Unable to Assign Permissions to Group for Multiple Collections via API

Hi Vaultwarden community,

I’m trying to assign permissions to a specific group for multiple collections via the API, but I am encountering some issues. I have followed the API documentation and am attempting to make a POST request to the endpoint: POST /api/organizations/{org_id}/collections/{col_id}/users

However, I’m receiving a 422 Unprocessable Entity error, even though the request appears to be correctly formatted. My goal is to assign the “manage” permission to the group with ID badf10ca-b2a6-4ec5-89b5-33393a4ec0b8 for the collection with ID b60433f9-1035-42f4-bf4e-fc6c74c60b5c.

Here is the request I am sending:

curl -X POST “https://secure.mondomaine.fr/api/organizations/cbd65e6c-a1a0-4c66-8b75-196506ec7aaf/collections/b60433f9-1035-42f4-bf4e-fc6c74c60b5c
-H “Content-Type: application/json”
-H “Authorization: Bearer eyJ0eXAiOiJKV1QiLCJ2j2Nuf7VBMStNVTYqg”
-d ‘{
“external_id”: null,
“groups”: [
{
“id”: “badf10ca-b2a6-4ec5-89b5-33393a4ec0b8”,
“read_only”: false,
“hide_passwords”: false,
“manage”: true
}
],
“users”:
}’

Despite using the correct syntax and including the proper authorization token, I keep getting a 422 error. Could anyone point me in the right direction or let me know if I’m missing something?

Thank you in advance for your help!

Best regards,

Michael

What do the vaultwarden logs say?

I think you are missing the (encrypted) name value of the Collection which is a non-optional field, when deserializing the FullCollectionData:

btw: With the new bulk-access endpoint (available in the latest release: 1.33.2) you should be able to assign multiple collections.

Thank you for your message.
How can I encrypt/decrypt the com of a collection via API?

How to use bulk-access to add permission to a group to a collection ?

Here is what I have in the logs:

[2025-02-11 10:01:49.966][vaultwarden::api::core::organizations::_][WARN] Data guard Json < NewCollectionData > failed: Parse(“{\n "external_id": null,\n "groups": [\n {\n "id": "badf10ca-b2a6-4ec5-89b5-33393a4ec0b8",\n "read_only": false,\n "hide_passwords": false,\n "manage": true\n }\n ],\n "users": \n }”, Error(“missing field hidePasswords”, line: 9, column: 14)).

I modified the curl call this way, and I no longer have any issues; but it doesn’t find the collection because the name is not encrypted.

curl -X POST “https://secure.soluris.fr/api/organizations/cbd65e6c-a1a0-4c66-8b75-196506ec7aaf/collections/b60433f9-1035-42f4-bf4e-fc6c74c60b5c
-H “Content-Type: application/json”
-H “Authorization: Bearer APIKEYxxxxxxxxxxxx”
-d ‘{
“name”: “toto”,
“external_id”: null,
“groups”: [
{
“id”: “badf10ca-b2a6-4ec5-89b5-33393a4ec0b8”,
“readOnly”: false,
“hidePasswords”: false,
“manage”: true
}
],
“users”:
}’

I’m making some progress.

If I create a collection in the frontend and assign it an externalId, it is not encrypted. This allows me to retrieve the encrypted name and the correct collection ID by making the following request:

curl -X POST “https://secure.soluris.fr/api/organizations/cbd65e6c-a1a0-4c66-8b75-196506ec7aaf/collections/b60433f9-1035-42f4-bf4e-fc6c74c60b5c

Response:

{
“externalId”: “aaaa”,
“id”: “c4ed4eee-642e-4c8c-9c85-9ba80c2413f3”,
“name”: “2.uLE2Z8wedEPwz2ZM2CZaLw==|+88HfOKRqNQ6P+pxRM/VrQ==|ARGb7PJ4IlHmeROd4EjnaQ+rTnzBBAhB86Ez+zR4BVw=”,
“object”: “collection”,
“organizationId”: “cbd65e6c-a1a0-4c66-8b75-196506ec7aaf”
}

Then, I try to modify the permissions with this request:

curl -X POST “https://secure.soluris.fr/api/organizations/cbd65e6c-a1a0-4c66-8b75-196506ec7aaf/collections/b60433f9-1035-42f4-bf4e-fc6c74c60b5c
-H “Content-Type: application/json”
-H “Authorization: Bearer APIKEY”
-d ‘{
“name”: “2.uLE2Z8wedEPwz2ZM2CZaLw==|+88HfOKRqNQ6P+pxRM/VrQ==|ARGb7PJ4IlHmeROd4EjnaQ+rTnzBBAhB86Ez+zR4BVw=”,
“id”: “c4ed4eee-642e-4c8c-9c85-9ba80c2413f3”,
“external_id”: null,
“groups”: [
{
“id”: “badf10ca-b2a6-4ec5-89b5-33393a4ec0b8”,
“readOnly”: false,
“hidePasswords”: false,
“manage”: true
}
],
“users”: [
{
“id”: “bbacafd5-331f-4771-8898-8d2b5f1c6270”,
“readOnly”: false,
“hidePasswords”: false,
“manage”: true
}
]
}’

However, this request creates a new collection instead of modifying the existing one.

If it’s still called that you should update your vaultwarden instance, because this struct has been renamed in the latest release…