Limited Permission API Keys

Feature name

Limited Permission API Keys

Feature function

Our situation is that we wish to have an on-premise script download our Bitwarden Organisation’s audit logs on a schedule, using the API.

The problem is that the Organisation’s API key has far more access than just ‘reading logs’; there’s the ability to manage and delete groups and collections, users, etc.

As a result, we’ve decided not to implement the functionality we wanted to with the API due to there being no way to lock down the access available to our single, org-wide API key.

It would be a great win for security if we could generate keys with restricted permissions, adopting a principle of least privilege approach for API keys.