CLI for KeePassXC using the browser extension protocol with biometric unlock
Project description
KeePassXC CLI
A command-line interface for KeePassXC that communicates via the browser extension protocol, supporting biometric (TouchID/fingerprint) unlock on supported platforms.
keepassxc-cli talks to a running KeePassXC instance using the same native messaging protocol used by the KeePassXC Browser extension. This means:
- Biometric unlock: On macOS with TouchID (or similar) configured in KeePassXC, you can authenticate via fingerprint rather than typing your master password.
- No master password in shell history: Authentication happens through KeePassXC's GUI, not the terminal.
- CRUD: Add, edit, delete entries and groups.
- TOTP: Retrieve time-based one-time passwords.
- Clipboard: Copy credentials directly to the clipboard.
KeePassXC CLI based on KeePassXC Browser API.
Prerequisites
- macOS (uses Unix sockets and KeePassXC's browser extension socket)
- Python >= 3.10
- KeePassXC with:
- Browser Integration enabled (Settings > Browser Integration > Enable browser integration)
- Browser Integration enabled (Settings > Browser Integration > Enable browser integration)
Install
Homebrew (recommended)
See homebrew homepage on how to setup homebrew.
brew install mietzen/tap/keepassxc-cli
pipx
pipx install keepassxc-cli
Setup
Before using keepassxc-cli, associate it with your KeePassXC instance:
keepassxc-cli setup
This performs a key exchange with KeePassXC (you will be prompted to allow the association in the KeePassXC GUI). The association is saved to ~/.keepassxc/browser-api.json.
Usage
Global options
keepassxc-cli [--config PATH] [--browser-api-config PATH] [-v] COMMAND [COMMAND OPTIONS]
| Option | Description |
|---|---|
--config |
Path to CLI config file (default: ~/.keepassxc/cli.json) |
--browser-api-config |
Path to browser API config file (default: ~/.keepassxc/browser-api.json) |
-v, --verbose |
Enable verbose/debug logging |
Some commands support a -j / --json flag for JSON output — pass it anywhere after the subcommand name:
keepassxc-cli show https://github.com -j
keepassxc-cli status -j
Commands
setup — Associate with KeePassXC
keepassxc-cli setup
status — Connection and association status
keepassxc-cli status
keepassxc-cli status -j
show — Show entries for a URL
keepassxc-cli show https://github.com
keepassxc-cli show https://github.com -p # reveal password and TOTP
keepassxc-cli show https://github.com -j
Without -p, password and TOTP are omitted from the output entirely.
totp — Get TOTP code
keepassxc-cli totp https://github.com
keepassxc-cli totp https://github.com -j
clip — Copy a field to clipboard
keepassxc-cli clip password https://github.com
keepassxc-cli clip username https://github.com
keepassxc-cli clip totp https://github.com
add — Add a new entry
# Password is prompted securely if --password is not given
keepassxc-cli add --url https://example.com --username user@example.com
keepassxc-cli add --url https://example.com --username user --password mypass
# Place the entry in a specific group by UUID
keepassxc-cli add --url https://example.com --username user --group-uuid <group-uuid>
Note: The entry title is always derived from the URL hostname by KeePassXC. The protocol has no field to set a custom title.
edit — Edit an entry
# Get the UUID first
keepassxc-cli show https://github.com -p
# Then edit — --url is required to resolve the current entry
keepassxc-cli edit <uuid> --url https://github.com --username newuser
keepassxc-cli edit <uuid> --url https://github.com --password newpass --title "New Title"
rm — Delete an entry
keepassxc-cli rm <uuid> # prompts for confirmation
keepassxc-cli rm <uuid> --yes # skip confirmation
lock — Lock the database
keepassxc-cli lock
mkdir — Create a group
keepassxc-cli mkdir "Work"
keepassxc-cli mkdir "Work/Projects" # create Projects inside Work
Use /-separated paths to create nested groups. KeePassXC creates any missing path segments automatically.
group-uuid — Look up a group's UUID by path
keepassxc-cli group-uuid "Work"
keepassxc-cli group-uuid "Work/Projects"
keepassxc-cli group-uuid "Work/Projects" -j
Returns the UUID for the group at the given path (relative to the database root). Useful for scripting — pipe the UUID into add --group-uuid.
JSON output (-j):
{
"path": "Work/Projects",
"name": "Projects",
"uuid": "<uuid>"
}
version — Show the CLI version
keepassxc-cli version
Does not require a running KeePassXC instance.
Configuration
CLI config (~/.keepassxc/cli.json)
Only non-default values are stored. Available options:
| Key | Default | Description |
|---|---|---|
browser_api_config_path |
~/.keepassxc/browser-api.json |
Path to the browser API config |
default_format |
table |
Default output format (table or json) |
Example ~/.keepassxc/cli.json:
{
"default_format": "json"
}
Browser API config (~/.keepassxc/browser-api.json)
Shared with keepassxc-browser-api. Contains the association keys created during keepassxc-cli setup. This file is automatically created and updated by the setup command.
