Looking at the API documentation and just… grrr. A goal I have is, as part of an authentication application with a sort of ‘distributed credential’ system, to pull a custom field from vault items, for a specific Collection. I have a dedicated user for this, I have their API auth stuff - this all seemed pretty straightforward, until I looked at the documentation.
The Public API seems really well documented, better than the CLI, with the caveat that it can not access individual items - it’s basically managing org structure only. You’d think it would be called ‘Structure’ API, or something that distinguishes it from ‘Vault Management’. Anyway - this points me to the Vault Management API, which doesn’t have a well-written API reference page like Public API does - just the reference, and repeated mentions that I need to start an Express server, via the BW CLI for reasons explained as: ‘Using the Vault Management API requires that you use the serve command from the CLI to start a local express web server from which to make requests.’ or elsewhere, as “Using the Vault Management API request that you use the serve command from the CLI to start a local express web server from which to make requests” – I’m not sure if this sentence is encrypted or something - is the web server sending requests? Receiving requests? Receiving the requests it sends.. to itself? Idk, but it doesn’t really say ‘you can’t authenticate against the cloud, and make requests for specific info from the cloud’ or even ‘this API is just for managing the CLI remotely’ - but that’s the impression I’m getting after research.
The goal was a C# application that authenticates against some bitwarden url/endpoint, then gets data from a specific entry (or entries), using REST queries - it was intended to be a somewhat secure way to store mildly important identifiers. I’m not self-hosting, and it seems counter-productive to the security aspect to introduce a CLI I don’t fully understand (which itself has documentation I find… something. According to itself, it’s ‘well documented’, so.. ok.)
CoPilot has explained that the CLI pulls the whole (encrypted) vault into memory, after authenticating. Then, it’s decrypted as needed. As for the Vault Management API, it’s just an API to manage that running CLI instance by sending REST queries to an Express server. Is this accurate? I sort of see how I can do what I was intending to do, with this method - but it seems… idk. I don’t like the thought of maintaining an Authenticated CLI session and my entire vault in memory, first off. But also, if the API just targets the CLI, then I can skip setting up a server and using REST calls, and just… use the CLI, probably.
But I’m still unnerved about the fact that the entire vault gets stored in memory by the CLI - I haven’t used it very much, as 1) this is my first BitWarden-related project and 2) I found the docs similarly off-putting; and now I’m wondering if this is actually how the Web Clients work as a whole - storing the entire vault in memory immediately, and the interface just being… well, lies. lol
Just for clarity, here’s a bit of pseudo for what the intentions were -

```
input $companyName:______
Get www.bitwarden.login
Post identity to bitwarden.login.token | $authorization = token
Get Bitwarden.collection.$companyName.fieldY credentials: $token | $companyId = FieldY
Post Graph.Microsoft.thing/application123/companyId
```
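As an added example (not code from the original post, and not Bitwarden’s own code), here is the intended flow written against the local `bw serve` server, in Python rather than C#: unlock the CLI session, read one custom field from the items of a collection, and lock again immediately so the decrypted vault is held for as short a time as possible. It assumes `bw serve` is running on its default localhost:8087 and uses the Vault Management API’s /unlock, /list/object/items?collectionId=… and /lock endpoints; the sample response below is constructed, not real vault data.

```python
import json
import urllib.request

# Assumption: `bw serve` is running on its default port. Adjust if you started it
# with --port/--hostname. Keep it bound to localhost; nothing else should reach it.
BASE_URL = "http://localhost:8087"


def _call(method, path, body=None):
    """Send one request to the local Vault Management API and return its JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def custom_field_from_items(list_response, field_name):
    """Return the value of the first custom field called `field_name` across the
    items in a /list/object/items response, or None if no item carries it."""
    if not list_response.get("success"):
        return None
    for item in list_response["data"]["data"]:
        for field in item.get("fields") or []:
            if field.get("name") == field_name:
                return field.get("value")
    return None


def fetch_custom_field(master_password, collection_id, field_name):
    """Unlock, read the field from the given collection, then lock right away so the
    CLI does not keep an unlocked vault around after the lookup is done."""
    unlock = _call("POST", "/unlock", {"password": master_password})
    if not unlock.get("success"):
        raise RuntimeError("unlock failed")
    try:
        items = _call("GET", f"/list/object/items?collectionId={collection_id}")
        return custom_field_from_items(items, field_name)
    finally:
        _call("POST", "/lock")


# Constructed sample in the shape bw serve returns for /list/object/items.
SAMPLE_RESPONSE = {
    "success": True,
    "data": {"object": "list", "data": [
        {"object": "item", "name": "Example Corp", "fields": [
            {"name": "companyId", "value": "ACME-0001", "type": 0}]}]},
}

if __name__ == "__main__":
    print(custom_field_from_items(SAMPLE_RESPONSE, "companyId"))
```

Custom fields of type 1 (hidden) come back in the same `fields` array, so the same lookup covers them.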