Connect Retool to LastPass Enterprise using a REST API Resource with the LastPass Provisioning API and HMAC-SHA256 authentication. Build a password policy compliance dashboard in Retool that manages users, groups, and shared folders, monitors security scores, and tracks policy violations across your organization's password vault — giving IT security teams faster visibility than LastPass's native admin console.
| Fact | Value |
|---|---|
| Tool | LastPass |
| Category | Auth |
| Method | REST API Resource |
| Difficulty | Intermediate |
| Time required | 25 minutes |
| Last updated | April 2026 |
Build a LastPass Enterprise Admin and Security Compliance Panel in Retool
LastPass Enterprise's native admin console provides visibility into password vault usage, but IT security teams managing hundreds of employees often need faster ways to audit policy compliance, bulk-manage user access, and report on security scores across departments. Retool connects to LastPass's Provisioning API and Reporting API to build purpose-built compliance and administration dashboards that surface the data security teams care about without navigating LastPass's full admin interface.
With a Retool-LastPass integration, you can build a security score dashboard showing each user's LastPass security score alongside department and manager information from your HRIS, a shared folder audit panel listing which users have access to sensitive credential folders and when that access was last reviewed, a user lifecycle management panel for onboarding new employees with initial LastPass account setup and offboarding departed employees by deactivating their vaults, and a password age compliance tracker showing which shared passwords haven't been rotated in over 90 days.
LastPass's API is structured around two main endpoints: the Provisioning API (for user and group management) and the Reporting API (for security data and audit logs). Both use the same Account Number and Provisioning Hash authentication mechanism, but have different base URLs and request formats. The API is available to LastPass Business and Enterprise plan customers — Teams plan customers have more limited API access.
Integration method
LastPass Enterprise provides a Provisioning API at lastpass.com/enterpriseapi.php for user, group, and shared folder management, authenticated with an Account Number and Provisioning Hash (an API secret key generated in the LastPass Admin Console). A separate Reporting API provides security score and audit data. In Retool, you configure a REST API Resource with the LastPass API endpoint and pass Account Number and Provisioning Hash as request body parameters or headers. Retool proxies all requests server-side, keeping credentials off the browser.
Prerequisites
- A LastPass Business or Enterprise account with Admin access
- Your LastPass Account Number (found in the Admin Console under Advanced → Enterprise API)
- A Provisioning Hash generated from the LastPass Admin Console (Advanced → Enterprise API → Generate Provisioning Hash)
- A Retool account with permission to create Resources
- Familiarity with Retool's Query Editor and REST API Resources
Step-by-step guide
Locate your LastPass Account Number and generate a Provisioning Hash
The LastPass Provisioning API authenticates using two credentials: your account's Account Number (a numeric identifier for your LastPass Business or Enterprise account) and a Provisioning Hash (a secret API key). Log in to the LastPass Admin Console at lastpass.com/company. In the Admin Console left navigation, expand the Advanced section and click 'Enterprise API'. On this page, you will see your Account Number displayed at the top — it is a numeric string like 12345678. Below the account number, you will find the option to generate or view your Provisioning Hash. If no hash exists, click 'Generate Provisioning Hash' to create one. Copy the hash value — it is a long alphanumeric string that serves as your API secret key. Store it securely. Note that the Provisioning Hash can be regenerated at any time in the Admin Console (invalidating the previous one), so treat it like a password and store it in Retool's Configuration Variables rather than hardcoding it anywhere. Also note the API endpoint URL shown on this page — LastPass's Provisioning API base URL is https://lastpass.com/enterpriseapi.php. Unlike typical REST APIs, LastPass's Provisioning API uses POST requests for most operations with a JSON body that includes the command type and authentication credentials.
Pro tip: LastPass's Provisioning API is available only on Business and Enterprise plans. If you are on the Teams plan, API access is more limited. Check with your LastPass account manager to confirm which API endpoints your plan includes before building the Retool integration.
