bitwarden/server
Authentication endpoints
The Identity host (src/Identity/) exposes a set of OAuth 2.0 / OpenID Connect endpoints that every other API depends on. The route prefixes are:
POST /connect/token— token endpoint.GET /connect/authorize— authorization endpoint (used for OIDC code flow).POST /connect/revocation— refresh-token revocation.GET /.well-known/openid-configuration— OIDC discovery (when enabled).GET /.well-known/jwks— JSON Web Key Set.GET /sso/startandGET /sso/end— SSO bridge endpoints.POST /accounts/prelogin— returns the user's KDF settings (so the client can derive the master-password hash before sending it).POST /accounts/register-anonymousand/accounts/register-finalize— registration flow that includes captcha + email verification.POST /sends/access/...— one-shot Send-access tokens (scopeapi.send.access).
The supported OAuth grants are documented in systems/identity-server. Summary:
grant_type |
Used by | Flow |
|---|---|---|
password |
Web vault, browser ext, mobile, desktop, CLI (master-password login) | Email + master-password hash, optionally with 2FA. |
webauthn |
Login With Passkey | Uses the FIDO2 authenticator's PRF blob. |
auth_request |
Login with Device | A logged-in device approves a pending request. |
sso |
SSO redirect callback | One-shot SsoTokenable issued by Sso. |
client_credentials |
Public org API, installations, SCIM tokens, service-account tokens | Long-lived API key + secret. |
refresh_token |
Every client after first login | Rotates the refresh token on each use. |
Token shape
Bitwarden access tokens are JWTs signed with the data-protection-managed key. Common claims:
sub— user id (or org id for org-bearer tokens).email,name— display info.premium— boolean (personal premium).scope— space-delimited scopes (api,api.organization,api.installation,api.send.access,api.licensing,api.secrets,api.push).device— device identifier (so server-side device-trust checks can scope to it).orgowner,orgadmin,orgmanager,orguser,orgcustom— claim arrays of org ids per role.securityStamp— invalidates the token when bumped.userDecryptionOptions(in the response, not the JWT) — tells the client how to derive the user key for this session.
CORS
Identity.Startup.Configure allows requests from the cloud domains and from the dev API origin so the Swagger UI on the API host can authorize against Identity. See CoreHelpers.IsCorsOriginAllowed.
Self-host path-base
Self-hosted Identity runs at /identity/* (see app.UsePathBase("/identity")); the bundled nginx config maps that prefix.
Entry points for modification
- New grant type → see systems/identity-server.
- New
userDecryptionOptionsshape →UserDecryptionOptionsBuilderinsrc/Core/Auth/IdentityServer/. - New scope →
ApiScopes.cs, plus the matching policy insrc/Api/Startup.cs.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.