LastPass exposes a public API that can be used by enterprise accounts to create users, deprovision users, and manage groups.

We are often asked about the difference between the AD Sync Client and the API. The main difference is that, unlike the API, the AD Sync Client requires no coding or integration. The API is more powerful, but requires some integration work on your part to avoid having to duplicate actions.

Out of the box, the AD Sync Client automatically tracks changes to your AD/LDAP server (a new user is added, an existing user is removed or disabled, a user changes groups, etc.) and invokes the appropriate actions for LastPass accounts. Similarly, if you delete or disable a user in your AD, the associated LastPass account will also be disabled. These functions are also supported by the API; however, they require integration on your part.

For full API details and instructions, go to the Enterprise Console > Setup > Create New Users > LastPass Provisioning API option.

If you would like to use the API to automatically add users to shared folders, you will need to perform encryption operations yourself. Thus, you will need to know some things about the underlying encryption operations LastPass uses. They will be documented below.