LastPass has no public REST API for individual vault access — this is intentional for security. For enterprise customers, LastPass offers an Enterprise Admin API for user provisioning and policy management. For building authentication and password management features in Bolt apps, use Auth0, Okta, or Supabase Auth instead. This guide covers the Enterprise API pattern and recommends the right tool for each use case.
LastPass and Bolt.new: Understanding the Intentional API Limitation
LastPass is a password manager. Unlike most SaaS tools, it does not provide a REST API for reading vault contents — and this is intentional security design, not an oversight. Vault data is encrypted client-side using the user's master password before it ever reaches LastPass servers. LastPass servers store only encrypted blobs. This zero-knowledge architecture means even LastPass cannot read your passwords, so there is no API endpoint that could return them. Any password manager claiming to offer a vault-reading REST API should raise immediate security concerns.
What LastPass does offer is the LastPass Enterprise Admin API — a limited HTTP API available exclusively to LastPass Enterprise and Teams plan customers. This API allows IT administrators to automate user management: create and delete user accounts, assign users to groups, manage sharing policies, and audit user activity. It is designed for IT automation workflows (onboarding/offboarding employees, syncing with HR systems), not for building authentication features inside web applications.
If you are building a Bolt.new app and wondering how to add login, user accounts, or credential management, LastPass is not the right tool. LastPass stores existing credentials — it does not issue authentication tokens, verify user identities for web applications, or act as an identity provider. The right tools for authentication in Bolt apps are Auth0 (feature-rich, generous free tier), Okta (enterprise identity), Supabase Auth (included with your Supabase backend), or Clerk (React-native, Bolt-friendly). This tutorial is honest about the LastPass API's limited scope and guides you to the right solution for your actual use case.
Integration method
LastPass deliberately has no REST API for reading vault contents — vault data is client-side encrypted and never readable by LastPass servers. The available integration is the LastPass Enterprise Admin API, which is restricted to enterprise administrators for user provisioning, group management, and policy enforcement. For any authentication or credential management feature inside a Bolt app, you should use a purpose-built identity provider like Auth0 or Supabase Auth. This guide covers the enterprise API pattern and the right tool selection for common use cases.
Prerequisites
- LastPass Enterprise or Teams plan (required for the Enterprise Admin API — individual LastPass accounts have no API access)
- LastPass account number and provisioning hash from your LastPass Enterprise admin dashboard
- A Bolt.new project using Next.js for API routes
- Understanding that the LastPass API manages users only — it does not provide access to vault passwords
- For authentication features: an Auth0, Okta, or Supabase account as the actual identity provider
Step-by-step guide
Step 1: Understand What the LastPass API Can and Cannot Do
Before writing any code, it is essential to understand the exact scope of the LastPass API so you build the right solution for your use case.

The LastPass Enterprise Admin API (documented at lastpass.com/enterprise_apidoc.php) provides these operations: create users, delete users, update user group memberships, disable/enable user accounts, list users and groups, and retrieve usage reports. All of these are user management operations: creating accounts in the LastPass system and organizing them.

The API does NOT provide: reading vault contents (impossible by design, because of zero-knowledge encryption), writing passwords to vaults, authenticating users for your web application, issuing JWT tokens or session credentials, or any form of SSO/SAML integration from a developer API.

The API is authenticated via a hashed combination of your LastPass Enterprise account number and a provisioning hash, sent as an HTTP POST parameter. There is no OAuth flow and no Bearer tokens, just a simple API key approach. API calls are POST requests to https://lastpass.com/enterpriseapi.php with a JSON body containing the command and credentials.

If your use case is 'I want my Bolt app to have user accounts and login', use Auth0, Supabase Auth, or Clerk. These are designed for app authentication. LastPass is for storing credentials that humans use via their browser extension or mobile app, not for app-to-app authentication.

