Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| BW_BIN | No | Explicit path to the Bitwarden CLI binary (bw). By default it looks for the bundled binary or system PATH. | |
| BW_HOST | No | The URL of the Bitwarden or Vaultwarden server (e.g., https://vaultwarden.example.com). | |
| BW_USER | No | The email address for Bitwarden/Vaultwarden login. | |
| READONLY | No | Set to 'true' to block all write operations (create/edit/delete/move/restore/attachments). | |
| BW_CLIENTID | No | The Bitwarden API Client ID for authentication. | |
| BW_PASSWORD | No | The master password required to unlock the vault. | |
| BW_CLIENTSECRET | No | The Bitwarden API Client Secret for authentication. | |
| KEYCHAIN_BW_HOME_ROOT | No | Root directory where Bitwarden CLI state is stored to avoid session/config clashes. | |
| KEYCHAIN_SESSION_TTL_MS | No | Session Time-To-Live in milliseconds. | 900000 |
| KEYCHAIN_MAX_HEAP_USED_MB | No | Maximum heap memory usage in MB before triggering fuse (set '0' to disable). | 1536 |
| KEYCHAIN_SESSION_MAX_COUNT | No | Maximum number of active sessions. | 32 |
| KEYCHAIN_METRICS_LOG_INTERVAL_MS | No | Interval for logging metrics in milliseconds (0 to disable). | 0 |
| KEYCHAIN_SESSION_SWEEP_INTERVAL_MS | No | Interval for sweeping expired sessions in milliseconds. | 60000 |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": true
} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| keychain_status | Returns Bitwarden CLI status (locked/unlocked, server, user). |
| keychain_encode | Base64-encode a string (bw encode). |
| keychain_generate | Generate a password/passphrase (bw generate). Returning the value requires reveal=true. |
| keychain_generate_username | Generate a username like the Bitwarden generator (random word, plus-addressed email, catch-all). Returning the value requires reveal=true. |
| keychain_list_folders | List Bitwarden folders (personal). |
| keychain_create_folder | Create a Bitwarden folder (personal). |
| keychain_edit_folder | Rename a Bitwarden folder (personal). |
| keychain_delete_folder | Delete a Bitwarden folder (personal). |
| keychain_list_org_collections | List organization collections. |
| keychain_create_org_collection | Create an organization collection. |
| keychain_edit_org_collection | Rename an organization collection. |
| keychain_delete_org_collection | Delete an organization collection. |
| keychain_move_item_to_organization | Move an item to an organization (optionally assigning collection ids). |
| keychain_list_organizations | List organizations available to the current Bitwarden user. |
| keychain_list_collections | List collections (optionally filtered by organization). |
| keychain_search_items | Search vault items by text and filters (org/folder/collection/url). |
| keychain_get_item | Get a vault item by id. |
| keychain_get_uri | Get a login URI by search term (bw get uri). |
| keychain_get_notes | Get item notes by search term (bw get notes). |
| keychain_get_exposed | Check exposed status by search term (bw get exposed). |
| keychain_get_folder | Get a folder by id (bw get folder). |
| keychain_get_collection | Get a collection by id (bw get collection). |
| keychain_get_organization | Get an organization by id (bw get organization). |
| keychain_get_org_collection | Get an org collection by id (bw get org-collection). |
| keychain_delete_item | Delete an item by id (soft-delete by default; set permanent=true to hard delete). |
| keychain_delete_items | Delete multiple items by id. Returns per-id results (soft-delete by default; set permanent=true to hard delete). |
| keychain_restore_item | Restore an item from trash by id. |
| keychain_create_attachment | Attach a file (base64) to an existing item. Returns the updated (redacted) item. |
| keychain_delete_attachment | Delete an attachment from an item. Returns the updated (redacted) item. |
| keychain_get_attachment | Download an attachment from an item and return it as base64 (bw get attachment). |
| keychain_send_list | List all the Sends owned by you (bw send list). |
| keychain_send_template | Get json templates for send objects (bw send template). |
| keychain_send_get | Get Sends owned by you. Use text=true to return text content; downloadFile=true to download a file send (bw send get). |
| keychain_send_create | Create a Bitwarden Send. For file sends, pass filename+contentBase64. (bw send). |
| keychain_send_create_encoded | Create a Send via |
| keychain_send_edit | Edit a Send via |
| keychain_send_remove_password | Remove a Send's saved password (bw send remove-password). |
| keychain_send_delete | Delete a Send (bw send delete). |
| keychain_receive | Access a Bitwarden Send from a url. Use obj=true for JSON object; downloadFile=true for file content. (bw receive) |
| keychain_get_username | Get a login username by search term (bw get username). |
| keychain_get_password | Get a login password by search term (bw get password). Returning a password requires reveal=true. |
| keychain_get_totp | Get a TOTP code/seed by search term (bw get totp). Returning a TOTP requires reveal=true. |
| keychain_get_password_history | Get an item password history (if any). Returning passwords requires reveal=true. |
| keychain_create_login | Create a login item. |
| keychain_create_logins | Create multiple login items in a single call. |
| keychain_set_login_uris | Set or update the URIs (and per-URI match types) for a login item. mode=replace overwrites; mode=merge updates/adds by uri. |
| keychain_create_note | Create a secure note item. |
| keychain_create_ssh_key | Create an SSH key object (stored as secure note with fields). |
| keychain_create_card | Create a payment card item. |
| keychain_create_identity | Create an identity item. |
| keychain_update_item | Update selected fields of an item by id. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |