bw-cliSecurely interact with Bitwarden password manager via the bw CLI. Covers authentication (login/unlock/logout), vault operations (list/get/create/edit/delete...
Install via ClawdBot CLI:
clawdbot install 0x7466/bw-cliComplete reference for interacting with Bitwarden via the command-line interface.
Official documentation: https://bitwarden.com/help/cli/
Markdown version (for agents): https://bitwarden.com/help/cli.md
# Native executable (recommended)
# https://bitwarden.com/download/?app=cli
# npm
npm install -g @bitwarden/cli
# Linux package managers
choco install bitwarden-cli # Windows via Chocolatey
snap install bw # Linux via SnapStandard-Workflow (unlock-first):
# 1. Try unlock first (fast, most common case)
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)
# 2. Only if unlock fails, fall back to login
if [ -z "$BW_SESSION" ]; then
bw login "$BW_EMAIL" "$BW_PASSWORD"
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
fi
# 3. Sync before any vault operation
bw sync
# 4. End session
bw lock # Lock (keep login)
bw logout # Complete logoutAlternative: Direct login methods
bw login # Interactive login (email + password)
bw login --apikey # API key login (uses BW_CLIENTID/BW_CLIENTSECRET from .secrets)
bw login --sso # SSO login
bw unlock # Interactive unlock
bw unlock --passwordenv BW_PASSWORD # Auto-available from sourced .secretsCheck authentication and vault status:
bw statusReturns: unauthenticated, locked, or unlocked.
Configure CLI settings:
# Set server (self-hosted or regional)
bw config server https://vault.example.com
bw config server https://vault.bitwarden.eu # EU cloud
bw config server # Check current
# Individual service URLs
bw config server --web-vault <url> --api <url> --identity <url>Sync local vault with server (always run before vault operations):
bw sync # Full sync
bw sync --last # Show last sync timestampCheck for updates (does not auto-install):
bw updateStart REST API server:
bw serve --port 8087 --hostname localhostList vault objects:
# Items
bw list items
bw list items --search github
bw list items --folderid <id> --collectionid <id>
bw list items --url https://example.com
bw list items --trash # Items in trash
# Folders
bw list folders
# Collections
bw list collections # All collections
bw list org-collections --organizationid <id> # Org collections
# Organizations
bw list organizations
bw list org-members --organizationid <id>Retrieve single values or items:
# Get specific fields (by name or ID)
bw get password "GitHub"
bw get username "GitHub"
bw get totp "GitHub" # 2FA code
bw get notes "GitHub"
bw get uri "GitHub"
# Get full item JSON
bw get item "GitHub"
bw get item <uuid> --pretty
# Other objects
bw get folder <id>
bw get collection <id>
bw get organization <id>
bw get org-collection <id> --organizationid <id>
# Templates for create operations
bw get template item
bw get template item.login
bw get template item.card
bw get template item.identity
bw get template item.securenote
bw get template folder
bw get template collection
bw get template item-collections
# Security
bw get fingerprint <user-id>
bw get fingerprint me
bw get exposed <password> # Check if password is breached
# Attachments
bw get attachment <filename> --itemid <id> --output /path/Create new objects:
# Create folder
bw get template folder | jq '.name="Work"' | bw encode | bw create folder
# Create login item
bw get template item | jq \
'.name="Service" | .login=$(bw get template item.login | jq '.username="user@example.com" | .password="secret"')' \
| bw encode | bw create item
# Create secure note (type=2)
bw get template item | jq \
'.type=2 | .secureNote.type=0 | .name="Note" | .notes="Content"' \
| bw encode | bw create item
# Create card (type=3)
bw get template item | jq \
'.type=3 | .name="My Card" | .card=$(bw get template item.card | jq '.number="4111..."')' \
| bw encode | bw create item
# Create identity (type=4)
bw get template item | jq \
'.type=4 | .name="My Identity" | .identity=$(bw get template item.identity)' \
| bw encode | bw create item
# Create SSH key (type=5)
bw get template item | jq \
'.type=5 | .name="My SSH Key"' \
| bw encode | bw create item
# Attach file to existing item
bw create attachment --file ./doc.pdf --itemid <uuid>Item types: 1=Login, 2=Secure Note, 3=Card, 4=Identity, 5=SSH Key.
