MCPcopy Index your code
hub / github.com/bitwarden/agent-access

github.com/bitwarden/agent-access @v0.11.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.11.0 ↗ · + Follow
657 symbols 1,606 edges 69 files 247 documented · 38%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README
<img alt="Bitwarden Agent Access" src="https://github.com/bitwarden/agent-access/raw/v0.11.0/assets/logo-light.png" height="120">

Agent Access

Agent Access allows users to provide credentials from their password manager to remote systems, without exposing their entire vault. Agent Access creates an end-to-end encrypted tunnel between a remote system and a credential provider.

Agent Access is an open protocol, CLI tool, and SDK that can be implemented directly into agents or custom software. While Agent Access has been built and developed by the team at Bitwarden, it is open for any credential provider to further support agentic or automation use cases.

[!IMPORTANT] This project is in an early preview stage. APIs and protocols are subject to change. We do not recommend inputting sensitive credentials directly into LLMs or AI agents (any unknown software, really).

For LLM's specifically, where possible use environment injection (e.g. aac run) to pass secrets to processes without exposing them in recorded context.

<img alt="Agent Access overview" src="https://github.com/bitwarden/agent-access/raw/v0.11.0/assets/overview-light.webp" width="960">

Installation

macOS (Apple Silicon)

curl -L https://github.com/bitwarden/agent-access/releases/latest/download/aac-macos-aarch64.tar.gz | tar xz
sudo mv aac /usr/local/bin/ # Makes it available on PATH

macOS (Intel)

curl -L https://github.com/bitwarden/agent-access/releases/latest/download/aac-macos-x86_64.tar.gz | tar xz
sudo mv aac /usr/local/bin/ # Makes it available on PATH

Linux (x86_64)

curl -L https://github.com/bitwarden/agent-access/releases/latest/download/aac-linux-x86_64.tar.gz | tar xz
sudo mv aac /usr/local/bin/ # Makes it available on PATH

Windows (x86_64)

Download aac-windows-x86_64.zip from the latest release and extract it to a directory on your PATH.

OpenClaw skill

curl -fsSL "https://raw.githubusercontent.com/bitwarden/agent-access/main/examples/skills/agent-access/SKILL.md" -o ~/.openclaw/skills/agent-access/SKILL.md --create-dirs

Examples

Use from your code

Use Agent Access directly from your code by referencing the Rust SDK. See the full examples:

Here's a quick Python example:

from agent_access import RemoteClient

client = RemoteClient("python-remote")
client.connect(token="ABC-DEF-GHI")
cred = client.request_credential("example.com")
print(cred.username, cred.password)
client.close()

Getting started (Bitwarden CLI)

In this short guide we'll walk you through setting up Agent Access on your local machine and connect it to the Bitwarden CLI.

Prerequisites

Enabling Agent Access for Bitwarden

The aac CLI tool has built-in support for connecting to the Bitwarden CLI. The interactive CLI can be used to unlock your vault (/unlock) and create a pairing token that the remote side can use to connect.

aac listen

If you don't have the bw CLI installed, you can use the built-in example credential provider (has credentials for example.com):

aac listen --provider example

The interactive CLI will create a pairing token that you can use to establish a connection on the remote side.

Setting up the remote side

You can run the remote side interactively (Useful for testing/demonstration) or without interactivity which is useful for agents and automation.

# interactive mode
aac connect
# Pairing (without interactivity)
aac connect --token <pairing-token> --output json

# Fetching credentials (without interactivity)
aac connect --domain example.com --output json
aac connect --domain github.com --provider bitwarden --output json

# Pair + Fetch in one command (without interactivity)
aac connect --token <pairing-token> --domain example.com --output json

# Fetch by vault item ID instead of domain
aac connect --id <vault-item-id> --output json

# Output:
{"credential":{"notes":null,"password":"alligator5","totp":null,"uri":"https://github.com","username":"example"},"domain":"github.com","success":true}

Fetching by ID

You can use --id instead of --domain to fetch a specific vault item by its unique identifier. This is useful when multiple items share the same domain, or when you know the exact item you need.

aac connect --id <vault-item-id> --output json

The --id and --domain flags are mutually exclusive — use one or the other.

