Use passlane (a Keepass-backed password manager + authenticator CLI) to retrieve credentials, payment cards, secure notes, and generate TOTP codes for automa...
---
name: passlane
description: Use passlane (a Keepass-backed password manager + authenticator CLI) to retrieve credentials, payment cards, secure notes, and generate TOTP codes for automation — e.g. programmatically logging into websites and APIs. Use when the user wants to script a login, fetch a password or 2FA code from their vault, audit stored credentials, or build automations that authenticate using passlane.
allowed-tools: Bash(passlane:*)
---
# passlane
`passlane` is a command-line password manager and authenticator that stores data in the Keepass
encrypted format. It holds **credentials** (service/username/password), **payment cards**,
**secure notes**, and **TOTP authenticators** (time-based 2FA codes). It exposes scripting-friendly
output (`--json`, `--out`, `--once`, `--code`) so agents can read secrets and feed them into
automations without touching the clipboard or any interactive UI.
There are **two separate vaults**, each with its own master password:
- the **main vault** — credentials, payment cards, secure notes
- the **TOTP vault** — authenticator secrets (addressed with the `-o` flag on most commands)
## Prerequisite: the vault must be unlocked
Non-interactive use requires the master password to be stored in the OS keychain. The **user** runs
these one-time, interactive setup commands themselves:
```bash
passlane unlock # store the main vault master password in the OS keychain
passlane unlock -o # store the TOTP vault master password in the OS keychain
passlane lock # remove stored master passwords (re-locks)
```
There is **no environment variable or stdin** to supply the master password. If the vault is locked,
passlane will **block on an interactive prompt** — which hangs unattended automation. So:
> If a `passlane` command blocks or fails because the vault is locked, **stop and ask the user to
> run `passlane unlock` (and `passlane unlock -o` for 2FA codes)**. Do not try to supply the
> master password yourself.
## Reading secrets (the core of automation)
Two commands are built for scripts and print to **stdout**:
### `passlane list [REGEXP] [--json] [-v]`
Machine-readable listing. Default lists **credentials**; add a type flag to list something else:
`-p` payment cards, `-n` notes, `-o` TOTP entries. An optional `REGEXP` filters by service/issuer.
- `passlane list --json` — JSON envelope (best for parsing with `jq`).
- `passlane list github --json` — only entries matching `github`.
- `passlane list -v` — plain text **including passwords**.
> WARNING: `list --json` and `list -v` print **passwords in cleartext** to stdout. Default plain
> `list` (no `-v`) shows service/username/note only — no password.
### `passlane show <REGEXP> --out`
Print a **single** matched password to stdout — no clipboard, no countdown, exits immediately. Use
this when you need exactly one secret.
```bash
passlane show '^github\.com$' --out
```
**Rule of thumb:** use `list --json | jq` for structured extraction or multiple fields; use
`show --out` for one password.
## JSON output reference
Every `--json` response is an envelope:
```json
{ "type": "credentials", "count": 2, "entries": [ ... ] }
```
Entry fields by `type`:
| `type` | entry fields |
| --------------- | ------------ |
| `credentials` | `uuid`, `service`, `username`, `password`, `note` (optional), `last_modified` |
| `payment_cards` | `id`, `name`, `name_on_card`, `number`, `cvv`, `expiry` (`{month, year}`), `color?`, `billing_address?`, `last_modified` |
| `notes` | `id`, `title`, `content`, `last_modified` |
| `totp` | `id`, `label`, `issuer`, `secret`, `algorithm`, `period`, `digits`, `last_modified` |
| `totp_codes` | `label`, `issuer`, `code`, `valid_for_seconds` — **never includes the stored secret** |
## TOTP / 2FA codes
Most logins need a fresh time-based code. Two ways to get one:
### `passlane show -o --once <REGEXP>` — recommended for a single code
Prints the one matching current code to stdout and exits.
```bash
passlane show -o --once github # -> 447091
```
- **Zero matches** → exit code `1`, stderr: `No matching OTP authorizer found.`
- **Multiple matches** → exit code `1`, stderr: `Multiple OTP authorizers match: <labels>. Refine the search pattern to match exactly one.`
Because ambiguity is an error, **anchor your pattern** (e.g. `'^GitHub$'`) so it matches exactly one
authorizer.
