Retrieving data (get)
Retrieving data from items and shortcuts
This example demonstrates how to retrieve items and shortcuts from Passwork using the get mode, as well as how to extract specific fields from them.
Use cases
The get command provides many use cases for securely working with data from Passwork:
- Extracting specific fields — retrieving individual values (name, password, login, URL, description, tags, or custom fields)
- Using in scripts — integration into bash scripts and other automation tools for secure password handling
- CI/CD pipelines — passing secrets to build and deployment processes without storing them in configuration files
- TOTP code generation — creating one-time passwords for two-factor authentication from secrets stored in custom fields
- Retrieving custom data — extracting API keys, access tokens, and other custom fields from records
- Working with shortcuts — retrieving data through shortcuts to access items from other vaults
- Secure password management — retrieving passwords without saving to disk or command line history
Item/shortcut identification
Specify the data source, one of the parameters is required:
| Parameter | Description |
|---|---|
--password-id | Item ID |
--shortcut-id | Shortcut ID |
Output modes and extraction
| Parameter | Description |
|---|---|
--field | Displays the specified field of an item or shortcut |
--json | Outputs all available data for the item/shortcut in JSON format |
--totp-code | Generates and outputs a TOTP code from a field containing a secret in base32 or otpauth:// |
Fields supported --field:
name,login,password,url,description,tags- Custom fields by name, for example
API_KEY,SERVICE_ACCOUNT
Basic usage
Get password from item by ID
- shell
passwork-cli get \
--host "https://passwork.example.com" \
--token "your_access_token" \
--master-key "your_master_key" \
--password-id "68793e13dfc88d879e0f2e39" \
By default, the password will be retrieved. If the password field is empty, an error will be displayed.
Using environment variables
You can export Passwork data as environment variables:
- shell
export PASSWORK_HOST="https://passwork.example.com"
export PASSWORK_TOKEN="your_access_token"
export PASSWORK_MASTER_KEY="your_master_key"
# Then retrieve without specifying credentials
passwork-cli get --password-id "68793e13dfc88d879e0f2e39"
This is useful for automation scripts and CI/CD pipelines, where credentials can be securely stored as environment variables.
Extracting specific fields
- shell
# Item name
passwork-cli get --password-id "68793e13dfc88d879e0f2e39" --field name
# Custom field (e.g., API_KEY)
passwork-cli get --password-id "68793e13dfc88d879e0f2e39" --field API_KEY
TOTP code generation
You can generate TOTP (Time-based One-Time Password) codes from secrets stored in custom fields. This is useful for two-factor authentication.
Using TOTP secret field
- shell
# Generate TOTP code from a custom field containing a secret
passwork-cli get \
--password-id "68793e13dfc88d879e0f2e39" \
--totp-code "TOTP_SECRET" \
The --totp-code parameter expects the name of a field (custom) that contains:
- Raw TOTP secret (string in base32 encoding)
- Or
otpauth://URL, for example:
otpauth://totp/Service:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Service
The TOTP code will be output to stdout, making it easy to use in scripts or for copying.
Working with shortcuts
Examples for shortcuts:
- shell
# Password from shortcut
passwork-cli get --shortcut-id "68d6c94bec3a3fe41209546e"
# Name field from shortcut
passwork-cli get --shortcut-id "68d6c94bec3a3fe41209546e" --field name
# TOTP from totp_secret field
passwork-cli get --shortcut-id "68d6c94bec3a3fe41209546e" --totp-code "totp_secret"
How it works
- CLI connects to Passwork using the provided data
- It retrieves an item or shortcut by ID
- The item is decrypted using the master key (when using client-side encryption)
- If
--totp-codeis specified, a TOTP code is generated from the specified field and output - If
--fieldis specified, only the value of that field is output - If neither
--totp-codenor--fieldis specified, the password value is output (or an error if it's empty)
Using in scripts
The get command is suitable for automation scripts where you need to retrieve specific values from an item:
- shell
#!/bin/bash
DB_PASSWORD=$(passwork-cli get \
--password-id "68d6c94bec3a3fe41209546e")
echo "Connecting to database..."
mysql -u admin -p"$DB_PASSWORD" mydatabase