OneTimeSecret API: PowerShell example


All product names, logos, and brands used in this post are property of their respective owners.

In reviewing my posts for 2020 thus far, it appears I am on a “credential kick.” Not sure if this is good or bad but I am going to roll with it in this post and my next one entitled YubiKey Manager and PowerShell: TOTP Credentials.

OneTimeSecret is a gem of a service created by Delano Mandelbaum that allows you to obfuscate credentials in chats, email sent items, ticket history and other mediums that tend to persist information indefinitely. There is certainly an argument that sensitive information (credentials and the like) should never be shared in these ways, but let’s face it. It happens!

If you use OneTimeSecret, the only persisted information (URL or link to the credential) is invalidated once retrieved. This provides at least a measure of security vs. sharing passwords in cleartext.

In pursuit of saving clicks and automating some of my processes, I assembled the following PowerShell snippet to generate a random password using OneTimeSecret, display it in the console, and print a URL that can be used to retrieve the credential.

# Your OneTimeSecret Username and API key from
# https://onetimesecret.com/account#apikey-tab
$apiUsername = "username@example.com"
$apiPassword = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# Invoke-RestMethod is a little "temperamental" with Basic
# Authentication - the "-Credential" parameter specifically
# See https://stackoverflow.com/questions/24672760/powershells-invoke-restmethod-equivalent-of-curl-u-basic-authentication - thanks Borek Bernard
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $apiUsername,$apiPassword)))

# Specify parameters for random password generation
# In this case, a Time to Live in seconds (7 days)
$Body = @{
     ttl = 604800
}

# Call the OneTimeSecret API to generate a random password
$oneTimeSecret=Invoke-RestMethod -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method 'Post' -Uri "https://onetimesecret.com/api/v1/generate" -Body $body

# Print the generated secret and a URL you can share
write-host "$($oneTimeSecret.value)"
write-host "https://onetimesecret.com/secret/$($oneTimeSecret.secret_key)"

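# Clear variables (this only drops the references; .NET strings are
# immutable, so the old values stay in memory until garbage collected)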
$oneTimeSecret = ""
$apiPassword = ""
$base64AuthInfo = ""

I wrapped this up in a PowerShell function I can call as needed.

> generate-password
rk6WWg(2tn7b
https://onetimesecret.com/secret/bq9vr5job5snfy5ppt53pqyybs6nf18

Alternatively, you can have OneTimeSecret email the secret link for you by specifying a recipient - this requires an additional parameter in the request body:

$Body = @{
    ttl = 604800
    recipient = "someone@example.com"
}
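The function wrapper and the recipient option described above, combined in one sketch. This is an added example, not the author's own function: the name New-OneTimePassword, its parameters and the returned property names are assumptions, while the endpoint, ttl, recipient, value and secret_key are taken from the snippet above. It takes the API key as a PSCredential so the key is not stored in the script file.

```powershell
# Added example (hypothetical function name and parameters).
function New-OneTimePassword {
    [CmdletBinding()]
    param(
        # UserName = OneTimeSecret account e-mail, Password = API key
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$ApiCredential,

        # Time to live in seconds (default: 7 days, as in the post)
        [ValidateRange(1, 2147483647)]
        [int]$Ttl = 604800,

        # Optional address OneTimeSecret should e-mail the secret link to
        [string]$Recipient
    )

    # Build the Basic Authentication header the same way the snippet does
    $apiKey = $ApiCredential.GetNetworkCredential().Password
    $pair   = '{0}:{1}' -f $ApiCredential.UserName, $apiKey
    $auth   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))

    # Only send "recipient" when the caller supplied one
    $body = @{ ttl = $Ttl }
    if ($Recipient) { $body.recipient = $Recipient }

    $request = @{
        Method      = 'Post'
        Uri         = 'https://onetimesecret.com/api/v1/generate'
        Headers     = @{ Authorization = "Basic $auth" }
        Body        = $body
        ErrorAction = 'Stop'   # fail loudly on HTTP or network errors
    }
    $response = Invoke-RestMethod @request

    # Return an object instead of Write-Host so the caller decides
    # whether the generated password is ever shown on screen
    [pscustomobject]@{
        Secret = $response.value
        Url    = "https://onetimesecret.com/secret/$($response.secret_key)"
    }
}

# Usage: prompt for the API key at run time and print only the link
# $cred = Get-Credential -Message 'OneTimeSecret e-mail and API key'
# (New-OneTimePassword -ApiCredential $cred -Recipient 'someone@example.com').Url
```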

If you plan to do any heavy lifting with OneTimeSecret and PowerShell, I recommend looking at the module Craig Gumbley created. I stumbled across the OneTimeSecret module after the fact but it looks incredibly robust.

I hope this helps someone hoping to achieve something similar!