Skip to main content

The #1 agentic semantic tool search: 91.6% first-try accuracy on S1 Search Bench Explore Tool Discovery

Live 24 Actions

Bitwarden MCP Server
for AI Agents

Connect your AI agent to StackOne's Bitwarden MCP server and give it 24 MCP tools out of the box. Auth, tool execution, and security all managed.

Start Free Book Demo Read Docs →
Bitwarden logo
Bitwarden MCP Server
Built by StackOne StackOne
DrataGPLocalyzeFlipMindtoolsScreenloop

Coverage

24 Agent Actions

Create, read, update, and delete across Bitwarden — and extend your agent's capabilities with custom actions.

MCP Actions → Build Actions →

Authentication

Agent Tool Authentication

Per-user OAuth in one call. Your Bitwarden MCP server gets session-scoped tokens with zero credentials stored on your infra.

Agent Auth →

Security

Agent Protection

Every Bitwarden tool response scanned for prompt injection in milliseconds — 88.7% accuracy, all running on CPU.

Prompt Injection Defense →

Performance

Max Agent Context. Min Cost.

Free up to 96% of your agent's context window to enhance reasoning and reduce cost, on every Bitwarden call.

Tools Discovery →

What is the Bitwarden MCP Server?

A Bitwarden MCP server lets AI agents read and write Bitwarden data through the Model Context Protocol — Anthropic's open standard for connecting LLMs to external tools. StackOne's Bitwarden MCP server ships with 24 pre-built actions, fully extensible via the Connector Builder — plus managed authentication, prompt injection defense, observability, and agent execution runtime. Connect it from MCP clients like Claude Desktop, Claude Code, Cursor, Goose, and VS Code, or from agent frameworks like OpenAI Agents SDK, LangChain, and Vercel AI SDK.

All Bitwarden MCP Tools

Every action from Bitwarden's API, ready for your agent. Create, read, update, and delete — scoped to exactly what you need.

Members

  • List Members

    List all members of the Bitwarden organization.

  • Get Member

    Retrieve a single member by id.

  • Update Member

    Update a member's role, collection access, and external identifier (full replacement).

  • Delete Member

    Remove a member from the organization.

Invite Members

  • Invite Member

    Invite a new member to the organization.

Member Group IDs

  • Get Member Group IDs

    List the group UUIDs a member belongs to.

  • Update Member Group IDs

    Replace the set of groups a member belongs to.

Reinvite Members

  • Reinvite Member

    Re-send the invitation email to an invited (not yet accepted) member.

Groups

  • Create Group

    Create a new group in the organization.

  • List Groups

    List all groups in the organization.

  • Get Group

    Retrieve a single group by id.

  • Update Group

    Update an existing group (full replacement of provided fields).

  • Delete Group

    Delete a group.

Group Member IDs

  • Get Group Member IDs

    List the member UUIDs assigned to a group.

  • Update Group Member IDs

    Replace the set of members assigned to a group.

Policies

  • List Policies

    List all organization policies.

Policys

  • Get Policy

    Retrieve a single policy by its PolicyType integer.

  • Update Policy

    Enable, disable, or reconfigure a policy.

Collections

  • List Collections

    List all collections in the organization.

  • Get Collection

    Retrieve a single collection by id.

  • Update Collection

    Update the group access associations and external identifier of a collection.

  • Delete Collection

    Delete a collection.

Events

  • List Events

    List organization activity (audit log) events with optional filters and pagination.

Organization (Directory Sync)s

  • Import Organization (Directory Sync)

    Bulk import / synchronize groups and members from an external identity system.

Set Up Your Bitwarden MCP Server in Minutes

One endpoint. Any framework. Your agent is talking to Bitwarden in under 10 lines of code.

MCP Clients

Claude Desktop setup guide
Claude Code setup guide
Cursor setup guide
Goose setup guide

Agent Frameworks

Claude Desktop
{
  "mcpServers": {
    "stackone": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://api.stackone.com/mcp?x-account-id=<account_id>",
        "--header",
        "Authorization: Basic <YOUR_BASE64_TOKEN>"
      ]
    }
  }
}

Check More Security MCP Servers

Cloudflare

141+ actions

OneLogin

110+ actions

Auth0

78+ actions

Sentinel XS

69+ actions

Microsoft Entra ID

67+ actions

JumpCloud

65+ actions

Drata

57+ actions

All Security MCP Servers →

Platform Resources

MCP Code Mode: Keeping Tool Responses Out of Agent Context

Anthropic's code_execution processes data already in context. Custom MCP code mode keeps raw tool responses in a sandbox. 14K tokens vs 500.

