This case study evaluates how a real Proton Pass API request behaves under automated structural testing.
Target endpoint:
POST https://pass.proton.me/api/pass/v1/share/{shareId}/item
The request originates from the Proton Pass web application and creates or updates an item inside a shared vault. A real browser-generated cURL request was used as input. No configuration changes were applied before execution.
Structural Score
Rentgen structural score: 46%
Certificate status: Not issued
The score reflects protocol-level behavioral consistency, not feature completeness. The goal is not to pass or fail a product but to identify structural API signals that affect resilience and debugging clarity.
Payload Size Control
When an oversized request (~10 MB body) is sent, the endpoint responds with:
400 Bad Request "Error": "JSON parsing of request body failed"
The error comes from the JSON parser, not from a size check: the body is accepted and handed to the parser before it is rejected, so the request fails on content rather than on size. (Whether the full 10 MB is buffered server-side cannot be confirmed from the client; the observable is only that no size limit fired first.) A stricter implementation would reject oversized payloads earlier, on the declared Content-Length or on a streaming byte count for chunked bodies, with:
413 Payload Too Large
(RFC 9110 renames this status Content Too Large; the code is unchanged.)
Early rejection avoids reading and parsing a body that will be discarded, and blunts repetitive large-body stress patterns, because the cost of each rejected request stays close to zero.
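The two behaviors side by side, as an added example that is not Rentgen's or Proton's code: `late_reject_app` buffers and parses first, which is what the observed 400 looks like from outside, and `limit_body_size` is a WSGI middleware that answers 413 on the declared length, or on the byte count actually read for bodies without Content-Length, before the handler ever sees the body. The 1 MiB limit, the header names and the `probe` driver are illustrative assumptions.

```python
import io
import json

MAX_BODY_BYTES = 1024 * 1024  # illustrative limit, not Proton's value


def _respond(start_response, status, body):
    """Emit a small JSON response in WSGI form."""
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def late_reject_app(environ, start_response):
    """Handler that buffers the whole body and only then finds it unusable."""
    length = environ.get("CONTENT_LENGTH")
    stream = environ["wsgi.input"]
    raw = stream.read(int(length)) if length else stream.read()  # full buffer here
    try:
        json.loads(raw)
    except ValueError:
        return _respond(start_response, "400 Bad Request",
                        {"Error": "JSON parsing of request body failed"})
    return _respond(start_response, "200 OK", {"ok": True})


def limit_body_size(app, max_bytes=MAX_BODY_BYTES):
    """Middleware: reject on Content-Length first, then on bytes actually read,
    so a chunked body with no declared length is still cut off at the limit."""

    class _CappedStream:
        def __init__(self, stream):
            self._stream, self._seen = stream, 0

        def read(self, size=-1):
            budget = max_bytes - self._seen + 1  # one extra byte detects overflow
            data = self._stream.read(budget if size < 0 else min(size, budget))
            self._seen += len(data)
            if self._seen > max_bytes:
                raise ValueError("body exceeds limit")
            return data

    too_large = {"Error": f"body exceeds {max_bytes} bytes"}

    def wrapped(environ, start_response):
        declared = environ.get("CONTENT_LENGTH")
        if declared and int(declared) > max_bytes:
            # Nothing has been read from the socket; the client learns the
            # real reason immediately and no parser runs.
            return _respond(start_response, "413 Content Too Large", too_large)
        environ["wsgi.input"] = _CappedStream(environ["wsgi.input"])
        try:
            return app(environ, start_response)
        except ValueError:  # raised by _CappedStream, never by the handler
            return _respond(start_response, "413 Content Too Large", too_large)

    return wrapped


def probe(app, body, declare_length=True):
    """Drive a WSGI app with a constructed request; return (status, decoded body)."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body)}
    if declare_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], json.loads(out)


if __name__ == "__main__":
    big = b"x" * (MAX_BODY_BYTES + 1)  # constructed oversized body
    print("late:", probe(late_reject_app, big)[0])
    print("early:", probe(limit_body_size(late_reject_app), big)[0])
    print("chunked:", probe(limit_body_size(late_reject_app), big, declare_length=False)[0])
```

Note that the chunked path still reads up to the limit plus one byte before answering; that is the floor for a server that cannot trust a declared length, and it is still far cheaper than buffering and parsing the whole body.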
Authentication Gate Ordering
With the authentication material removed, the first response is:
400 Bad Request
Only after the other required headers are supplied does the API return:
401 Unauthorized
Authentication is enforced, but a missing credential is reported behind a header-validation failure. Structurally, the authentication check belongs before validation of secondary headers: a 401 tells the client exactly what to fix, while a 400 sends an unauthenticated client off to debug its headers. Ordering also has a security side: unauthenticated callers should learn as little as possible about the request schema, so header-validation detail belongs behind the credential check.
Route Resolution Semantics
When the endpoint path is modified to a non-existent route, the API responds with:
405 Method Not Allowed
while the body says the route is not found. Clients can still work with this, but the status and body disagree: 405 is defined for a known resource that does not support the method, and RFC 9110 requires an Allow header on it, whereas an unknown route is exactly what 404 Not Found denotes. Status code precision improves client error handling and keeps logging and alerting accurate, since a spike in 405s reads differently from a spike in 404s.
OPTIONS Handling
The endpoint returns:
200 OK
without an Allow header.
A successful OPTIONS response should carry Allow listing the supported methods; returning them explicitly improves discoverability and interoperability, especially for tooling and API clients. If the 200 is served by a CORS preflight handler, browsers read Access-Control-Allow-Methods rather than Allow, which would explain the omission, but non-browser clients still benefit from Allow.
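The three observations above (authentication before secondary headers, 404 for an unknown route, Allow on 405 and on OPTIONS) come down to the order in which a request passes through its gates. The following dispatcher is an added example, not Proton's or Rentgen's code; it orders the gates so each failure maps to exactly one status: route, then method (with Allow, and OPTIONS answered before authentication because CORS preflights never carry credentials), then credential, then remaining required headers. The route table, the `X-Client-Version` header and the token set are constructed for illustration.

```python
from collections import namedtuple

Response = namedtuple("Response", "status headers body")

# Illustrative route table: path pattern -> {method: handler name}.
ROUTES = {
    "/api/pass/v1/share/{shareId}/item": {"POST": "create_item"},
}
REQUIRED_HEADERS = ("x-client-version",)  # hypothetical secondary header
VALID_TOKENS = {"token-abc"}               # constructed auth material


def match_route(path):
    """Return ({method: handler}, path params) for a known path, else None."""
    segs = path.split("/")
    for pattern, methods in ROUTES.items():
        psegs = pattern.split("/")
        if len(psegs) != len(segs):
            continue
        params = {}
        for p, s in zip(psegs, segs):
            if p.startswith("{") and p.endswith("}"):
                params[p[1:-1]] = s
            elif p != s:
                break
        else:
            return methods, params
    return None


def dispatch(method, path, headers):
    """Run the gates in a fixed order so every rejection has one precise status."""
    headers = {k.lower(): v for k, v in headers.items()}

    # Gate 1: route. An unknown path is 404, never 405.
    matched = match_route(path)
    if matched is None:
        return Response(404, {}, {"Error": "route not found"})
    methods, params = matched
    allow = ", ".join(sorted(list(methods) + ["OPTIONS"]))

    # Gate 2: method. OPTIONS is answered here with Allow so clients and
    # preflights can discover methods without credentials; any other
    # unsupported method gets 405 with the Allow header RFC 9110 requires.
    if method == "OPTIONS":
        return Response(204, {"Allow": allow}, None)
    if method not in methods:
        return Response(405, {"Allow": allow}, {"Error": "method not allowed"})

    # Gate 3: credential. Checked before any other header so an
    # unauthenticated client sees 401, not a schema complaint.
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if token not in VALID_TOKENS:  # a real service verifies a session here
        return Response(401, {"WWW-Authenticate": "Bearer"}, {"Error": "unauthorized"})

    # Gate 4: secondary headers, only for callers that have proven identity.
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        return Response(400, {}, {"Error": "missing headers", "Missing": missing})

    return Response(200, {}, {"handler": methods[method], "params": params})


if __name__ == "__main__":
    item = "/api/pass/v1/share/abc/item"
    print(dispatch("POST", "/api/pass/v1/nope", {}).status)          # 404
    print(dispatch("GET", item, {}).headers)                           # Allow on 405
    print(dispatch("POST", item, {"X-Client-Version": "1"}).status)   # 401, not 400
```

Swapping gates 3 and 4 reproduces the observed behavior: a request with no credential and no secondary header is answered 400, and the 401 only appears once the header is added.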
Context: Encrypted Content Model
Proton Pass is end-to-end encrypted: the server stores ciphertext blobs and never sees plaintext secrets, so the content of an item cannot be semantically validated from outside without knowledge of the client-side encryption format.
Protocol-level structural testing is unaffected by this and still yields deterministic signals.
Conclusion
The findings in this case study are not critical vulnerabilities. They represent structural behavior patterns observable through automated API hygiene testing.
Structural consistency matters — particularly in mature ecosystems where small protocol details accumulate over time.
Rentgen focuses on exposing these signals early, before they become operational noise.