bitwarden-agent-vault-mcp
Provides tools for storing, retrieving, listing, and rotating secrets in Bitwarden Secrets Manager, including injecting secrets into allowlisted executables.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@bitwarden-agent-vault-mcpStore my AWS secret key as 'aws_secret'"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Bitwarden Agent Vault MCP
An unofficial, open-source Codex plugin and local MCP server for using Bitwarden Secrets Manager as durable credential storage for agent workflows.
The server runs locally over MCP stdio. It does not open a network port and it does not contain a Bitwarden token, organization ID, project ID, password, or API key. Every installation must supply its own Bitwarden machine account and private configuration.
This community project is not affiliated with or endorsed by Bitwarden, Inc.
What it does
Stores and rotates stable agent credentials in Bitwarden Secrets Manager.
Lists projects and secret metadata without returning values.
Retrieves a secret when plaintext is explicitly required.
Injects selected secrets into an allowlisted executable without placing them in the normal command output.
Opens the Bitwarden Secrets Manager web vault on macOS.
Includes a Codex skill for automatically saving durable credentials that Codex creates, receives, or discovers.
Related MCP server: Agentic Vault
Security model
Codex MCP client
| local JSON-RPC over stdin/stdout
v
Bitwarden Agent Vault MCP server
| machine token from macOS Keychain or BWS_ACCESS_TOKEN
v
Bitwarden Secrets Manager API via bwsThe MCP server uses stdio and has no HTTP listener.
The machine token is read from macOS Keychain by default. On other platforms, it must be supplied to the MCP process as
BWS_ACCESS_TOKEN.Bitwarden project and secret permissions remain the authoritative access boundary. Use a least-privilege machine account.
store_secretrefuses to overwrite an existing key unlessoverwrite: trueis explicitly supplied.get_secretis disabled by default and requires an explicit privateallowPlaintextRevealopt-in.run_with_secretsis disabled by default. When enabled, it requires an absolute executable allowlist and injects only the requested secret keys.Command output is redacted for exact secret values. Redaction cannot prevent an executable from encoding, transforming, writing, or transmitting a secret. Only allowlist purpose-built programs you trust.
get_secretintentionally returns plaintext to the MCP client. Do not expose this server to untrusted clients or untrusted prompt sources.
See SECURITY.md for reporting and operational guidance.
Requirements
Node.js 20 or later
A Bitwarden Secrets Manager organization, project, and machine account
Bitwarden Secrets Manager CLI (
bws)Codex with local plugin/MCP support
macOS for the included Keychain helper; Linux can use an MCP-process environment variable
The server may work on Windows when bws is installed and
BWS_ACCESS_TOKEN is provided, but the helper scripts are currently tested for
macOS and Linux shells only.
Install
Clone the repository into the conventional personal plugin source location:
git clone https://github.com/ceweldy/bitwarden-agent-vault-mcp.git \
"$HOME/plugins/bitwarden-agent-vault"
cd "$HOME/plugins/bitwarden-agent-vault"
npm ciInstall bws with the checksum-verifying helper, or install it from Bitwarden's
official release process:
./scripts/install-bws.shCreate a Bitwarden Secrets Manager project and a machine account with only the required project permissions. Copy the machine access token once.
On macOS, store the token in Keychain without placing it in a file or shell history:
./scripts/store-machine-token.shOn non-macOS systems, configure BWS_ACCESS_TOKEN only in the MCP host's
private process environment. Do not commit it or place it in a shared shell
profile.
Create the private configuration:
mkdir -p "$HOME/.config/bitwarden-agent-vault"
cp config.example.json "$HOME/.config/bitwarden-agent-vault/config.json"
chmod 600 "$HOME/.config/bitwarden-agent-vault/config.json"Replace defaultProjectId with your Bitwarden project UUID. The UUID is not a
secret, but keeping deployment metadata outside the repository avoids leaking
your vault structure.
Check the live connection:
./scripts/doctor.shAdd the Codex plugin
Add this entry to the plugins array in your personal Codex marketplace at
~/.agents/plugins/marketplace.json. Preserve any entries already in that
file.
{
"name": "bitwarden-agent-vault",
"source": {
"source": "local",
"path": "./plugins/bitwarden-agent-vault"
},
"policy": {
"installation": "AVAILABLE",
"authentication": "ON_INSTALL"
},
"category": "Productivity"
}Then install it:
codex plugin add bitwarden-agent-vault@personalStart a new Codex task so the MCP tools and skill are loaded.
Configuration
The server reads ~/.config/bitwarden-agent-vault/config.json unless
BITWARDEN_AGENT_CONFIG points to another file.
Field | Required | Meaning |
| No | Bitwarden API server; defaults to Bitwarden cloud. |
| Recommended | Project used when a tool call omits |
| No | Must be exactly |
| No | Must be exactly |
| When enabled | Absolute paths to trusted executable files. |
To opt into command execution, use a private configuration such as:
{
"serverUrl": "https://vault.bitwarden.com",
"defaultProjectId": "replace-with-your-bitwarden-project-id",
"allowPlaintextReveal": false,
"allowCommandExecution": true,
"allowedExecutables": [
"/absolute/path/to/a-purpose-built-tool"
]
}Avoid allowlisting shells, general-purpose interpreters, download tools, or network clients. They defeat the purpose of an executable allowlist.
MCP tools
Tool | Behavior |
| Checks local token, CLI, optional remote access, and command-execution state. |
| Returns accessible project metadata. |
| Returns secret names and metadata, never values. |
| Returns one exact secret value when privately enabled. |
| Creates a secret or explicitly rotates an exact-key match. |
| Runs an enabled, allowlisted executable with selected secret keys. |
| Opens the Bitwarden Secrets Manager web UI on macOS. |
Development
npm ci
npm run check
npm audit --omit=devTests use a fake bws fixture and contain no real credentials. Never add live
tokens, vault exports, .env files, personal configuration, or customer data
to tests or issue reports.
License
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ceweldy/bitwarden-agent-vault-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server