Modify existing objects:
# Edit item
bw get item <id> | jq '.login.password="newpass"' | bw encode | bw edit item <id>
# Edit folder
bw get folder <id> | jq '.name="New Name"' | bw encode | bw edit folder <id>
# Edit item collections
echo '["collection-uuid"]' | bw encode | bw edit item-collections <item-id> --organizationid <id>
# Edit org collection
bw get org-collection <id> --organizationid <id> | jq '.name="New Name"' | bw encode | bw edit org-collection <id> --organizationid <id>Remove objects:
# Send to trash (recoverable 30 days)
bw delete item <id>
bw delete folder <id>
bw delete attachment <id> --itemid <id>
bw delete org-collection <id> --organizationid <id>
# Permanent delete (irreversible!)
bw delete item <id> --permanentRecover from trash:
bw restore item <id>Generate passwords or passphrases:
# Password (default: 14 chars)
bw generate
bw generate --uppercase --lowercase --number --special --length 20
bw generate -ulns --length 32
# Passphrase
bw generate --passphrase --words 4 --separator "-" --capitalize --includeNumberCreate ephemeral shares:
# Text Send
bw send -n "Secret" -d 7 --hidden "This text vanishes in 7 days"
# File Send
bw send -n "Doc" -d 14 -f /path/to/file.pdf
# Advanced options
bw send --password accesspass -f file.txtAccess received Sends:
bw receive <url> --password <pass>Share items to organization:
echo '["collection-uuid"]' | bw encode | bw move <item-id> <organization-id>Confirm invited members:
bw get fingerprint <user-id>
bw confirm org-member <user-id> --organizationid <id>Manage device approvals:
bw device-approval list --organizationid <id>
bw device-approval approve <request-id> --organizationid <id>
bw device-approval approve-all --organizationid <id>
bw device-approval deny <request-id> --organizationid <id>
bw device-approval deny-all --organizationid <id>Import from other password managers:
bw import --formats # List supported formats
bw import lastpasscsv ./export.csv
bw import bitwardencsv ./import.csv --organizationid <id>Export vault data:
bw export # CSV format
bw export --format json
bw export --format encrypted_json
bw export --format encrypted_json --password <custom-pass>
bw export --format zip # Includes attachments
bw export --output /path/ --raw # Output to file or stdout
bw export --organizationid <id> --format jsonBase64 encode JSON for create/edit operations:
bw get template folder | jq '.name="Test"' | bw encode | bw create folderSee Password Generation.
Available on all commands:
--pretty # Format JSON output with tabs
--raw # Return raw output
--response # JSON formatted response
--quiet # No stdout (use for piping secrets)
--nointeraction # Don't prompt for input
--session <key> # Pass session key directly
--version # CLI version
--help # Command helpStore the master password in a .secrets file in the workspace root and auto-load it:
# Create .secrets file
mkdir -p ~/.openclaw/workspace
echo "BW_PASSWORD=your_master_password" > ~/.openclaw/workspace/.secrets
chmod 600 ~/.openclaw/workspace/.secrets
# Add to .gitignore
echo ".secrets" >> ~/.openclaw/workspace/.gitignore
# Auto-source in shell config (run once)
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.bashrc
# OR for zsh:
echo 'source ~/.openclaw/workspace/.secrets 2>/dev/null' >> ~/.zshrcNow BW_PASSWORD is always available:
bw unlock --passwordenv BW_PASSWORDSecurity requirements:
600 (user read/write only).secrets to .gitignoresource ~/.openclaw/workspace/.secrets for current sessionFor automated/API key login, store credentials in the same .secrets file:
# Add API credentials to .secrets
echo "BW_CLIENTID=user.xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" >> ~/.openclaw/workspace/.secrets
echo "BW_CLIENTSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" >> ~/.openclaw/workspace/.secrets
chmod 600 ~/.openclaw/workspace/.secretsLogin with API key:
bw login --apikey⚠️ Known Issue / Workaround
On some self-hosted Vaultwarden instances, bw login --apikey may fail with:
User Decryption Options are required for client initializationWorkaround - Use Email/Password Login:
# Add EMAIL to .secrets
echo "BW_EMAIL=your@email.com" >> ~/.openclaw/workspace/.secrets
# Login with email + password (instead of --apikey)
bw login "$BW_EMAIL" "$BW_PASSWORD"
# Or as one-liner
set -a && source ~/.openclaw/workspace/.secrets && set +a && bw login "$BW_EMAIL" "$BW_PASSWORD"
# Then unlock as usual
bw unlock --passwordenv BW_PASSWORDFull workflow (recommended for self-hosted):
