Password Manager

Tools now includes a first password-manager slice under /password-manager, available only to logged-in users.

Access model

  • Web UI: /password-manager
  • Authentication: logged-in Tools user (auth:web)
  • Extra permission: none in this first slice

API contract

Tools now also exposes a first authenticated Password Manager API surface under /api/password-manager/*.

Current auth model:

  • signed-in web session
  • or JWT bearer token from POST /api/account/login

Current endpoints:

  • GET /api/password-manager/entries
  • GET /api/password-manager/entries/{entryId}
  • POST /api/password-manager/entries
  • PUT /api/password-manager/entries/{entryId}
  • PATCH /api/password-manager/entries/{entryId}
  • DELETE /api/password-manager/entries/{entryId}

Response behavior in this first contract:

  • list responses return masked entry rows plus summary text and counts
  • full decrypted secret_payload is returned only on explicit detail/read and create/update responses
  • API responses send Cache-Control: no-store, private
  • ownership is still strictly per authenticated user

Every entry belongs only to the current user. There is no sharing or delegated access yet.
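
An added example, not part of the Tools code base: a small Python check that audits captured responses against the response behavior listed above. Only `secret_payload`, the Cache-Control directives and the endpoint path come from this page; the other JSON field names and the sample responses are constructed assumptions.

```python
SECRET_KEY = "secret_payload"  # field name taken from this page
LIST_PATH = "/api/password-manager/entries"


def cache_directives(headers):
    """Return the lowercase Cache-Control directives (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "cache-control":
            return {d.strip().lower() for d in value.split(",") if d.strip()}
    return set()


def contains_key(node, key):
    """True if `key` appears at any depth of a decoded JSON document."""
    if isinstance(node, dict):
        return key in node or any(contains_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(contains_key(v, key) for v in node)
    return False


def audit(method, path, headers, body):
    """Return the contract violations found in one captured response."""
    problems = []
    missing = {"no-store", "private"} - cache_directives(headers)
    if missing:
        problems.append("Cache-Control missing: " + ", ".join(sorted(missing)))
    # Only the list endpoint must stay masked; detail/create/update may return the payload.
    is_list = method == "GET" and path.split("?")[0].rstrip("/") == LIST_PATH
    if is_list and contains_key(body, SECRET_KEY):
        problems.append("list response exposes " + SECRET_KEY)
    return problems


# Constructed sample responses; field names other than secret_payload are assumptions.
GOOD_LIST = ("GET", LIST_PATH, {"Cache-Control": "no-store, private"},
             {"entries": [{"id": 1, "title": "mail", "masked": "****"}], "count": 1})
BAD_LIST = ("GET", LIST_PATH + "?page=2", {"cache-control": "private, max-age=60"},
            {"entries": [{"id": 1, "secret_payload": {"password": "x"}}]})
DETAIL = ("GET", LIST_PATH + "/1", {"Cache-Control": "private, no-store"},
          {"id": 1, "secret_payload": {"password": "x"}})

if __name__ == "__main__":
    for sample in (GOOD_LIST, BAD_LIST, DETAIL):
        print(sample[0], sample[1], audit(*sample) or "ok")
```

The same `audit` function can be pointed at responses recorded from a test account to catch a regression that leaks decrypted payloads into list rows or drops the no-store directive.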

Current scope

The first slice is intentionally small and security-focused:

  • Login entries for usernames, passwords, OTP secrets, and private notes
  • Secure note entries for recovery codes, server notes, or similar encrypted text
  • Payment card groundwork for encrypted cardholder/card data

Security posture in this first slice

  • Sensitive payload data is encrypted before it is stored.
  • Ownership is enforced per logged-in user.
  • Payment-card entries explicitly refuse CVV/CVC storage.
  • There is no browser extension, sharing model, or mobile sync contract yet.

Entry types

Login

Suggested for:

  • website usernames
  • passwords
  • TOTP/OTP seeds
  • account-specific notes

Secure note

Suggested for:

  • recovery codes
  • SSH snippets
  • alarm/disaster instructions
  • account metadata that should stay private

Payment card

Current guidance:

  • card number can be stored in encrypted form
  • brand/cardholder/expiry are supported
  • CVV/CVC is intentionally rejected in this first slice

Limitations right now

  • The API does not yet have a separate unlock/session gate beyond the normal authenticated session/JWT model.
  • No Android app implementation exists yet, even though the API contract now exists.
  • There is no import/export flow yet.
  • There is no browser autofill integration yet.
  • There is no sharing or delegated vault access yet.

Android preparation note

Android planning for a future password-manager/mobile companion is currently kept as internal pre-agent material in:

  • agents-collection/AGENTS-PASSWORD-MANAGER-ANDROID-PREP.md

That internal note is still for planning, but it now complements the first public /api/password-manager/* contract rather than replacing it.