Password Pusher Logo
Password Pusher Go Ahead. Email Another Password.

Password Pusher API v2

Complete JSON API documentation for creating, retrieving and managing pushes in the open-source edition.

Authentication

Authenticate requests with a Bearer token in the Authorization header.

Create an API token in your account settings at /users/token.

Authorization: Bearer YOUR_API_TOKEN
  • Public endpoints: GET /api/v2/version, GET /api/v2/pushes/:url_token, GET /api/v2/pushes/:url_token/preview
  • Authenticated endpoints: GET /api/v2/pushes/:url_token/audit, GET /api/v2/pushes/active, GET /api/v2/pushes/expired
  • Anonymous access setting: When anonymous pushes are disabled, API endpoints require authentication.

Base URL

All endpoints are relative to your installation host:

https://pwpush.involas.cloud/api/v2

Version Endpoint

GET /api/v2/version

Returns API version, application details, and a features hash describing which capabilities are enabled on this instance.

cURL example:

curl -X GET https://pwpush.involas.cloud/api/v2/version
{
  "application_version": "2.9.0",
  "api_version": "2.1",
  "edition": "oss",
  "features": {
    "anonymous_access": false,
    "api_token_authentication": true,
    "accounts": {
      "enabled": false
    },
    "pushes": {
      "enabled": true,
      "email_auto_dispatch": false,
      "file_attachments": {
        "enabled": true,
        "requires_authentication": true
      },
      "url_pushes": {
        "enabled": true
      },
      "qr_code_pushes": {
        "enabled": true
      }
    },
    "requests": {
      "enabled": false
    }
  }
}

Features Hash

  • anonymous_access - Whether anonymous API usage is allowed (Settings.allow_anonymous)
  • api_token_authentication - Bearer token authentication support
  • accounts.enabled - Accounts API availability (not available in OSS)
  • pushes.enabled - Push creation and management via API
  • pushes.email_auto_dispatch - Auto-Dispatch email notifications (Settings.notify_by_email.enabled, requires SMTP and logins)
  • pushes.file_attachments.enabled - File attachments on pushes (Settings.enable_file_pushes)
  • pushes.url_pushes.enabled - URL push type (Settings.enable_url_pushes)
  • pushes.qr_code_pushes.enabled - QR code push type (Settings.enable_qr_pushes)
  • requests.enabled - Requests API availability (not available in OSS)

Push Endpoints

POST /api/v2/pushes

Create a new push.

Body format: { "push": { ... } }

Parameter Type Required Description
payloadstringYesSecret text payload for text, URL or QR pushes.
filesarrayNoFiles to attach. When present, the push type becomes file unless kind is explicitly provided.
kindstringNoPush type: text, file, url, or qr. Defaults to text when not provided.
expire_after_daysintegerNoExpiration window in days. If omitted, instance defaults are used.
expire_after_viewsintegerNoMaximum allowed retrieval count. If omitted, instance defaults are used.
deletable_by_viewerbooleanNoAllows the recipient to expire the push.
retrieval_stepbooleanNoAdds an extra retrieval confirmation step.
passphrasestringNoRequires this passphrase to retrieve the payload.
namestringNoOptional label shown to the owner.
notestringNoOptional owner-only note.
notify_by_emailobjectNoOptional recipients for the push creation email.
notify_by_email.recipientsstringNoOptional recipients for the push creation email. Comma-separated list of email addresses. Maximum 5 emails.
notify_by_email.localestringNoOptional locale for the push creation email. See the list of available locales in the Supported Locales section. Defaults to en.
{
  "push": {
    "payload": "my-secret",
    "expire_after_days": 1,
    "expire_after_views": 5,
    "passphrase": "optional-passphrase",
    "deletable_by_viewer": true,
    "retrieval_step": true,
    "notify_by_email": {
      "recipients": "email1@example.com, email2@example.com",
      "locale": "fr"
    }
  }
}

cURL example (JSON body):

curl -X POST https://pwpush.involas.cloud/api/v2/pushes \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "push": {
      "payload": "my-secret",
      "expire_after_days": 1,
      "expire_after_views": 5
    }
  }'

GET /api/v2/pushes/:url_token

Retrieve a push payload by token. This counts as a view and may expire the push when limits are reached.

Query parameters: passphrase (optional, required when the push is passphrase-protected)

cURL example:

curl -X GET https://pwpush.involas.cloud/api/v2/pushes/YOUR_URL_TOKEN

GET /api/v2/pushes/:url_token/preview

Returns the fully-qualified secret URL for a push without retrieving its payload.

cURL example:

curl -X GET https://pwpush.involas.cloud/api/v2/pushes/YOUR_URL_TOKEN/preview

GET /api/v2/pushes/:url_token/audit

Return audit log entries for a push. Authentication and ownership are required.

Query parameters: page (optional, integer, default 1, valid range 1 to 200)

cURL example:

curl -X GET "https://pwpush.involas.cloud/api/v2/pushes/YOUR_URL_TOKEN/audit?page=1" \
  -H "Authorization: Bearer YOUR_API_TOKEN"

DELETE /api/v2/pushes/:url_token

Expire a push immediately. Allowed for owners (when authenticated) or for recipients when the push was created with deletable_by_viewer enabled.

cURL example:

curl -X DELETE https://pwpush.involas.cloud/api/v2/pushes/YOUR_URL_TOKEN \
  -H "Authorization: Bearer YOUR_API_TOKEN"

GET /api/v2/pushes/active

List active pushes for the authenticated user.

Query parameters: page (optional, integer, default 1, valid range 1 to 200)

cURL example:

curl -X GET "https://pwpush.involas.cloud/api/v2/pushes/active?page=1" \
  -H "Authorization: Bearer YOUR_API_TOKEN"

GET /api/v2/pushes/expired

List expired pushes for the authenticated user.

Query parameters: page (optional, integer, default 1, valid range 1 to 200)

cURL example:

curl -X GET "https://pwpush.involas.cloud/api/v2/pushes/expired?page=1" \
  -H "Authorization: Bearer YOUR_API_TOKEN"

POST /api/v2/pushes/:url_token/notify_by_email

Send an email to notify the push creation to the specified recipients.

Parameter Type Required Description
recipientsstringYesComma-separated list of email addresses. Maximum 5 emails.
localestringNoLocale for the email notification. See the list of available locales in the Supported Locales section. Defaults to en.

cURL example:

curl -X POST "https://pwpush.involas.cloud/api/v2/pushes/YOUR_URL_TOKEN/notify_by_email" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "recipients": "email1@example.com, email2@example.com",
    "locale": "fr"
  }'

Supported Locales

The following locales are supported for API requests that accept a locale parameter:

Locale Code Language
ca Català
cs Čeština
cy Cymraeg
da Dansk
de Deutsch
en English
en-GB English (UK)
es Español
eu Euskara
fi Suomi
fr Français
ga Gaeilge
hi हिन्दी
hu Magyar
id Indonesian
is Íslenska
it Italiano
ja 日本語
ko 한국어
lv Latviski
nl Nederlands
no Norsk
pl Polski
pt-BR Português
pt-PT Português
ro Română
ru Русский
sk Slovenský
sr Српски
sv Svenska
th ไทย
uk Українська
ur اردو
zh-CN 中文

HTTP Status Codes

  • 200 - Successful request
  • 201 - Push created
  • 400 - Invalid request parameters
  • 401 - Authentication required or invalid token
  • 403 - Forbidden for current user
  • 404 - Resource not found
  • 422 - Validation error

For legacy API v1 documentation, see /api.