Expected result: You have your LastPass Account Number and Provisioning Hash copied and stored securely, and you know the Provisioning API endpoint URL.
Create the LastPass API Resource in Retool
In Retool, navigate to the Resources tab in the left sidebar and click Add Resource. Select REST API from the resource type list. Name the resource 'LastPass Enterprise API'. LastPass's Provisioning API uses a single endpoint URL for all operations (a command pattern rather than separate REST endpoints), so in the Base URL field enter https://lastpass.com. Do not append any path to the base URL — the API path /enterpriseapi.php will be specified in individual query configurations. Leave the Authentication dropdown set to None since LastPass authentication is handled by including the Account Number and Provisioning Hash in the request body. Add a default header for Content-Type with value application/json. Click Save Changes. LastPass's API design is unusual: almost all operations use HTTP POST to /enterpriseapi.php, and the operation type is specified as a 'cmd' field in the JSON request body, along with 'apiuser', 'apikey' credentials, and operation-specific parameters. This means each Retool query will be a POST request to /enterpriseapi.php with a different body depending on the operation. Store your Account Number and Provisioning Hash in Retool's Configuration Variables (Settings → Configuration Variables, mark both as secrets) rather than embedding them in individual query bodies — reference them as {{ retoolContext.configVars.LASTPASS_ACCOUNT_NUMBER }} and {{ retoolContext.configVars.LASTPASS_PROVISIONING_HASH }}.
Pro tip: Because LastPass uses a single endpoint with a command field rather than separate REST paths, consider creating all your LastPass queries in a single Retool app rather than distributing them across multiple apps — this makes it easier to see the full credential usage pattern and ensures the same configuration variables are used consistently.
Expected result: The LastPass Enterprise API resource appears in your Resources list. Note that you cannot test the connection from the Resource settings page alone — testing requires creating an actual query with the authentication body.
Query users and security data
Create a new query named 'getUsers' in your Retool app's Code panel. Select your LastPass Enterprise API resource. Set Method to POST and Path to /enterpriseapi.php. Set Body Type to JSON. In the Body field, write the JSON payload for the 'getuserdata' command — this returns data for all users in your LastPass Enterprise account including usernames, email addresses, group memberships, admin status, and account creation dates. The JSON body must include the 'cmd', 'apiuser' (your Account Number), and 'apikey' (your Provisioning Hash) fields. The response is a JSON object where the 'Users' key contains an object keyed by username, where each value is a user record with fields for username, groups, admin, disabled, mpasswdreset, and more. Add a transformer to convert this object format (keyed by username) into an array of rows suitable for a Retool Table. To get security score data, create a second query named 'getSecurityScores' also POSTing to /enterpriseapi.php with the 'getuserdata' command plus the 'data' parameter set to 'securityemail,score' to request security-related fields. Note: Security score data may require the LastPass Reporting API at a different endpoint depending on your plan.
1// Request body for getUsers query (POST to /enterpriseapi.php)2{3 "apiuser": "{{ retoolContext.configVars.LASTPASS_ACCOUNT_NUMBER }}",4 "apikey": "{{ retoolContext.configVars.LASTPASS_PROVISIONING_HASH }}",5 "cmd": "getuserdata",6 "data": {7 "pagesize": 1000,8 "pagenum": 09 }10}Pro tip: LastPass's 'getuserdata' response uses the username as a key in the Users object rather than returning an array. The transformer must use Object.entries() or Object.values() to convert this into an array. Preview the raw response in the Retool query Results panel before writing the transformer to understand the actual response structure.
Expected result: The getUsers query returns a response with a 'Users' object. The transformer converts it to a flat array of user records visible in the Results panel.
