Open-Source Wikis

/

Bitwarden Server

/

API

/

Authentication endpoints

bitwarden/server

Authentication endpoints

The Identity host (src/Identity/) exposes a set of OAuth 2.0 / OpenID Connect endpoints that every other API depends on. The route prefixes are:

  • POST /connect/token — token endpoint.
  • GET /connect/authorize — authorization endpoint (used for OIDC code flow).
  • POST /connect/revocation — refresh-token revocation.
  • GET /.well-known/openid-configuration — OIDC discovery (when enabled).
  • GET /.well-known/jwks — JSON Web Key Set.
  • GET /sso/start and GET /sso/end — SSO bridge endpoints.
  • POST /accounts/prelogin — returns the user's KDF settings (so the client can derive the master-password hash before sending it).
  • POST /accounts/register-anonymous and /accounts/register-finalize — registration flow that includes captcha + email verification.
  • POST /sends/access/... — one-shot Send-access tokens (scope api.send.access).

The supported OAuth grants are documented in systems/identity-server. Summary:

grant_type Used by Flow
password Web vault, browser ext, mobile, desktop, CLI (master-password login) Email + master-password hash, optionally with 2FA.
webauthn Login With Passkey Uses the FIDO2 authenticator's PRF blob.
auth_request Login with Device A logged-in device approves a pending request.
sso SSO redirect callback One-shot SsoTokenable issued by Sso.
client_credentials Public org API, installations, SCIM tokens, service-account tokens Long-lived API key + secret.
refresh_token Every client after first login Rotates the refresh token on each use.

Token shape

Bitwarden access tokens are JWTs signed with the data-protection-managed key. Common claims:

  • sub — user id (or org id for org-bearer tokens).
  • email, name — display info.
  • premium — boolean (personal premium).
  • scope — space-delimited scopes (api, api.organization, api.installation, api.send.access, api.licensing, api.secrets, api.push).
  • device — device identifier (so server-side device-trust checks can scope to it).
  • orgowner, orgadmin, orgmanager, orguser, orgcustom — claim arrays of org ids per role.
  • securityStamp — invalidates the token when bumped.
  • userDecryptionOptions (in the response, not the JWT) — tells the client how to derive the user key for this session.

CORS

Identity.Startup.Configure allows requests from the cloud domains and from the dev API origin so the Swagger UI on the API host can authorize against Identity. See CoreHelpers.IsCorsOriginAllowed.

Self-host path-base

Self-hosted Identity runs at /identity/* (see app.UsePathBase("/identity")); the bundled nginx config maps that prefix.

Entry points for modification

  • New grant type → see systems/identity-server.
  • New userDecryptionOptions shape → UserDecryptionOptionsBuilder in src/Core/Auth/IdentityServer/.
  • New scope → ApiScopes.cs, plus the matching policy in src/Api/Startup.cs.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Authentication endpoints – Bitwarden Server wiki | Factory