To integrate Replit with LastPass Enterprise, store your LastPass API key in Replit Secrets, then call the LastPass Enterprise API from your server-side code to provision users, manage shared folders, and audit activity. The integration works via standard HTTPS requests β no SDK required, and all credentials stay secure in Replit's encrypted secrets store.
Automate Password Management with LastPass and Replit
LastPass Enterprise provides a REST API that allows IT teams and developers to automate the most time-consuming password management tasks: onboarding new employees, offboarding departing staff, managing shared folder access, and exporting audit logs for compliance. When combined with Replit, these operations can be turned into web services, scheduled jobs, or integration endpoints that connect to your HR system or identity provider.
Replit is an ideal environment for this type of automation because it runs server-side Node.js or Python code continuously, can expose secure webhook endpoints, and keeps your API credentials encrypted in its built-in Secrets panel. You never need to manage infrastructure β just write your provisioning logic, deploy on Replit Autoscale, and your LastPass automation runs reliably in the cloud.
Common use cases include syncing new hires from an HR platform (like Workday or BambooHR) into LastPass, revoking access immediately when someone leaves, and generating weekly security audit reports. This tutorial walks through setting up the API connection, writing provisioning code in both Python and Node.js, and deploying a production-ready service on Replit.
Integration method
The LastPass Enterprise API accepts HTTPS requests authenticated with your account-specific API key and provisioning hash. You call the API from your Replit server-side code (Node.js or Python) to manage users and shared folders. All secrets are stored securely in Replit's encrypted Secrets panel.
Prerequisites
- A LastPass Business or Enterprise account with API access enabled
- Your LastPass Enterprise API key and account provisioning hash (from Admin Console > Advanced > Enterprise API)
- A Replit account (free tier works for testing; Replit Core recommended for production)
- Basic familiarity with Node.js (Express) or Python (Flask)
- An understanding of REST API calls using fetch, axios, or the requests library
Step-by-step guide
Enable the LastPass Enterprise API and Retrieve Credentials
Enable the LastPass Enterprise API and Retrieve Credentials
Before writing any code, you need to enable API access in your LastPass Admin Console and collect your credentials. Log in to the LastPass Admin Console at lastpass.com/enterprise_console. In the left sidebar, navigate to Advanced Options, then select Enterprise API. If API access is not yet enabled, click Enable API Access and confirm. Once enabled, you will see your Account Number (the numeric ID for your enterprise account) and you will need to create a Provisioning Hash β this is a separate credential used specifically for user provisioning calls. To generate your Provisioning Hash, go to Admin Console > Company Settings > General and look for the Provisioning API section. Copy the hash displayed there. You will also need your standard API key, which is shown in the Enterprise API page. Note that the LastPass API uses a combination of your Account Number plus the API key for authentication headers, while provisioning operations use the Provisioning Hash. Keep both values safe β you will add them to Replit Secrets in the next step. Never paste these credentials directly into your code files, as Replit's Secret Scanner will flag them and they could be exposed if your Repl is made public.
Pro tip: LastPass has two separate credential sets: the Enterprise API key for reporting/audit calls, and the Provisioning Hash for user management calls. Make sure you collect both.
Expected result: You have your LastPass Account Number, API Key, and Provisioning Hash saved in a secure local note, ready to add to Replit Secrets.
Store API Credentials in Replit Secrets
Store API Credentials in Replit Secrets
Replit Secrets is the correct and secure place to store your LastPass credentials. Never hardcode API keys in your source files β Replit's Secret Scanner monitors your code and will warn you if it detects exposed credentials, but it's best practice to use Secrets from the start. Open your Replit project. In the left sidebar, click the lock icon (π) labeled Secrets. Click the + New Secret button. Create three secrets: set LASTPASS_ACCOUNT_NUMBER to your numeric account ID, LASTPASS_API_KEY to your API key value, and LASTPASS_PROVISIONING_HASH to your provisioning hash. Each secret is encrypted at rest and injected into your server process as environment variables at runtime. In your Python code, access them with os.environ['LASTPASS_API_KEY']. In Node.js, use process.env.LASTPASS_API_KEY. If you add secrets while your Repl is already running, stop and restart it β secrets are only injected at process startup. You can verify the secrets are loaded by adding a quick startup log: console.log('API key loaded:', !!process.env.LASTPASS_API_KEY) which prints true without exposing the value.
