diff --git a/api/v1/credentials/read.php b/api/v1/credentials/read.php
index 51706a1a..b0e041f5 100644
--- a/api/v1/credentials/read.php
+++ b/api/v1/credentials/read.php
@@ -11,7 +11,7 @@ $sql = false;
 if (isset($_GET['login_id']) && isset($_GET['api_key_decrypt_password'])) {
 
     $id = intval($_GET['login_id']);
-    $password = sanitizeInput($_GET['api_key_decrypt_password']);
+    $api_key_decrypt_password = $_GET['api_key_decrypt_password']; // No sanitization
 
     $sql = mysqli_query($mysqli, "SELECT * FROM logins WHERE login_id = '$id' AND login_client_id LIKE '$client_id' LIMIT 1");
 
@@ -26,12 +26,14 @@ if (isset($_GET['login_id']) && isset($_GET['api_key_decrypt_password'])) {
 // Usually we just output what is in the database, but credentials need to be decrypted first.
 
 if ($sql && mysqli_num_rows($sql) > 0) {
+
     $return_arr['success'] = "True";
     $return_arr['count'] = mysqli_num_rows($sql);
 
     $row = array();
     while ($row = mysqli_fetch_array($sql)) {
-        //$row['login_username'] = //decrypt
+        $row['login_username'] = apiDecryptLoginEntry($row['login_username'], $api_key_decrypt_hash, $api_key_decrypt_password);
+        $row['login_password'] = apiDecryptLoginEntry($row['login_password'], $api_key_decrypt_hash, $api_key_decrypt_password);
         $return_arr['data'][] = $row;
     }
 
diff --git a/api/v1/validate_api_key.php b/api/v1/validate_api_key.php
index 010bab0a..9cec942c 100644
--- a/api/v1/validate_api_key.php
+++ b/api/v1/validate_api_key.php
@@ -88,6 +88,7 @@ if (isset($api_key)) {
         // Set client ID, company ID & key name
         $row = mysqli_fetch_array($sql);
         $api_key_name = htmlentities($row['api_key_name']);
+        $api_key_decrypt_hash = $row['api_key_decrypt_hash']; // No sanitization
         $client_id = intval($row['api_key_client_id']);
 
         // Set limit & offset for queries
diff --git a/functions.php b/functions.php
index 3e39c957..4f3850f4 100644
--- a/functions.php
+++ b/functions.php
@@ -380,6 +380,21 @@ function encryptLoginEntry($login_password_cleartext)
     return $iv . $ciphertext;
 }
 
+function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key_decrypt_password)
+{
+    // TODO: try marking $api_key_decrypt_password as sensitive
+
+    // Split the login entry (username/password) into IV and Ciphertext
+    $login_iv =  substr($login_ciphertext, 0, 16);
+    $login_ciphertext = $salt = substr($login_ciphertext, 16);
+
+    // Decrypt the api hash to get the master key
+    $site_encryption_master_key = decryptUserSpecificKey($api_key_decrypt_hash, $api_key_decrypt_password);
+
+    // Decrypt the login password using the master key
+    return openssl_decrypt($login_ciphertext, 'aes-128-cbc', $site_encryption_master_key, 0, $login_iv);
+}
+
 // Get domain general info (whois + NS/A/MX records)
 function getDomainRecords($name)
 {