Bitwarden ships an official MCP server (40+ tools) that lets an AI client manage your vault — list, retrieve, create and edit logins, notes, cards and identities — with a clever safety design: unlocking happens through a native OS dialog, so your master password never travels through MCP or reaches the LLM. Here's the setup.
Prerequisites
Install the Bitwarden CLI (bw) and log in once (bw login). The MCP server drives the CLI; the AI never sees your master password.
Setup
{
  "mcpServers": {
    "bitwarden": {
      "command": "npx",
      "args": ["-y", "@bitwarden/mcp-server"]
    }
  }
}
Restart the client; see MCP config file location. On first use, ask the AI to run the unlock tool — Bitwarden pops a native OS password dialog, and the resulting session stays out of the model's context.
What it can do
Session management (unlock, lock, sync), and full item operations across logins, secure notes, cards and identities, plus organization/collection management. Self-hosting Vaultwarden? Point the CLI at your server first.
Verify
Unlock, then ask: "List the logins in my 'Work' folder" (don't ask it to reveal passwords in chat). Getting item metadata back confirms it's connected.
Read this — it's a password vault
Even with the native-unlock design, this gives an AI access to vault contents:
- Any secret the AI actually reads goes to your LLM provider in plaintext within the conversation. Don't have it print passwords; use it for organisation/lookups, not for piping live credentials into chat.
- Prefer a dedicated folder/collection and least-privilege access.
- For injecting secrets into other tools' configs (the safer pattern), see 1Password + MCP — the same idea applies.
See MCP security best practices and how to vet an MCP server.
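One way to check a client config before pointing it at a vault, as an added example (not Bitwarden's code and not part of the original page): it flags an unpinned package spec, since `npx -y` with no version resolves whatever release is latest at launch, and Bitwarden CLI secrets written into an `env` block. The env-var list, the second server entry and its `0.0.0` version are constructed for illustration.

```python
import json
import re

# Env var names that carry Bitwarden CLI secrets: BW_SESSION is the CLI's
# session key, BW_CLIENTSECRET its API-key secret. BW_PASSWORD is a common
# name used with `bw unlock --passwordenv` and is listed here as an assumption.
SECRET_ENV = {"BW_SESSION", "BW_CLIENTSECRET", "BW_PASSWORD"}
# An npm spec pinned to an exact version: name@1.2.3 or @scope/name@1.2.3
PINNED = re.compile(r"^(@[^/@\s]+/)?[^/@\s]+@\d+\.\d+\.\d+\S*$")


def audit_mcp_config(text, package="@bitwarden/mcp-server"):
    """Return a list of (server_name, finding) for risky Bitwarden entries."""
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, entry in servers.items():
        args = [a for a in entry.get("args", []) if isinstance(a, str)]
        specs = [a for a in args if a == package or a.startswith(package + "@")]
        if not specs:
            continue  # not a Bitwarden MCP server entry
        for spec in specs:
            if not PINNED.match(spec):
                findings.append((name, f"unpinned package spec {spec!r}: "
                                 "npx resolves the latest release on each launch"))
        for key, value in (entry.get("env") or {}).items():
            if key.upper() in SECRET_ENV and value:
                findings.append((name, f"{key} stored in plaintext in the config"))
    return findings


# Constructed sample: the page's entry, plus a hypothetical entry that pins
# the version (placeholder number) but hardcodes a session key.
SAMPLE = """
{
  "mcpServers": {
    "bitwarden": {"command": "npx", "args": ["-y", "@bitwarden/mcp-server"]},
    "bitwarden-pinned": {
      "command": "npx",
      "args": ["-y", "@bitwarden/mcp-server@0.0.0"],
      "env": {"BW_SESSION": "constructed-placeholder"}
    }
  }
}
"""

if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE):
        print(f"[{server}] {finding}")
```

To use it on a real setup, pass the contents of your client's MCP config file to `audit_mcp_config` instead of `SAMPLE`.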
Going further
Compare approaches in 1Password vs Bitwarden for MCP and the roundup best MCP for secrets management. Browse the security category or curated loadouts.