Option to configure per-domain or per-folder default matching rule

Hi, and congratulations on Bitwarden!

Would you consider adding the possibility to have per-domain or per-folder URI matching rules?

I am an IT guy and even if the default “Base Domain” matching rule works well for the public Internet, all those intranet networks definitely need the “Host” matching criteria. Examples are:

  • wifi.corporate.local
  • intranet.corporate.local
  • firewall.corporate.local

My only solution so far has been to group the entries of the private domains in separate folders and use some cli-fu with the bw binary to batch update the entries.

Also, when quickly saving new credentials for such domains, they are obviously added using the default matching criteria so I need to run those scripts on a regular basis.

A domain-based option or a folder-based option (with inheritance) would work for me.

Thanks a ton for considering this request!

I think this is a good idea, thanks for creating the topic!


While waiting for this feature, I have written the following bash script that uses the “bw” Linux binary as well as “jq” to mass update the matching method in my vault.

It creates a regular expression that contains all the internal domains (listed at the top of the script) and then logs into BitWarden to extract a list of entry IDs that need an update. Finally the matching method is updated on those entries.


#!/bin/bash

# list of domains that require host-level matching for URIs
# (placeholder value; list your own internal domains here)
domains=("internal.local")

# bitwarden username (set to your own account e-mail)
bwuser="[email protected]"

# bitwarden executable name
bw_bin="bw"

if [[ ! -x $(command -v "$bw_bin") ]]; then
    echo "BitWarden executable not found: $bw_bin"
    exit 1
fi

# jq executable name
jq_bin="jq"

if [[ ! -x $(command -v "$jq_bin") ]]; then
    echo "jq executable not found: $jq_bin"
    exit 1
fi

# build jq regexp: all domains joined with "|"
domregexp=$(IFS="|" ; echo "${domains[*]}")

# login to bitwarden; --raw prints only the session key
echo "* Logging into BitWarden"
bwsession=$("$bw_bin" --raw login "$bwuser")

# sync vault
#echo "* Syncing vault"
#"$bw_bin" --session "$bwsession" sync

# extract list of id that need update:
# login items with at least one URI matching the regexp and at least one
# URI whose match method is not 1 (host)
echo "* Extracting list of items that require URI match update"
readarray -t array1 <<< "$("$bw_bin" --session "$bwsession" list items | \
                        "$jq_bin" --arg DOMEXP "$domregexp" -r \
                            '.[] |
                            select(.type == 1) |
                            select((.login.uris | length) > 0) |
                            select(any(.login.uris[]; .uri | test($DOMEXP))) |
                            select(any(.login.uris[]; .match != 1)) |
                            [.id, .name] |
                            @tsv')"

if [[ -z ${array1[0]} ]]; then
    echo "* nothing to do"
else
    count=${#array1[@]}
    echo "* Number of items found: $count"

    # set the match method of every URI of each item to 1 (host)
    for index in "${!array1[@]}"; do
        IFS=$'\t' read -r id name <<< "${array1[$index]}"
        echo "* ($(( index + 1 ))/$count) updating $id ($name)"
        "$bw_bin" --session "$bwsession" get item "$id" | \
            "$jq_bin" '.login.uris[].match = 1' | \
            "$bw_bin" --session "$bwsession" encode | \
            "$bw_bin" --quiet --session "$bwsession" edit item "$id"
    done
fi

# logout from bitwarden
echo "* Logging out of BitWarden"
"$bw_bin" --session "$bwsession" logout

I have found one small bug which is that it would also match entries with URLs containing the internal domains as part of the path/arguments and not only as the actual domain name. For instance, if I want to update the matching method for “internal.local” entries, the script would update this entry:

URL: https://www.googe.com/[email protected]

Might fix that at some point.
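
A host-anchored check that avoids the path/query false positive described above, as an added example that is not part of the original post or script: it extracts the host from each URI before comparing it with the internal domains. The function names and the sample URIs are constructed for illustration.

```bash
#!/bin/sh
# Added example, not the original poster's code. Function names are hypothetical.

# uri_host URI: print the lower-cased host of URI (bare hostnames are accepted).
uri_host() (
    rest=$1
    case ${rest%%://*} in
        "$rest" | *[/?#]*) ;;          # no scheme ("://" absent or only in path/query)
        *) rest=${rest#*://} ;;        # drop the scheme
    esac
    rest=${rest%%[/?#]*}               # drop path, query and fragment first ...
    rest=${rest##*@}                   # ... so only a userinfo "@" is stripped here
    case $rest in
        \[*) rest=${rest%%\]*}\] ;;    # IPv6 literal: keep "[...]", drop the port
        *)   rest=${rest%%:*} ;;       # drop the port
    esac
    printf '%s\n' "$rest" | tr '[:upper:]' '[:lower:]'
)

# is_internal_uri URI DOMAIN...: succeed only if the host equals a listed
# domain or is a subdomain of it (comparison on a label boundary).
is_internal_uri() (
    host=$(uri_host "$1")
    shift
    for d in "$@"; do
        case $host in
            "$d" | *."$d") exit 0 ;;
        esac
    done
    exit 1
)

# Constructed sample URIs; "internal.local" is the domain named in the post.
check_samples() {
    for uri in \
        'https://wiki.internal.local:8443/login' \
        'intranet.internal.local' \
        'https://www.example.com/?email=user@internal.local' \
        'https://notinternal.local/' \
        'https://internal.local.example.com/'
    do
        if is_internal_uri "$uri" internal.local; then
            echo "host match : $uri"
        else
            echo "leave as is: $uri"
        fi
    done
}
check_samples
```

In the script above, the jq stage could emit each item's id and URIs and leave the domain decision to `is_internal_uri`, instead of running `test($DOMEXP)` over the whole URI string.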

Some subdomains and main domains use different passwords. Can I add a setting to specify such domains? The following is the LastPass setting:

I wish this idea had more traction; this is a common annoyance of mine and I think it would be a huge value-add QoL improvement, especially for corporate/enterprise users.