Secrets Manager can use access tokens, in addition to master passwords, to decrypt vault secrets. Specifically, this is done in secrets injection scenarios like the examples here.
Conceptually, access tokens consist of two component pieces:
An API key, containing a client id and secret for authentication with Bitwarden servers.
A unique encryption key, which will be used to decrypt an encrypted payload containing your organization symmetric encryption key.
When an access token is used, for example when authenticating a CLI command like
bws get secret:
A request is sent to Bitwarden servers containing the API key's client id and client secret.
Bitwarden servers use these credentials to authenticate the client session, and send a response containing an encrypted payload. This encrypted payload contains the organization symmetric key.
Once received, the organization symmetric key is decrypted locally using the access token's unique encryption key.
A subsequent request is sent to Bitwarden APIs for the data called for in the
bwscommand, for example a secret.
Bitwarden determines whether the called-for data can be provided based on a service account identifier in the request. If yes, a response is sent to the client with the encrypted data.
The data is decrypted locally using the organization symmetric key. Relevant values are used however you're using Secrets Manager, for example saving a decrypted
"key": ""value to an environment variable.