1# Python β verify secrets are loaded at startup2import os34required_secrets = ['LASTPASS_ACCOUNT_NUMBER', 'LASTPASS_API_KEY', 'LASTPASS_PROVISIONING_HASH']5for secret in required_secrets:6 value = os.environ.get(secret)7 if not value:8 raise EnvironmentError(f'Missing required secret: {secret}')9 print(f'{secret}: loaded ({len(value)} chars)')1011print('All LastPass secrets loaded successfully.')Pro tip: After adding new secrets in the Secrets panel, always restart your Repl. Secrets are only injected at process start β a running process won't see newly added secrets until it restarts.
Expected result: Running the check script prints 'All LastPass secrets loaded successfully' without errors, confirming your credentials are accessible to your code.
Build a LastPass API Client
Build a LastPass API Client
The LastPass Enterprise API accepts POST requests to https://lastpass.com/enterpriseapi.php. All requests send a JSON body containing the command name, your account number, and authentication credentials. The response is always JSON. User provisioning calls (create user, delete user, manage groups) use your Provisioning Hash for the apikey field. Reporting and audit calls use your standard API key. Understanding this distinction is important β using the wrong key will return an authentication error. Below is a complete client implementation in both Python and Node.js. The Python version uses the requests library (pre-installed on Replit), and the Node.js version uses the built-in fetch API available in Node 18+. Both implementations follow the same pattern: build the request body with your credentials and command parameters, POST to the API endpoint, and parse the JSON response. Error handling checks for both HTTP errors and API-level error responses returned with a 200 status code.
1# Python LastPass Enterprise API client2import os3import requests4import json56ACCOUNT_NUMBER = os.environ['LASTPASS_ACCOUNT_NUMBER']7API_KEY = os.environ['LASTPASS_API_KEY']8PROV_HASH = os.environ['LASTPASS_PROVISIONING_HASH']9API_URL = 'https://lastpass.com/enterpriseapi.php'1011def lp_request(command, use_provisioning=False, **params):12 """Send a command to the LastPass Enterprise API."""13 payload = {14 'cid': ACCOUNT_NUMBER,15 'provhash': PROV_HASH if use_provisioning else API_KEY,16 'cmd': command,17 'data': params18 }19 response = requests.post(API_URL, json=payload, timeout=30)20 response.raise_for_status()21 result = response.json()22 if result.get('status') == 'FAIL':23 raise ValueError(f"LastPass API error: {result.get('error', 'Unknown error')}")24 return result2526# Provision a new user27def add_user(email, firstname, lastname):28 return lp_request('adduser', use_provisioning=True,29 username=email, firstname=firstname, lastname=lastname)3031# Deactivate a user (0=delete, 1=disable, 2=transfer vault)32def deactivate_user(email, delete_action=1):33 return lp_request('deleteuser', use_provisioning=True,34 username=email, deleteaction=delete_action)3536# Get all users37def list_users():38 return lp_request('getuserdata', use_provisioning=True)3940# Get audit events for date range41def get_events(from_date, to_date):42 return lp_request('reporting', use_provisioning=False,43 from_=from_date, to=to_date)4445if __name__ == '__main__':46 users = list_users()47 print(f"Total users: {len(users.get('Users', {}))}")Expected result: Running the script prints the total number of users in your LastPass Enterprise account, confirming API connectivity and authentication are working correctly.