If your use case is 'I need to automate employee onboarding/offboarding in LastPass Enterprise', then the Enterprise Admin API is exactly right, and this tutorial covers that path in the steps below.
```ts
// The LastPass Enterprise API endpoint
// POST https://lastpass.com/enterpriseapi.php
// Content-Type: application/json
//
// All requests follow this structure:
// {
//   "cid": "your_company_account_number",
//   "provhash": "your_provisioning_hash",
//   "cmd": "command_name",
//   "data": { ...command-specific data... }
// }
//
// Available commands:
//   - getuserdata: list all users and their info
//   - batchadd: create new users
//   - batchdelete: delete/deactivate users
//   - groupuseradd: add user to a group
//   - groupuserdelete: remove user from group
//
// There is NO command to:
//   - read vault contents
//   - authenticate app users
//   - issue tokens for your web app
```

Pro tip: The LastPass Enterprise API provisioning hash is different from your personal LastPass master password. Find it in LastPass Enterprise Admin Dashboard → Advanced → Enterprise API → Provisioning Hash. Keep it secret — it grants full admin control over your LastPass account.
Expected result: You have a clear understanding of whether the LastPass Enterprise API matches your use case. If you need app authentication rather than user provisioning, proceed to the Auth0 alternative in Step 4. If you need enterprise user provisioning, continue to Step 2.
Step 2: Set Up LastPass Enterprise API Credentials
For enterprise user provisioning, retrieve your LastPass API credentials from the LastPass Enterprise Admin Dashboard. Log into your LastPass Enterprise admin console at lastpass.com/enterpriseadmin/. Navigate to Advanced → Enterprise API. Here you will find your Company Account Number (a numeric ID) and can generate a Provisioning Hash, a long hexadecimal string that authenticates API requests.

The Provisioning Hash grants full administrative control over your LastPass Enterprise account: it can create, modify, and delete any user. Treat it like a root password. Store it only in server-side environment variables and never include it in client-side code, commit it to version control, or log it.

In your Bolt project, add these to the .env file: LASTPASS_ACCOUNT_NUMBER (the numeric company ID) and LASTPASS_PROVISION_HASH (the hex provisioning hash). Both are used in every API request and should be server-side only, so no NEXT_PUBLIC_ prefix.

The LastPass Enterprise API does not have a sandbox or test environment. All API calls affect your live LastPass enterprise account. For testing, create a set of test user email addresses that you control (e.g., testuser1+lastpass@yourcompany.com) and use those for development. Clean up test users after development to avoid billing for unused accounts.