# Source the .secrets file
set -a && source ~/.openclaw/workspace/.secrets && set +a
# Try unlock first (faster, works if already logged in)
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw 2>/dev/null)
# Only login if unlock failed (vault not initialized)
if [ -z "$BW_SESSION" ]; then
bw login "$BW_EMAIL" "$BW_PASSWORD"
export BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
fi
# Ready to use
bw sync
bw list itemsGet your API key: https://bitwarden.com/help/personal-api-key/
BW_CLIENTID # API key client_id
BW_CLIENTSECRET # API key client_secret
BW_PASSWORD # Master password for unlock
BW_SESSION # Session key (auto-used by CLI)
BITWARDENCLI_DEBUG=true # Enable debug output
NODE_EXTRA_CA_CERTS # Self-signed certs path
BITWARDENCLI_APPDATA_DIR # Custom config directoryMethod values: 0=Authenticator, 1=Email, 3=YubiKey.
bw login user@example.com password --method 0 --code 123456Values: 0=Domain, 1=Host, 2=Starts With, 3=Exact, 4=Regex, 5=Never.
Values: 0=Text, 1=Hidden, 2=Boolean.
0=Owner, 1=Admin, 2=User, 3=Manager, 4=Custom.
0=Invited, 1=Accepted, 2=Confirmed, -1=Revoked.
bw unlock first as it's faster; only run bw login if unlock fails (vault not initialized)bw sync before any vault operationbw lock when done| Issue | Solution |
|-------|----------|
| "Bot detected" | Use --apikey or provide client_secret |
| "Vault is locked" | Run bw unlock and export BW_SESSION |
| Self-signed cert error | Set NODE_EXTRA_CA_CERTS |
| Need debug info | export BITWARDENCLI_DEBUG=true |
References:
Generated Mar 1, 2026
IT administrators use the Bitwarden CLI to automate password retrieval and updates for infrastructure services like servers, databases, and network devices. They can generate secure passwords, sync vaults across teams, and manage access via collections for different departments, ensuring compliance and reducing manual errors in credential handling.
Customer support teams in e-commerce integrate the CLI into scripts to quickly access shared credentials for platforms like Shopify or payment gateways during troubleshooting. This allows agents to securely retrieve login details without exposing passwords, improving response times and maintaining security for customer accounts and transactions.
Healthcare organizations leverage the CLI to manage passwords for electronic health record systems and secure patient data access. Staff can generate strong passphrases, audit password usage, and enforce policies through automated vault syncing, helping meet HIPAA requirements and protect sensitive information from breaches.
Development teams use the CLI to share API keys, database credentials, and environment variables securely across projects. By integrating with CI/CD pipelines, they automate credential injection during deployments, reduce hardcoded secrets in code, and manage access via collections for different roles like developers and QA testers.
Financial institutions employ the CLI to handle passwords for banking systems and client portals, using features like Send for secure file transfers and organization management for team access control. This enables auditors and analysts to retrieve credentials on-demand while maintaining audit trails and encryption standards for regulatory compliance.
Offer a paid service where users subscribe to access advanced CLI features like automated password generation, multi-user vault syncing, and priority support. Revenue is generated through monthly or annual fees, with tiers based on storage limits, number of users, and integration capabilities for enterprise clients.
Provide consulting to businesses for integrating the Bitwarden CLI into their existing workflows, such as setting up automation scripts, configuring self-hosted servers, and training staff on secure usage. Revenue comes from one-time project fees or ongoing retainer agreements for maintenance and support.
Offer a free basic version of the CLI with core features like password retrieval and generation, while monetizing through premium add-ons such as advanced reporting, custom templates, and enhanced API access. Revenue is driven by upsells to individual power users and small teams seeking additional functionality.
💬 Integration Tip
Integrate the CLI into automation scripts by setting environment variables for credentials and using the unlock-first workflow to maintain session security, ensuring seamless vault access without manual intervention.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.