Both config files are stored with 0o600 permissions (owner read/write only).
Exit codes
| Code | Meaning |
|---|---|
0 |
Success |
1 |
Generic error (unexpected KeePassXC error, OS error, config parse error) |
2 |
KeePassXC is not running or the socket is not found (ConnectionError) |
3 |
Database unlock timed out (DatabaseLockedError) |
4 |
Access denied by user — either the access prompt was cancelled or "Allow access to all entries" was denied |
These codes are stable and suitable for scripting, e.g.:
keepassxc-cli show https://example.com || case $? in
2) echo "Start KeePassXC first" ;;
3) echo "Unlock timed out" ;;
4) echo "Access denied" ;;
esac
Development
This package depends on keepassxc-browser-api, which handles the KeePassXC browser extension protocol. The browser API credentials are stored in ~/.keepassxc/browser-api.json and are shared with keepassxc-ssh-agent if installed.
git clone https://github.com/mietzen/keepassxc-cli
git clone https://github.com/mietzen/keepassxc-browser-api
cd keepassxc-cli
python3 -m venv .venv
source .venv/bin/activate
# Install local keepassxc-browser-api dependency first
pip install ../mietzen-keepassxc-browser-api/
# Install in editable mode with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest --tb=short -q
# Run tests with coverage
pytest --cov=keepassxc_cli --cov-report=term-missing
# Lint
ruff check --ignore=E501 --exclude=__init__.py ./keepassxc_cli
Known Limitations
- Requires KeePassXC to be running and the database to be open (or biometric auto-unlock configured).
- The
clipcommand requirespyperclipand a working clipboard (e.g.,xclip/xselon Linux, built-in on macOS/Windows). - The browser integration protocol does not support moving entries between groups directly.
- Entry lookup is by URL/hostname only (same as the browser extension). Title-based search is not supported by the protocol.
- String fields (
string_fieldsin JSON output) require the KeePassXC setting "Support KPH fields" to be enabled, and custom attributes must be prefixed withKPH:in the KeePassXC entry's "Advanced" tab. This is a server-side KeePassXC requirement, not something the CLI can control.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file keepassxc_cli-1.6.0.tar.gz.
File metadata
- Download URL: keepassxc_cli-1.6.0.tar.gz
- Upload date:
- Size: 10.6 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
135c649359c4e7c15696473bdc1298e1e76647df529434040b41f237c60a9de2
|
|
| MD5 |
d3cd302baafce77dfdbb23e1f8eb76f1
|
|
| BLAKE2b-256 |
d1d1b5049e4bcf5f17b8d20808734c4107b1b947b620ddaccb77eae3efbfa6c5
|
Provenance
The following attestation bundles were made for keepassxc_cli-1.6.0.tar.gz:
Publisher:
pypi.yml on mietzen/keepassxc-cli
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keepassxc_cli-1.6.0.tar.gz -
Subject digest:
135c649359c4e7c15696473bdc1298e1e76647df529434040b41f237c60a9de2 - Sigstore transparency entry: 1552405884
- Sigstore integration time:
-
Permalink:
mietzen/keepassxc-cli@6508a8f65c46377a765f5a07e6d308fd96fab8d3 -
Branch / Tag:
refs/tags/v1.6.0 - Owner: https://github.com/mietzen
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yml@6508a8f65c46377a765f5a07e6d308fd96fab8d3 -
Trigger Event:
release
-
Statement type:
File details
Details for the file keepassxc_cli-1.6.0-py3-none-any.whl.
File metadata
- Download URL: keepassxc_cli-1.6.0-py3-none-any.whl
- Upload date:
- Size: 18.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
af841cd0c0f45e6097fc3870557add4b8ec9f2bee3403f8fa2dbb539b9908202
|
|
| MD5 |
79066b906b323b7d1340ab780f666e7a
|
|
| BLAKE2b-256 |
d3cd34c5e6bafa720745d31ae17d617ee3d3fe678fb5349b3684a08fec7c517b
|
Provenance
The following attestation bundles were made for keepassxc_cli-1.6.0-py3-none-any.whl:
Publisher:
pypi.yml on mietzen/keepassxc-cli
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
keepassxc_cli-1.6.0-py3-none-any.whl -
Subject digest:
af841cd0c0f45e6097fc3870557add4b8ec9f2bee3403f8fa2dbb539b9908202 - Sigstore transparency entry: 1552405905
- Sigstore integration time:
-
Permalink:
mietzen/keepassxc-cli@6508a8f65c46377a765f5a07e6d308fd96fab8d3 -
Branch / Tag:
refs/tags/v1.6.0 - Owner: https://github.com/mietzen
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
pypi.yml@6508a8f65c46377a765f5a07e6d308fd96fab8d3 -
Trigger Event:
release
-
Statement type: