LastPass Developer Documentation

Secured Auth API

This document describes how to consume the LastPass secured (encrypted) Authentication API services.

The authentication client exchanges JSON messages with the LastPass API. The Generic API Key is a required attribute of every message. You can retrieve the API Key as instructed here.

Since all the following endpoints are secured by public-key cryptography in addition to the default TLS, you need to study the "Encryption" section first.

All requests need to be formatted as base64 and put inside the "Request.Payload" parameter. All responses need to be parsed from the decrypted "Response.Value.Payload".

Here is the list of all methods:

POST /Generic/Login

Pings the user's active phone to log in synchronously. The request finishes after the user takes action on the phone or after 60 seconds.

Example Request and Response in JSON:

Request attributes:

Attribute    Type     Description
---------    ----     -----------
APIKey*      String   'Generic' API Key
Username*    String   User's email as an identifier
IPAddress*   String   IP address of the user. The user will see the geo-location of this IP address on the phone
BrowserId    String   Unique identifier of the browser that can be stored in a cookie
DeviceName   String   User device description (e.g. "Windows, Chrome")
FirstName    String   User's first name. This attribute is optional and is used for auto-provisioning.
LastName     String   User's last name. This attribute is optional and is used for auto-provisioning.

Response attributes:

Attribute         Type      Description
---------         ----      -----------
Succeeded*        Boolean   Indicates the login process status
Message*          String    Error message from the server
Value.AuthStatus  String    Authentication status of the user
Value.Username    String    User's email as an identifier

The server returns AuthStatus with one of the following values:

Status                 Description
------                 -----------
Success                Successful authentication
InvalidUser            User is invalid
DoesNotExist           User does not exist
UnpairedUser           User exists but is not active (no registered phone/device)
LockedUser             User is locked by an administrator, or the user's device is in Lock status
NoResponse             User did not respond to the request
NoResponseTimeout      User did not respond to the request
Alert                  Auth request is flagged as an alert (suspicious activity)
Denied                 User/server denied the request
Denied by Geofencing   Request is denied by the Geofencing policy
Denied by Policy       Request is denied by other policies
No Location            Request is denied because the user's device/phone was not able to confirm the user's location
LogError               Server internal error
Password               Indicates the user is using a password as an authentication method

If an admin has enabled the "Auto provisioning" feature in the Admin portal and FirstName and LastName were provided in the request, the API creates the user (if it does not already exist) and returns the UnpairedUser status in the response.
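The envelope described above (JSON, base64, "Request.Payload" in, decrypted "Response.Value.Payload" out) together with a fail-closed reading of the Login response, as an added example that is not LastPass's own client code. The encrypt/decrypt callables stand in for the scheme in the "Encryption" section, which this page does not specify, and default to identity as a placeholder; the sample response is constructed, not captured from the service.

```python
import base64
import json

# Attributes the Login request must carry (starred in the table above).
REQUIRED = ("APIKey", "Username", "IPAddress")

# Only AuthStatus "Success" together with Succeeded == true grants access.
# Every other status, listed or unknown, is treated as a denial (fail closed);
# the sets below only distinguish cases worth handling differently in the UI.
RETRYABLE = {"NoResponse", "NoResponseTimeout"}
ENROLL_NEEDED = {"UnpairedUser"}   # also what auto-provisioning returns


def build_login_request(fields: dict, encrypt=lambda b: b) -> dict:
    """Serialize the /Generic/Login attributes, encrypt them (placeholder:
    identity) and wrap the base64 result as Request.Payload."""
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError(f"missing required attribute(s): {missing}")
    plaintext = json.dumps(fields, separators=(",", ":")).encode()
    return {"Payload": base64.b64encode(encrypt(plaintext)).decode()}


def parse_login_response(envelope: dict, decrypt=lambda b: b) -> dict:
    """Unwrap Response.Value.Payload, decrypt and decode it, and reduce the
    inner message to a fail-closed decision."""
    inner = json.loads(decrypt(base64.b64decode(envelope["Value"]["Payload"])))
    status = (inner.get("Value") or {}).get("AuthStatus")
    return {
        "granted": inner.get("Succeeded") is True and status == "Success",
        "status": status,
        "retryable": status in RETRYABLE,
        "needs_enrollment": status in ENROLL_NEEDED,
        "message": inner.get("Message", ""),
    }


def wrap_response(inner: dict, encrypt=lambda b: b) -> dict:
    """Constructed stand-in for the server side: encrypt an inner response and
    place it in Value.Payload, so the parser can be exercised offline."""
    blob = encrypt(json.dumps(inner).encode())
    return {"Value": {"Payload": base64.b64encode(blob).decode()}}


# Constructed sample: a user that exists but has no paired phone yet.
SAMPLE_ENVELOPE = wrap_response({"Succeeded": True, "Message": "",
                                 "Value": {"AuthStatus": "UnpairedUser",
                                           "Username": "alice@example.com"}})
```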

POST /Generic/LoginAsync

Pings the user's active phone to log in asynchronously. The request returns a token that can be used to check the login status via /Generic/CheckLoginToken.

Example Request and Response in JSON:

Response attributes:

Attribute              Type      Description
---------              ----      -----------
Succeeded*             Boolean   Indicates the login process status
Message*               String    Error message from the server
Value.AuthStatus       String    Authentication status of the user
Value.Username         String    User's email as an identifier
Value.AsyncLoginToken  String    Auth token generated for checking the request status periodically

The server can return AuthStatus with one of the following values:

Status                 Description
------                 -----------
Success                Successful authentication
InvalidUser            User is invalid
DoesNotExist           User does not exist
UnpairedUser           User exists but is not active (no registered phone/device)
LockedUser             User is locked by an administrator, or the user's device is in Lock status
NoResponse             User did not respond to the request
NoResponseTimeout      User did not respond to the request
Alert                  Auth request is flagged as an alert (suspicious activity)
Denied                 User/server denied the request
Denied by Geofencing   Request is denied by the Geofencing policy
Denied by Policy       Request is denied by another policy
No Location            Request is denied because the user's device/phone was not able to confirm the user's location
LogError               Server internal error
Password               Indicates the user is using a password as an authentication method
WaitingForResponse     Indicates an async call. Use AsyncLoginToken to check the auth request status.

If an admin has enabled the "Auto-provisioning" feature in the Admin portal and FirstName and LastName were provided in the request, the API creates the user (if it does not already exist) and returns the UnpairedUser status in the response.

POST /Generic/CheckLoginToken

Checks the auth request status by the token received from /Generic/LoginAsync.

Request: the encrypted payload is the async login token received from /Generic/LoginAsync.

Example Response in JSON:

Attribute         Type      Description
---------         ----      -----------
Succeeded*        Boolean   Indicates the login process status
Message*          String    Error message from the server
Value.AuthStatus  String    Authentication status of the user
Value.Username    String    User's email as an identifier

AuthStatus can have one of the following values:

Status              Description
------              -----------
Success             Successful authentication
NoResponse          No response from the user
NoResponseTimeout   No response from the user
Alert               Request outdated
Denied              Denied by the user
No Location         No location from the phone
LogError            Internal error
WaitingForResponse  Still waiting for the user to respond

POST /Generic/CancelLogin

Cancels the authentication request by token received from /Generic/LoginAsync.

Request: the encrypted payload is the async login token received from /Generic/LoginAsync.

Example Response in JSON:

Attribute   Type      Description
---------   ----      -----------
Succeeded*  Boolean   Value indicating that the login was canceled
Message*    String    Error message if something goes wrong

POST /Generic/SearchForPhone

Checks whether the user has responded to the request.

Request: the encrypted payload is the username.

Example Response in JSON:

Attribute   Type      Description
---------   ----      -----------
Succeeded*  Boolean   Indicates the login process status
Message*    String    Error message from the server
Value       Boolean   True if the user is responding

Copyright © 2020 LogMeIn, Inc. All Rights Reserved