bitwarden/server
Data models
The canonical schema for Bitwarden Server lives in src/Sql/dbo/Tables/. Equivalent EF mappings (for MySQL, Postgres, SQLite) live in src/Infrastructure.EntityFramework/<Domain>/Configurations/. This page summarises the most relevant tables and how they connect.
erDiagram
User ||--o{ Cipher : owns
User ||--o{ Folder : has
User ||--o{ Send : has
User ||--o{ Device : registers
User ||--o{ EmergencyAccess : grantor_of
User ||--o{ AuthRequest : initiates
Organization ||--o{ Cipher : holds
Organization ||--o{ OrganizationUser : has_member
Organization ||--o{ Group : has
Organization ||--o{ Collection : owns
Organization ||--o{ Policy : enforces
Organization ||--o{ SsoConfig : configures
Organization ||--o{ OrganizationApiKey : issues
Organization ||--o{ OrganizationDomain : verifies
Organization ||--o{ OrganizationConnection : integrates
OrganizationUser }o--|| User : is
OrganizationUser }o--o{ Group : through_GroupUser
OrganizationUser }o--o{ Collection : through_CollectionUser
Group }o--o{ Collection : through_CollectionGroup
Cipher }o--o{ Collection : through_CollectionCipher
Provider ||--o{ ProviderUser : has_member
Provider ||--o{ ProviderOrganization : managesCore tables
User-side
| Table | Purpose |
|---|---|
User |
Identity, auth, KDF, keys, billing, premium. |
Device |
Registered client device (push token, TDE keys). |
Cipher |
Encrypted vault entry (login / card / identity / note / sshKey). |
Folder |
Personal folder (per-user). |
Send |
Encrypted ephemeral share. |
EmergencyAccess |
Grantee → grantor relationship for break-glass access. |
AuthRequest |
Outstanding login-with-device request. |
Grant |
IdentityServer persisted-grant store. |
Organization-side (AdminConsole)
| Table | Purpose |
|---|---|
Organization |
The org. |
OrganizationUser |
Per-org membership: Status (Invited / Accepted / Confirmed / Revoked) + Type (Owner / Admin / Manager / User / Custom) + permissions JSON. |
Group / GroupUser |
Permission groups. |
Collection / CollectionUser / CollectionGroup / CollectionCipher |
Collection access graph. |
Policy |
Org-wide policies (Two-Factor Required, Single Org, Master Password, Personal Ownership, Disable Send, Reset Password, Require SSO, Disable Personal Vault Export, …). |
OrganizationApiKey |
Org bearer keys (multiple, scoped). |
OrganizationDomain |
Verified email domains (auto-claim members). |
OrganizationConnection |
Integration configs (HEC, Datadog, …). |
OrganizationSponsorship |
Families-for-Enterprise sponsorships. |
OrganizationInstallation |
Self-host installation linked to a cloud org. |
Installation |
Self-host installation row. |
Provider (MSP)
| Table | Purpose |
|---|---|
Provider |
An MSP that manages other orgs. |
ProviderUser |
Membership in a Provider. |
ProviderOrganization |
Org under a Provider's management. |
ProviderInvoiceItem |
Per-org billing line items rolled up to the provider. |
Vault helpers
| Table | Purpose |
|---|---|
Cache |
Generic key-value cache (used by some legacy flows). |
Attachment* |
Attachment metadata. (Blobs are external.) |
OrganizationIntegrationConfiguration |
Newer integration-config storage. |
SSO / SCIM
| Table | Purpose |
|---|---|
SsoConfig |
Per-org SSO configuration (encrypted). |
SsoUser |
(User × Org × ExternalId) mapping to claim identity. |
Auth helpers
| Table | Purpose |
|---|---|
TwoFactorEmail |
Email-based 2FA token cache. |
Cache |
DistributedCache backing in some self-host setups. |
WebAuthnCredential |
FIDO2 / passkey credentials. |
Audit / events
| Table | Purpose |
|---|---|
Event |
Audit-log row (user / org / action). Cloud uses Azure Storage / Cosmos by default; SQL holds events for self-host. |
Secrets Manager (commercial only)
| Table | Purpose |
|---|---|
Project |
Secrets-Manager project (group of secrets). |
Secret |
Encrypted secret value. |
ServiceAccount |
Non-human identity that obtains short-lived API tokens. |
AccessPolicy |
Per-project / per-secret / per-service-account grants. |
ApiKey (SM-flavoured) |
Service-account API tokens. |
Reference / look-up
| Table | Purpose |
|---|---|
Installation |
Self-host installation registry. |
Reference |
Marketing-attribution cache. |
OrganizationApiKey |
Long-lived org bearer keys. |
Provider* |
MSP relationship tables. |
Key invariants
- A
Cipherhas exactly one ofUserIdorOrganizationIdnon-null. - An
OrganizationUseris unique per(OrganizationId, UserId). - A
SsoUseris unique per(OrganizationId, ExternalId). - A
Folderis strictly personal — noOrganizationIdcolumn. Sendrows always have aUserId(currently no org Sends).Organization.Identifieris unique when set (used as the URL slug for SSO + public API redirects).
Stored procedures
src/Sql/dbo/Stored Procedures/ defines the canonical sprocs (e.g. User_Create, Cipher_Update, OrganizationUser_ReadByMinimumRole). EF implementations replicate the queries imperatively. New methods need to be added to both sides — the integration test suite will catch parity bugs.
Why the dual approach?
See systems/data-infrastructure. T-SQL is the canonical schema (Azure SQL in cloud); EF + migrations exist so self-host operators can run on MySQL / Postgres / SQLite.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.