Create a Node.js Version with Express Endpoints
Create a Node.js Version with Express Endpoints
For teams that prefer JavaScript, here is a complete Node.js implementation using Express to expose LastPass operations as HTTP endpoints. This pattern is useful when you want other systems (like your HR platform or a Slack bot) to trigger LastPass operations via webhook calls to your Replit server. The server exposes three routes: POST /users/provision to create new accounts, DELETE /users/:email to deactivate accounts, and GET /users to list all users. Each route reads credentials from process.env and calls the LastPass API using the native fetch function. The server binds to 0.0.0.0 on port 3000, which is required for Replit's networking to correctly expose the service. For production use, add authentication to these endpoints β for example, require a shared secret header that matches a value in your Replit Secrets. Without authentication, anyone who knows your Replit URL could trigger user provisioning. The example includes a basic API key check via the X-Webhook-Secret header.
1// Node.js Express server for LastPass Enterprise API2const express = require('express');3const app = express();4app.use(express.json());56const ACCOUNT_NUMBER = process.env.LASTPASS_ACCOUNT_NUMBER;7const API_KEY = process.env.LASTPASS_API_KEY;8const PROV_HASH = process.env.LASTPASS_PROVISIONING_HASH;9const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;10const API_URL = 'https://lastpass.com/enterpriseapi.php';1112// Middleware: require webhook secret on all routes13app.use((req, res, next) => {14 if (req.headers['x-webhook-secret'] !== WEBHOOK_SECRET) {15 return res.status(401).json({ error: 'Unauthorized' });16 }17 next();18});1920async function lpRequest(command, useProvisioning = false, data = {}) {21 const payload = {22 cid: ACCOUNT_NUMBER,23 provhash: useProvisioning ? PROV_HASH : API_KEY,24 cmd: command,25 data26 };27 const response = await fetch(API_URL, {28 method: 'POST',29 headers: { 'Content-Type': 'application/json' },30 body: JSON.stringify(payload)31 });32 const result = await response.json();33 if (result.status === 'FAIL') {34 throw new Error(`LastPass API error: ${result.error}`);35 }36 return result;37}3839// POST /users/provision β add a new user40app.post('/users/provision', async (req, res) => {41 const { email, firstname, lastname } = req.body;42 if (!email) return res.status(400).json({ error: 'email required' });43 try {44 const result = await lpRequest('adduser', true, { username: email, firstname, lastname });45 res.json({ success: true, result });46 } catch (err) {47 res.status(500).json({ error: err.message });48 }49});5051// DELETE /users/:email β deactivate a user52app.delete('/users/:email', async (req, res) => {53 try {54 const result = await lpRequest('deleteuser', true, {55 username: req.params.email, deleteaction: 156 });57 res.json({ success: true, result });58 } catch (err) {59 res.status(500).json({ error: err.message });60 }61});6263// GET /users β list all users64app.get('/users', async (req, res) => {65 try {66 const result = await lpRequest('getuserdata', true);67 res.json(result);68 } catch (err) {69 res.status(500).json({ error: err.message });70 }71});7273app.listen(3000, '0.0.0.0', () => console.log('LastPass service running on port 3000'));Pro tip: Add WEBHOOK_SECRET to Replit Secrets and require it as a header on all requests. This prevents unauthorized callers from provisioning or deleting users through your endpoint.
Expected result: The Express server starts on port 3000 and Replit displays a web preview URL. Sending a POST request to /users/provision with a valid email creates a new LastPass user.
Deploy on Replit Autoscale for Production
Deploy on Replit Autoscale for Production
Once your LastPass integration is working in development, deploy it to Replit Autoscale for production reliability. Autoscale is the correct deployment type for this integration because it handles variable traffic (provisioning requests come in bursts during onboarding cycles) and scales to zero when idle, keeping costs low. To deploy, click the Deploy button in the top-right corner of your Replit editor. Select Autoscale deployment. Choose a machine size β for the LastPass API client, 0.25 vCPU and 256MB RAM is sufficient. Set the run command to node index.js (Node.js) or python app.py (Python). Click Deploy and wait 30-60 seconds for the build to complete. After deployment, Replit gives you a permanent production URL (your-repl-name.your-username.repl.co). This URL stays stable and can be registered as a webhook endpoint in your HR system or other triggers. Your Replit Secrets are automatically available in the deployed environment β you do not need to re-enter them. For high-volume provisioning (hundreds of users per batch), consider rate limiting your API calls to stay within LastPass API limits. Add a small delay between requests in batch operations using time.sleep(0.1) in Python or a delay helper in Node.js.