11 min

Comparing BM25, TF-IDF, and Hybrid Search for MCP Tool Discovery

Benchmarking BM25, TF-IDF, and hybrid search for MCP tool discovery across 916 tools. The 80/20 TF-IDF/BM25 hybrid hits 21% Top-1 accuracy in under 1ms.

10 min

Indirect Prompt Injection Defense for MCP Tools: A Technical Guide

MCP tools that read emails, CRM records, and tickets are indirect prompt injection vectors. Here's how we built a two-tier defense that scans tool results in ~11ms.

12 min

MCP vs A2A: Architecture, Security, and When to Use Each

MCP vs A2A: what each protocol standardizes, how they differ, their shared security risks including indirect prompt injection, and when to use one, both, or a hybrid architecture.

12 min

MCP vs API: What 200+ Connector Builds Taught Us

MCP wraps APIs, it doesn't replace them. After building 200+ connectors that serve both, here's when each approach wins.

14 min read

Bitwarden MCP Server FAQ

Does StackOne have a Bitwarden MCP server?
Yes. StackOne offers a hosted Bitwarden MCP server with 24 pre-built actions, and every action is tested and QA'd by StackOne. Connect it to Claude, Cursor, and any other MCP client, or to any agent framework through the AI Action SDK. It ships with managed agent authentication, prompt injection defense, and tool discovery with server-side execution that preserve your agent's context window and keep reasoning performance.
Bitwarden MCP server vs direct API integration — what's the difference?
A Bitwarden MCP server and direct API integration serve different use cases. Direct API integration is for software-to-software — backend code calling Bitwarden. A Bitwarden MCP server is for AI agents — MCP clients like Claude and Cursor, plus framework agents built with OpenAI, LangChain, or Vercel AI — discovering and calling Bitwarden at runtime. StackOne provides both.
How does Bitwarden authentication work for AI agents?
Bitwarden authentication for AI agents works through a StackOne Connect Session. Create one via the dashboard or the SDK — you get an auth link and ready-to-paste config for Claude Desktop, Cursor, and other MCP clients. Your user authenticates their own Bitwarden account; StackOne handles token exchange, storage, and refresh. Credentials never reach the LLM, and each user is isolated via origin_owner_id.
Are Bitwarden MCP tools vulnerable to prompt injection?
Yes — Bitwarden MCP tools can be vulnerable to indirect prompt injection. Any tool that reads user-written content — documents, messages, tickets, records, or free-text fields — is a potential vector. StackOne Defender scans every tool response before it enters the agent's context — regex patterns in ~1ms, then a MiniLM classifier in ~4ms. 88.7% accuracy, CPU-only.
What is the context bloat of a Bitwarden agent and how do I avoid it?
Context bloat happens when Bitwarden tool schemas and API responses eat your Bitwarden agent's memory, preventing it from reasoning effectively. A single Bitwarden query can return a massive JSON response, and connecting multiple tools compounds the problem. Tools Discovery and Code Mode reduce context bloat — loading only relevant tools per query and keeping raw responses out of the agent's context.
Can I limit which actions my Bitwarden agent can access?
Yes — you can limit which actions your Bitwarden agent can access directly from the StackOne dashboard. Toggle actions on or off, or restrict them to specific accounts, with no code changes to your agent. Session tokens can be scoped to exact actions so if one leaks, exposure stays contained.
Can I create custom agent actions for my Bitwarden MCP server?
Yes — you can create custom agent actions for your Bitwarden MCP server using Connector Builder. It's an integration agent your coding assistant (Claude Code, Cursor, or Copilot) can invoke to research Bitwarden's API, generate production-ready connector YAML, test against the live API, and validate before you ship.
When should I NOT use a Bitwarden MCP server?
Skip a Bitwarden MCP server if your integration is purely software-to-software — direct Bitwarden API integration is simpler when no AI agent is involved. For deterministic, compliance-critical operations (financial transactions, regulatory reporting), direct API gives you predictable behavior without agent-driven decision-making. MCP shines when AI agents need to dynamically discover and call Bitwarden actions at runtime.
What AI frameworks and AI clients does the StackOne Bitwarden MCP server support?
The StackOne Bitwarden MCP server supports both. MCP clients (paste-and-go apps): Claude Desktop, Claude Code, Cursor, VS Code, Goose. Agent frameworks (code SDKs you build with): OpenAI Agents SDK, Anthropic, Vercel AI, Google ADK, CrewAI, Pydantic AI, LangChain, LangGraph, Azure AI Foundry.

Put your AI agents to work

All the tools you need to build and scale AI agent integrations, with best-in-class connectivity, execution, and security.

Start Free Book Demo