🤖 Bitwarden MCP server

Agentic AI is rapidly changing the way we work. With the new Model Context Protocol (MCP) server, Bitwarden enables AI assistants to access, generate, retrieve, and manage passwords while maintaining zero-knowledge encryption. Read the announcement article to learn more.

The Bitwarden MCP server is available for testing and exploration via the Bitwarden GitHub repository. Please share any feedback or findings with the community here!

1 Like

It’s disappointing to see Bitwarden jumping on the generative AI bandwagon, despite the many valid concerns about the technology’s impact on the environment, labour, art, mental health… though in all honesty, given the “enterprise” focus in your messaging nowadays, it’s not entirely surprising.

But… even if this was something worth doing to begin with, the approach you’ve taken is terrible, and obviously so. When I saw “secure AI authentication” in your announcement, I imagined something like a tool that a chatbot could use to access services that require authentication, without ever exposing the credentials/secrets to the context. But that’s clearly not what you’ve done here. You’re letting a hallucinating chatbot, inherently vulnerable to prompt injection, loose on an unlocked password vault!

Let’s recap what your demo shows:

  • To unlock the vault, you have to enter your master password into the chatbot’s context. From this point on, it’s vulnerable to exfiltration via prompt injection. If another tool is present that’s capable of making external web requests, say, then it’s potentially game over very quickly.
  • The entire contents of the vault, even including TOTP codes, are similarly vulnerable, as the chatbot can choose at any time to invoke the tool to extract any data. Even freshly generated credentials that are stored directly into the vault are vulnerable.
  • All of these are also echoed back by the chatbot and therefore clearly visible to anyone looking over the user’s shoulder.

This is so obviously a terrible idea that it’s making me question your competence at security architecture.

7 Likes

Hey there, and thanks for the feedback! Regarding security and environmental concerns, you can both self-host Bitwarden and self-host any LLM that supports MCP.

I’m aware of that, and to be honest the idea that anyone would even think about doing this with a cloud LLM didn’t even occur to me. But if your goal is to support so-called “agentic AI” then presumably there will be other tools present in the context along with this one (otherwise it’s just a pointlessly inefficient alternative Bitwarden UI). So secrets should be protected from other tools, and the only reliable way to do that is to keep them out of the model’s context.

Rest assured the Bitwarden MCP Server is a completely optional tool for those looking to integrate with their vault locally,

Indeed, I am aware of that too. And I’m clearly not the target market (ref. my opening paragraph). I’m just concerned by the lack of thought that seems to have been put into it, from a security perspective.

1 Like

Feedback is always welcome! In addition to self-hosting your applications locally, we also included the following in the blog (updated):

IMPORTANT SECURITY NOTE

MCP servers are on the frontier of the AI wave, enabling new, to-be-imagined applications. At the same time, frontiers, when not explored carefully, can be risky. Users of the Bitwarden MCP server are encouraged to keep security and care in mind. Some examples that Bitwarden demonstrates may not be appropriate for all users and use cases. It is strongly recommended to leverage a local and private LLM option when using the MCP server.

this is a horrible idea and like jmorahan mentioned, the fact that bitwarden is ignoring all of the horrible external effects of AI is incredibly disappointing. I was considering getting a year long membership, but now I don’t want to give you a single red cent knowing it will just go to nonsense like this and boiling oceans. retract this now.

2 Likes

Hey there, regarding environmental cost, this setup is intended to run locally on your own machine, and is a separate optional repo from the standard Bitwarden server/client.

I think the concern expressed by @x4d6165 is with the environmental impact of the LLM training. When running a local model, it is pre-trained, so the damage is already done — but it would not be unreasonable to see the use of local LLMs (or the promotion of such use) as tacit approval (or at least acceptance) of the resource consumption required for LLM training.

1 Like

Long time Bitwarden Premium user, I really hate that you’re trying to go after the GenAI trend. Huge downvote on my part on all of this.
Don’t lose your way, that’s not what Bitwarden is about.

2 Likes

“You don’t have to use it” isn’t a great defence of something you’re promoting.

You also haven’t actually addressed my concerns about the security risks that your implementation poses to those people. You’ve only dismissed them as irrelevant because you can run it locally (which doesn’t solve the problem, as I explained above) or not at all.

But let me try again.

Your announcement post says:

The new Bitwarden MCP server allows AI assistants to access, generate, retrieve, and manage passwords through a local-first architecture where credentials remain on a user’s machine, maintaining zero-knowledge encryption.

Credentials remain on a user’s machine. Except… what’s the point? If the point was to allow the user to access and view their own credentials - frankly, that would be bad enough. It would be a step backward from the existing clients that allow credentials to be auto-populated into forms or copied to the clipboard without being exposed to the display. But it would also be completely pointless, because those clients exist, they work well, and nobody needs to go through the pain of installing and running a local LLM to “improve” that experience.

The point, therefore, can only be to allow the LLM “agent” to access and use those credentials. Your announcement even calls this out explicitly:

How will AI agents authenticate without human involvement?

And to use them, it needs to pass them to another tool. Which means that other tool must be present and available to the “agent”. And unless you’re advising people to only use this with tools that make no external network requests - which would, again, make it almost entirely useless - you run the risk of prompt injection causing the secrets that have been exposed to the LLM context by your tool to be exposed remotely by another one.

I keep going on about how you’ve done it wrong, and I realize that might give the impression that I want you to do it right. I don’t. I wish you hadn’t done it at all. But you have, and you’ve done it so carelessly that I’m left questioning your judgement, not only on what’s right and wrong but also on how to build secure software.

1 Like
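The design raised in the posts above (a tool that authenticates on the agent's behalf while the secret never enters the model's context) can be sketched as follows. This is an added example, not Bitwarden's code or any poster's; `SecretBroker`, `http_tool`, the `secret-ref:` handle format and the sample vault are all hypothetical, and no network request is made.

```python
import secrets
from urllib.parse import urlsplit

class SecretBroker:
    """Keeps vault secrets outside the model context; the model only gets opaque handles."""

    def __init__(self, vault):
        # vault: item name -> {"secret": str, "hosts": hosts the secret may be sent to}
        self._vault = vault
        self._handles = {}  # handle -> item name

    def lookup(self, item):
        """Tool exposed to the model: returns a random handle, never the secret."""
        if item not in self._vault:
            raise KeyError(item)
        handle = "secret-ref:" + secrets.token_hex(8)
        self._handles[handle] = item
        return handle

    def resolve_for(self, handle, url):
        """Called by the outbound tool at send time, outside the model context."""
        item = self._handles.get(handle)
        if item is None:
            raise PermissionError("unknown handle")
        entry = self._vault[item]
        parts = urlsplit(url)
        # Destination binding: a handle is useless for any host it was not issued for.
        if parts.scheme != "https" or parts.hostname not in entry["hosts"]:
            raise PermissionError(f"{item} is not bound to {parts.hostname}")
        return entry["secret"]

def http_tool(broker, url, token_handle):
    """Hypothetical request tool: returns (request as it would be sent, result shown to the model)."""
    secret = broker.resolve_for(token_handle, url)
    wire = {"url": url, "headers": {"Authorization": f"Bearer {secret}"}}
    model_view = {"url": url, "status": "sent", "auth": token_handle}
    return wire, model_view

# Constructed sample vault entry (placeholder secret and hosts).
VAULT = {"ci-api": {"secret": "constructed-secret-value", "hosts": {"api.example.com"}}}

def demo():
    broker = SecretBroker(VAULT)
    handle = broker.lookup("ci-api")  # this string is all the model ever holds
    wire, seen = http_tool(broker, "https://api.example.com/v1/build", handle)
    try:
        # An injected instruction redirecting the credential to another host is refused.
        http_tool(broker, "https://collector.example.net/x", handle)
        blocked = False
    except PermissionError:
        blocked = True
    return handle, wire, seen, blocked
```

The handle can be echoed, logged or leaked by the model without disclosing the credential, because resolution happens only inside the tool and only for the bound destination.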

So will this also work with Bitwarden Secrets manager or the bws.exe cli app or is it currently bw.exe only? I’d rather use mcp-server for Bitwarden Secrets rather than my Vault for same reasons I tend to shy away from bw.exe for secrets management as I don’t utilise Organisations currently, plus I prefer how bws.exe uses tokens which have their own access control policies. Granted I would like to see some more features in bws, but it works and I will be trying Bitwarden MCP with it shortly…

Thanks
👍

I’m not a fan of this overall. The 4 minute video is a security nightmare for IT folks. “Let’s take the most important secrets we have for our connected lives and allow an online service full access.” is not a good look. I really wish you would have demoed it locally with a local LLM at least.

But my real question is, will Enterprises and families be able to disallow this for all users on their accounts? If not, I can’t see us staying with Bitwarden much longer.

2 Likes

Hi, I’m a Bitwarden Premium user since 2019. I have a few questions about this.

  1. For the moment, let’s ignore the privacy issues of a cloud-based LLM and assume everyone uses this self-hosted. Do you think it is safe to let an AI move and manipulate passwords? How can the AI be trusted not to incorrectly copy or corrupt a password?

  2. You’ve repeatedly stated that the MCP is separate from the “main” Bitwarden clients and server. Can we trust that you will never, under any circumstance, inject AI into the main Bitwarden experience?

  3. Are you using AI to develop the main Bitwarden clients and server?

  4. Circling back to the thing I said to ignore in question (1), why did you choose to demo this with a cloud-based proprietary AI instead of a local open source one?

1 Like

Your question may in part be answered by the existence of a draft version of PR #15213, which creates this artifact:

2 Likes

Thanks,
and that’s disappointing.

EDIT: I sent those same questions to Bitwarden customer service via email, and here’s the response I got back.

Thanks for your interest in the Bitwarden MCP project! This is a standalone project that is separate from all other Bitwarden products like Password Manager. The project is considered a proof of concept and not suitable for production use.

If you have any feedback on the MCP server, please join in on the discussion in our community forums: http://community.bitwarden.com

If you would like to contribute to the project or have an issue to report, please refer to the project GitHub repository: GitHub - bitwarden/mcp-server: MCP server for interaction with the Bitwarden vault.

It doesn’t seem like they answered any of my questions, which is not encouraging for my continued use of Bitwarden.

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.