1# .replit deployment configuration2# Add this to your .replit file34# For Node.js:5# [deployment]6# run = ["node", "index.js"]7# deploymentTarget = "cloudrun"8#9# [[ports]]10# internalPort = 300011# externalPort = 801213# For Python:14# [deployment]15# run = ["python", "app.py"]16# deploymentTarget = "cloudrun"17#18# [[ports]]19# internalPort = 300020# externalPort = 80Pro tip: After deploying, test your production endpoint from a tool like Postman or curl before connecting it to your HR system. Verify that the X-Webhook-Secret header is required and that invalid keys get 401 responses.
Expected result: Your Replit Autoscale deployment is live with a permanent URL. Provisioning requests to the /users/provision endpoint successfully create LastPass users and return a 200 response.
Common use cases
Employee Onboarding Automation
When a new employee is added to your HR system, a webhook triggers your Replit server to automatically provision their LastPass Enterprise account, assign them to the correct shared folders for their team, and send a welcome email. This eliminates manual IT tickets and gets new hires access to credentials on day one.
Build a Node.js Express server that receives a webhook from our HR system with a new employee's email and department, then calls the LastPass Enterprise API to create their account and add them to the correct shared folder for their department.
Copy this prompt to try it in Replit
Offboarding and Access Revocation
When HR marks an employee as departed, your Replit service calls the LastPass API to immediately deactivate their account, remove them from all shared folders, and log the action for compliance records. This prevents ex-employees from retaining access to sensitive credentials.
Create a Python Flask endpoint that accepts a POST request with an employee email, calls LastPass Enterprise API to deactivate their account and remove them from all shared folders, then logs the action to a database.
Copy this prompt to try it in Replit
Security Audit Report Generator
A scheduled Replit job fetches LastPass audit event logs daily, filters for security-relevant events (failed logins, password shares, master password changes), and emails a formatted report to your IT security team. This automates compliance reporting without requiring manual log review.
Write a Python script that calls the LastPass Enterprise reporting API to fetch all audit events from the last 24 hours, filters for security events, and formats them into a summary email sent via SendGrid.
Copy this prompt to try it in Replit
Troubleshooting
API returns {"status": "FAIL", "error": "Invalid credentials"}
Cause: The wrong credential set is being used for the command type. Provisioning commands (adduser, deleteuser) require the Provisioning Hash, while reporting commands use the standard API key. Mixing them causes authentication failures.
Solution: Check which command you are calling and ensure you pass the correct credential. In the client code, provisioning commands should set use_provisioning=True (Python) or useProvisioning: true (Node.js). Verify that your Replit Secrets contain the Provisioning Hash separately from the API key.
EnvironmentError: Missing required secret: LASTPASS_API_KEY even though the secret is set
Cause: Secrets added to Replit are only injected at process startup. If you added or changed a secret while the Repl was already running, the running process cannot see the new values.
Solution: Stop the Repl using the Stop button in the editor, then click Run to restart it. The fresh process will pick up all current secret values. In deployed Autoscale instances, redeploying after changing secrets ensures the new values are used.
Requests time out or return connection errors when calling the LastPass API
Cause: The LastPass Enterprise API endpoint (lastpass.com/enterpriseapi.php) requires outbound HTTPS on port 443. Some Replit networking configurations, or VPNs in your local environment, may block this. On free Replit accounts, outbound network access is sometimes restricted.
Solution: Ensure you are on a Replit Core or paid plan for reliable outbound network access. Test connectivity by adding a simple health check that pings the LastPass API with a known-good request. If deploying to Autoscale, outbound internet access is always available.
