Skip to main content

CLI for KeePassXC using the browser extension protocol with biometric unlock

Project description

KeePassXC CLI

A command-line interface for KeePassXC that communicates via the browser extension protocol, supporting biometric (TouchID/fingerprint) unlock on supported platforms.

keepassxc-cli talks to a running KeePassXC instance using the same native messaging protocol used by the KeePassXC Browser extension. This means:

  • Biometric unlock: On macOS with TouchID (or similar) configured in KeePassXC, you can authenticate via fingerprint rather than typing your master password.
  • No master password in shell history: Authentication happens through KeePassXC's GUI, not the terminal.
  • CRUD: Add, edit, delete entries and groups.
  • TOTP: Retrieve time-based one-time passwords.
  • Clipboard: Copy credentials directly to the clipboard.

Functionality demonstration

KeePassXC CLI based on KeePassXC Browser API.

Prerequisites

  • macOS (uses Unix sockets and KeePassXC's browser extension socket)
  • Python >= 3.10
  • KeePassXC with:
    • Browser Integration enabled (Settings > Browser Integration > Enable browser integration) KeePassXC Browser Integration Settings screenshot

Install

Homebrew (recommended)

See homebrew homepage on how to setup homebrew.

brew install mietzen/tap/keepassxc-cli

pipx

pipx install keepassxc-cli

Setup

Before using keepassxc-cli, associate it with your KeePassXC instance:

keepassxc-cli setup

This performs a key exchange with KeePassXC (you will be prompted to allow the association in the KeePassXC GUI). The association is saved to ~/.keepassxc/browser-api.json.

Usage

Global options

keepassxc-cli [--config PATH] [--browser-api-config PATH] [-v] COMMAND [COMMAND OPTIONS]
Option Description
--config Path to CLI config file (default: ~/.keepassxc/cli.json)
--browser-api-config Path to browser API config file (default: ~/.keepassxc/browser-api.json)
-v, --verbose Enable verbose/debug logging

Some commands support a -j / --json flag for JSON output — pass it anywhere after the subcommand name:

keepassxc-cli show https://github.com -j
keepassxc-cli status -j

Commands

setup — Associate with KeePassXC

keepassxc-cli setup

status — Connection and association status

keepassxc-cli status
keepassxc-cli status -j

show — Show entries for a URL

keepassxc-cli show https://github.com
keepassxc-cli show https://github.com -p     # reveal password and TOTP
keepassxc-cli show https://github.com -j

Without -p, password and TOTP are omitted from the output entirely.

totp — Get TOTP code

keepassxc-cli totp https://github.com
keepassxc-cli totp https://github.com -j

clip — Copy a field to clipboard

keepassxc-cli clip password https://github.com
keepassxc-cli clip username https://github.com
keepassxc-cli clip totp     https://github.com

add — Add a new entry

# Password is prompted securely if --password is not given
keepassxc-cli add --url https://example.com --username user@example.com
keepassxc-cli add --url https://example.com --username user --password mypass
# Place the entry in a specific group by UUID
keepassxc-cli add --url https://example.com --username user --group-uuid <group-uuid>

Note: The entry title is always derived from the URL hostname by KeePassXC. The protocol has no field to set a custom title.

edit — Edit an entry

# Get the UUID first
keepassxc-cli show https://github.com -p

# Then edit — --url is required to resolve the current entry
keepassxc-cli edit <uuid> --url https://github.com --username newuser
keepassxc-cli edit <uuid> --url https://github.com --password newpass --title "New Title"

rm — Delete an entry

keepassxc-cli rm <uuid>        # prompts for confirmation
keepassxc-cli rm <uuid> --yes  # skip confirmation

lock — Lock the database

keepassxc-cli lock

mkdir — Create a group

keepassxc-cli mkdir "Work"
keepassxc-cli mkdir "Work/Projects"   # create Projects inside Work

Use /-separated paths to create nested groups. KeePassXC creates any missing path segments automatically.

group-uuid — Look up a group's UUID by path

keepassxc-cli group-uuid "Work"
keepassxc-cli group-uuid "Work/Projects"
keepassxc-cli group-uuid "Work/Projects" -j

Returns the UUID for the group at the given path (relative to the database root). Useful for scripting — pipe the UUID into add --group-uuid.

JSON output (-j):

{
  "path": "Work/Projects",
  "name": "Projects",
  "uuid": "<uuid>"
}

version — Show the CLI version

keepassxc-cli version

Does not require a running KeePassXC instance.

