CLI apikey flow


can anybody explain the flow for apikey authentication? I thought apikey auth would prevent the use of the master password.

However if I set the api-key shell variables and login successfully, the unlock command requires the use of the master password.

Is this the way it should be, or am I missing something? If not why wouldn’t I stay with email and master password for login and unlock?

I am on 2023.4.0 on an M1 Mac.

Thank you.


From the BW’s doc: Password Manager CLI | Bitwarden Help Center

  • Logging in with the personal API key is recommended for automated workflows or providing access to an external application.
  • Logging in with email and password is recommended for interactive sessions.


Logging in using email and master password uses your master password and can therefore string together the login and unlock commands to authenticate your identity and decrypt your vault in tandem. Using an API key or SSO will require you to follow-up the login command with an explicit bw unlock if you will be working with vault data directly.

This is because your master password is the source of the key needed to decrypt vault data. There are, however, a few commands that do not require your vault to be decrypted, including config, encode, generate, update, and status.