bitwarden/server
Secrets Manager
Active contributors: tools / secrets manager team.
Purpose
Bitwarden Secrets Manager is a developer-secrets product: encrypted secrets organised into projects, accessed via short-lived tokens minted from service accounts, with a CLI / SDK clients can use during build pipelines. The feature shipped in 2023 (PR #2164 on 2023-01-13) and continues to grow.
The OSS distribution does not include Secrets Manager — it is part of the commercial license. The shared interfaces and core domain types live under src/Core/SecretsManager/ so the OSS build still compiles the surrounding code; the actual implementations live under bitwarden_license/src/Commercial.Core/SecretsManager/ and bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/.
Where the code lives
| Concern | Path |
|---|---|
| Domain interfaces & entities | src/Core/SecretsManager/ |
| Commercial implementations | bitwarden_license/src/Commercial.Core/SecretsManager/ |
| Commercial EF mappings | bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/ |
| API surface | src/Api/SecretsManager/Controllers/ |
| Schema | src/Sql/dbo/Tables/Project*.sql, Secret*.sql, ServiceAccount*.sql, AccessPolicy*.sql |
Key abstractions
| Type | Path | Description |
|---|---|---|
Project |
src/Core/SecretsManager/Entities/Project.cs |
A bucket of secrets, scoped to an organization. |
Secret |
src/Core/SecretsManager/Entities/Secret.cs |
Encrypted secret with name + value + note (all client-encrypted). |
ServiceAccount |
src/Core/SecretsManager/Entities/ServiceAccount.cs |
Non-human identity that obtains short-lived API tokens to read secrets at build/runtime. |
AccessPolicy (and its concrete subclasses) |
src/Core/SecretsManager/Entities/ |
Per-project / per-secret / per-service-account access grants. |
IAccessPolicyAuthorizationHandler |
src/Core/SecretsManager/AuthorizationRequirements/ |
Resource-based authz that checks the caller's access via the policy graph. |
| Commands & Queries | src/Core/SecretsManager/Commands/, Queries/ |
Narrow interfaces (e.g. ICreateSecretCommand, IRevokeAccessTokenCommand); commercial implementations in bitwarden_license/src/Commercial.Core/SecretsManager/. |
Trash (soft-deleted secrets) |
Implemented in PR SM-281 on 2023-02-20 |
Restorable for 30 days. |
API surface
src/Api/SecretsManager/Controllers/:
ProjectsController— CRUD on projects.SecretsController— CRUD + bulk on secrets.ServiceAccountsController— CRUD service accounts and rotate API tokens.AccessPoliciesController— manage who can read / write / manage what.TrashController— list / restore / permanently delete.
Authentication uses the Policies.Secrets JWT scope (which accepts either the standard api scope or the bespoke api.secrets scope minted for service accounts).
How it works
graph TD
User[Web Vault user] --> ApiSec["Api / SecretsManager controllers"]
ApiSec --> Authz[IAccessPolicyAuthorizationHandler]
ApiSec --> CmdQ[Commands / Queries]
CmdQ --> Repo[(Repositories)]
SA[Service Account] --> Identity[(Identity host)]
Identity --> Token[api.secrets JWT]
Token --> ApiSecThe web vault speaks the same API as service accounts; only the JWT scope differs. Service-account tokens are short-lived (default ~30 minutes) and rotate via IRotateAccessTokenCommand.
Integration points
- Identity — service-account tokens are minted by the same Identity host. The token issuance flow lives in
src/Core/Auth/IdentityServer/RequestValidators/andsrc/Core/SecretsManager/AccessTokens/. - Database — the SecretsManager EF repositories are commercial-only; OSS uses
Noopimplementations (e.g.NoopServiceAccountRepository) so the DI graph still resolves. - Audit events — secret reads are logged via
IEventServicefor compliance.
OSS-vs-licensed split
src/Api/Startup.cs registers Secrets Manager only on non-OSS builds:
#if !OSS
services.AddCommercialSecretsManagerServices();
services.AddSecretsManagerEfRepositories();
Jobs.JobsHostedService.AddCommercialSecretsManagerJobServices(services);
#endifOSS builds register NoopServiceAccountRepository etc. (src/Identity/Startup.cs registers it explicitly to satisfy DI even for non-OSS builds during a transition window).
Entry points for modification
- New API endpoint → controller in
src/Api/SecretsManager/Controllers/+ command/query interface insrc/Core/SecretsManager/+ commercial implementation inbitwarden_license/src/Commercial.Core/SecretsManager/. - New access-policy type → entity + EF mapping + a handler in
IAccessPolicyAuthorizationHandler. - New service-account scope → extend
ApiScopes(src/Core/Auth/IdentityServer/Constants/) + the matching grant validator.
The Secrets Manager team also owns the corresponding clients in the bitwarden/sdk-secrets repo and the bws CLI; this server-side code is the source of truth for the API contract.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.