CLI: Node.js module package and CLI package @bitwarden/cli Seems there is no practicaly way to access API directly from node JavaScript. Module bitwarden-cli-utils (even with awful limitations) blocks on first attempted action after a login. To install at FM, must do a per-user npm upgrade with "npm i -g npm". You will get warnings about node version, but it will install. FRIGGIN IDIOSYNCTRATIC Fetch types: [some are item types, some are attrs] item, username, password, uri, totp, notes, exposed, attachment, folder, collection, org-collection, organization, template, fingerprint, send The real key item subtypes are distinguished by att .type 1=login, 2=secure note, 3=card, 4=identity For some commands this defaults to 1/login. Special type of template seems to be a create/update template which excludes object and id fields (since these must always be specified in update commands) can request subitemtype-specific templaes like: template item.login INSTALL On Windows for install -g must add %APPDATA%/Roaming/npm/ to search path because node's prefix is under %APPDATAT: One way from CMD is: PATH=%PATH%;%APPDATA%\npm On UNIX a install -g installs to /usr/bin/ with node's prefix is /usr. You typically don't need to enter passwords, even for interactive use, as long as you somehow store your session ID (base 64 string) across logins. Even if you reboot. Just specific it with --session sessionId or env var BW_SESSION Get session key ("lock") in one of two ways: bw login: requires email addr, master password + MFA val (if enabled for account) + sometimes apikey client_secret This both logs you in and generates a session/lock. bw login --apikey: requires apikey client_id client_secret (just logs in) + bw unlock: requires master password (generates a session/lock) Diagnostics: "You are not logged in." means you need to login. [Force with 'logout'] "Master password" prompt means you are logged in but have no session/lock. [Force with 'unlock'] Most commands (those that access vaule) will always prompt for 'Master password'. To prevent prompting you must open the value and tell client the opening SESSION to use. bw_unlock will tell you a session ID to use with CLI "-session" switch; and an env var value. You can use either of these as opening user on opening computer. TODO: VERIFY other computer and other user don't work. Indicate to the call to use the open-vault SESSION, in one of these ways: Set env var. BW_SESSION according to output of the open-vault command. Give -session sessionId (base64) Can't do any wildcard or multi-item searching. Get/search commands: I believe no way to list just a subset of attrs. Even with 'bw list... commands' You always get full item list (either --pretty or all-on-one-line) The only searches are case-insensitive substring on specific attrs. E.g. can't ever search in Notes. "Full-text Search" >attr:v capability does not have these limitations, but it isn't working for me from node.js CLI nor web interface. The specific attrs are sub-item-type-specific (.type): Name always +: Username,first-URI for logins; Brand, last4-of-Number for cards; Name for Identities So most importantly, searches for items search: name + username + uri1 'bw search' and 'bw get' with search word. 'bw get searchword-or-key' searchword needs to resolve to just one record. Special case of 'template', searchword-or-key itself is item-type or item-type.attr> WHATTOGET is 'item' to get whole thing, or a LC-camel attr name or 'template'. E.g. bw --pretty get item sitenameval bw get uri usernameval bw get template item.username A workaround is to use folders. May be possible to use collections, but I don't know how to use them yet. See ref https://bitwarden.com/help/cli/ for constants for item types, login URI matching, etc. Reproducing uri matches here: 0: dom, 1: host, 2: startwith, 3: exact, 4: REGEXP, 5: never domain means just the last 2 segments of domain. If you need any other substring, use regex. Partial matching / JS style, so start with ^ anchor to be safe. EDIT: Only full rewrites possible. Can't specify only the changes. Remove attributes id, revisionDate, passwordHistory, login/passwordRevisionDate because they are automatic. Otherwise you must specify all or they will be cleared. Line delimiters in notes, etc. encoded like \n. See edit examples below. Use from JavaScript: Use --nointeraction switch. Seems to not be feasible to call directly from JavaScript, since 'bw' is ultimately designed to write its output to stdout. There is bitwarden-cli-utils but this requires you to give it the friggin' master password. WTF! Consider invoking with child_process.fork with --nointeraction switch, but looking doubtful as probably will not honor the @bitwarden/cli as a module without the index.js file. Fall back to child_process.execFileSync. Use non-interactively Get a personal API Key, one-time My Account > API Key. Only meaningful attributes are constant client_id + client_secret. [rotating changes the client_secret that will work] bw login --apikey Item update stamps revisionDate is reliable for actual item updates. lastUsedData pretty friggin useless. does not update for copy-password-to-clipboard, not for when plugin pastes into a page. See file "tech/linux.txt" about most useful jq transforms. See "secure.txt" Gotcha: remember when doing 'bw create...' or 'bw edit...' to remove id, revisionDate, passwordHistory, login/passwordRevisionDate Search by folder: bw get --pretty folder distinctive-substr-in-folder-name bw list --pretty items --folderid | grep -E '"(id|name)"' Edit an item: bw get item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328 | jq '.login.password="newp@ssw0rd"' | bw encode | bw edit item 7ac9cae8-5067-4faf-b6ab-acfd00e2c328 Edit a collection: bw get collection ee9f9dc2-ec29-4b7f-9afb-aac8010631a1 | jq '.name="My Collection"' | bw encode | bw edit item-collections ee9f9dc2-ec29-4b7f-9afb-aac8010631a1 Create item from template: bw get template item | jq ".name=\"My Login Item\" | .login=$(bw get template item.login | jq '.username="jdoe" | .password="myp@ssword123"')" | bw encode | bw create item WEB VAULT Must use this to add custom fields. No resync option. If don't want to wait a few minutes for updates, you must log out and back in from site. WTF! BROWSER PLUGINS Before install the plugin, disable Password entry Payment methods Save and fill addresses Glitch: Add-custom-field seems to be broken. Use web UI. My preferred settings: Under Extensions > Bitwarden > hamburger > Manage ext. Allow in Private → true Allow access to file → true Under regular UI.. Settings > Options Default URI Match → Host Don't Show Cards → false AUTOFILL Enable → true Default → true For some damned ready you must drill down into Edit screen to see URI resolution details. "Save" on the View Item screen means to save an additional URI to the record (with default default resolution setting).