Bitwarden MCP Server

Local-first MCP server for Bitwarden. Manage vault items, generate passwords, share secrets via Send, and administer organizations through the Bitwarden CLI and public API.

Overview

The Bitwarden MCP Server is an official Model Context Protocol implementation from Bitwarden that lets AI assistants interact securely with a Bitwarden vault and, optionally, with organization administration features. It wraps the Bitwarden CLI for vault operations (logins, notes, cards, identities, folders, attachments, and Send) and the Bitwarden public API for org admin operations (collections, members, groups, policies, events, subscription).

Capabilities cover the full lifecycle of vault items: unlock/lock sessions, create/edit/delete items and folders, attach files, move items between vaults, confirm pending invites, generate passwords and TOTP codes, and create ephemeral text or file Sends. For Teams or Enterprise customers, the same server exposes administrative tools to manage members, groups, collections, policies, and audit events through the public API.

The server is explicitly designed for local-only use. The README warns that it should never be hosted publicly or exposed over a network, since it operates on highly sensitive credentials. Authentication uses a CLI session token (BW_SESSION) for vault ops and organization API client credentials (BW_CLIENT_ID / BW_CLIENT_SECRET) for admin ops.

Tools

Tool                         Description
----                         -----------
lock                         Lock the Bitwarden vault, clearing the active session.
unlock                       Unlock the vault and obtain a session token.
sync                         Sync the local vault with the Bitwarden server.
status                       Report current CLI/vault status and auth state.
list                         List items, folders, collections, or organizations from the vault.
get                          Retrieve a vault item, password, username, TOTP, or attachment.
generate                     Generate a password or passphrase with configurable rules.
create_item                  Create a vault item (login, secure note, card, identity).
edit_item                    Edit an existing vault item.
delete                       Delete an item, folder, attachment, or other object.
restore                      Restore a previously deleted item from the trash.
create_folder                Create a new folder in the personal vault.
edit_folder                  Rename or update a folder.
create_attachment            Attach a file to an existing vault item.
create_org_collection        Create a collection inside an organization (CLI).
edit_org_collection          Edit an organization collection (CLI).
edit_item_collections        Assign or move an item between organization collections.
move                         Move a personal item into an organization.
confirm                      Confirm a pending organization member invitation.
device_approval_list         List pending device approval requests for an org.
device_approval_approve      Approve a pending device approval request.
device_approval_approve_all  Approve all pending device approval requests.
device_approval_deny         Deny a pending device approval request.
device_approval_deny_all     Deny all pending device approval requests.
create_text_send             Create an ephemeral text Send for secure sharing.
create_file_send             Create an ephemeral file Send.
list_send                    List existing Sends.
get_send                     Retrieve a specific Send.
edit_send                    Update an existing Send.
delete_send                  Delete a Send.
remove_send_password         Remove the password protection from a Send.
list_org_collections         List organization collections via public API.
get_org_collection           Get a single organization collection.
update_org_collection        Update an organization collection.
delete_org_collection        Delete an organization collection.
list_org_members             List members of an organization.
get_org_member               Get a single member of an organization.
invite_org_member            Invite a new member to the organization.
update_org_member            Update a member's role or collections.
remove_org_member            Remove a member from the organization.
reinvite_org_member          Resend an invitation to a pending member.
get_org_member_groups        List groups a member belongs to.
update_org_member_groups     Update the groups a member belongs to.
list_org_groups              List organization groups.
get_org_group                Get a single organization group.
create_org_group             Create a new organization group.
update_org_group             Update an organization group.
delete_org_group             Delete an organization group.
get_org_group_members        List members of a group.
update_org_group_members     Set the member list for a group.
list_org_policies            List organization security policies.
get_org_policy               Get a specific organization policy.
update_org_policy            Enable, disable, or configure an organization policy.
get_org_events               Retrieve organization audit/event logs.
get_org_subscription         Get billing/subscription details for an organization.
update_org_subscription      Update subscription seat counts or settings.
import_org_users_and_groups  Bulk import users and groups into an organization.

Setup Guide

Prerequisites

  • Node.js 22 or higher
  • Bitwarden CLI installed (npm install -g @bitwarden/cli)
  • An active Bitwarden account
  • For admin tools: a Teams or Enterprise organization with API credentials

Get a vault session token

Log in and unlock the CLI to obtain a session token:

bw login
bw unlock --raw

Copy the returned token; you will pass it as BW_SESSION.

Get organization API credentials (optional)

In the Bitwarden Web Vault, open your organization's Settings, then "API Key". You will get a client_id and client_secret. These map to BW_CLIENT_ID and BW_CLIENT_SECRET.

Claude Desktop config

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "bitwarden": {
      "command": "npx",
      "args": ["-y", "@bitwarden/mcp-server"],
      "env": {
        "BW_SESSION": "your-session-token",
        "BW_CLIENT_ID": "organization.your-client-id",
        "BW_CLIENT_SECRET": "your-client-secret"
      }
    }
  }
}

Environment variables

  • BW_SESSION (required for vault ops): CLI session token from bw unlock --raw
  • BW_CLIENT_ID (required for org admin): organization API client ID
  • BW_CLIENT_SECRET (required for org admin): organization API client secret
  • BW_API_BASE_URL (optional): self-hosted API endpoint
  • BW_IDENTITY_URL (optional): self-hosted identity endpoint
  • BW_ALLOWED_DIRECTORIES (required for file tools): directories the server may read/write for attachments and file Sends

Security note

The README states this MCP server is for local use only and must never be hosted publicly or exposed over a network. Protect any config files that contain the session token or API credentials.
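As an added example (not code from the page or from the Bitwarden project), the following Python pre-flight check ties the setup steps and the security note together: it inspects the "bitwarden" entry of a claude_desktop_config.json before the server is launched, flags placeholder values left from the sample config, confirms that admin credentials look like an organization API key (the "organization." prefix shown in the sample), checks that BW_ALLOWED_DIRECTORIES confines file tools to absolute, non-root directories, and checks that the config file itself is readable by its owner only. The placeholder strings and the "organization." prefix come from the sample config above; the assumption that BW_ALLOWED_DIRECTORIES is a comma-separated list, the function names, and the sample paths are mine.

```python
"""Pre-flight check for a Bitwarden MCP Server entry in claude_desktop_config.json.

Added example, not part of @bitwarden/mcp-server. Assumes BW_ALLOWED_DIRECTORIES
holds a comma-separated list of absolute directories.
"""
import json
import stat
from pathlib import Path

# Placeholder values copied from the sample config; they must never ship as-is.
PLACEHOLDERS = {"your-session-token", "organization.your-client-id", "your-client-secret"}


def entry_problems(config: dict, want_admin: bool = False, want_files: bool = False) -> list[str]:
    """Return findings for the 'bitwarden' mcpServers entry; an empty list means OK."""
    problems: list[str] = []
    server = config.get("mcpServers", {}).get("bitwarden")
    if not isinstance(server, dict):
        return ["no 'bitwarden' entry under mcpServers"]
    if "@bitwarden/mcp-server" not in server.get("args", []):
        problems.append("args do not launch @bitwarden/mcp-server")
    env = server.get("env") or {}

    def present(key: str) -> bool:
        value = env.get(key)
        return bool(value) and value not in PLACEHOLDERS

    # Vault tools need the CLI session token from `bw unlock --raw`.
    if not present("BW_SESSION"):
        problems.append("BW_SESSION missing or still the placeholder value")
    # Org admin tools additionally need the organization API credentials.
    if want_admin:
        for key in ("BW_CLIENT_ID", "BW_CLIENT_SECRET"):
            if not present(key):
                problems.append(f"{key} missing or still the placeholder value")
    # Organization API client IDs carry an 'organization.' prefix (see the sample config).
    client_id = env.get("BW_CLIENT_ID")
    if client_id and not client_id.startswith("organization."):
        problems.append("BW_CLIENT_ID does not look like an organization API key ('organization.' prefix expected)")
    # File tools (attachments, file Sends) are confined to BW_ALLOWED_DIRECTORIES.
    # Assumption: comma-separated list of absolute paths, none of them the filesystem root.
    allowed = env.get("BW_ALLOWED_DIRECTORIES")
    if want_files and not allowed:
        problems.append("BW_ALLOWED_DIRECTORIES not set but file tools are wanted")
    for raw in (allowed or "").split(","):
        d = raw.strip()
        if not d:
            continue
        p = Path(d)
        if not p.is_absolute():
            problems.append(f"allowed directory is not absolute: {d}")
        elif p.parent == p:
            problems.append(f"allowed directory is the filesystem root: {d}")
    return problems


def mode_problems(mode: int) -> list[str]:
    """Findings for the config file's permission bits: it holds secrets, so owner-only access."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"config file is group/world accessible (mode {stat.S_IMODE(mode):04o}); use chmod 600"]
    return []


def check_config_file(path: str, want_admin: bool = False, want_files: bool = False) -> list[str]:
    """Load a config file from disk and run both checks on it."""
    p = Path(path)
    config = json.loads(p.read_text(encoding="utf-8"))
    return mode_problems(p.stat().st_mode) + entry_problems(config, want_admin, want_files)


# Constructed sample: the page's config with the placeholders still in place.
SAMPLE_CONFIG = {
    "mcpServers": {
        "bitwarden": {
            "command": "npx",
            "args": ["-y", "@bitwarden/mcp-server"],
            "env": {
                "BW_SESSION": "your-session-token",
                "BW_CLIENT_ID": "organization.your-client-id",
                "BW_CLIENT_SECRET": "your-client-secret",
            },
        }
    }
}

if __name__ == "__main__":
    for finding in entry_problems(SAMPLE_CONFIG, want_admin=True, want_files=True):
        print("-", finding)
```

Run it against a real path with `check_config_file("/path/to/claude_desktop_config.json", want_admin=True)` after filling in the values; the unmodified sample above yields four findings (three placeholders plus the missing BW_ALLOWED_DIRECTORIES), and a file left at the default mode 0644 yields a fifth.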

Use Cases

  • Retrieve a credential from your vault on demand during an AI-driven workflow without exposing it in chat history beyond the assistant's local context.
  • Generate strong passwords or passphrases to specific complexity rules and save them as new login items.
  • Create ephemeral Bitwarden Send links (text or file) to securely share a one-time secret with a teammate, then expire it.
  • Administer a Teams or Enterprise org: invite members, assign them to groups and collections, and confirm pending invites.
  • Audit organization activity by pulling event logs and reviewing or updating security policies.

Example Prompts

  • "Unlock my vault, then get the password for the 'AWS Production Root' login."
  • "Generate a 32 character password with symbols and create a new login item for 'GitLab CI Bot'."
  • "Create a one-time text Send containing this API key that expires in 24 hours and requires a password."
  • "List all pending device approval requests for my organization and approve the ones from known users."
  • "Pull the last 7 days of organization events and summarize any failed logins or policy violations."

Pros

  • Official server maintained by Bitwarden, so it tracks CLI and API changes directly.
  • Very broad tool coverage: vault items, folders, attachments, Send, device approvals, and full org admin (members, groups, policies, events, subscription).
  • Works with self-hosted Bitwarden via BW_API_BASE_URL and BW_IDENTITY_URL.
  • Distributed as an npm package (@bitwarden/mcp-server), so setup is a single npx line.

Limitations

  • Local-only by design: cannot be hosted as a shared remote MCP server, which limits team/agent deployment patterns.
  • Requires the Bitwarden CLI installed separately and a manually obtained BW_SESSION token that must be refreshed when the vault locks.
  • Organization administration tools require a paid Teams or Enterprise plan with API credentials.

Alternatives

  • 1Password MCP server for similar secret retrieval backed by 1Password.
  • HashiCorp Vault integrations for infrastructure-grade secrets, used via community MCP wrappers.
  • Doppler and similar secrets managers exposed through generic CLI-based MCP servers.