Passky


Self-Hosted

Secure, lightweight password manager for the modern user

Updated Nov 5, 2024

Overview


Passky is a lightweight, open‑source password manager designed for self‑hosting. At its core, the application functions as a secure vault that encrypts all user data client‑side using **XChaCha20** before persisting it to the server. The master password is protected with **Argon2id**, ensuring resistance against brute‑force attacks while keeping latency low. The server exposes a RESTful API that the web, desktop, and mobile clients consume, allowing developers to integrate Passky into existing authentication flows or CI/CD pipelines.


Key Features

  • Zero‑Trust Architecture – All sensitive data is encrypted locally; the server never sees plaintext credentials.
  • Multi‑Factor Authentication – Supports both software and hardware TOTP, with optional WebAuthn for FIDO2 devices.
  • Import/Export – Seamless migration from popular managers (1Password, Bitwarden, KeePass) via JSON or CSV.
  • Internationalization & Theming – 25‑language support and a plug‑in style API for custom themes.

Technical Stack

  • Backend: Node.js (TypeScript) with Express/Koa, leveraging argon2 and libsodium-wrappers for cryptography.
  • Database: PostgreSQL (or SQLite for lightweight deployments) storing encrypted blobs and metadata.
  • Authentication: JWT‑based session tokens, optional OAuth2 provider integration.
  • Frontend: React (Vite) for the web UI, Electron wrapper for desktop, and native Android/iOS clients.

Core Capabilities

  • CRUD API for vault items (/api/items) with support for tags, categories, and sharing.
  • Webhooks: Triggered on item creation, update, or deletion, enabling automation (e.g., sync with corporate SSO).
  • Plugin System: Developers can write custom middleware in Node.js to extend authentication, logging, or data transformation.
  • Audit Log: Immutable event stream for compliance and forensic analysis.

Deployment & Infrastructure

Passky is container‑first: a single Docker image (passky/server) exposes ports 80 and 443. For production, pair it with a reverse proxy (NGINX/Traefik) and Let’s Encrypt for TLS. The repository includes a docker-compose.yml that spins up the server and PostgreSQL with minimal configuration. Horizontal scaling is supported via a stateless API layer; only the database holds state, making read replicas straightforward.

Integration & Extensibility

  • SDKs: Lightweight client libraries in JavaScript/TypeScript and Go for programmatic access.
  • Custom Authentication: Override the default login flow by providing a custom Express middleware that validates against LDAP or SAML.
  • Data Export: The API can stream encrypted backups, which can be decrypted client‑side with the master key.
  • Theme API: Expose CSS variables and JSON theme descriptors that clients can load at runtime.

Developer Experience

The project follows semantic versioning and maintains a comprehensive API reference in the docs/ directory. Community support is active on GitHub Discussions, and contributors are encouraged to submit pull requests for new features or language packs. Licensing is MIT, ensuring no restrictions on commercial use.

Use Cases

  • Enterprise Password Vault – Deploy Passky behind an internal VPN, integrate with LDAP for single‑sign‑on, and use webhooks to sync credentials into CI pipelines.
  • Developer Tooling – Embed the API in a local dev environment to store API keys, SSH credentials, and secrets while keeping them encrypted on disk.
  • Open‑Source Projects – Host a self‑managed instance for contributors to share credentials securely without relying on third‑party services.

Advantages

  • Performance – XChaCha20 offers near‑native encryption speeds, keeping latency under 5 ms for typical payloads.
  • Flexibility – The API is language‑agnostic; any client that can perform HTTP requests and handle JSON can interact with Passky.
  • Privacy – Zero‑trust guarantees mean the server cannot reconstruct passwords, satisfying strict compliance regimes.
  • Cost – Free and open source; no subscription fees for unlimited password storage in the premium tier.

Passky’s design prioritizes developer control, security, and ease of integration, making it an attractive choice for teams that need a customizable, self‑hosted password manager.
