Question

API to retrieve the password in password safe

Forum|Forum|1 month ago
December 2, 2025
5 replies
101 views

immi563
Trailblazer

Hi All,

I wanted to check if there is any API available that I can use to retrieve the password of account ? We are using cloud version of Password safe.

With my initial analysis , I found there is any API available that can be used to Set password for account But want to understand if there is any API available to retrieve the password as well?

Awaiting response .thanks in advance.

tclowater
BeyondTrust Employee
Forum|Forum|1 month ago
December 2, 2025

Hi @immi563,

In short, yes. I would recommend ensuring that this is restricted as much as possible, and review the API configuration options for the access policies on managed accounts.

Managed Accounts: Password Safe APIs

If you have an active request:

Credentials - Get

To make a session request:

Requests - Post

Check-in to avoid failed requests with “you already have it checked out:

Requests - Put

Secrets Safe: Secrets Safe APIs | PS

Secrets - Get

Since I’m a visual person, some related articles and a whiteboard around location restrictions in PS Cloud:

Whiteboard Workflow Diagrams for PasswordSafe Authentication and Permissions | Community

Whiteboard Notes: Understanding PasswordSafe User Provisioning with Smart Group nuance | Community

IP restrictions and how they can play into APIs:

Whiteboard diagram around IP restrictions to PasswordSafe - helpful for understanding that there are access policies and API policies that can alter behaviour based on IP addresses

immi563
Author
Trailblazer
Forum|Forum|1 month ago
December 2, 2025

Hi @immi563,

In short, yes. I would recommend ensuring that this is restricted as much as possible, and review the API configuration options for the access policies on managed accounts.

Managed Accounts: Password Safe APIs

If you have an active request:

Credentials - Get

To make a session request:

Requests - Post

Check-in to avoid failed requests with “you already have it checked out:

Requests - Put

Secrets Safe: Secrets Safe APIs | PS

Secrets - Get

Since I’m a visual person, some related articles and a whiteboard around location restrictions in PS Cloud:

Whiteboard Workflow Diagrams for PasswordSafe Authentication and Permissions | Community

Whiteboard Notes: Understanding PasswordSafe User Provisioning with Smart Group nuance | Community

IP restrictions and how they can play into APIs:

Thank you so much for details information . Wanted to check is it not possible to retrieve password only with Account id ?

for example if I want to set password for a account , I use below API

PUT <cloud-URL)/BeyondTrust/api/public/v3/ManagedAccounts/{AccountID}/Credentials/
Similarly Is it not possible to get the password by providing the account Id?

What I am planning is

We have custom platform on which we need to create the Shared id which is going to be accessed by multiple users.
Since concurrent session is not possible on Ids on custom platform, I am planning to create the dummy account on windows platform and sync the password from actual Ids to this dummy accounts.
Post that We will map these dummy accounts to users and user will checkout the Id , retrieve the password and use it outside of Password safe.

Hence I am looking for API, on which I will pass the account Id and it will return me password which I will sync on dummy accounts.

Hope my requirement is clear. Awaiting response.

Regards,

Imran ALiyani

tclowater
BeyondTrust Employee
Forum|Forum|1 month ago
December 3, 2025

Hi @immi563,

Thank you for explaining! I would strongly recommend not doing that; I’ll give my suggestion first then why not that approach after 😊

Not a huge fan, but OK - there are use cases and as long as sessions are being proxied and recorded, I’m fine with it.
Concurrent session checkouts are a configuration item on the access policy and not the platform.
1. For platforms where concurrent sessions don’t work, e.g. Windows RDP, that’s a function of the operating system, and not a PasswordSafe restriction
Please no.

Why I don’t recommend this:

You lose visibility over a password and sessions; as this is a shared account there is no accountability to who has accessed the system and if it’s the expected user.
This promotes bad habits of “it’s the same anyways, I’ll just give it to the person X to save time”, or “let me store it in this file”
If you have password rotation upon check-in, then you may likely rotate a credential after a session while another one is ongoing.
If the concurrent session challenge is an OS related item, such as windows, then you won’t be resolving the underlying issue.
You’re going to increase licenses consumed if you’re on a per asset license subscription.
An API opens a hole in your security posture, and leads to one additional area to ensure is safely implemented
This appears to bypass the security controls that are intended to be resolved with PasswordSafe

Why we have password checkouts via API and synced accounts

Password checkouts via API are typically used for robotic process automations, or other automation tools, or other niche applications
Synced accounts are for the situations where an account needs to have the same password on multiple systems; not ideal but often a function of the application it’s running.

tclowater
BeyondTrust Employee
Forum|Forum|1 month ago
December 3, 2025

Correction - I do see the other question - nevermind about the concurrent sessions! Concurrent session on Custom Platform | Community

I do agree that the secrets safe option is the better option, along with the KB article and response in the session. The above method is not recommended regardless due to the same reasons of license count, rotation during session, etc.