1import requests2try:3 r = requests.get('https://lastpass.com', timeout=10)4 print('LastPass reachable:', r.status_code)5except Exception as e:6 print('Connection failed:', e)User provisioning succeeds (200 response) but the user never appears in LastPass Admin Console
Cause: The user was created in LastPass but may be in a 'pending' state waiting for email confirmation, or your Admin Console view has a filter applied that hides newly provisioned users.
Solution: In the LastPass Admin Console, go to Users and check the Status filter β set it to show All Users including Pending. New users provisioned via API receive an invitation email and remain in Invited status until they accept. If you want to skip the invitation step, check the LastPass API documentation for the 'autoenroll' parameter.
Best practices
- Always store LastPass credentials (API key, Provisioning Hash, Account Number) in Replit Secrets β never in source code or comments.
- Use the correct credential type for each command: Provisioning Hash for user management operations, API key for reporting and audit queries.
- Protect your Replit provisioning endpoints with a webhook secret or IP allowlist to prevent unauthorized user creation or deletion.
- Log all provisioning actions (user created, user deactivated, folder assignment) to a database or log file for audit trail compliance.
- Implement retry logic with exponential backoff for API calls β LastPass may rate-limit requests during high-volume provisioning batches.
- For bulk operations (onboarding a new department), add a delay between API calls and process users in batches of 10-20 to avoid hitting rate limits.
- Test deactivation logic in a staging LastPass account before running it against production β deleteaction=1 disables the user rather than permanently deleting their vault.
- Deploy on Replit Autoscale for production provisioning services; use Reserved VM only if you need 24/7 uptime for a webhook listener.
Alternatives
Auth0 is an identity platform for authenticating your app's users, while LastPass manages password storage and sharing for your internal team β choose Auth0 if you need SSO and login flows for your application.
McAfee/Trellix provides endpoint security and threat intelligence APIs, making it a better fit if your use case is security monitoring rather than password management.
If your goal is notifying IT teams about provisioning events rather than automating the provisioning itself, a Slack integration can send alerts when new users are added or access is revoked.
Frequently asked questions
Does LastPass have a free API for personal accounts?
The LastPass Enterprise API is only available on Business and Enterprise plans. Personal and Teams accounts do not have API access. You need at least a LastPass Business subscription to use the provisioning and reporting API endpoints covered in this tutorial.
How do I store my LastPass API key in Replit?
Open your Replit project, click the lock icon (π) in the left sidebar to open the Secrets panel, then click + New Secret. Create secrets named LASTPASS_API_KEY, LASTPASS_ACCOUNT_NUMBER, and LASTPASS_PROVISIONING_HASH with your respective values. Access them in code via os.environ['LASTPASS_API_KEY'] (Python) or process.env.LASTPASS_API_KEY (Node.js). Restart the Repl after adding secrets.
Can I use Replit to sync LastPass users with my HR system?
Yes. Build a Replit server that receives a webhook from your HR system (e.g., Workday, BambooHR, or HiBob) when an employee is hired or terminated. The webhook handler calls the LastPass Enterprise API to provision or deactivate the corresponding account. Deploy on Replit Autoscale for a reliable, always-available webhook endpoint.
What is the difference between the LastPass API key and the Provisioning Hash?
The API key is used for reporting and audit operations (fetching event logs, usage reports). The Provisioning Hash is specifically for user management operations (creating users, deleting users, managing group memberships). Both are found in your LastPass Admin Console but serve different API commands β using the wrong one results in authentication errors.
Is Replit secure enough for storing LastPass enterprise credentials?
Replit Secrets are encrypted at rest and only accessible to your Repl's runtime processes. Replit also runs a Secret Scanner that detects if API keys are accidentally pasted into code files. For enterprise use, ensure your Replit project is set to Private, and consider using Replit Teams or Replit Core for additional security controls and audit logging.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation