The Bitwarden Blog
Bringing a RESTful API to the Bitwarden CLI
Bitwarden began with an open source approach that remains today, designed by developers and with other developers in mind. Through an engaged open source development community, Bitwarden has been able to integrate community feedback and contributions into our product.
In the spirit of our continued support of the developer community, Bitwarden now has a new feature for the Command Line Interface (CLI) to make IT professionals' workflows easier: the ability to invoke a RESTful API providing access to an encrypted vault.
Every business operates differently and has unique needs or methods for integrating with Bitwarden. Bitwarden itself already provides several integration methods, the most common are user management and directory integrations.
Sometimes a business might need to integrate or automate management of encrypted vault data. However, due to the nature of the Bitwarden end-to-end encryption design, all operations that deal with vault data need to take place within an authenticated client environment. These operations cannot simply be hosted and called on a public server API. To date, this means that any programmatic integration on encrypted items required the Bitwarden CLI vault management commands to be executed as a binary.
Many developers building integrated tools expect a RESTful API for consistency across their applications. RESTful APIs are language agnostic and are what most developers seek.
With the latest CLI release, Bitwarden provides a way to serve a RESTful API from the CLI, preserving an end-to-end encrypted environment. Executing the
serve command will spin up a HTTP web server hosting the API locally, as a client, allowing the execution of encrypted operations.
bw serve --port <number> --hostname <hostname>
Now it’s possible to call localhost on the port, for example, GET /object/item <id> from an HTTP interface. Most of the existing CLI commands have been translated into RESTful endpoints which should be familiar and intuitive for developers. A list of the RESTful endpoints and additional documentation regarding the new
serve command can be found on the Bitwarden Help Center.
The support for a RESTful API opens possibilities for new levels of integration. An instance can run on a local machine, or within a private network that allows for several applications to connect with a central web server for programmatic access to a Bitwarden vault.
One scenario where this would be useful is new employee onboarding. You may want to provision them in your directory, the accounts they belong to, and create for them a Bitwarden account to grant them access to all of the logins they need on Day 1. You could implement this in an automated fashion with the RESTful API endpoints provided by
We can’t wait to see what our developer community does with this new feature. Share your creative setups and uses on our Bitwarden community forum - we would love to hear what you’re doing!
Editor's note: Updated on 4/26/22 with added --hostname functionality
On this page
Back to Blog