Build the user security compliance dashboard UI
In the app canvas, add a stat row at the top with three Statistic components: Total Users (COUNT of users from getUsers.data), Users with Score Below 50 (filtered count), and Average Security Score (computed from transformer). Below the stats, add filter controls: a Text Input for username/email search and a Number Range Slider for security score filtering (0-100). Add a Table component bound to {{ getUsers.data }} with columns for username, email, groups (displayed as a comma-joined string), security_score (with conditional formatting — red for <50, yellow for 50-75, green for >75), disabled status, and last_login. Create a query named 'updateUser' with POST method, Path /enterpriseapi.php, and Body Type JSON. The body should use the 'editusergroups' or 'disableuser' command depending on the selected action. Add an action panel below the table with: a 'Disable User' button (triggers 'disableuser' command with { username: selectedRow.username }) and a 'Reset Master Password' button (triggers 'resetpassword' command). Both should have Confirm Modal dialogs before executing. Create a second query named 'getGroups' using the 'getgroupdata' command to list all LastPass groups — use this to populate a group assignment Select component in the user detail panel.
1// Transformer: convert LastPass Users object to array2const usersObj = data.Users || {};3return Object.entries(usersObj).map(([username, user]) => ({4 username: username,5 email: user.username || username,6 fullname: user.fullname || '',7 groups: Array.isArray(user.groups) ? user.groups.join(', ') : '',8 admin: user.admin === '1' ? 'Yes' : 'No',9 disabled: user.disabled === '1' ? 'Disabled' : 'Active',10 security_score: user.score ? parseInt(user.score) : null,11 created: user.created || '',12 last_login: user.last_login || 'Never'13}));Pro tip: Use Retool's Table column formatting to display the security score as a colored badge: set the column type to 'Tag' and configure the tag color based on the numeric value range. This makes the compliance status immediately visible at a glance across the user list without having to read each number.
Expected result: A security compliance dashboard shows all LastPass users with color-coded security scores, group memberships, and account status, with action buttons for user management operations.
Add shared folder audit and group management panels
Create a query named 'getSharedFolders' using the 'getsfdata' command in a POST to /enterpriseapi.php — this returns all shared folders (shared credential groups) in your LastPass Enterprise account with their names, members, and access levels. Add a transformer to flatten the shared folder data into rows: each shared folder becomes a row with name, member_count, hidden status, and the list of member usernames. Create a detail panel for selected shared folders that shows the full member list with their access level (can_administer, read_only, give). Add a 'Remove from Folder' button per member that triggers a POST with the 'updatesharedfolderusers' command to revoke access. Create a third query named 'getGroupData' using the 'getgroupdata' command to list all LastPass groups (these are different from shared folders — groups organize users while shared folders store credentials). Build a Tab component with three tabs: Users (main security dashboard), Shared Folders (access audit), and Groups (group management). For the Groups tab, show a Table of all groups with member counts and add a group membership editor that allows adding or removing users from groups using the 'adduserstogroup' and 'deleteusersfromgroup' commands. For complex security compliance reporting combining LastPass data with your HRIS, Active Directory, or identity provider, RapidDev's team can help architect your Retool security operations solution.
1// Request body for getSharedFolders query2{3 "apiuser": "{{ retoolContext.configVars.LASTPASS_ACCOUNT_NUMBER }}",4 "apikey": "{{ retoolContext.configVars.LASTPASS_PROVISIONING_HASH }}",5 "cmd": "getsfdata"6}Pro tip: Cross-reference shared folder membership with your HR system by connecting Retool to your HRIS database or API as a second Resource. JOIN shared folder access data with employee department and status data to flag cases where departed employees still appear in LastPass shared folders — a common security audit finding.
Expected result: The app has three tabs for Users, Shared Folders, and Groups, each showing the relevant LastPass data with management action buttons.
Common use cases
Build a user security score and password health dashboard
Create a Retool security compliance panel that shows all LastPass users alongside their security score (0-100), number of weak passwords, reused passwords, and the date they last logged into LastPass. Include department-level aggregation showing average security scores per team, enabling security managers to identify departments that need password hygiene training or intervention.
Build a Retool security dashboard querying the LastPass Reporting API for user security scores. Show a Table with username, email, department, security score, weak password count, reused password count, and last active date. Add a Chart showing average security score by department and filter controls for score range and last active date.
Copy this prompt to try it in Retool
Build a shared folder access audit panel
Create a Retool panel that lists all LastPass shared folders with their members, access levels (read-only vs full access), and whether each folder is marked as hidden. Enable security administrators to review who has access to sensitive credential folders (e.g., 'Production Servers', 'AWS Root Accounts'), remove users from folders directly from the Retool interface, and generate audit-ready access reports.
Build a Retool shared folder audit panel querying LastPass's group/folder endpoints. Show a Table of shared folders with name, member count, and hidden status. Selecting a folder shows a detail panel with the list of members and their access levels. Include a Remove Access button that calls the LastPass API to revoke a user's folder access.
Copy this prompt to try it in Retool
Build a user lifecycle management panel for IT onboarding and offboarding
Create a Retool IT operations panel for managing LastPass user provisioning during employee onboarding and offboarding. Include a form for creating new LastPass user accounts, a group assignment panel for adding users to appropriate shared folder groups based on department, and an offboarding section that deactivates a user's LastPass account and optionally transfers their shared passwords to a manager.
Build a Retool user management panel with a Create User form (email, first name, last name, groups to assign) and an Offboard User section. The offboard flow deactivates the selected user's account and shows their group memberships for cleanup. Include a Table of recent account changes with timestamp and action type.
Copy this prompt to try it in Retool
Troubleshooting
API returns 'Invalid credentials' or authentication error
Cause: The Account Number or Provisioning Hash in the request body is incorrect, or the Provisioning Hash has been regenerated (invalidating the old one). The 'apiuser' field must be the numeric Account Number, not the admin user's email address.
Solution: Return to the LastPass Admin Console → Advanced → Enterprise API and verify the Account Number matches what is in your Retool Configuration Variables. Check whether the Provisioning Hash was recently regenerated — if a new hash was generated, update your Retool Configuration Variable with the new value. Ensure the 'apiuser' field contains the numeric Account Number (e.g., 12345678), not an email address.
API response contains a 'Users' object that cannot be directly bound to a Retool Table
Cause: LastPass's getuserdata API response uses usernames as object keys rather than returning a standard JSON array. Retool Tables require array-format data and cannot automatically iterate over object keys.
Solution: Add a JavaScript transformer to the query that converts the Users object to an array using Object.entries(): const usersObj = data.Users || {}; return Object.entries(usersObj).map(([key, user]) => ({ username: key, ...user }));. This produces an array with one object per user that Retool Tables can render directly.
1const usersObj = data.Users || {};2return Object.entries(usersObj).map(([username, user]) => ({3 username,4 email: user.username || username,5 groups: Array.isArray(user.groups) ? user.groups.join(', ') : '',6 admin: user.admin === '1',7 disabled: user.disabled === '1'8}));Some API commands return 'Permission denied' even with valid credentials
Cause: LastPass Enterprise API permissions are scoped to specific capabilities — not all commands are available on all plan levels, and some commands require the authenticated admin account to have specific admin roles within LastPass.
Solution: Verify your LastPass plan includes the API features you are using (Business vs Enterprise feature sets differ). Ensure the admin account whose credentials are used in the Provisioning Hash has Super Admin privileges in LastPass, not just standard Admin. Check the LastPass Enterprise API documentation for your specific version to confirm which commands are available on your plan tier.
Security score data is missing or null for some users
Cause: LastPass security scores are only available for users who have logged in to LastPass and have at least some password data in their vault. New users or users who have never logged in will not have a security score. Additionally, security score data may require specific API flags in the getuserdata request.
Solution: Add a null safety check in your transformer: security_score: user.score ? parseInt(user.score) : 'N/A'. For the security score query, ensure you include the appropriate 'data' parameter in the getuserdata request body to request score data specifically. Display 'N/A' or 'Not Available' in the table for users without scores, and filter them out of score average calculations using .filter(u => u.security_score !== null).