### `passlane list -o --code [REGEXP] [--json]` — multiple codes / expiry window
Outputs the current code for every matching authorizer. With `--json`, each entry includes
`valid_for_seconds` so you know how long the code stays valid.
```bash
passlane list -o --code --json
```
> TOTP codes are valid only for a few seconds. **Fetch them just before use and never cache them.**
> Re-fetch on each retry.
## Other commands
| Command | Notes |
| ------- | ----- |
| `passlane gen [--out]` | Generate a random password. `--out` prints to stdout (otherwise copies to clipboard). |
| `passlane add [-p\|-n\|-o] [-g] [-l]` | Add a credential/card/note/TOTP. **Interactive** (prompts). |
| `passlane edit <REGEXP> [-p\|-n\|-o]` | Edit an entry. **Interactive.** |
| `passlane delete <REGEXP> [-c\|-p\|-n\|-o]` | Delete entries. **Interactive.** |
| `passlane csv <FILE>` | Import credentials from a CSV file. |
| `passlane export [-p\|-n\|-o] <FILE>` | Export the vault to CSV. |
| `passlane passwd [-o]` | Change a vault's master password. **Interactive.** |
| `passlane completions [SHELL]` | Generate shell completions (bash/zsh/fish). |
| `passlane init` | First-time setup. **Interactive.** |
| `passlane repl` | Interactive REPL (also launched by running `passlane` with no args). |
`add`, `edit`, `delete`, `passwd`, `init`, and `repl` are prompt-driven and **not suited to
unattended automation** — only the reading commands above are.
## Safety rules
- **Never** echo retrieved passwords or TOTP codes into chat, logs, or files you commit.
- Pipe secrets directly into the consuming command, or capture into a shell variable with
`VAR=$(passlane ...)` — avoid inlining a secret into a command line where it lands in shell
history or process listings.
- Fetch TOTP codes **just-in-time**, immediately before the request that uses them.
- Match patterns precisely (anchored regex) so `show -o --once` and `show --out` resolve to exactly
one entry.
- Treat exit code `1` as actionable: a **locked vault**, **no match**, or **ambiguous match**. Check
it and react rather than proceeding with empty output.
## Worked examples
For ready-to-adapt scripts — API login with basic auth + TOTP, single-secret extraction, browser
login combined with the `playwright-cli` skill, and a read-only credential audit — read
[references/automation-examples.md](references/automation-examples.md) when you are actually
building an automation.
don't have the plugin yet? install it then click "run inline in claude" again.
separated vault unlock prerequisite into inputs with explicit edge-case handling, broke reading commands into numbered procedure steps with clear input/output contracts, formalized decision logic for locked vaults and regex ambiguity, added JSON schema examples and exit code reference, and emphasized just-in-time TOTP fetching and secret safety throughout.
passlane is a command-line password manager and authenticator that stores data in keepass encrypted format. use it to retrieve credentials (service/username/password), payment cards, secure notes, and generate TOTP authenticator codes for unattended automation. reach for passlane when you need to script a login, fetch a password or 2FA code from a vault, audit stored credentials, or build automations that authenticate using stored secrets. the tool outputs machine-readable JSON and plaintext to stdout, making it suitable for piping into other commands or capturing into variables without touching the clipboard or interactive UI.
passlane CLI: must be installed and in PATH. (passlane --version to verify.)
two separate encrypted vaults, each requiring a master password:
-o flag)OS keychain integration: master passwords must be stored in the system keychain for non-interactive use. the user sets this up once with passlane unlock and passlane unlock -o. if vaults are locked, passlane will block on an interactive prompt and hang unattended automation.
external connection: none required beyond local vault files and OS keychain. passlane does not reach out to remote servers.
edge cases to handle:
show --once or show --out will error with exit code 1run passlane list --json with no arguments. if it prompts for a master password or errors with "vault locked", stop and ask the user to run passlane unlock (and passlane unlock -o if 2FA codes are needed). do not attempt to supply the master password yourself; there is no environment variable or stdin method.
input: passlane CLI, OS keychain state output: either JSON envelope or exit code 1 with stderr indicating lock status
run passlane list [REGEXP] --json [-v] to retrieve structured data.