Configuration

CLI config (~/.keepassxc/cli.json)

Only non-default values are stored. Available options:

Key Default Description
browser_api_config_path ~/.keepassxc/browser-api.json Path to the browser API config
default_format table Default output format (table or json)

Example ~/.keepassxc/cli.json:

{
  "default_format": "json"
}

Browser API config (~/.keepassxc/browser-api.json)

Shared with keepassxc-browser-api. Contains the association keys created during keepassxc-cli setup. This file is automatically created and updated by the setup command.

Both config files are stored with 0o600 permissions (owner read/write only).

Exit codes

Code Meaning
0 Success
1 Generic error (unexpected KeePassXC error, OS error, config parse error)
2 KeePassXC is not running or the socket is not found (ConnectionError)
3 Database unlock timed out (DatabaseLockedError)
4 Access denied by user — either the access prompt was cancelled or "Allow access to all entries" was denied

These codes are stable and suitable for scripting, e.g.:

keepassxc-cli show https://example.com || case $? in
  2) echo "Start KeePassXC first" ;;
  3) echo "Unlock timed out" ;;
  4) echo "Access denied" ;;
esac

Development

This package depends on keepassxc-browser-api, which handles the KeePassXC browser extension protocol. The browser API credentials are stored in ~/.keepassxc/browser-api.json and are shared with keepassxc-ssh-agent if installed.

git clone https://github.com/mietzen/keepassxc-cli
git clone https://github.com/mietzen/keepassxc-browser-api
cd keepassxc-cli

python3 -m venv .venv
source .venv/bin/activate

# Install local keepassxc-browser-api dependency first
pip install ../mietzen-keepassxc-browser-api/

# Install in editable mode with dev dependencies
pip install -e ".[dev]"

# Run tests
pytest --tb=short -q

# Run tests with coverage
pytest --cov=keepassxc_cli --cov-report=term-missing

# Lint
ruff check --ignore=E501 --exclude=__init__.py ./keepassxc_cli

Known Limitations

  • Requires KeePassXC to be running and the database to be open (or biometric auto-unlock configured).
  • The clip command requires pyperclip and a working clipboard (e.g., xclip/xsel on Linux, built-in on macOS/Windows).
  • The browser integration protocol does not support moving entries between groups directly.
  • Entry lookup is by URL/hostname only (same as the browser extension). Title-based search is not supported by the protocol.
  • String fields (string_fields in JSON output) require the KeePassXC setting "Support KPH fields" to be enabled, and custom attributes must be prefixed with KPH: in the KeePassXC entry's "Advanced" tab. This is a server-side KeePassXC requirement, not something the CLI can control.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keepassxc_cli-1.6.0.tar.gz (10.6 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

keepassxc_cli-1.6.0-py3-none-any.whl (18.0 kB view details)

Uploaded Python 3

File details

Details for the file keepassxc_cli-1.6.0.tar.gz.

File metadata

  • Download URL: keepassxc_cli-1.6.0.tar.gz
  • Upload date:
  • Size: 10.6 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keepassxc_cli-1.6.0.tar.gz
Algorithm Hash digest
SHA256 135c649359c4e7c15696473bdc1298e1e76647df529434040b41f237c60a9de2
MD5 d3cd302baafce77dfdbb23e1f8eb76f1
BLAKE2b-256 d1d1b5049e4bcf5f17b8d20808734c4107b1b947b620ddaccb77eae3efbfa6c5

See more details on using hashes here.

Provenance

The following attestation bundles were made for keepassxc_cli-1.6.0.tar.gz:

Publisher: pypi.yml on mietzen/keepassxc-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file keepassxc_cli-1.6.0-py3-none-any.whl.

File metadata

  • Download URL: keepassxc_cli-1.6.0-py3-none-any.whl
  • Upload date:
  • Size: 18.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for keepassxc_cli-1.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 af841cd0c0f45e6097fc3870557add4b8ec9f2bee3403f8fa2dbb539b9908202
MD5 79066b906b323b7d1340ab780f666e7a
BLAKE2b-256 d3cd34c5e6bafa720745d31ae17d617ee3d3fe678fb5349b3684a08fec7c517b

See more details on using hashes here.

Provenance

The following attestation bundles were made for keepassxc_cli-1.6.0-py3-none-any.whl:

Publisher: pypi.yml on mietzen/keepassxc-cli

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page