bitwarden/server
API
Bitwarden exposes three distinct HTTP surfaces:
- Internal client API — the endpoints under
src/Api/that first-party Bitwarden clients call (web vault, browser extension, mobile, desktop, CLI, directory connector). Hundreds of routes; not formally versioned. - Public org API — the documented, versioned
/public/*API for org administrators and integrators, backed bysrc/Api/AdminConsole/Public/Controllers/. - Identity (OAuth/OIDC) endpoints —
/connect/token,/connect/authorize,/.well-known/openid-configuration, etc., served by the Identity host using Duende IdentityServer.
In addition, several services expose narrower public-ish APIs:
- The SCIM host at
bitwarden_license/src/Scim/implements SCIM 2.0 on/v2/{orgId}/{Users,Groups,…}. - The Events host accepts batched audit-event posts at
/collect. - The Notifications host hosts the
/hubSignalR endpoint and a small internal HTTPSendendpoint. - The Billing host exposes the third-party-provider webhooks (
/stripe/webhook,/paypal/ipn,/bitpay/ipn,/apple/iap-webhook). - The Sso host serves SAML/OIDC bridge endpoints (
/Account/Login,/saml2/Acs, etc.). - The Icons host serves a public unauthenticated favicon proxy at
/{domain}/icon.png. - The Admin host hosts the internal Razor-Pages admin UI.
Each app's page covers its routing in detail; this section focuses on the cross-cutting API contract.
Conventions
- All Bitwarden APIs use JSON request/response with snake-cased ids occasionally (mostly camelCase).
- Errors are shaped as
{ message, errorMessage, exceptionMessage, exceptionStackTrace, validationErrors }— produced byApiExceptionFilterAttribute(src/Api/Utilities/ApiExceptionFilterAttribute.cs) fromBit.Core.Exceptions.*exceptions. - Authentication is JWT Bearer via the
Identityhost; the policies are declared in systems/identity-server. - Cross-origin requests are gated by
CoreHelpers.IsCorsOriginAllowed(cloud allowsbitwarden.com,bitwarden.eu,bitwarden.pw; dev allowslocalhost).
Swagger / OpenAPI
The Internal API exposes Swagger at /specs/internal/swagger.json (development + self-host); the Public API at /specs/public/swagger.json. Both can be regenerated via ./dev/generate_openapi_files.ps1 and committed alongside.
The Public API is the source of truth for Bitwarden's published documentation at https://bitwarden.com/help/api/.
Versioning
- Public API: v1, with breaking changes deprecated through the
Bitwarden.Migratedeprecation header. - Internal API: not versioned. Changes are coordinated with client releases via feature flags and minimum-version constants in
src/Core/Constants.cs.
Rate limits
AspNetCoreRateLimit is enabled in cloud only. Defaults live in src/Api/appsettings.Production.json under IpRateLimitOptions / IpRateLimitPolicies. Self-host runs without rate limiting.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.