passlane list --json lists all credentialspasslane list github --json filters entries matching "github"passlane list -p --json lists payment cardspasslane list -n --json lists secure notespasslane list -o --json lists TOTP authorizers (metadata only, secrets hidden)input: optional REGEXP filter, vault type flag (-p, -n, -o)
output: JSON envelope with type, count, and entries array; passwords included in plaintext only if -v flag is used
run passlane show '<REGEXP>' --out to print exactly one password to stdout.
passlane show '^github\.com$' --out
use anchored regex (^...$) to guarantee a single match. if zero or multiple matches, exit code is 1 and stderr describes the problem.
input: REGEXP pattern (anchored recommended), --out flag
output: password printed to stdout (no newline by default); exit code 0 on success, 1 on error
run passlane show -o --once '<REGEXP>' to fetch the current time-based code.
passlane show -o --once '^GitHub$'
codes are valid only for seconds; fetch immediately before use.
input: REGEXP pattern (anchored), -o flag, --once flag
output: 6-digit code (or configured digit count) to stdout; exit code 0 on success, 1 on zero or multiple matches
run passlane list -o --code --json to get all current codes with expiry information.
passlane list -o --code --json | jq '.entries[]'
each entry includes valid_for_seconds so you know how long each code remains valid. never cache TOTP codes; re-fetch on each use or retry.
input: -o flag, --code flag, --json flag
output: JSON envelope with totp_codes type; entries include label, issuer, code, valid_for_seconds (secret never included)
capture the output into a shell variable or pipe directly to the consuming command. do not echo it to stdout, logs, or files that will be committed.
PASSWORD=$(passlane show '^api\.service$' --out)
curl -u "user:$PASSWORD" https://api.service.com/endpoint
# or pipe directly (preferred for sensitive data)
passlane show '^api\.service$' --out | xargs -I {} curl -u "user:{}" https://api.service.com/endpoint
input: output from step 2, 3a, 3b, or 3c output: secret injected into consuming command or stored in shell variable (never logged or echoed)
if vault is locked: stop immediately. ask the user to run passlane unlock (main vault) and passlane unlock -o (TOTP vault if needed). do not retry or supply a master password.
if you need multiple secrets or structured audit data: use passlane list --json [REGEXP] and pipe to jq for extraction. this is more efficient than calling show multiple times.
if you need exactly one password: use passlane show '<REGEXP>' --out. anchor the regex to guarantee a single match; if multiple match, the command fails with exit code 1.
if you need exactly one TOTP code: use passlane show -o --once '<REGEXP>'. must be anchored to match exactly one authorizer. if multiple match or none match, exit code is 1.
if you need multiple TOTP codes or must know expiry windows: use passlane list -o --code --json. codes are valid only for a few seconds, so fetch just before use and never cache.
if a read command exits with code 1: the vault is locked, the pattern matched zero entries, or the pattern is ambiguous (multiple matches). check stderr, refine your regex (anchor it), and retry, or ask the user to unlock the vault.
if you need to generate a random password programmatically: run passlane gen --out to stdout. this does not interact with the vault.
passlane list --json returns:
{
"type": "credentials",
"count": 2,
"entries": [
{
"uuid": "...",
"service": "github.com",
"username": "user@example.com",
"password": "...",
"note": "...",
"last_modified": "2024-01-15T10:30:00Z"
}
]
}
passlane show --out returns: plaintext password to stdout (no trailing newline).
passlane show -o --once returns: 6-digit (or configured) TOTP code to stdout (no trailing newline).
passlane list -o --code --json returns:
{
"type": "totp_codes",
"count": 1,
"entries": [
{
"label": "GitHub",
"issuer": "github.com",
"code": "447091",
"valid_for_seconds": 27
}
]
}
exit codes:
0: success1: vault locked, no matches, ambiguous matches, or other error (check stderr)no files created or modified unless explicitly running add, edit, delete, or export (which are interactive and not recommended for automation).
passlane list --json succeeds and returns entries without prompting.valid_for_seconds window and not cached or re-used across retries.credits: original skill by passlane team. enriched and restructured per implexa standards.