Note that during development in Bolt's WebContainer, outbound HTTPS POST requests to https://lastpass.com/enterpriseapi.php work fine, because the WebContainer supports outbound HTTP/HTTPS. Incoming webhooks (LastPass can push event notifications to a URL) require a deployed endpoint and cannot reach the WebContainer.
Create a .env file with LASTPASS_ACCOUNT_NUMBER=your_company_id and LASTPASS_PROVISION_HASH=your_hex_hash as placeholders. Create lib/lastpass.ts with a lastpassRequest helper function that POSTs to https://lastpass.com/enterpriseapi.php with the account number and provisioning hash in the body. Export typed helper functions: listUsers(), createUser(email, firstName, lastName), deleteUser(username), addUserToGroup(username, groupName). Add TypeScript interfaces for the API response shapes.
Paste this in Bolt.new chat
```ts
// lib/lastpass.ts
// Server-side only: these two values must never reach the client bundle.
const ACCOUNT_ID = process.env.LASTPASS_ACCOUNT_NUMBER!;
const PROV_HASH = process.env.LASTPASS_PROVISION_HASH!;

interface LastPassUser {
  username: string;
  fullname: string;
  mpstrength: string;
  sites: string;
  notes: string;
  formfills: string;
  applications: string;
  attachments: string;
  groups: string[];
}

interface LastPassResponse {
  status: string; // 'FAILED' on error (see Troubleshooting)
  count?: number;
  Users?: Record<string, LastPassUser>;
  errors?: string[]; // populated when status is 'FAILED'
}

async function lastpassRequest(
  cmd: string,
  data?: Record<string, unknown>
): Promise<LastPassResponse> {
  const res = await fetch('https://lastpass.com/enterpriseapi.php', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      cid: ACCOUNT_ID,
      provhash: PROV_HASH,
      cmd,
      data,
    }),
  });
  if (!res.ok) {
    throw new Error(`LastPass API error: ${res.status} ${await res.text()}`);
  }
  const json = (await res.json()) as LastPassResponse;
  // The body may carry a failure status even when the HTTP status is 2xx,
  // e.g. {"status":"FAILED","errors":["Invalid company_id or provision_hash"]}.
  if (json.status === 'FAILED') {
    throw new Error(`LastPass API error: ${(json.errors ?? []).join('; ')}`);
  }
  return json;
}

// List every user in the org, including group memberships.
export async function listUsers(): Promise<LastPassUser[]> {
  const result = await lastpassRequest('getuserdata', { getgroups: true });
  return Object.values(result.Users ?? {});
}

// Create a single user; batchadd accepts an array, so one-element here.
export async function createUser(
  email: string,
  firstName: string,
  lastName: string
): Promise<LastPassResponse> {
  return lastpassRequest('batchadd', {
    op: [{ username: email, firstname: firstName, lastname: lastName }],
  });
}

export async function deleteUser(
  username: string,
  deleteAction: 0 | 1 | 2 = 0
): Promise<LastPassResponse> {
  // deleteAction: 0=deactivate, 1=delete keep data, 2=delete all data
  return lastpassRequest('batchdelete', {
    op: [{ username, deleteaction: deleteAction }],
  });
}

// groupName must match the LastPass group name exactly.
export async function addUserToGroup(
  username: string,
  groupName: string
): Promise<LastPassResponse> {
  return lastpassRequest('groupuseradd', {
    op: [{ username, groupname: groupName }],
  });
}
```

Pro tip: The deleteUser function's deleteAction parameter is important: 0 deactivates the account (user cannot login but data is preserved), 1 permanently deletes the account but preserves shared folder data, 2 permanently deletes everything. For offboarding employees, use 0 initially and move to 1 or 2 after confirming no critical shared data needs to be recovered.
Expected result: The LastPass API client is configured with credentials from .env. Calling listUsers() in a test API route returns your org's user list. The create, delete, and group management helpers are ready to use.
Step 3: Build Employee Provisioning API Routes
With the LastPass client utility ready, create the Next.js API routes that your Bolt frontend will call for user provisioning operations. These routes wrap the LastPass API calls with proper input validation, error handling, and authentication to ensure only authorized administrators can trigger provisioning actions.

The most important provisioning operations are: creating a LastPass account when a new employee joins (triggered from an HR system or admin dashboard), adding the new user to the appropriate group based on their department or role, and deactivating or deleting the account when an employee leaves. These three actions cover the core employee lifecycle from a LastPass perspective.

Input validation is critical here: the username is an email address, so validate email format before calling the API. Group names must match exactly the group names configured in LastPass Enterprise; a typo means the user is not added to their correct group. Consider fetching the list of available groups from the API and using a dropdown selector in the UI to prevent typos.

