Pass Password to curl Without Command History
When using curl for API calls or web requests that require
authentication, passing passwords directly in the command line exposes
them to your shell history and the system’s process list. This article
demonstrates the most secure methods to pass passwords to curl—including
interactive prompts, configuration files, the .netrc file,
and environment variables—ensuring your sensitive credentials remain
protected.
Method 1: Use the Interactive Prompt
The simplest way to keep your password out of the command history is to let curl prompt you for it interactively. If you provide the username but omit the password, curl will securely mask your input as you type.
curl -u username https://api.example.com/data
After running this command, you will see a prompt:
Enter host password for user 'username':
Enter your password, and curl will execute the request without saving the password to your .bash_history or .zsh_history file.
Method 2: Use a Configuration File
For automated scripts, you can store your credentials in a separate configuration file and restrict its read permissions.
Create a file named curl.config and add your credentials:
user = "username:your_secret_password"
Secure the file so only your user can read it:
chmod 600 curl.config
Run curl by referencing the configuration file with the -K or --config flag:
curl -K curl.config https://api.example.com/data
Method 3: Use the .netrc File
The .netrc file is a standard way to store autologin
credentials for transfer programs. Curl natively supports this file.
Create or edit the ~/.netrc file in your home directory:
machine api.example.com login username password your_secret_password
Restrict the file permissions:
chmod 600 ~/.netrc
Run curl with the --netrc (or -n) flag. Curl will automatically look up the credentials matching the host name:
curl -n https://api.example.com/data
Method 4: Read from standard input (stdin)
If you are using a bash script and want to prompt the user for a
password without displaying it on the screen, you can use the
read command with the -s (silent) flag, then
pass the variable to curl.
read -sp "Enter Password: " MY_PASSWORD
curl -u "username:$MY_PASSWORD" https://api.example.com/data
unset MY_PASSWORD
Using unset MY_PASSWORD immediately after the command
ensures that the password does not linger in your active shell
environment memory.
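Method 4 keeps the password out of the shell history, but -u "username:$MY_PASSWORD" still places it in curl's argument list, where it can briefly show up in the process list. The added example below (not part of the original article) combines the prompt from Method 4 with the config format from Method 2 and feeds the config to curl on standard input with -K -; the function names curl_config_line and curl_prompted are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: prompt for a password and hand it to curl on stdin
# (-K - makes curl read its config from standard input), so the secret
# is never part of any command line.

# Build one curl config line. Inside a double-quoted config value,
# backslash and double quote must be escaped, otherwise a password
# containing them is parsed incorrectly.
# $1 = user name, $2 = password
curl_config_line() {
    # printf is a shell built-in and sed reads from a pipe, so the
    # password is not placed in a process argument list here either.
    escaped=$(printf '%s' "$1:$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'user = "%s"\n' "$escaped"
    unset escaped
}

# Hypothetical wrapper: $1 = user name, remaining arguments go to curl.
curl_prompted() {
    cp_user=$1
    shift
    # -r keeps backslashes literal, -s disables echo (bash built-in read).
    IFS= read -rsp "Enter Password: " cp_pass
    echo >&2
    curl_config_line "$cp_user" "$cp_pass" | curl -K - "$@"
    cp_status=$?
    unset cp_pass cp_user
    return "$cp_status"
}

# Usage (host name taken from the article's examples):
#   curl_prompted username https://api.example.com/data
```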