Teampass

TeamPass is a PHP‑based web application that functions as a collaborative password manager. At its core, it stores encrypted credentials, documents, and related metadata in a relational database while exposing fine‑grained access control to team members. The application is released under the GNU GPL‑3.0, ensuring that developers can inspect, modify, and redistribute the code without licensing constraints. TeamPass’s architecture is intentionally lightweight: it runs on a standard LAMP stack (Linux, Apache/Nginx, MySQL/MariaDB, PHP 8+) and can be deployed behind a reverse proxy or within a Docker container with minimal configuration.

Technical Stack

• Language & Frameworks: Pure PHP (≥ 7.4) with a custom MVC‑like structure; no heavy frameworks, which keeps the codebase approachable. The UI is built with Bootstrap 4/5 and jQuery, allowing developers to replace or extend the front‑end without touching the core logic.
• Encryption: Uses the Defuse PHP Encryption library, a battle‑tested cryptographic wrapper that implements AES‑256 in GCM mode. All sensitive fields (passwords, notes) are encrypted at rest; the master key is derived from a user‑supplied passphrase via PBKDF2.
• Database: MySQL/MariaDB is the default, but the schema is straightforward enough that switching to PostgreSQL or SQLite is feasible with minor adjustments. The database layer uses PDO with prepared statements, mitigating SQL injection risks.
• Session & Auth: Implements a custom session handler that stores tokens in the database, supporting multi‑factor authentication via TOTP (RFC 6238) and optional LDAP integration.

Core Capabilities & APIs

• Fine‑Grained ACLs: Items can be shared with individual users or groups, each with distinct permissions (read, write, delete). ACLs are stored as JSON blobs in the database, allowing developers to extend or replace them with custom policies.
• Item Types: Beyond plain passwords, TeamPass supports URLs, files (encrypted uploads), and custom fields. Each type can be extended through the plugin system.
• REST‑like Endpoints: While not a full REST API, TeamPass exposes JSON endpoints for CRUD operations on items and groups. These can be wrapped into a proper API layer or consumed directly by custom scripts.
• Webhooks & Events: The core triggers PHP callbacks on events such as item creation, update, or deletion. Developers can hook into these to integrate with external systems (e.g., Slack notifications, CI pipelines).

Deployment & Infrastructure

TeamPass is designed for self‑hosting on commodity hardware. A single Docker image (teampass/teampass) bundles the PHP runtime, Apache/Nginx, and all dependencies. For scaling, horizontal replication is straightforward: multiple application instances can share the same MySQL database and a shared filesystem (e.g., NFS or cloud‑based object storage) for encrypted files. The application supports HTTPS out of the box and can be placed behind a load balancer for high availability.

Integration & Extensibility

The plugin architecture is intentionally minimalistic: a plugins/ directory where each sub‑folder contains PHP classes implementing specific interfaces (ItemTypeInterface, AuthProviderInterface). Developers can add new item types, authentication backends (OAuth2, SAML), or UI widgets without modifying the core. The public API documentation is hosted on GitHub and includes sample code snippets for common integration patterns.

Developer Experience

TeamPass’s documentation is comprehensive, covering installation, configuration, and plugin development. The source repository is actively maintained with a clear issue triage process and a supportive community on GitHub Discussions. Because the code is modular, developers can cherry‑pick components or fork the project for custom enterprise features. The licensing (GPL‑3.0) ensures that any derivative work remains open source, fostering collaboration.

Use Cases

• Enterprise Credential Management: Organizations can host TeamPass on their intranet, ensuring that secrets are stored in a single, auditable location while still allowing role‑based sharing.
• DevOps Automation: CI/CD pipelines can programmatically retrieve credentials via the JSON endpoints, enabling secure deployment scripts.
• Open‑Source Projects: Maintainers can host a shared credential store for contributors, with fine‑grained access to CI tokens or API keys.
• Educational Environments: Universities can use TeamPass as a teaching tool for secure password handling, allowing students to experiment with encryption and access controls.

Advantages

TeamPass offers a blend of performance, flexibility, and open‑source freedom that sets it apart from commercial password managers. Its lightweight PHP codebase runs efficiently on modest hardware, while the modular plugin system allows developers to tailor functionality precisely. The GPL‑3.0 license guarantees that enhancements remain community‑owned, and the active development cycle ensures timely security updates. For developers needing a self‑hosted, extensible password manager that can be integrated into existing workflows or extended with custom logic, TeamPass delivers a robust and technically sound foundation.