For the admin UI side, build a simple table of current LastPass users fetched from the getuserdata command, a form to add new users with first name, last name, email, and group selection, and action buttons for deactivating users. Bolt can scaffold this entire admin panel UI from a prompt: describe the table, form, and action buttons and it will generate production-quality React components.
Create Next.js API routes for LastPass Enterprise provisioning. Build: POST /api/lastpass/users (create user — validate email format, require firstName and lastName), DELETE /api/lastpass/users/[username] (deactivate user — default deleteAction=0), POST /api/lastpass/users/[username]/groups (add user to group), GET /api/lastpass/users (list all users with their groups). Add basic API key authentication — check an x-admin-key header against an ADMIN_API_KEY environment variable. Import from lib/lastpass.ts. Return appropriate HTTP status codes and descriptive error messages.
Paste this in Bolt.new chat
```ts
// app/api/lastpass/users/route.ts
import { NextResponse } from 'next/server';
import { listUsers, createUser } from '@/lib/lastpass';

function checkAdminKey(request: Request): boolean {
  return request.headers.get('x-admin-key') === process.env.ADMIN_API_KEY;
}

export async function GET(request: Request) {
  if (!checkAdminKey(request)) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }
  try {
    const users = await listUsers();
    return NextResponse.json(users);
  } catch (error: unknown) {
    const e = error as { message: string };
    return NextResponse.json({ error: e.message }, { status: 500 });
  }
}

export async function POST(request: Request) {
  if (!checkAdminKey(request)) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }
  try {
    const { email, firstName, lastName } = await request.json();
    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
    if (!email || !emailRegex.test(email)) {
      return NextResponse.json({ error: 'Invalid email address' }, { status: 400 });
    }
    if (!firstName?.trim() || !lastName?.trim()) {
      return NextResponse.json({ error: 'First and last name are required' }, { status: 400 });
    }
    const result = await createUser(email, firstName.trim(), lastName.trim());
    return NextResponse.json(result, { status: 201 });
  } catch (error: unknown) {
    const e = error as { message: string };
    return NextResponse.json({ error: e.message }, { status: 500 });
  }
}
```

Pro tip: Protect admin API routes with at minimum a static API key (ADMIN_API_KEY in .env) checked via a header. For a real internal admin tool, add proper authentication using Auth0 or Supabase Auth so only authenticated admin users can access the provisioning routes.
Expected result: POST /api/lastpass/users creates a new LastPass user and returns success. GET /api/lastpass/users lists all users in the org. DELETE /api/lastpass/users/[username] deactivates the specified user. All routes require the x-admin-key header.
Step 4: Use Auth0 for App Authentication (Recommended Alternative)
If your goal is to add login, user accounts, and authentication to your Bolt app, rather than to manage enterprise LastPass accounts, then Auth0 is the correct integration to use. Auth0 is an identity platform specifically built for web and mobile application authentication. It provides what LastPass deliberately does not: the ability to verify who a user is, issue JWT tokens, manage user sessions, and protect routes in your application.

Auth0's free tier supports 7,500 monthly active users and unlimited logins, more than enough for most Bolt projects. It supports dozens of social login providers (Google, GitHub, Apple), email/password login with automatic password hashing and storage, magic link (passwordless) login, multi-factor authentication, and comprehensive user management.

The Auth0 Next.js SDK (@auth0/nextjs-auth0) integrates with the App Router through a single dynamic route handler. Users are redirected to Auth0's hosted login page (you can customize its appearance), authenticate, and are redirected back to your app with a session. The SDK manages token refresh automatically. Protected routes check the session server-side using the getSession() function from the SDK.

