Open-Source Wikis

/

Bitwarden Server

/

Reference

/

Data models

bitwarden/server

Data models

The canonical schema for Bitwarden Server lives in src/Sql/dbo/Tables/. Equivalent EF mappings (for MySQL, Postgres, SQLite) live in src/Infrastructure.EntityFramework/<Domain>/Configurations/. This page summarises the most relevant tables and how they connect.

erDiagram
    User ||--o{ Cipher : owns
    User ||--o{ Folder : has
    User ||--o{ Send : has
    User ||--o{ Device : registers
    User ||--o{ EmergencyAccess : grantor_of
    User ||--o{ AuthRequest : initiates
    Organization ||--o{ Cipher : holds
    Organization ||--o{ OrganizationUser : has_member
    Organization ||--o{ Group : has
    Organization ||--o{ Collection : owns
    Organization ||--o{ Policy : enforces
    Organization ||--o{ SsoConfig : configures
    Organization ||--o{ OrganizationApiKey : issues
    Organization ||--o{ OrganizationDomain : verifies
    Organization ||--o{ OrganizationConnection : integrates
    OrganizationUser }o--|| User : is
    OrganizationUser }o--o{ Group : through_GroupUser
    OrganizationUser }o--o{ Collection : through_CollectionUser
    Group }o--o{ Collection : through_CollectionGroup
    Cipher }o--o{ Collection : through_CollectionCipher
    Provider ||--o{ ProviderUser : has_member
    Provider ||--o{ ProviderOrganization : manages

Core tables

User-side

Table Purpose
User Identity, auth, KDF, keys, billing, premium.
Device Registered client device (push token, TDE keys).
Cipher Encrypted vault entry (login / card / identity / note / sshKey).
Folder Personal folder (per-user).
Send Encrypted ephemeral share.
EmergencyAccess Grantee → grantor relationship for break-glass access.
AuthRequest Outstanding login-with-device request.
Grant IdentityServer persisted-grant store.

Organization-side (AdminConsole)

Table Purpose
Organization The org.
OrganizationUser Per-org membership: Status (Invited / Accepted / Confirmed / Revoked) + Type (Owner / Admin / Manager / User / Custom) + permissions JSON.
Group / GroupUser Permission groups.
Collection / CollectionUser / CollectionGroup / CollectionCipher Collection access graph.
Policy Org-wide policies (Two-Factor Required, Single Org, Master Password, Personal Ownership, Disable Send, Reset Password, Require SSO, Disable Personal Vault Export, …).
OrganizationApiKey Org bearer keys (multiple, scoped).
OrganizationDomain Verified email domains (auto-claim members).
OrganizationConnection Integration configs (HEC, Datadog, …).
OrganizationSponsorship Families-for-Enterprise sponsorships.
OrganizationInstallation Self-host installation linked to a cloud org.
Installation Self-host installation row.

Provider (MSP)

Table Purpose
Provider An MSP that manages other orgs.
ProviderUser Membership in a Provider.
ProviderOrganization Org under a Provider's management.
ProviderInvoiceItem Per-org billing line items rolled up to the provider.

Vault helpers

Table Purpose
Cache Generic key-value cache (used by some legacy flows).
Attachment* Attachment metadata. (Blobs are external.)
OrganizationIntegrationConfiguration Newer integration-config storage.

SSO / SCIM

Table Purpose
SsoConfig Per-org SSO configuration (encrypted).
SsoUser (User × Org × ExternalId) mapping to claim identity.

Auth helpers

Table Purpose
TwoFactorEmail Email-based 2FA token cache.
Cache DistributedCache backing in some self-host setups.
WebAuthnCredential FIDO2 / passkey credentials.

Audit / events

Table Purpose
Event Audit-log row (user / org / action). Cloud uses Azure Storage / Cosmos by default; SQL holds events for self-host.

Secrets Manager (commercial only)

Table Purpose
Project Secrets-Manager project (group of secrets).
Secret Encrypted secret value.
ServiceAccount Non-human identity that obtains short-lived API tokens.
AccessPolicy Per-project / per-secret / per-service-account grants.
ApiKey (SM-flavoured) Service-account API tokens.

Reference / look-up

Table Purpose
Installation Self-host installation registry.
Reference Marketing-attribution cache.
OrganizationApiKey Long-lived org bearer keys.
Provider* MSP relationship tables.

Key invariants

  • A Cipher has exactly one of UserId or OrganizationId non-null.
  • An OrganizationUser is unique per (OrganizationId, UserId).
  • A SsoUser is unique per (OrganizationId, ExternalId).
  • A Folder is strictly personal — no OrganizationId column.
  • Send rows always have a UserId (currently no org Sends).
  • Organization.Identifier is unique when set (used as the URL slug for SSO + public API redirects).

Stored procedures

src/Sql/dbo/Stored Procedures/ defines the canonical sprocs (e.g. User_Create, Cipher_Update, OrganizationUser_ReadByMinimumRole). EF implementations replicate the queries imperatively. New methods need to be added to both sides — the integration test suite will catch parity bugs.

Why the dual approach?

See systems/data-infrastructure. T-SQL is the canonical schema (Azure SQL in cloud); EF + migrations exist so self-host operators can run on MySQL / Postgres / SQLite.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Data models – Bitwarden Server wiki | Factory