {
    "id": "3ae4dabd-7b08-4855-8e03-11a6bb4ec89c",
    "status": "error",
    "servertime": 1709136554,
    "action": "a3c19ad2-8920-5395-86d0-8567cb34f382",
    "message": "The server verify token is missing or invalid.",
    "url": "/auth/login.json",
    "code": 400
  },
  "body": ""
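The two-stage login described in the replies above, plus the verify call from the last post, as an added example that is not from the thread or from Passbolt's own code. The token format, the header encoding and the user_token_result parameter are taken from the help page linked above rather than from the posts; PASSBOLT_URL, SERVER_FPR and the use of jq for JSON-escaping the armored message are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Passbolt. Assumptions, taken from the
# help page linked above rather than from the posts: the verify token has the form
# gpgauthv1.3.0|36|<uuid>|gpgauthv1.3.0, the stage-1 header is urlencode()d with '+'
# written as '\+', and stage 2 sends the decrypted nonce back as user_token_result.
BASE="${PASSBOLT_URL:-https://passbolt.local.lab}"   # host from the thread, assumed
SERVER_FPR="${SERVER_FPR:-PLACEHOLDER_SERVER_KEY_FINGERPRINT}"  # imported server key, assumed

# Verify token: a 36-char UUID between version markers (constructed fallback offline).
make_verify_token() {
  uuid=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || echo 0f7e3f1a-6b0f-4c1e-9a7c-2d8e4f5a6b7c)
  printf 'gpgauthv1.3.0|36|%s|gpgauthv1.3.0' "$uuid"
}

# Exit 0 only for the documented shape; anything else is one way to earn the thread's
# HTTP 400 "The server verify token is missing or invalid".
check_token_format() {
  printf '%s' "$1" | grep -Eq \
    '^gpgauthv1\.3\.0\|36\|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\|gpgauthv1\.3\.0$'
}

# Header value from a `curl -i` response; undo quotemeta(urlencode()). Only characters an
# ASCII-armored message can contain need handling; a plain value passes through as-is.
extract_header() { grep -i "^$1:" | sed 's/^[^:]*: *//' | tr -d '\r'; }
decode_header() {
  printf '%s' "$1" | sed -e 's/\\+/ /g' -e 's/%0A/\n/g' -e 's/%2B/+/g' \
    -e 's|%2F|/|g' -e 's/%3D/=/g' -e 's/%3A/:/g' -e 's/%2E/./g'
}

# Stage 0: the server proves it holds its private key by returning our token in clear.
verify_server() {
  tok=$(make_verify_token)
  enc=$(printf '%s' "$tok" | gpg -q --batch --armor --trust-model always -r "$SERVER_FPR" --encrypt)
  json=$(printf '{"gpg_auth": {"keyid": "%s", "server_verify_token": %s}}' "$1" "$(printf '%s' "$enc" | jq -Rs .)")
  got=$(curl -sk -i -X POST "$BASE/auth/verify.json" -H 'Content-Type: application/json' -d "$json" \
        | extract_header x-gpgauth-verify-response)
  [ "$(decode_header "$got")" = "$tok" ]
}

# Stages 1 and 2: "Authentication failed" on the first call is expected; the nonce comes
# back encrypted in a header, is decrypted with the user's key and echoed back in clear.
gpgauth_login() {
  resp=$(curl -sk -i -X POST "$BASE/auth/login.json" -H 'Content-Type: application/json' \
         -d "{\"gpg_auth\": {\"keyid\": \"$1\"}}")
  nonce=$(decode_header "$(printf '%s\n' "$resp" | extract_header x-gpgauth-user-auth-token)" \
          | gpg -q --batch --decrypt) || return 1
  check_token_format "$nonce" || { echo "unexpected nonce: $nonce" >&2; return 1; }
  curl -sk -c cookies.txt -X POST "$BASE/auth/login.json" -H 'Content-Type: application/json' \
       -d "{\"gpg_auth\": {\"keyid\": \"$1\", \"user_token_result\": \"$nonce\"}}"
}
```

Run `verify_server FINGERPRINT` and then `gpgauth_login FINGERPRINT` with the user's 40-hex key fingerprint; the session cookie ends up in cookies.txt. The armored message has to be JSON-escaped (newlines included) before it goes into the request body, which is what the jq step does.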