bitwarden/server
User
User is the central identity record. Defined at src/Core/Entities/User.cs (330 lines) and persisted to dbo.User in src/Sql/dbo/Tables/User.sql. Every personal action in Bitwarden links back to a User.Id (Guid).
Important columns
| Column | Notes |
|---|---|
Id (Guid) |
Primary key. |
Name |
Display name (≤ 50 chars). |
Email |
Unique login identifier (≤ 256 chars), lower-invariant. |
EmailVerified |
Boolean — set after the email-confirmation link click. |
MasterPassword |
Server-side hash (PBKDF2 over the client-derived master-password hash). May be null for SSO-only / TDE accounts. |
MasterPasswordHint |
Optional plain-text hint. |
Culture |
Locale, default en-US. |
SecurityStamp |
Bumped to invalidate every outstanding token (used by ASP.NET Core Identity). |
TwoFactorProviders |
JSON blob of enrolled providers + their per-user settings. |
TwoFactorRecoveryCode |
Single-use recovery code. |
Key, PublicKey, PrivateKey, SignedPublicKey |
The user-key material. Key is the master-password-sealed user key; PrivateKey is wrapped under the user key. |
Kdf, KdfIterations, KdfMemory, KdfParallelism |
Key Derivation Function parameters (Argon2id by default; PBKDF2 legacy). |
Premium, PremiumExpirationDate |
Personal premium subscription state. |
MaxStorageGb, Storage |
Personal storage quota and current usage. |
Gateway, GatewayCustomerId, GatewaySubscriptionId |
Stripe / Braintree pointers for personal subscriptions. |
LicenseKey |
Self-host premium license. |
AccountRevisionDate |
Bumped whenever a client should re-sync; clients compare against the cached value to short-circuit syncs. |
RevisionDate, CreationDate |
Standard audit timestamps. |
EquivalentDomains, ExcludedGlobalEquivalentDomains |
User-level autofill domain mappings. |
ApiKey |
Personal client-credentials API key for the public CLI / SDK. |
ForcePasswordReset |
True after admin-driven recovery; user must change their password on next login. |
UsesKeyConnector |
True when the user belongs to a Key Connector org. |
FailedLoginCount, LastFailedLoginDate |
Lockout helpers. |
The full surface is documented inline in src/Core/Entities/User.cs.
Interfaces
User implements:
ITableObject<Guid>— convention for repository methods.IStorableSubscriber— has storage and a billing subscriber pointer.IRevisable— hasRevisionDate(clients use it for caching).ITwoFactorProvidersUser— used by the 2FA provider implementations.
Repositories
- Interface:
src/Core/Repositories/IUserRepository.cs. - Dapper:
src/Infrastructure.Dapper/Repositories/UserRepository.cs. - EF:
src/Infrastructure.EntityFramework/Repositories/UserRepository.cs.
The repo layer also exposes a UserStore adapter for ASP.NET Core Identity (src/Core/Auth/Identity/UserStore.cs).
Where it shows up
- Authentication (auth) — every grant validator loads the User.
- Vault ciphers (vault-and-ciphers) —
Cipher.UserIdfor personal items. - Organization membership —
OrganizationUser.UserId. - Devices, Sends, Notifications, Audit Events — all carry
UserId.
Lifecycle
- Register → email verification token → confirm → User row inserted.
- Login → cred check + 2FA → JWT issued.
- Update profile / KDF migrate → bump
RevisionDateandAccountRevisionDate. - Master password change → key rotation (see key-management) and bump
SecurityStamp. - Delete → cascade-deletes through every dependent table (orchestrated by
IUserService.DeleteAsync/ Quartz cleanup).
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.