diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 6e361724ea..0160b5e90b 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1716,6 +1716,17 @@ class JobLaunchSerializer(BaseSerializer):
         read_only_fields = ('ask_variables_on_launch',)
         write_only_fields = ('credential','extra_vars',)
 
+    def to_native(self, obj):
+        res = super(JobLaunchSerializer, self).to_native(obj)
+        view = self.context.get('view', None)
+        if obj and hasattr(view, '_raw_data_form_marker'):
+            if obj.passwords_needed_to_start:
+                password_keys = dict([(p, u'') for p in obj.passwords_needed_to_start])
+                res.update(password_keys)
+            if self.get_credential_needed_to_start(obj) is True:
+                res.update(dict(credential=''))
+        return res
+
     def get_credential_needed_to_start(self, obj):
         return not (obj and obj.credential and obj.credential.active)
 
@@ -1732,6 +1743,20 @@ class JobLaunchSerializer(BaseSerializer):
         attrs[source] = credential
         return attrs
 
+    def validate_passwords_needed_to_start(self, attrs, source):
+        obj = self.context.get('obj')
+        passwords = self.context.get('passwords')
+        data = self.context.get('data')
+
+        # fill passwords dict with request data passwords
+        if obj.passwords_needed_to_start:
+            try:
+                for p in obj.passwords_needed_to_start:
+                    passwords[p] = data.get(p)
+            except KeyError:
+                raise serializers.ValidationError(obj.passwords_needed_to_start)
+        return attrs
+
     def validate_extra_vars(self, attrs, source):
         extra_vars = attrs.get(source, {})
         if not extra_vars:
diff --git a/awx/api/views.py b/awx/api/views.py
index 3c87ba613f..699f816e9f 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1448,7 +1448,8 @@ class JobTemplateLaunch(RetrieveAPIView, GenericAPIView):
         if 'credential' not in request.DATA and 'credential_id' in request.DATA:
             request.DATA['credential'] = request.DATA['credential_id']
 
-        serializer = self.serializer_class(data=request.DATA, context={'obj': obj})
+        passwords = {}
+        serializer = self.serializer_class(data=request.DATA, context={'obj': obj, 'data': request.DATA, 'passwords': passwords})
         if not serializer.is_valid():
             return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
@@ -1456,6 +1457,8 @@ class JobTemplateLaunch(RetrieveAPIView, GenericAPIView):
             'credential': serializer.object.credential.pk,
             'extra_vars': serializer.object.extra_vars
         }
+        kv.update(passwords)
+
         new_job = obj.create_unified_job(**kv)
         result = new_job.signal_start(**kv)
         if not result:
diff --git a/awx/main/tests/jobs/jobs_monolithic.py b/awx/main/tests/jobs/jobs_monolithic.py
index 65d0e7aa66..b4c6c554f6 100644
--- a/awx/main/tests/jobs/jobs_monolithic.py
+++ b/awx/main/tests/jobs/jobs_monolithic.py
@@ -482,24 +482,37 @@ class JobTemplateTest(BaseJobTestMixin, django.test.TestCase):
         # Invalid auth can't trigger the launch endpoint
         self.check_invalid_auth(launch_url, {}, methods=('post',))
 
+        # Implicit, attached credentials
         with self.current_user(self.user_sue):
             response = self.post(launch_url, {}, expect=202)
             j = Job.objects.get(pk=response['job'])
             self.assertTrue(j.status == 'new')
 
+        # Explicit, override credentials
         with self.current_user(self.user_sue):
             response = self.post(launch_url, {'credential': self.cred_doug.pk}, expect=202)
             j = Job.objects.get(pk=response['job'])
             self.assertTrue(j.status == 'new')
+            self.assertEqual(j.credential.pk, self.cred_doug.pk)
+
+        # Explicit, override credentials
+        with self.current_user(self.user_sue):
+            response = self.post(launch_url, {'credential_id': self.cred_doug.pk}, expect=202)
+            j = Job.objects.get(pk=response['job'])
+            self.assertTrue(j.status == 'new')
+            self.assertEqual(j.credential.pk, self.cred_doug.pk)
 
         # Can't launch a job template without a credential defined (or if we
         # pass an invalid/inactive credential value).
         with self.current_user(self.user_sue):
             response = self.post(no_launch_url, {}, expect=400)
             response = self.post(no_launch_url, {'credential': 0}, expect=400)
+            response = self.post(no_launch_url, {'credential_id': 0}, expect=400)
             response = self.post(no_launch_url, {'credential': 'one'}, expect=400)
+            response = self.post(no_launch_url, {'credential_id': 'one'}, expect=400)
             self.cred_doug.mark_inactive()
             response = self.post(no_launch_url, {'credential': self.cred_doug.pk}, expect=400)
+            response = self.post(no_launch_url, {'credential_id': self.cred_doug.pk}, expect=400)
 
         # Job Templates without projects can not be launched
         with self.current_user(self.user_sue):