| name | bw-cli |
| description | Interact with Bitwarden password manager using the bw CLI. Covers authentication (login/unlock/logout/status), vault operations (list/get/create/edit/delete/restore items, folders, attachments, collections), password/passphrase generation, organization management, and Send/receive. Use for "bitwarden", "bw", "password safe", "vaultwarden", "vault", "password manager", "generate password", "get password", "unlock vault", "share send". |
| metadata | {"author":"tfm","version":"1.9.0","docs":"https://bitwarden.com/help/cli/","docs-md":"https://bitwarden.com/help/cli.md","api-key-docs":"https://bitwarden.com/help/personal-api-key/"} |
Bitwarden CLI
Complete reference for interacting with Bitwarden via the command-line interface.
Official documentation: https://bitwarden.com/help/cli/
Markdown version (for agents): https://bitwarden.com/help/cli.md
Quick Reference
Installation
npm install -g @bitwarden/cli
choco install bitwarden-cli
snap install bw
Authentication Flow (Preferred: Unlock First)
Standard-Workflow (unlock-first):
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)
if [ -z "$BW_SESSION" ]; then
bw login "$BW_EMAIL" "$BW_PASSWORD"
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
fi
bw sync
bw lock
bw logout
Alternative: Direct login methods
bw login
bw login --apikey
bw login --sso
bw unlock
bw unlock --passwordenv BW_PASSWORD
Session & Configuration Commands
status
Check authentication and vault status:
bw status
Returns: unauthenticated, locked, or unlocked.
config
Configure CLI settings:
bw config server https://vault.example.com
bw config server https://vault.bitwarden.eu
bw config server
bw config server --web-vault <url> --api <url> --identity <url>
sync
Sync local vault with server (always run before vault operations):
bw sync
bw sync --last
update
Check for updates (does not auto-install):
bw update
serve
Start REST API server:
bw serve --port 8087 --hostname localhost
Vault Item Commands
list
List vault objects:
bw list items
bw list items --search github
bw list items --folderid <id> --collectionid <id>
bw list items --url https://example.com
bw list items --trash
bw list folders
bw list collections
bw list org-collections --organizationid <id>
bw list organizations
bw list org-members --organizationid <id>
get
Retrieve single values or items:
bw get password "GitHub"
bw get username "GitHub"
bw get totp "GitHub"
bw get notes "GitHub"
bw get uri "GitHub"
bw get item "GitHub"
bw get item <uuid> --pretty
bw get folder <id>
bw get collection <id>
bw get organization <id>
bw get org-collection <id> --organizationid <id>
bw get template item
bw get template item.login
bw get template item.card
bw get template item.identity
bw get template item.securenote
bw get template folder
bw get template collection
bw get template item-collections
bw get fingerprint <user-id>
bw get fingerprint me
bw get exposed <password>
bw get attachment <filename> --itemid <id> --output /path/
create
Create new objects:
bw get template folder | jq '.name="Work"' | bw encode | bw create folder
bw get template item | jq \
'.name="Service" | .login=$(bw get template item.login | jq '.username="user@example.com" | .password="secret"')' \
| bw encode | bw create item
bw get template item | jq \
'.type=2 | .secureNote.type=0 | .name="Note" | .notes="Content"' \
| bw encode | bw create item
bw get template item | jq \
'.type=3 | .name="My Card" | .card=$(bw get template item.card | jq '.number="4111..."')' \
| bw encode | bw create item
bw get template item | jq \
'.type=4 | .name="My Identity" | .identity=$(bw get template item.identity)' \
| bw encode | bw create item
bw get template item | jq \
'.type=5 | .name="My SSH Key"' \
| bw encode | bw create item
bw create attachment --file ./doc.pdf --itemid <uuid>
Item types: 1=Login, 2=Secure Note, 3=Card, 4=Identity, 5=SSH Key.
edit
Modify existing objects:
bw get item <id> | jq '.login.password="newpass"' | bw encode | bw edit item <id>
bw get folder <id> | jq '.name="New Name"' | bw encode | bw edit folder <id>
echo '["collection-uuid"]' | bw encode | bw edit item-collections <item-id> --organizationid <id>
bw get org-collection <id> --organizationid <id> | jq '.name="New Name"' | bw encode | bw edit org-collection <id> --organizationid <id>
delete
Remove objects:
bw delete item <id>
bw delete folder <id>
bw delete attachment <id> --itemid <id>
bw delete org-collection <id> --organizationid <id>
bw delete item <id> --permanent
restore
Recover from trash:
bw restore item <id>
Password Generation
generate
Generate passwords or passphrases:
bw generate
bw generate --uppercase --lowercase --number --special --length 20
bw generate -ulns --length 32
bw generate --passphrase --words 4 --separator "-" --capitalize --includeNumber
Send Commands (Secure Sharing)
send
Create ephemeral shares:
bw send -n "Secret" -d 7 --hidden "This text vanishes in 7 days"
bw send -n "Doc" -d 14 -f /path/to/file.pdf
bw send --password accesspass -f file.txt
receive
Access received Sends:
bw receive <url> --password <pass>
Organization Commands
move
Share items to organization:
echo '["collection-uuid"]' | bw encode | bw move <item-id> <organization-id>
confirm
Confirm invited members:
bw get fingerprint <user-id>
bw confirm org-member <user-id> --organizationid <id>
device-approval
Manage device approvals:
bw device-approval list --organizationid <id>
bw device-approval approve <request-id> --organizationid <id>
bw device-approval approve-all --organizationid <id>
bw device-approval deny <request-id> --organizationid <id>
bw device-approval deny-all --organizationid <id>
Import & Export
import
Import from other password managers:
bw import --formats
bw import lastpasscsv ./export.csv
bw import bitwardencsv ./import.csv --organizationid <id>
export
Export vault data:
bw export
bw export --format json
bw export --format encrypted_json
bw export --format encrypted_json --password <custom-pass>
bw export --format zip
bw export --output /path/ --raw
bw export --organizationid <id> --format json
Utilities
encode
Base64 encode JSON for create/edit operations:
bw get template folder | jq '.name="Test"' | bw encode | bw create folder
generate (password)
See Password Generation.
Global Options
Available on all commands:
--pretty
--raw
--response
--quiet
--nointeraction
--session <key>
--version
--help
Security Reference
Secure Password Storage (Workspace .secrets)
Store the master password in a .secrets file in the workspace root and auto-load it:
mkdir -p ~/.openclaw/workspace
echo "BW_PASSWORD=your_master_password" > ~/.openclaw/workspace/.secrets
chmod 600 ~/.openclaw/workspace/.secrets
echo ".secrets" >> ~/.openclaw/workspace/.gitignore
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.bashrc
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.zshrc
Now BW_PASSWORD is always available:
bw unlock --passwordenv BW_PASSWORD
Security requirements:
- File must be mode
600 (user read/write only)
- Must add
.secrets to .gitignore
- Never commit the .secrets file
- Auto-sourcing happens on new shell sessions; run
source ~/.openclaw/workspace/.secrets for current session
API Key Authentication (Workspace .secrets)
For automated/API key login, store credentials in the same .secrets file:
echo "BW_CLIENTID=user.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" >> ~/.openclaw/workspace/.secrets
echo "BW_CLIENTSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" >> ~/.openclaw/workspace/.secrets
chmod 600 ~/.openclaw/workspace/.secrets
Login with API key:
bw login --apikey
⚠️ Known Issue / Workaround
On some self-hosted Vaultwarden instances, bw login --apikey may fail with:
User Decryption Options are required for client initialization
Workaround - Use Email/Password Login:
echo "BW_EMAIL=your@email.com" >> ~/.openclaw/workspace/.secrets
bw login "$BW_EMAIL" "$BW_PASSWORD"
set -a && source ~/.openclaw/workspace/.secrets && set +a && bw login "$BW_EMAIL" "$BW_PASSWORD"
bw unlock --passwordenv BW_PASSWORD
Full workflow (recommended for self-hosted):
set -a && source ~/.openclaw/workspace/.secrets && set +a
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)
if [ -z "$BW_SESSION" ]; then
bw login "$BW_EMAIL" "$BW_PASSWORD"
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
fi
bw sync
bw list items
Get your API key: https://bitwarden.com/help/personal-api-key/
Environment Variables
BW_CLIENTID
BW_CLIENTSECRET
BW_PASSWORD
BW_SESSION
BITWARDENCLI_DEBUG=true
NODE_EXTRA_CA_CERTS
BITWARDENCLI_APPDATA_DIR
Two-Step Login Methods
Method values: 0=Authenticator, 1=Email, 3=YubiKey.
bw login user@example.com password --method 0 --code 123456
URI Match Types
Values: 0=Domain, 1=Host, 2=Starts With, 3=Exact, 4=Regex, 5=Never.
Field Types
Values: 0=Text, 1=Hidden, 2=Boolean.
Organization User Types
0=Owner, 1=Admin, 2=User, 3=Manager, 4=Custom.
Organization User Statuses
0=Invited, 1=Accepted, 2=Confirmed, -1=Revoked.
Best Practices
- Unlock first, login only if needed: Try
bw unlock first as it's faster; only run bw login if unlock fails (vault not initialized)
- Always sync: Run
bw sync before any vault operation
- Secure session: Use
bw lock when done
- Protect secrets: Never log BW_SESSION or BW_PASSWORD
- Secure storage: Keep .secrets file at mode 600, never commit it
- Auto-source: Add to ~/.bashrc or ~/.zshrc for persistent env vars
- Verify fingerprints: Before confirming org members
Troubleshooting
| Issue | Solution |
|---|
| "Bot detected" | Use --apikey or provide client_secret |
| "Vault is locked" | Run bw unlock and export BW_SESSION |
| Self-signed cert error | Set NODE_EXTRA_CA_CERTS |
| Need debug info | export BITWARDENCLI_DEBUG=true |
References:
