passlane is a command-line password manager and authenticator that stores data in the Keepass
encrypted format. It holds credentials (service/username/password), payment cards,
secure notes, and TOTP authenticators (time-based 2FA codes). It exposes scripting-friendly
output (--json, --out, --once, --code) so agents can read secrets and feed them into
automations without touching the clipboard or any interactive UI.
There are two separate vaults, each with its own master password:
-o flag on most commands)Non-interactive use requires the master password to be stored in the OS keychain. The user runs
these one-time, interactive setup commands themselves:
passlane unlock # store the main vault master password in the OS keychain
passlane unlock -o # store the TOTP vault master password in the OS keychain
passlane lock # remove stored master passwords (re-locks)
There is no environment variable or stdin to supply the master password. If the vault is locked,
passlane will block on an interactive prompt — which hangs unattended automation. So:
> If a passlane command blocks or fails because the vault is locked, **stop and ask the user to
> run passlane unlock (and passlane unlock -o for 2FA codes)**. Do not try to supply the
> master password yourself.
Two commands are built for scripts and print to stdout:
passlane list [REGEXP] [--json] [-v]Machine-readable listing. Default lists credentials; add a type flag to list something else:
-p payment cards, -n notes, -o TOTP entries. An optional REGEXP filters by service/issuer.
passlane list --json — JSON envelope (best for parsing with jq).passlane list github --json — only entries matching github.passlane list -v — plain text including passwords.> WARNING: list --json and list -v print passwords in cleartext to stdout. Default plain
> list (no -v) shows service/username/note only — no password.
passlane show --out Print a single matched password to stdout — no clipboard, no countdown, exits immediately. Use
this when you need exactly one secret.
passlane show '^github\.com$' --out
Rule of thumb: use list --json | jq for structured extraction or multiple fields; use
show --out for one password.
Every --json response is an envelope:
{ "type": "credentials", "count": 2, "entries": [ ... ] }
Entry fields by type:
type | entry fields |
|---|---|
| --------------- | ------------ |
credentials | uuid, service, username, password, note (optional), last_modified |
payment_cards | id, name, name_on_card, number, cvv, expiry ({month, year}), color?, billing_address?, last_modified |
notes | id, title, content, last_modified |
totp | id, label, issuer, secret, algorithm, period, digits, last_modified |
totp_codes | label, issuer, code, valid_for_seconds — never includes the stored secret |
Most logins need a fresh time-based code. Two ways to get one:
passlane show -o --once — recommended for a single codePrints the one matching current code to stdout and exits.
passlane show -o --once github # -> 447091
1, stderr: No matching OTP authorizer found.1, stderr: Multiple OTP authorizers match: . Refine the search pattern to match exactly one. Because ambiguity is an error, anchor your pattern (e.g. '^GitHub$') so it matches exactly one
authorizer.
passlane list -o --code [REGEXP] [--json] — multiple codes / expiry windowOutputs the current code for every matching authorizer. With --json, each entry includes
valid_for_seconds so you know how long the code stays valid.
passlane list -o --code --json
> TOTP codes are valid only for a few seconds. Fetch them just before use and never cache them.
> Re-fetch on each retry.
| Command | Notes | |||
|---|---|---|---|---|
| ------- | ----- | |||
passlane gen [--out] | Generate a random password. --out prints to stdout (otherwise copies to clipboard). | |||
| `passlane add [-p\ | -n\ | -o] [-g] [-l]` | Add a credential/card/note/TOTP. Interactive (prompts). | |
| `passlane edit | -n\ | -o]` | Edit an entry. Interactive. | |
| `passlane delete | -p\ | -n\ | -o]` | Delete entries. Interactive. |
passlane csv | Import credentials from a CSV file. | |||
| `passlane export [-p\ | -n\ | -o] | Export the vault to CSV. | |
passlane passwd [-o] | Change a vault's master password. Interactive. | |||
passlane completions [SHELL] | Generate shell completions (bash/zsh/fish). | |||
passlane init | First-time setup. Interactive. | |||
passlane repl | Interactive REPL (also launched by running passlane with no args). |
add, edit, delete, passwd, init, and repl are prompt-driven and **not suited to
unattended automation** — only the reading commands above are.
VAR=$(passlane ...) — avoid inlining a secret into a command line where it lands in shell
history or process listings.
show -o --once and show --out resolve to exactlyone entry.
1 as actionable: a locked vault, no match, or ambiguous match. Checkit and react rather than proceeding with empty output.
For ready-to-adapt scripts — API login with basic auth + TOTP, single-secret extraction, browser
login combined with the playwright-cli skill, and a read-only credential audit — read
references/automation-examples.md when you are actually
building an automation.
共 1 个版本