In Bolt's WebContainer, Auth0 login redirects work correctly during development because the preview URL is a real HTTPS URL that Auth0 can redirect back to. Set your Auth0 application's Allowed Callback URLs to include the Bolt preview URL. After deployment, add your Netlify or Vercel URL to the allowed list as well.
Add Auth0 authentication to my Next.js Bolt app. Install @auth0/nextjs-auth0. Create app/api/auth/[auth0]/route.ts with the handleAuth() handler. In app/layout.tsx, wrap the children with UserProvider from @auth0/nextjs-auth0. Create a /login route that redirects to Auth0. Create a protected /dashboard route that checks authentication via getSession() and redirects to /login if not authenticated. Show a logout button with user's avatar and name when logged in. Add these env variables to .env: AUTH0_SECRET (generate with: openssl rand -hex 32), AUTH0_BASE_URL=http://localhost:3000, AUTH0_ISSUER_BASE_URL=https://your-tenant.auth0.com, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET.
Paste this in Bolt.new chat
```tsx
// app/api/auth/[auth0]/route.ts
import { handleAuth } from '@auth0/nextjs-auth0';
export const GET = handleAuth();

// app/dashboard/page.tsx
import { getSession } from '@auth0/nextjs-auth0';
import { redirect } from 'next/navigation';

export default async function Dashboard() {
  const session = await getSession();
  if (!session) redirect('/api/auth/login');

  const { user } = session;
  return (
    <div className="p-8">
      <div className="flex items-center gap-4 mb-6">
        {user.picture && (
          <img
            src={user.picture}
            alt={user.name ?? 'User'}
            className="w-12 h-12 rounded-full"
          />
        )}
        <div>
          <h1 className="text-2xl font-bold">{user.name}</h1>
          <p className="text-gray-500">{user.email}</p>
        </div>
        <a
          href="/api/auth/logout"
          className="ml-auto px-4 py-2 bg-red-500 text-white rounded hover:bg-red-600"
        >
          Logout
        </a>
      </div>
      <p>Welcome to your dashboard!</p>
    </div>
  );
}
```

Pro tip: In Bolt's WebContainer preview, set AUTH0_BASE_URL to the Bolt preview URL (starts with https://bolt.new or similar). Auth0 requires the callback URL to match exactly. Update AUTH0_BASE_URL and Auth0's Allowed Callback URLs each time the preview URL changes — or deploy to Netlify for a stable URL.
Expected result: Auth0 authentication works in the Bolt preview. Clicking Login redirects to the Auth0 login page. After logging in with Google or email/password, users are redirected back to /dashboard with their profile displayed. The Logout button ends the session.
Step 5: Deploy the Admin Portal to Netlify
Whether you are building the LastPass Enterprise provisioning admin tool or the Auth0-authenticated dashboard, deploying to Netlify gives you a stable public URL and proper environment variable management. Deploy via Bolt's Settings → Applications → Netlify → Publish.

After deployment, set environment variables in Netlify Dashboard → Site Settings → Environment Variables. For the LastPass integration: add LASTPASS_ACCOUNT_NUMBER, LASTPASS_PROVISION_HASH, and ADMIN_API_KEY. For Auth0: add AUTH0_SECRET, AUTH0_ISSUER_BASE_URL, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, and update AUTH0_BASE_URL to your Netlify domain.

For the Auth0 integration specifically, you must add the Netlify URL to Auth0's application settings: go to Auth0 Dashboard → Applications → your app → Settings → Allowed Callback URLs and add https://your-app.netlify.app/api/auth/callback. Do the same for Allowed Logout URLs: https://your-app.netlify.app.

LastPass Enterprise incoming webhooks (LastPass can push event notifications to a URL when user activity occurs) require the deployed Netlify URL. Create a POST /api/webhooks/lastpass route to receive these events. Register the URL in LastPass Enterprise Admin → Advanced → SIEM. Since Bolt's WebContainer has no public URL, webhook testing is only possible after deployment. During development, simulate webhook payloads by calling your API route directly from the Bolt preview with test JSON payloads.
Prepare my app for Netlify deployment. Create netlify.toml with build command 'npm run build', publish directory '.next', Node version 20, and @netlify/plugin-nextjs plugin. Create a POST /api/webhooks/lastpass route that receives LastPass Enterprise SIEM events (JSON body with user, action, and timestamp fields) and logs them. Add a GET /api/health endpoint that returns app status and lists which environment variables are configured (without exposing their values).
Paste this in Bolt.new chat
```toml
# netlify.toml
[build]
  command = "npm run build"
  publish = ".next"

[build.environment]
  NODE_VERSION = "20"

[[plugins]]
  package = "@netlify/plugin-nextjs"
```

