Your comments

Thanks for the reply, and thanks for all the tireless and hard work! :)

I'd like to have specific API keys that can't see raw passwords. This way automation can retrieve account metadata without exposing credentials. Specifically, I want to store a password hash (as description right now) and have Puppet clients pull it directly from Teampass for rollout without having to widely distribute an API key that has access to the entire store.

I would still want API keys that function like today as well so I can have automation interact with the password store (distributing changed passwords, etc.).

Does that help at all?

Would love to also be able to flag custom fields as private so that if, in the future, API access can be granted to special keys that can read metadata from TeamPass, private keys are not exposed (for example).

The current version does not require a bind user.  The username/password fields on the LDAP configuration page are for testing settings.