Connect your Bitwarden vault to OneCLI so the gateway can fetch credentials at request time, without storing them on the server. The integration uses the Bitwarden Agent Access SDK for encrypted communication.

Prerequisites

  • OneCLI running locally or via Docker
  • Bitwarden Agent Access CLI (aac) installed
  • A Bitwarden account with credentials stored as login items

Setup

1. Start the Bitwarden listener

Run the aac CLI to generate a pairing code:
aac listen --psk
This prints a pairing code (two 64-character hex strings joined by _). Keep this terminal open.

2. Pair in the dashboard

Open the OneCLI dashboard > Secrets page > Bitwarden Vault card. Paste the pairing code and click Connect Vault. The gateway establishes an encrypted Noise protocol session with your Bitwarden app through a WebSocket relay.

3. Test it

Make a request through the gateway with your agent’s access token:
curl -x http://x:YOUR_AGENT_TOKEN@localhost:10255 https://api.anthropic.com/v1/messages
If your Bitwarden vault has a login item with api.anthropic.com as the URI, the API key (stored in the password field) will be injected automatically.

How credentials are matched

The gateway asks Bitwarden for credentials by domain. Bitwarden matches against the URI field of your vault items and returns the password field. The injection rule depends on the target host:

Host                Header          Format
api.anthropic.com   x-api-key       Raw value
All other hosts     Authorization   Bearer <value>

Store your API keys in the password field of Bitwarden login items. Set the URI to the API hostname (e.g. api.anthropic.com, api.openai.com).
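
A simplified Python model of the matching and injection rule described above, added here as an illustration; it is not OneCLI or Bitwarden code. The exact-hostname comparison, the duplicate-item check, the sample vault items and the names SAMPLE_VAULT, host_of, find_credential and injected_header are assumptions of this example.

```python
from urllib.parse import urlsplit

# Injection rules from the table above: host -> (header name, value format).
RULES = {"api.anthropic.com": ("x-api-key", "{value}")}
DEFAULT_RULE = ("Authorization", "Bearer {value}")

# Constructed sample vault items (only the URI and password fields matter here).
SAMPLE_VAULT = [
    {"name": "Anthropic", "uri": "api.anthropic.com", "password": "sk-ant-EXAMPLE"},
    {"name": "OpenAI", "uri": "https://api.openai.com", "password": "sk-EXAMPLE"},
]


def host_of(uri_or_url):
    """Return the lower-cased hostname of a full URL or of a bare hostname."""
    text = uri_or_url.strip()
    if "://" not in text:
        text = "//" + text  # lets urlsplit treat a bare hostname as the netloc
    return (urlsplit(text).hostname or "").rstrip(".").lower()


def find_credential(vault, target_url):
    """Return the password of the item whose URI host equals the target host.

    Assumption: exact hostname comparison. Duplicates are reported as an error
    so that a vault audit catches two items competing for the same API host.
    """
    host = host_of(target_url)
    matches = [item for item in vault if host_of(item["uri"]) == host]
    if len(matches) > 1:
        names = ", ".join(item["name"] for item in matches)
        raise ValueError(f"{host}: more than one vault item matches ({names})")
    return matches[0]["password"] if matches else None


def injected_header(vault, target_url):
    """Return the (header, value) pair the upstream API would receive, or None."""
    value = find_credential(vault, target_url)
    if value is None:
        return None  # no matching login item, so nothing is injected
    name, fmt = RULES.get(host_of(target_url), DEFAULT_RULE)
    return name, fmt.format(value=value)
```

Running it over an export of your own item names and URIs shows which header each API host would receive and flags hosts with no item or with more than one.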

Session behavior

Sessions are restored automatically after a gateway restart. The first credential request triggers a reconnection using the stored session state from the database. There is no startup delay. Sessions unused for 30 minutes are evicted from memory. The next request restores them automatically. If a session can’t be restored (e.g. the Bitwarden app was reinstalled), disconnect in the dashboard and pair again with a new code.

Configuration

Variable              Default                       Description
BITWARDEN_PROXY_URL   wss://rat1.lesspassword.dev   WebSocket relay for the Bitwarden Remote Access protocol

Troubleshooting

Make sure the aac listen --psk terminal is still running and the pairing code hasn’t expired. Generate a fresh code and try again.
The first request after restart triggers a lazy session restore. If it fails, the session state may be stale. Disconnect in the dashboard and re-pair.
The aac CLI may prompt you to approve credential requests from the gateway. Press y to allow. This is a security feature of the Bitwarden Agent Access protocol.