Pro tip: After deploying to Netlify, test the LastPass API connection immediately by visiting /api/lastpass/users (with the correct admin key header) from a REST client like Postman. If it fails, check Netlify's function logs for the specific error — the most common issue is missing or misspelled environment variables.
Expected result: The app is deployed to Netlify with all environment variables configured. LastPass Enterprise API calls work in production. Auth0 authentication works with the Netlify URL registered in Auth0's allowed callback URLs.
Common use cases
Enterprise User Provisioning Automation
If your organization uses LastPass Enterprise, you can automate user account creation and deactivation when employees join or leave. A Bolt-built admin portal can trigger the LastPass Enterprise API to add users to the correct groups and apply policy sets, integrated with your HR or identity system. This is the primary legitimate use of the LastPass API from an application.
Build an employee onboarding tool that calls the LastPass Enterprise Admin API. Create a POST /api/lastpass/provision route that accepts {email, firstName, lastName, groups} and calls the LastPass Enterprise API to create the user and assign them to the specified groups. Read LASTPASS_ACCOUNT_NUMBER and LASTPASS_PROVISION_HASH from environment variables. Create a simple admin form UI where I can enter a new employee's details and provision their LastPass account with a single click.
Copy this prompt to try it in Bolt.new
API Key Management Workflow (No API Required)
For developers using Bolt.new who want to organize their API credentials securely, LastPass Vault (without any API) is a practical tool: store each service's API key, secret, and any notes as a secure note or password entry. When starting a new Bolt project, retrieve the relevant keys from LastPass and paste them into the Bolt .env file. This is a workflow tip rather than an API integration — but it is how most individual developers actually use LastPass with Bolt.
Create a .env file for my Bolt project with placeholder entries for all the API keys I need: STRIPE_SECRET_KEY, OPENAI_API_KEY, SENDGRID_API_KEY, SUPABASE_URL, SUPABASE_ANON_KEY. Add a comment above each variable explaining where to find it. Create a .env.example file that I can commit to version control with the same variables but empty values.
Copy this prompt to try it in Bolt.new
Authentication Feature Using Auth0 Instead of LastPass
If you searched for 'LastPass integration' because you want to add login and user accounts to a Bolt app, Auth0 is the right choice. Auth0 is a dedicated identity provider with social login (Google, GitHub), email/password, MFA, and a comprehensive dashboard. It integrates with Next.js via the Auth0 Next.js SDK and works perfectly in Bolt's WebContainer for development.
Add Auth0 authentication to my Next.js Bolt app. Install @auth0/nextjs-auth0. Create the Auth0 API route at app/api/auth/[auth0]/route.ts. Wrap my app layout with UserProvider. Add a login button that redirects to Auth0. Create a protected /dashboard route that requires authentication and shows the logged-in user's name and email. Read AUTH0_SECRET, AUTH0_BASE_URL, AUTH0_ISSUER_BASE_URL, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET from environment variables.
Copy this prompt to try it in Bolt.new
Troubleshooting
LastPass API returns '{"status":"FAILED","errors":["Invalid company_id or provision_hash"]}'
Cause: The LASTPASS_ACCOUNT_NUMBER or LASTPASS_PROVISION_HASH values are incorrect. The account number is a numeric ID, and the provision hash is a long hex string — both must match exactly what is shown in the LastPass Enterprise Admin Dashboard.
Solution: Log into your LastPass Enterprise admin console at lastpass.com/enterpriseadmin/, go to Advanced → Enterprise API, and copy both values again. Ensure there are no trailing spaces or line breaks in your .env file values. The provisioning hash is case-sensitive.
Auth0 login redirects back to app with 'Callback URL mismatch' error
Cause: The URL that Auth0 redirected back to (your app's /api/auth/callback) does not exactly match any URL in Auth0's Allowed Callback URLs list for this application.
Solution: Go to Auth0 Dashboard → Applications → your application → Settings. In 'Allowed Callback URLs', add the exact URL being used: for Bolt preview, add https://your-bolt-preview-url.bolt.new/api/auth/callback. For Netlify, add https://your-app.netlify.app/api/auth/callback. URL matching is exact — http vs https, trailing slashes, and subdomains all matter.
