Bitwarden CLI

Retrieve secrets when environment variables are missing.

CRITICAL: Source .env Before EVERY bw Command

EVERY bw command MUST be prefixed with sourcing .env to load BW_SESSION:

# Standard prefix for ALL bw commands - copy this pattern exactly:
source .env 2>/dev/null; bw <command>

Example commands:

source .env 2>/dev/null; bw status
source .env 2>/dev/null; bw list items --search "telegram"
source .env 2>/dev/null; bw get password "item-name"
source .env 2>/dev/null; bw get notes "item-name"

If .env is in a parent directory, search up:

for dir in . .. ../.. ../../..; do [[ -f "$dir/.env" ]] && source "$dir/.env" && break; done; bw status

Session Management

Check status (should show "unlocked" if BW_SESSION is valid):

source .env 2>/dev/null; bw status

If locked and BW_SESSION not in .env, unlock and save to .env:

echo "BW_SESSION=$(bw unlock --raw)" >> .env

Finding API Keys

API keys are often stored in notes - either in a login item's notes field or as a standalone secure note.

1. Search first to find the right item:

   bw list items --search "openai"

2. Check notes - API keys are commonly here:

   bw get notes "item-name"

3. Check custom fields if not in notes:

   bw get item "item-name" | jq -r '.fields[] | select(.name=="API_KEY") | .value'

Common Patterns

CLI Help

bw [options] [command]

Commands:
  login [email] [password]    Log into account
  unlock [password]           Unlock vault, returns session key
  lock                        Lock vault
  status                      Show vault status
  list <object>               List objects (items, folders, collections)
  get <object> <id>           Get object (item, username, password, totp, notes)
  sync                        Pull latest vault data