rest api


Drew Pierce

Mar 9, 2016, 6:24:13 PM
to webpasswordsafe
I'm trying to use the rest api and in the documentation it says that we can do a curl call but it doesn't look like Tomcat likes the curl request.  Any help or pointers in debugging would help.

When running the following I'm getting a 400 error.
curl -v -H "X-WPS-Username: username" -H 'X-WPS-Password: password' http://host:8080/wps/rest/passwords?query=test

< HTTP/1.1 400 Bad Request
< Server: Apache-Coyote/1.1
< Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'
< X-WebKit-CSP: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'
< X-Content-Security-Policy: default-src 'self' data:; img-src 'self' data:; options inline-script eval-script
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 968
< Date: Wed, 09 Mar 2016 23:11:39 GMT
< Connection: close
* Closing connection 0

HTTP Status 400 -
type Status report
description The request sent by the client was syntactically incorrect.
Apache Tomcat/7.0.47

Gordon Tetlow

Mar 9, 2016, 8:24:15 PM
to Drew Pierce, webpasswordsafe
The default implementation for the REST API requires the TOTP header as well, even if it isn't used:
curl -v -H "X-WPS-Username: username" -H 'X-WPS-Password: password' -H 'X-WPS-TOTP: 123456' http://host:8080/wps/rest/passwords?query=test

I've got a fix in github for it if you are interested:



Drew Pierce

Mar 10, 2016, 1:25:17 AM
to webpasswordsafe,
Thanks Gordon,
I was able to turn on debug and was seeing 'X-WPS-TOTP' missing but didn't know what that was until I saw the 1.3 release notes, then figured out the "two step Verification" and deduced it was kind of like a token that needed to be passed.

Gordon Tetlow

Mar 10, 2016, 10:18:16 AM
to Drew Pierce, webpasswordsafe
To be clear, if you aren't using the TOTP plugin, you can just pass any bogus value.

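Added example (not from the thread or the WebPasswordSafe project): it builds the request from the curl commands above with all three headers, computes the code when a TOTP secret is supplied, and reports which required headers a request lacks. The RFC 6238 parameters (HMAC-SHA1, 30-second step, 6 digits), the function names and the sample secret are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Header names as they appear in the thread's curl commands.
REQUIRED_HEADERS = ("X-WPS-Username", "X-WPS-Password", "X-WPS-TOTP")

def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1, 30 s step, 6 digits): assumed parameters."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def build_search_request(base_url, username, password, query,
                         totp_secret=None, now=None):
    """Return (url, headers) for GET <base_url>/rest/passwords?query=..."""
    # The TOTP header is always sent: per the thread, the request is rejected
    # with 400 without it, and any value will do if the plugin is not in use.
    token = totp(totp_secret, now) if totp_secret else "000000"
    headers = dict(zip(REQUIRED_HEADERS, (username, password, token)))
    qs = urllib.parse.urlencode({"query": query})
    return base_url.rstrip("/") + "/rest/passwords?" + qs, headers

def missing_headers(headers):
    """Names of required headers that are absent or empty (case-insensitive)."""
    present = {k.lower() for k, v in headers.items() if v}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]

if __name__ == "__main__":
    # Constructed sample secret: the RFC 6238 test key, base32-encoded.
    secret = base64.b32encode(b"12345678901234567890").decode()
    url, headers = build_search_request(
        "http://host:8080/wps", "username", "password", "test", secret)
    print(url, sorted(headers))
    # The first curl command in the thread, which got the 400:
    print(missing_headers({"X-WPS-Username": "username",
                           "X-WPS-Password": "password"}))
```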