
bitwarden-vault

Bitwarden CLI setup, authentication.


Installation

npx clawhub@latest install bitwarden-vault

View the full skill documentation and source below.

Documentation

Bitwarden CLI Skill

The Bitwarden command-line interface (CLI) provides full access to your Bitwarden vault for retrieving passwords, secure notes, and other secrets programmatically.

Workflow Requirements

CRITICAL: Always run bw commands inside a dedicated tmux session. The CLI requires a session key (BW_SESSION) for all vault operations after authentication. A tmux session preserves this environment variable across commands.

Required Workflow

  • Verify CLI installation: Run bw --version to confirm the CLI is available

  • Create a dedicated tmux session: tmux new-session -d -s bw-session

  • Attach and authenticate: Run bw login or bw unlock inside the session

  • Export session key: After unlock, export BW_SESSION as instructed by the CLI

  • Execute vault commands: Use bw get, bw list, etc. within the same session

    Authentication Methods

    Method          Command            Use Case
    Email/Password  bw login           Interactive sessions, first-time setup
    API Key         bw login --apikey  Automation, scripts (requires separate unlock)
    SSO             bw login --sso     Enterprise/organization accounts

    After bw login with email/password, your vault is automatically unlocked. For API key or SSO login, you must subsequently run bw unlock to decrypt the vault.

    Session Key Management

    The unlock command outputs a session key. You must export it:

    # Bash/Zsh
    export BW_SESSION="<session_key_from_unlock>"
    
    # Or capture automatically
    export BW_SESSION="$(bw unlock --raw)"

    Session keys remain valid until you run bw lock or bw logout. They do not persist across terminal windows—hence the tmux requirement.

    Reading Secrets

    # Get password by item name
    bw get password "GitHub"
    
    # Get username
    bw get username "GitHub"
    
    # Get TOTP code
    bw get totp "GitHub"
    
    # Get full item as JSON
    bw get item "GitHub"
    
    # Get specific field
    bw get item "GitHub" | jq -r '.fields[] | select(.name=="api_key") | .value'
    
    # List all items
    bw list items
    
    # Search items
    bw list items --search "github"

    Security Guardrails

    • NEVER expose secrets in logs, code, or command output visible to users
    • NEVER write secrets to disk unless absolutely necessary
    • ALWAYS use bw lock when finished with vault operations
    • PREFER reading secrets directly into environment variables or piping to commands
    • If you receive "Vault is locked" errors, re-authenticate with bw unlock
    • If you receive "You are not logged in" errors, run bw login first
    • Stop and request assistance if tmux is unavailable on the system
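
The guardrails above (keep secrets out of visible output, prefer environment variables, lock when finished) can be enforced by one wrapper. This is an added example, not part of the skill's own source; `vault_state` and `run_with_secret` are hypothetical helper names, and the code assumes `bw status` prints JSON with a `status` field.

```bash
#!/usr/bin/env bash
# Added example, not from the skill; helper names are hypothetical.
# Usage: run_with_secret "GitHub" GITHUB_TOKEN some-command --its-args

# Map `bw status` JSON to one word (assumes a "status" field whose value is
# unlocked, locked or unauthenticated).
vault_state() {
    case "$(bw status 2>/dev/null | tr -d ' \t\n')" in
        *'"status":"unlocked"'*)        echo unlocked ;;
        *'"status":"locked"'*)          echo locked ;;
        *'"status":"unauthenticated"'*) echo unauthenticated ;;
        *)                              echo unknown ;;
    esac
}

# run_with_secret ITEM VAR CMD [ARGS...]
# Runs CMD with the item's password exported as VAR. The secret and
# BW_SESSION live only in a subshell, and nothing is printed or written to disk.
run_with_secret() {
    if [ "$#" -lt 3 ]; then
        echo "usage: run_with_secret ITEM VAR CMD [ARGS...]" >&2; return 2
    fi
    item=$1 var=$2; shift 2
    case "$var" in   # reject anything that is not a plain variable name
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 2 ;;
    esac
    state=$(vault_state)
    if [ "$state" = unauthenticated ] || [ "$state" = unknown ]; then
        echo "not logged in: run bw login first" >&2; return 2
    fi
    (
        if [ "$state" = locked ]; then
            # We unlock here, so we also lock on every exit path.
            trap 'bw lock >/dev/null 2>&1' EXIT
            BW_SESSION=$(bw unlock --raw) || exit 3
            export BW_SESSION
        fi
        secret=$(bw get password "$item") || exit 4
        export "$var=$secret"   # builtin: the value never appears in argv
        unset secret
        "$@"
    )
}
```

A vault that was already unlocked by the caller is left unlocked, so an existing tmux session keeps working; only an unlock performed by the wrapper is followed by `bw lock`.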

    Environment Variables

    Variable                  Purpose
    BW_SESSION                Session key for vault decryption (required for all vault commands)
    BW_CLIENTID               API key client ID (for --apikey login)
    BW_CLIENTSECRET           API key client secret (for --apikey login)
    BITWARDENCLI_APPDATA_DIR  Custom config directory (enables multi-account setups)

    Self-Hosted Servers

    For Vaultwarden or self-hosted Bitwarden:

    bw config server

    Reference Documentation

    • Get Started Guide - Installation and initial setup
    • CLI Examples - Common usage patterns and advanced operations