Vaultwarden is an open-source, self-hosted server that implements the official Bitwarden API, allowing users to run a fully compatible password manager on their own infrastructure. It’s designed for individuals, families, and small organizations that want privacy and control over their sensitive data without the resource demands of the official Bitwarden server. Built in Rust for performance and security, it supports Docker, Podman, and reverse proxy setups with minimal system requirements.
The project uses the Rocket web framework and provides a modified Web Vault client bundled in its containers. It integrates with popular container registries (Docker Hub, GHCR, Quay.io) and supports advanced features like organizations, multi-factor authentication, and admin panels—all while maintaining compatibility with official Bitwarden desktop, mobile, and browser extensions.
What You Get
- Bitwarden API Compatibility - Fully implements the official Bitwarden Client API, enabling seamless use with official Bitwarden clients (desktop, mobile, browser extensions) without modification.
- Organizations & Team Management - Supports collections, password sharing, member roles, groups, event logs, admin password reset, and directory sync for team-based password management.
- Multi-Factor Authentication (MFA) - Supports authenticator apps, email-based 2FA, FIDO2/WebAuthn, YubiKey, and Duo for secure login enforcement.
- Attachments & Website Icons - Allows users to store file attachments with credentials and automatically fetches and stores website favicons for easy identification.
- Personal API Key Support - Enables programmatic access to the vault via personal API keys for automation and integration with other tools.
- Vaultwarden Admin Panel - Provides a web-based administrative interface to manage users, organizations, and system settings directly from the browser.
- Send Feature - Allows secure, encrypted file and text sharing with expiration dates and view limits, fully compatible with Bitwarden’s Send functionality.
- Emergency Access - Enables trusted contacts to request access to a user’s vault under predefined conditions, with approval workflows and audit trails.
Common Use Cases
- Running a family password vault - A parent uses Vaultwarden to securely store and share login credentials with family members across devices, using MFA and emergency access for peace of mind.
- Self-hosting for small businesses - A startup deploys Vaultwarden on a low-cost VPS to manage employee logins with organization roles and collections, avoiding cloud subscription fees.
- Privacy-focused individuals - A tech-savvy user runs Vaultwarden on a home server to eliminate third-party data collection while retaining full Bitwarden client functionality.
- IT teams managing internal tools - A sysadmin uses Vaultwarden’s admin panel and directory sync to onboard employees and enforce password policies across internal SaaS applications.
Under The Hood
Architecture
- Clean, layered design with Rocket routing decoupled from data access via service layers and dependency injection
- Centralized authentication and authorization enforced through middleware and JWT claims with RSA key management
- Event-driven models for user actions with fine-grained access control tied to request headers
- Modular feature flags enable optional components like S3, OIDC, and database backends without code duplication
Tech Stack
- Rust backend powered by Rocket and Diesel with async runtime via Tokio for high-concurrency operations
- Embedded SQLite support with optional PostgreSQL/MySQL integration through feature flags and diesel_migrations
- Cryptographic operations secured with ring and subtle, with OpenSSL vendoring for containerized deployments
- Comprehensive tooling including rust-toolchain, cargo fmt, clippy, and pre-commit hooks for code consistency
- CI/CD pipelines with Docker, hadolint, and typos for image hygiene and documentation validation
Code Quality
- Extensive end-to-end testing with Playwright covering SSO, 2FA, and organizational workflows using reusable utilities
- Robust error handling with custom error types, structured logging, and explicit Result/Option usage
- Strong type safety enforced via serde serialization and Rust’s static typing system
- Consistent, intent-driven naming across backend and frontend test code
- Secure resource lifecycle management with lazy-initialized cryptographic keys and configuration
What Makes It Unique
- Native Duo OIDC integration for enterprise SSO within a self-hosted environment
- Dynamic SCSS compilation with runtime theming that eliminates static asset dependencies
- Automatic domain equivalence mapping to improve password manager accuracy across related sites
- On-demand RSA key generation and persistent storage via OpenDAL for seamless cloud/container deployments
- Embedded admin panel with real-time diagnostics and SQLite backup functionality built into the binary
- Handlebars-based email templates with dynamic context injection for complex user communication scenarios