1// Safe security score calculation in transformer2const rows = Object.entries(data.Users || {}).map(([username, user]) => ({3 username,4 security_score: user.score ? parseInt(user.score) : null5}));6const scored = rows.filter(r => r.security_score !== null);7const avgScore = scored.length > 0 ? Math.round(scored.reduce((s, r) => s + r.security_score, 0) / scored.length) : 0;Best practices
- Store the LastPass Account Number and Provisioning Hash in Retool Configuration Variables as secrets (Settings → Configuration Variables) — never hardcode them in query bodies where they could be visible to all Retool workspace members in the query editor
- Use a LastPass Super Admin account dedicated to the Retool integration rather than a personal admin account, so credential rotation is independent of individual employee accounts
- Regularly audit the users shown in your Retool LastPass dashboard against your HR system to identify orphaned accounts for departed employees — build a JOIN query that compares LastPass usernames to active employee emails
- Build Retool Workflows for periodic security score reports — schedule a weekly Workflow that queries LastPass user security scores, identifies users below 50, and sends a Slack notification to the IT security team with the at-risk user list
- Add Confirm Modal dialogs before all destructive operations (disable user, reset master password, remove from shared folder) to prevent accidental security operations that could lock employees out of their vaults
- Cross-reference shared folder access against your HRIS or Active Directory by connecting Retool to both data sources — flag shared folder members whose employment status has changed to 'Terminated' in your HR system for immediate access review
- Use Retool's audit logging (available on Business plan) to track which Retool users performed which LastPass management actions — this creates a compliance trail for security audit purposes
Alternatives
Duo Security is a better choice if your primary IT security need is multi-factor authentication management rather than password vault administration.
Okta provides broader identity management including SSO and lifecycle management — a better choice for organizations that need identity governance beyond password management.
Auth0 is a better fit if your security team needs to manage authentication for developer-built applications rather than enterprise password vault administration.
Frequently asked questions
Does Retool have a native LastPass connector?
No, Retool does not have a native LastPass connector. You connect via a REST API Resource using the LastPass Provisioning API with your Account Number and Provisioning Hash. Unlike typical REST APIs that use separate endpoints per resource type, LastPass uses a single endpoint (/enterpriseapi.php) with a command-based request pattern where the operation type is specified in the JSON body.
What LastPass plan is required for API access?
LastPass API access is available on Business and Enterprise plans. The Teams plan has more limited or no API access. The full Provisioning API including user management, group operations, and shared folder management requires at least a Business plan. Security reporting features may require an Enterprise plan. Contact your LastPass account manager to confirm which API endpoints are included in your current plan.
Can I create new LastPass user accounts from Retool?
Yes. Use the 'batchadd' command in a POST to /enterpriseapi.php with an array of user objects in the 'userdata' field — each object specifying username (email), password (temporary), and optionally fullname and groupids for initial group assignment. LastPass will provision the accounts and trigger invitation emails to the new users. This is useful for automating the IT onboarding process from a Retool HR operations dashboard.
How do I deactivate a LastPass user when an employee leaves?
Use the 'disableuser' command in a POST to /enterpriseapi.php with the departing employee's username (email) in the 'username' field of the data object. This deactivates the account and prevents login without deleting the vault data. For complete offboarding, also remove the user from shared folders using 'updatesharedfolderusers' and from groups using 'deleteusersfromgroup'. Build a Retool offboarding workflow that performs all three operations in sequence.
Can I export a user's vault contents from LastPass via the API?
No. LastPass's Provisioning API does not allow exporting individual users' vault contents — this is an intentional security restriction since vault items are encrypted with the user's master password. LastPass provides vault export functionality only to the individual vault owner from within the LastPass extension or web vault. For security incident response, work with LastPass enterprise support directly rather than attempting to access vault contents via the API.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation