Warden MCP Server
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| BW_BIN | No | Explicit path to the Bitwarden CLI binary (bw). By default it looks for the bundled binary or system PATH. | |
| BW_HOST | No | The URL of the Bitwarden or Vaultwarden server (e.g., https://vaultwarden.example.com). | |
| BW_USER | No | The email address for Bitwarden/Vaultwarden login. | |
| READONLY | No | Set to 'true' to block all write operations (create/edit/delete/move/restore/attachments). | |
| BW_CLIENTID | No | The Bitwarden API Client ID for authentication. | |
| BW_PASSWORD | No | The master password required to unlock the vault. | |
| BW_CLIENTSECRET | No | The Bitwarden API Client Secret for authentication. | |
| KEYCHAIN_BW_HOME_ROOT | No | Root directory where Bitwarden CLI state is stored to avoid session/config clashes. | |
| KEYCHAIN_SESSION_TTL_MS | No | Session Time-To-Live in milliseconds. | 900000 |
| KEYCHAIN_MAX_HEAP_USED_MB | No | Maximum heap memory usage in MB before triggering fuse (set '0' to disable). | 1536 |
| KEYCHAIN_SESSION_MAX_COUNT | No | Maximum number of active sessions. | 32 |
| KEYCHAIN_METRICS_LOG_INTERVAL_MS | No | Interval for logging metrics in milliseconds (0 to disable). | 0 |
| KEYCHAIN_SESSION_SWEEP_INTERVAL_MS | No | Interval for sweeping expired sessions in milliseconds. | 60000 |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {"listChanged": true} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| keychain_status | Returns Bitwarden CLI status (locked/unlocked, server, user). This is a lazy check: not-ready status does not mean later keychain tool calls cannot unlock or recover on demand. |
| keychain_sync | Pull the latest vault data from the server (bw sync). Returns the last sync timestamp. |
| keychain_sdk_version | Return the Bitwarden SDK version reported by the bundled bw CLI. Use this read-only check when diagnosing CLI/runtime compatibility without touching vault data. |
| keychain_encode | Base64-encode a string with bw encode. This never mutates the vault; it only returns encoded text. |
| keychain_generate | Generate a password or passphrase with bw generate. This never mutates the vault; pass reveal=true to return the value, and NOREVEAL or KEYCHAIN_NOREVEAL force redaction. |
| keychain_generate_username | Generate a username like the Bitwarden generator (random word, plus-addressed email, catch-all, forwarded alias). This never mutates the vault; pass reveal=true to return the value, and NOREVEAL or KEYCHAIN_NOREVEAL force redaction. |
| keychain_list_folders | List personal Bitwarden folders visible to the current user. Use this to discover folder ids for item organization; returns safe folder id/name summaries only. |
| keychain_create_folder | Create a personal Bitwarden folder. Use this to organize items outside organization collections. |
| keychain_edit_folder | Rename an existing personal Bitwarden folder by id. This mutates only folder metadata, not the items inside it, and returns the updated folder id/name summary. |
| keychain_delete_folder | Delete a personal Bitwarden folder. Destructive: there is no restore helper in this server. |
| keychain_list_org_collections | List organization-scoped collections for the required organizationId. Use this after discovering an organization to find collection ids; returns safe id/name summaries. |
| keychain_create_org_collection | Create a new organization-scoped collection inside the required organizationId. Use this for shared vault grouping; returns the created collection summary. |
| keychain_edit_org_collection | Rename an existing organization-scoped collection inside the required organizationId. This mutates collection metadata only and returns the updated collection summary. |
| keychain_delete_org_collection | Delete an organization collection. Destructive: there is no restore helper in this server. |
| keychain_move_item_to_organization | Move an existing vault item into the required organizationId. Optionally pass collectionIds to assign organization collections during the move; collection ids are organization collections, not personal folders. Returns the moved item summary with normal redaction rules. |
| keychain_list_organizations | List organizations available to the current Bitwarden user so you can discover the organizationId required for org-scoped tools. |
| keychain_list_collections | List collections in the current vault, optionally filtered by organizationId. Use list_org_collections when you already know the organization and only want organization-scoped collections. |
| keychain_search_items | Search vault items by text and filters (org/folder/collection/url). This wraps bw list items --search, which does not reliably search custom field values. |
| keychain_get_item | Get the full vault item by stable item id. Secret fields and signed attachment URLs are redacted by default; pass reveal=true only when the caller is allowed to receive secrets. |
| keychain_get_uri | Get the first login URI matched by bw get uri for a search term. Terms can be names, ids, or other bw-supported selectors and may be ambiguous, so use an exact item id when possible. URI values are returned as non-secret scalar results. |
| keychain_get_notes | Get item notes matched by bw get notes for a search term. Notes are treated as secret output here: value is null unless reveal=true and NOREVEAL is not active. Terms can be ambiguous, so prefer an exact item id when possible. |
| keychain_get_exposed | Check the exposed-password count returned by bw get exposed for a search term. Terms follow bw lookup behavior and may be ambiguous; use an exact item id or precise selector when possible. Not-found results return a null scalar value instead of a thrown not-found error. |
| keychain_get_folder | Get one personal Bitwarden folder by stable folder id via bw get folder. Use this to verify a folder id before item updates; returns safe folder metadata only. |
| keychain_get_collection | Get a collection by id (bw get collection). Use organizationId when you need to disambiguate an organization-scoped lookup. |
| keychain_get_organization | Get one Bitwarden organization by stable organization id via bw get organization. Use list_organizations first when the id is unknown; returns organization metadata only. |
| keychain_get_org_collection | Get an organization collection by id (bw get org-collection). organizationId is optional and narrows the org-scoped lookup when provided. |
| keychain_delete_item | Delete a vault item by id. By default this is a soft delete to trash and can be restored with restore_item; set permanent=true to hard delete through bw. Returns only the requested id, not the deleted item contents. |
| keychain_delete_items | Delete multiple vault items by id in one session. Soft-deletes to trash by default; set permanent=true to hard delete every id. Returns per-id ok/error results so partial failures are visible. |
| keychain_restore_item | Restore a soft-deleted vault item from trash by id. Use this after delete_item or delete_items when permanent was omitted or false; hard-deleted items cannot be restored. Returns the restored item summary with normal redaction rules. |
| keychain_create_attachment | Attach base64-encoded file bytes to an existing item. Returns the updated item summary with normal redaction rules, so secrets stay hidden unless reveal is allowed. |
| keychain_delete_attachment | Delete an attachment from its parent item using itemId plus attachmentId. The attachment id comes from item attachment metadata; this is destructive for that attachment and then refetches the parent item. Returns the updated item summary with normal redaction rules. |
| keychain_get_attachment | Download an attachment from a parent item and return raw bytes as contentBase64. Pass itemId plus an attachment id, or an unambiguous filename selector resolved from the item metadata before calling bw get attachment. The response includes filename, byte count, and base64 content for local decoding. |
| keychain_send_list | List all the Sends owned by you (bw send list). This is read-only and does not mutate the vault. |
| keychain_send_template | Get a Bitwarden Send JSON template from bw send template. Choose a text or file template with object values send.text/text or send.file/file before using encoded create/edit flows. This is read-only and does not create a Send. |
| keychain_send_get | Get Sends owned by you. Use text=true to return text content; downloadFile=true to download a file send (bw send get). |
| keychain_send_create | Quick-create a Bitwarden Send through bw send. Use type=text with text, or type=file with filename plus contentBase64; deleteInDays controls expiration deletion, maxAccessCount limits accesses, and password protects the Send. For advanced JSON templates or edits, use send_create_encoded and send_edit instead. |
| keychain_send_create_encoded | Create a Send with the advanced bw send create flow. Provide an encodedJson template or raw json to encode, or create directly from text/file fields; file uses filename plus contentBase64 and hidden only affects text Sends. Use this when you need template-level fields beyond the quick send_create options. |
| keychain_send_edit | Edit an existing Send with the advanced bw send edit flow. Provide encodedJson or raw json containing the Send edit payload; raw json is encoded before invoking bw. Optional itemId maps to --itemid for item-linked Send edits. |
| keychain_send_remove_password | Remove a Send's saved password so recipients no longer need that password. This is destructive for the Send password only; it does not delete the Send content. Use send_delete when the entire Send should be removed. |
| keychain_send_delete | Delete a Bitwarden Send by id through bw send delete. This is destructive for the Send and its shared content; it does not delete any vault item that may have been used to create it. Returns the bw result payload when available. |
| keychain_receive | Receive a Bitwarden Send from an HTTPS url. Provide password when the Send is protected; obj=true returns the parsed JSON object, downloadFile=true downloads file bytes as base64, and the default returns received text. This reads a shared Send and does not create or modify vault items. |
| keychain_get_username | Get a login username matched by bw get username for a search term. Usernames are treated as non-secret scalar output, but exact item ids are safest for ambiguous names. |
| keychain_get_password | Get a login password by search term (bw get password). The value is null unless reveal=true, and NOREVEAL or KEYCHAIN_NOREVEAL can still force redaction. |
| keychain_get_totp | Get the current TOTP code by search term (bw get totp). The value is null unless reveal=true, and NOREVEAL or KEYCHAIN_NOREVEAL can still force redaction. |
| keychain_get_password_history | Get an item password history (if any). Returning passwords requires reveal=true. |
| keychain_create_login | Create a login item with username/password/TOTP/URI data. Use this for website or app credentials instead of a secure note, card, or identity. Accepts custom fields and attachments, supports folder/organization/collection scoping, and returns a redacted item summary by default. |
| keychain_create_logins | Create multiple login items in one call. Use this when you need several independent credentials at once, with the same login-item behavior as create_login. Set continueOnError to keep going after a failure and receive per-item ok/error results; returned items are redacted by default. |
| keychain_set_login_uris | Set or update the URI list on a login item. mode=replace overwrites the full list; mode=merge updates existing URIs and adds new ones by URI. Match values can be domain, host, startsWith, exact, regex, or never. |
| keychain_create_note | Create a secure note item. Use this for free-form text or secrets that do not belong in a login, card, identity, or SSH key item. Accepts custom fields plus folder/organization/collection scoping, and returns a redacted item summary by default. |
| keychain_create_ssh_key | Create an SSH key object stored as a secure note with standard fields. Use this when you need a public/private key pair plus optional fingerprint or comment, not a login or payment card. The private key is stored in a hidden field and redacted in returned summaries; folder, organization, and collection scoping is supported. |
| keychain_create_card | Create a payment card item. Use this for cardholder name, brand, number, expiry, and code, not for login credentials or notes. Accepts custom fields plus folder/organization/collection scoping, and returned summaries redact the card number, code, and hidden fields. |
| keychain_create_identity | Create an identity item. Use this for personal, contact, and address data instead of a login or card. Accepts structured identity fields plus custom fields and scoping, and returned summaries redact sensitive identity fields and hidden custom fields. |
| keychain_update_item | Update selected fields of an item by id. The patch is applied to the current item, so omitted fields stay unchanged while explicit nulls and empty arrays overwrite the stored folder, collection, login URI, or custom-field values. Use this for partial edits instead of reconstructing the full item. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/icoretech/warden-mcp'