Open-Source Wikis

/

Bitwarden Server

/

API

bitwarden/server

API

Bitwarden exposes three distinct HTTP surfaces:

  • Internal client API — the endpoints under src/Api/ that first-party Bitwarden clients call (web vault, browser extension, mobile, desktop, CLI, directory connector). Hundreds of routes; not formally versioned.
  • Public org API — the documented, versioned /public/* API for org administrators and integrators, backed by src/Api/AdminConsole/Public/Controllers/.
  • Identity (OAuth/OIDC) endpoints/connect/token, /connect/authorize, /.well-known/openid-configuration, etc., served by the Identity host using Duende IdentityServer.

In addition, several services expose narrower public-ish APIs:

  • The SCIM host at bitwarden_license/src/Scim/ implements SCIM 2.0 on /v2/{orgId}/{Users,Groups,…}.
  • The Events host accepts batched audit-event posts at /collect.
  • The Notifications host hosts the /hub SignalR endpoint and a small internal HTTP Send endpoint.
  • The Billing host exposes the third-party-provider webhooks (/stripe/webhook, /paypal/ipn, /bitpay/ipn, /apple/iap-webhook).
  • The Sso host serves SAML/OIDC bridge endpoints (/Account/Login, /saml2/Acs, etc.).
  • The Icons host serves a public unauthenticated favicon proxy at /{domain}/icon.png.
  • The Admin host hosts the internal Razor-Pages admin UI.

Each app's page covers its routing in detail; this section focuses on the cross-cutting API contract.

Conventions

  • All Bitwarden APIs use JSON request/response with snake-cased ids occasionally (mostly camelCase).
  • Errors are shaped as { message, errorMessage, exceptionMessage, exceptionStackTrace, validationErrors } — produced by ApiExceptionFilterAttribute (src/Api/Utilities/ApiExceptionFilterAttribute.cs) from Bit.Core.Exceptions.* exceptions.
  • Authentication is JWT Bearer via the Identity host; the policies are declared in systems/identity-server.
  • Cross-origin requests are gated by CoreHelpers.IsCorsOriginAllowed (cloud allows bitwarden.com, bitwarden.eu, bitwarden.pw; dev allows localhost).

Swagger / OpenAPI

The Internal API exposes Swagger at /specs/internal/swagger.json (development + self-host); the Public API at /specs/public/swagger.json. Both can be regenerated via ./dev/generate_openapi_files.ps1 and committed alongside.

The Public API is the source of truth for Bitwarden's published documentation at https://bitwarden.com/help/api/.

Versioning

  • Public API: v1, with breaking changes deprecated through the Bitwarden.Migrate deprecation header.
  • Internal API: not versioned. Changes are coordinated with client releases via feature flags and minimum-version constants in src/Core/Constants.cs.

Rate limits

AspNetCoreRateLimit is enabled in cloud only. Defaults live in src/Api/appsettings.Production.json under IpRateLimitOptions / IpRateLimitPolicies. Self-host runs without rate limiting.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

API – Bitwarden Server wiki | Factory