Warden MCP Server
The Warden MCP Server enables programmatic management of Bitwarden/Vaultwarden password vaults through the Model Context Protocol, allowing LLM agents and automation tools to securely interact with vault items without implementing client-side cryptography (backed by the official Bitwarden CLI).
Vault Item Management
Search, retrieve, create, update, delete, restore, and bulk-manage vault items (logins, secure notes, cards, identities, SSH keys)
Set/merge URIs, custom fields, and attachments on login items
Secret & Credential Retrieval
Get usernames, passwords, TOTP codes, notes, URIs, and password history
Sensitive fields are redacted by default; use
reveal: trueto expose themCheck if a password has been exposed in a data breach
Folder & Organization Management
Full CRUD on personal folders
List organizations and collections; create, edit, delete org collections; move items to organizations
Attachment Handling
Create, delete, and download file attachments (base64-encoded)
Bitwarden Sends
List, create (text or file), edit, set/remove passwords, delete, and receive Sends from URLs
Generation & Utilities
Generate passwords/passphrases and usernames with customizable parameters
Base64-encode strings, check vault status (locked/unlocked), sync vault, get SDK version
Security Controls
Forced redaction (
NOREVEAL), read-only mode (READONLY), session guardrails, and network isolation support
Deployment Flexibility
stdiomode for local single-tenant use orHTTPmode for shared multi-tenant access; Docker supportedDesigned to integrate with browser-capable LLM agents for end-to-end authenticated workflows (e.g., logging into websites using retrieved credentials and TOTP codes)
Enables programmatic management of Bitwarden vaults, allowing agents to create, search, read, update, and move vault items, manage attachments, and handle organization or collection operations.
Enables programmatic management of Vaultwarden vaults, allowing agents to create, search, read, update, and move vault items, manage attachments, and handle organization or collection operations.
warden-mcp
Vaultwarden MCP server for credential-aware AI agents.
warden-mcp lets MCP clients search, create, update, move, and read
Vaultwarden or Bitwarden vault items through the official Bitwarden CLI (bw).
It is built for agents and automation that need credentials, TOTP codes, secure
notes, attachments, Sends, folders, organizations, and collections without
re-implementing Bitwarden client-side crypto.
Use it when an agent needs to log in to real systems during a browser or admin workflow, but you do not want passwords hardcoded in prompts, config files, or one-off scripts.
Quick Start
Use stdio mode when a local MCP host launches the server directly. It is the simplest and most portable setup for desktop agents.
Prerequisites:
Node.js 24+
npm
a Vaultwarden or Bitwarden account
either a Bitwarden API key pair or username/password login
Run the server:
BW_HOST=https://vaultwarden.example.com \
BW_CLIENTID=user.xxxxx \
BW_CLIENTSECRET=xxxxx \
BW_PASSWORD='your-master-password' \
npx -y @icoretech/warden-mcp@latest --stdioUsername login also works:
BW_HOST=https://vaultwarden.example.com \
BW_USER=user@example.com \
BW_PASSWORD='your-master-password' \
npx -y @icoretech/warden-mcp@latest --stdioIf the package is useful, star the repository so other agent builders can find it.
Related MCP server: MCP Vaultwarden Server
Install In MCP Hosts
Most local hosts should use stdio. The examples below use API-key auth; replace
BW_CLIENTID and BW_CLIENTSECRET with BW_USER if you prefer username login.
Claude Code
claude mcp add-json warden '{"command":"npx","args":["-y","@icoretech/warden-mcp@latest","--stdio"],"env":{"BW_HOST":"https://vaultwarden.example.com","BW_CLIENTID":"user.xxxxx","BW_CLIENTSECRET":"xxxxx","BW_PASSWORD":"your-master-password"}}'Codex
codex mcp add warden \
--env BW_HOST=https://vaultwarden.example.com \
--env BW_CLIENTID=user.xxxxx \
--env BW_CLIENTSECRET=xxxxx \
--env BW_PASSWORD='your-master-password' \
-- npx -y @icoretech/warden-mcp@latest --stdioCodex TOML config:
[mcp_servers.warden]
command = "npx"
args = ["-y", "@icoretech/warden-mcp@latest", "--stdio"]
startup_timeout_sec = 30
[mcp_servers.warden.env]
BW_HOST = "https://vaultwarden.example.com"
BW_CLIENTID = "user.xxxxx"
BW_CLIENTSECRET = "xxxxx"
BW_PASSWORD = "your-master-password"startup_timeout_sec = 30 gives npx enough time for a cold first launch.
Cursor, Claude Desktop, And JSON Config Hosts
{
"mcpServers": {
"warden": {
"command": "npx",
"args": ["-y", "@icoretech/warden-mcp@latest", "--stdio"],
"env": {
"BW_HOST": "https://vaultwarden.example.com",
"BW_CLIENTID": "user.xxxxx",
"BW_CLIENTSECRET": "xxxxx",
"BW_PASSWORD": "your-master-password"
}
}
}
}Common locations:
Host | Config file |
Cursor |
|
Claude Desktop |
|
Codex |
|
Why Use It
Agent login flows - fetch usernames, passwords, and TOTP codes during real browser automation without storing secrets in the agent prompt
Safe by default - secret fields stay redacted unless a tool supports
reveal: trueand the client explicitly asks for itVault administration - create, update, move, restore, and delete common Bitwarden item types, folders, organization collections, attachments, and Sends
Shared HTTP mode - one long-running service can front multiple vault hosts or identities through per-request
X-BW-*headersText-only client support - safe identifiers are mirrored into text output for MCP hosts that ignore
structuredContentVaultwarden-first CI - the integration suite exercises real local Vaultwarden and
bwauth/session flows, not only mocked SDK behavior
How It Works
flowchart LR
Agent["AI agent or MCP client"] --> Transport["stdio or Streamable HTTP"]
Transport --> Server["warden-mcp"]
Server --> BW["Bitwarden CLI (bw)"]
BW --> Vault["Vaultwarden or Bitwarden"]
Server --> State["per-profile bw state"]warden-mcp shells out to bw and keeps profile state under
KEYCHAIN_BW_HOME_ROOT. In HTTP mode, profile selection and credentials come
from request headers. In stdio mode, credentials are loaded from BW_* env vars
when the process starts.
The HTTP server exposes:
Endpoint | Purpose |
| liveness check; does not validate vault credentials |
| session and runtime guardrail metrics |
| MCP Streamable HTTP endpoint |
Run As A Shared HTTP Service
HTTP mode is useful when one service should serve multiple clients or multiple vault profiles.
Start the server:
npx -y @icoretech/warden-mcp@latestVerify liveness:
curl -fsS http://localhost:3005/healthzMCP tool calls must include these headers unless env fallback is explicitly enabled:
Header | Meaning |
| HTTPS origin only, for example |
| master password used to unlock the vault |
| Bitwarden API key client id |
| Bitwarden API key client secret |
| username/email alternative to API key login |
| optional unlock interval in seconds; default |
Example HTTP MCP config for hosts that support custom headers:
{
"mcpServers": {
"warden": {
"url": "http://localhost:3005/sse?v=2",
"headers": {
"X-BW-Host": "https://vaultwarden.example.com",
"X-BW-ClientId": "user.xxxxx",
"X-BW-ClientSecret": "xxxxx",
"X-BW-Password": "your-master-password"
}
}
}
}Some browser-hosted MCP clients can connect to an HTTP/SSE endpoint but cannot
send custom X-BW-* headers. For those clients, run a single-tenant HTTP server
with env fallback:
BW_HOST=https://vaultwarden.example.com \
BW_CLIENTID=user.xxxxx \
BW_CLIENTSECRET=xxxxx \
BW_PASSWORD='your-master-password' \
KEYCHAIN_ALLOW_ENV_FALLBACK=true \
npx -y @icoretech/warden-mcp@latestOnly use KEYCHAIN_ALLOW_ENV_FALLBACK=true behind a trusted network boundary.
Every client that can reach the endpoint inherits the configured vault identity.
For hosted clients that require HTTPS, put a reverse proxy, private tunnel, VPN,
or equivalent protected endpoint in front of warden-mcp, then connect to:
https://warden-mcp.example.com/sse?v=2Docker
docker run --rm \
-p 127.0.0.1:3005:3005 \
-v warden-mcp-data:/data \
ghcr.io/icoretech/warden-mcp:latestThe production image runs as the non-root node user with uid/gid 1000, sets
HOME=/data, and stores Bitwarden profile state under /data/bw-profiles by
default. If you use a bind mount, make it writable by uid/gid 1000.
Runtime Requirements
warden-mcp requires Node.js 24+ when running from npm or source. The Docker
image includes the supported Node runtime.
The server resolves bw in this order:
BW_BIN, when setbundled
@bitwarden/clioptional dependency, when installedsystem
bwfromPATH
The bundled @bitwarden/cli version is currently 2026.6.0. This project keeps
that version vetted instead of blindly tracking every upstream release, because
auth and unlock behavior can change in ways that break automation.
If your package manager skips optional dependencies and bw is missing, install
the CLI explicitly or point BW_BIN to a known binary:
npm install -g @bitwarden/cli@2026.6.0
BW_BIN=/absolute/path/to/bw npx -y @icoretech/warden-mcp@latest --stdioSecurity Model
There is no built-in authentication layer in v1. Protect the transport before you expose it.
Bind locally by default - use
WARDEN_MCP_HOST=127.0.0.1, Docker-p 127.0.0.1:3005:3005, a firewall, VPN, or an authenticated reverse proxyUse TLS for HTTP mode -
X-BW-*headers carry vault credentialsAvoid env fallback on shared networks -
KEYCHAIN_ALLOW_ENV_FALLBACK=truemakes server-side vault credentials available to headerless clientsUse read-only mode when writes are not needed -
READONLY=trueorKEYCHAIN_READONLY=truehides mutating tools and rejects direct write callsUse no-reveal mode for untrusted agent contexts -
NOREVEAL=trueorKEYCHAIN_NOREVEAL=trueforces all secret-returning tools to stay redactedKeep debug logs off in production - do not enable
KEYCHAIN_DEBUG_BWorKEYCHAIN_DEBUG_HTTPunless actively troubleshootingRestrict profile storage - protect
KEYCHAIN_BW_HOME_ROOT, which stores localbwprofile stateProtect
/metricszif needed - it is unauthenticated for scraper compatibility and exposes runtime/session counters
Redacted fields include login passwords, TOTP seeds/codes, card numbers and codes, identity SSNs/passport/license numbers, hidden custom fields, SSH private keys stored through the secure-note convention, signed attachment URLs, and password history entries.
Configuration
Variable | Default | Purpose |
|
| HTTP listen port |
| all interfaces | HTTP bind host |
|
| force stdio mode without |
|
| advertised MCP server name |
|
| public tool namespace |
|
| public tool separator; set |
|
| root for per-profile |
|
| allow HTTP calls to inherit server |
|
| run |
|
| hide and reject mutating tools |
|
| force |
| unset | set |
|
| max tracked HTTP sessions |
|
| inactive session TTL |
|
| session cleanup interval |
|
| memory fuse; set |
|
| periodic metrics logging; |
KEYCHAIN_TEXT_COMPAT_MODE=structured_json mirrors supported
structuredContent into plain text. That helps MCP clients that only pass
content[] to the model, but any revealed secret will also appear in the text
transcript.
Tool Reference
Tool names default to keychain_*. Change the prefix with TOOL_PREFIX and the
separator with TOOL_SEPARATOR.
Start with these:
keychain_status- inspect rawbwstatuskeychain_sync- pull latest vault data withbw synckeychain_search_items- find items by name, URI, username, folder, collection, or typekeychain_get_item- read a full item by id, redacted by defaultkeychain_get_username,keychain_get_password,keychain_get_totp- fetch common login values; password and TOTP requirereveal: truekeychain_create_login,keychain_update_item,keychain_move_item_to_organization- common write paths
Full tool groups:
Group | Tools |
Vault/session |
|
Items |
|
Folders |
|
Organizations and collections |
|
Attachments |
|
Sends |
|
Direct |
|
Notes:
keychain_create_loginscreates several independent login items in one call and reports per-item failures without aborting the whole batchkeychain_set_login_urisreplaces or merges a login item's URI list without editing the entire item payloadkeychain_delete_itemssupports bulk soft-delete or hard-delete by idkeychain_get_itemexposes safe attachment metadata, includingid,fileName, and size, while redacting signed download URLskeychain_get_attachmentaccepts an attachment id or an unambiguous filename and returns{ filename, bytes, contentBase64 }keychain_send_getreturns owned Send metadata and text content; usekeychain_receivewith a SendaccessUrlto receive shared Sends or download file Send bytesAmbiguous login lookups return
AMBIGUOUS_LOOKUPwith visible candidate ids; retry with the exact item id
Local Development
Use Docker Compose when you need the full Vaultwarden-backed stack.
cp .env.example .env
make upmake up starts local Vaultwarden, an HTTPS proxy for bw, bootstraps a test
account, and runs the MCP server in the foreground.
Useful commands:
Command | Purpose |
| watch-mode server from source |
| compile TypeScript to |
| run the compiled server |
| Biome autofix plus |
| build, then run all compiled tests |
| build, then run compose-backed integration tests |
| build, then run Node test coverage |
| run the compose-backed Vaultwarden integration path |
| run the organization-focused compose stack |
| stop the local compose stack |
For a quick live MCP smoke against local Vaultwarden, see agent-instructions/testing.md.
Compatibility
Vaultwarden is the continuously proven target in CI. Official Bitwarden compatibility is intended, but it is not continuously proven without a real Bitwarden tenant.
@bitwarden/cli upgrades are treated as compatibility decisions. The suite
checks direct bw auth behavior, SDK behavior, and MCP integration behavior
against a local Vaultwarden instance before a CLI bump should ship.
Known Limitations
bw list items --search, and thereforekeychain_search_items, does not reliably search inside custom field valuesSSH keys are stored as secure notes with standard fields until
bwsupports native SSH key item creationhigh-risk
bwfeatures such as export/import are intentionally not exposedVaultwarden report pages are not mirrored as MCP tools; the current report-like helper is
keychain_get_exposed
Project Links
npm package:
@icoretech/warden-mcpDocker image:
ghcr.io/icoretech/warden-mcpChangelog: CHANGELOG.md
Security policy: SECURITY.md
Threat model: THREAT_MODEL.md
Repository guidance: AGENTS.md
Contributing
Issues and PRs are welcome. Run npm run lint and the relevant test command
before opening a PR; use make test when behavior depends on real Vaultwarden
or bw interaction.
License
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/icoretech/warden-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server