Bitwarden Server is the open-source backend infrastructure powering the Bitwarden password manager, designed for organizations and individuals who need full control over their sensitive data. It provides the API, identity, billing, SCIM, SSO, and event processing services required to run a self-hosted password manager with enterprise-grade security. Built with C#, .NET Core, and ASP.NET Core, and backed by SQL Server, it supports cross-platform deployment via Docker on Windows, macOS, and Linux.
The system is architected as a suite of containerized microservices—including API, Identity, Admin, SCIM, and SSO—enabling scalable, secure, and auditable password management. It integrates with existing enterprise systems via SAML SSO, SCIM user provisioning, and SIEM logging, and is deployed using Docker Compose with official images hosted on GitHub Container Registry.
What You Get
- Zero-Knowledge Encryption Backend - All password data is encrypted client-side before being sent to the server; the server never sees plaintext credentials, ensuring true data sovereignty.
- Self-Hosted Docker Deployment - Deploy the full Bitwarden stack using pre-built Docker containers via simple bash or PowerShell scripts, with full control over data residency and infrastructure.
- SCIM User Provisioning - Automate user and group management via SCIM 2.0 integration with identity providers like Azure AD, Okta, and Google Workspace.
- SAML SSO Integration - Enable single sign-on for enterprise users using SAML 2.0, allowing centralized authentication and policy enforcement.
- API for Custom Integrations - Expose a RESTful API to build custom automation, integrate with internal tools, or extend functionality beyond the default clients.
- Event Logging & Monitoring - Capture user activity and security events via the Events and EventsProcessor services for audit trails and SIEM integration.
- Admin Dashboard - Centralized web interface to manage users, organizations, policies, and security reports without accessing encrypted vault data.
- Multi-Region Support (US/EU) - Deploy isolated clusters in US or EU regions with separate container image hashes for compliance with data localization laws.
Common Use Cases
- Enterprise password management - A CIO deploys Bitwarden Server on-premises to enforce strong password policies, integrate with Active Directory via SCIM, and monitor credential risks across 5,000+ employees.
- Compliance-driven organizations - A healthcare provider runs Bitwarden in a private cloud to meet HIPAA requirements, ensuring encrypted credentials never leave their infrastructure.
- Developers building custom auth workflows - A DevOps team uses the Bitwarden API to auto-populate credentials into CI/CD pipelines and internal tools while maintaining encryption standards.
- Privacy-focused individuals - A journalist self-hosts Bitwarden to eliminate third-party cloud risks, using Docker to run the full stack on a local server with full audit control.
Under The Hood
Architecture
- Clear separation of concerns through layered design, with API controllers depending on abstractions rather than concrete implementations
- Modular project structure isolating domain logic, HTTP endpoints, and identity concerns into distinct assemblies
- CQRS-inspired patterns separate commands and queries from controllers, enhancing testability and scalability
- Policy-based authorization with dynamic requirement factories enables fine-grained, data-driven access control
- Centralized dependency injection via SDK extensions ensures consistent service registration across distributed components
- Pragmatic integration of Handlebars templates and SQL stored procedures balances modern patterns with legacy data layer constraints
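As an added illustration of the policy-based, abstraction-driven authorization pattern described above (example code, not Bitwarden's own; the requirement type, lookup interface, role hierarchy and policy names are assumptions), an ASP.NET Core resource-based policy whose requirements are generated from data at registration time:

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement that carries data: the minimum role needed in the organization being accessed.
public sealed class OrganizationRoleRequirement : IAuthorizationRequirement
{
    public string MinimumRole { get; }
    public OrganizationRoleRequirement(string minimumRole) => MinimumRole = minimumRole;
}
// Hypothetical abstraction the handler depends on instead of a concrete repository (a fake serves in tests).
public interface IOrganizationMembershipLookup
{
    Task<string?> GetRoleAsync(Guid userId, Guid organizationId);
}
// Resource-based handler: the organization id taken from the route is the resource being authorized.
public sealed class OrganizationRoleHandler : AuthorizationHandler<OrganizationRoleRequirement, Guid>
{
    private static readonly string[] RoleOrder = { "User", "Admin", "Owner" }; // constructed hierarchy
    private readonly IOrganizationMembershipLookup _lookup;
    public OrganizationRoleHandler(IOrganizationMembershipLookup lookup) => _lookup = lookup;

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OrganizationRoleRequirement requirement, Guid organizationId)
    {
        // Fail closed: without a subject claim or a membership the requirement is never marked succeeded.
        if (!Guid.TryParse(context.User.FindFirst("sub")?.Value, out var userId)) return;
        var role = await _lookup.GetRoleAsync(userId, organizationId);
        if (role is not null &&
            Array.IndexOf(RoleOrder, role) >= Array.IndexOf(RoleOrder, requirement.MinimumRole))
            context.Succeed(requirement);
    }
}

public static class AuthorizationSetup
{
    // Policies are generated from data, so a new role needs a new policy name, not new handler code.
    public static IServiceCollection AddOrganizationPolicies(this IServiceCollection services)
    {
        services.AddScoped<IAuthorizationHandler, OrganizationRoleHandler>();
        services.AddAuthorization(options =>
        {
            foreach (var role in new[] { "User", "Admin", "Owner" })
                options.AddPolicy($"Org{role}", p => p.AddRequirements(new OrganizationRoleRequirement(role)));
        });
        return services;
    }
}
```

A controller then evaluates it with `IAuthorizationService.AuthorizeAsync(User, orgId, "OrgOwner")`, passing the route's organization id as the resource so the check is bound to that specific organization rather than to a global role claim.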
Tech Stack
- .NET 8.0 with custom MSBuild extensions for multi-project orchestration and SQL asset management
- Custom SDK enforces domain-specific build logic and asset handling, extending standard tooling
- Strict code style enforced via editorconfig with diagnostics for internationalization, async naming, and field conventions
- Handlebars templating powers server-side email and view rendering, supporting a backend-centric UI approach
- Minimal frontend assets with no modern JavaScript frameworks, emphasizing server-side rendering
- Lightweight data access via SQL build tasks instead of traditional ORMs
Code Quality
- Extensive test coverage across unit, integration, and end-to-end scenarios with robust mocking and test data generation
- Strong type safety and validation at the model layer prevent critical security issues like plaintext data exposure
- Consistent use of custom exceptions and structured error handling with clear retryability distinctions
- Clean modular organization with domain-aligned naming and test structure improves maintainability
- Build-time linting and validation ensure code quality is enforced before deployment
What Makes It Unique
- Custom MJML-based email components with dynamic, responsive layouts that render consistently across platforms without external dependencies
- Extensible email UI logic implemented in JavaScript, enabling reusable, testable transactional email components uncommon in enterprise tools
- Unified billing and subscription state machine tightly integrated with multi-tenant organization lifecycle flows
- OSS and commercial code cleanly separated via SDK references, avoiding duplication while maintaining licensing boundaries
- Admin email templates with adaptive icon-row layouts that optimize for mobile accessibility and brand consistency
- Centralized mail enqueuing with intelligent fallback execution to guarantee delivery reliability during transient failures