LastPass API call succeeds in Bolt preview but fails after Netlify deployment
Cause: Environment variables were not added to Netlify before deployment, or were added after the last deploy (Netlify does not automatically redeploy when you add environment variables).
Solution: In Netlify Dashboard → Site Settings → Environment Variables, verify all variables are present. Then trigger a manual redeploy: Netlify Dashboard → Deploys → 'Trigger deploy' → 'Deploy site'. The new deploy will pick up the environment variables.
Best practices
- Never search for a 'LastPass vault API' — no such API exists by design, and any third-party claiming to offer one is a security risk
- Store the LastPass Provisioning Hash in server-side environment variables only — it grants full admin control over your enterprise account and must never appear in client code or version control
- Use Auth0, Supabase Auth, or Clerk for application authentication in Bolt apps — LastPass is a credential manager for humans, not an identity provider for web apps
- Use the deleteaction=0 (deactivate) option when offboarding employees rather than permanent deletion, to allow data recovery if needed within your retention period
- Protect admin API routes that call LastPass with both an API key check and ideally a full authentication layer, since these routes can create and delete user accounts
- The LastPass Enterprise API has no sandbox — test with disposable test email addresses and clean up after development
- During Bolt WebContainer development, outbound calls to LastPass API work fine — only incoming webhook events from LastPass require a deployed URL
Alternatives
Auth0 is a dedicated identity provider for web apps — it handles user authentication, JWT tokens, social login, and MFA, making it the right choice when you need login functionality in a Bolt app rather than a password manager.
Okta is an enterprise identity platform with robust API for user provisioning, SSO, and directory sync — a stronger choice than LastPass's admin API for enterprise user lifecycle management at scale.
Duo Security specializes in multi-factor authentication and can layer MFA on top of existing identity systems — useful for adding security to enterprise portals without replacing the existing directory.
Frequently asked questions
Why does LastPass not have an API for reading vault passwords?
LastPass uses zero-knowledge encryption: vault data is encrypted client-side with the user's master password before it reaches LastPass servers. LastPass servers only store encrypted ciphertext — they cannot decrypt it and therefore cannot expose it via an API. This is a deliberate security architecture. Any tool that could read your vault via an API would mean LastPass stores your keys in a retrievable form, which would be a major security vulnerability.
Can I use LastPass to manage API keys for my Bolt projects?
Yes, as a manual workflow without any API integration. Store each project's API keys as Secure Notes in your LastPass vault, organized by project or service. When setting up a new Bolt project, retrieve the relevant keys from the LastPass browser extension and paste them into the Bolt .env file. This is how most individual developers use LastPass alongside Bolt — there is no programmatic connection needed.
Does the LastPass Enterprise API work in Bolt's WebContainer preview?
Yes, for outbound calls. Bolt's WebContainer supports outbound HTTPS requests, so POST calls to https://lastpass.com/enterpriseapi.php work in the preview. You can test user listing, creation, and deactivation directly in the Bolt preview. Incoming webhooks from LastPass (SIEM event notifications) require a publicly accessible HTTPS URL and cannot reach the WebContainer — test those after deploying to Netlify.
What is the LastPass Enterprise API pricing?
The Enterprise Admin API is included with LastPass Enterprise (currently $7/user/month billed annually) and LastPass Teams plans. It is not available on individual LastPass accounts (Free, Premium, or Families). There are no separate API call fees — API usage is included in the subscription.
Can LastPass be used as an SSO provider for my Bolt app?
LastPass does offer SSO capabilities (LastPass SSO product), but these use SAML 2.0 rather than a developer API — they are designed for enterprise IT administrators to configure SSO for SaaS applications, not for developers to implement custom OAuth flows. For SSO in a Bolt app, Auth0 (supports SAML, OIDC, and custom connections) or Okta is the right choice.