Running commands with credentials

The run subcommand fetches a credential and injects it as environment variables into a child process. Secrets never touch stdout or disk — they're passed exclusively through the child process's environment.

# Map specific credential fields to env vars
aac run --domain example.com --env DB_PASSWORD=password --env DB_USER=username -- psql

# Inject all fields with AAC_ prefix (AAC_USERNAME, AAC_PASSWORD, etc.)
aac run --domain example.com --env-all -- deploy.sh

# Combine defaults with custom overrides
aac run --domain example.com --env-all --env CUSTOM_PW=password -- deploy.sh

# Use --id instead of --domain
aac run --id <vault-item-id> --env-all -- deploy.sh

Available credential fields: username, password, totp, uri, notes, domain, credential_id

When using --env-all, each field is injected with an AAC_ prefix (e.g., AAC_USERNAME, AAC_PASSWORD). Explicit --env mappings override --env-all defaults. At least one of --env or --env-all is required.

Contributing

This repo contains multiple building blocks that power Agent Access.

It contains:

  • An end-to-end encrypted tunnel, using Noise
  • A Rust SDK for establishing a tunnel, sending requests, and responding to them
  • A CLI tool for requesting / releasing credentials
  • A proxy server for demo/development purposes

    Agent Access architecture

See CONTRIBUTING.md for development setup, crate structure, and how to run the project.

Extension points exported contracts — how you extend this code

CredentialProvider (Interface)
A pluggable credential provider. Implementations back different password managers (Bitwarden CLI, 1Password, etc.) behi [3 …
crates/ap-cli/src/providers/mod.rs
ConnectionStore (Interface)
(no doc) [4 implementers]
crates/ap-client/src/traits.rs
FlatError (Interface)
FlatError trait for error variant identification. Trait for errors that can report their variant name.
crates/ap-error/src/flat_error.rs
IdentityProvider (Interface)
(no doc) [3 implementers]
crates/ap-client/src/traits.rs
ProxyClient (Interface)
(no doc) [3 implementers]
crates/ap-client/src/proxy.rs
PskStore (Interface)
(no doc) [2 implementers]
crates/ap-client/src/traits.rs
AuditLog (Interface)
(no doc) [1 implementers]
crates/ap-client/src/traits.rs

Core symbols most depended-on inside this repo

timeout
called by 63
crates/ap-client/src/compat.rs
encrypt
called by 32
crates/ap-noise/src/transport.rs
decrypt
called by 30
crates/ap-noise/src/transport.rs
fingerprint
called by 27
crates/ap-client/src/types.rs
to_vec
called by 19
crates/ap-noise/src/transport.rs
disconnect
called by 17
crates/ap-proxy-client/src/protocol_client.rs
finalize
called by 16
crates/ap-noise/src/handshake.rs
pair_with_psk
called by 16
crates/ap-client/src/clients/remote_client.rs

Shape

Method 296
Function 228
Class 86
Enum 40
Interface 7

Languages

Rust100%
Python1%

Modules by API surface

crates/ap-cli/src/command/connect.rs47 symbols
crates/ap-noise/src/transport.rs43 symbols
crates/ap-proxy-protocol/src/auth.rs35 symbols
crates/ap-client/src/clients/user_client.rs35 symbols
crates/ap-cli/src/command/tui.rs29 symbols
crates/ap-cli/src/providers/bitwarden.rs27 symbols
crates/ap-client/src/clients/remote_client.rs26 symbols
crates/ap-client/tests/pairing.rs24 symbols
crates/ap-noise/src/handshake.rs23 symbols
crates/ap-cli/src/providers/mod.rs22 symbols
examples/python-pyo3/src/storage.rs20 symbols
crates/ap-client/src/types.rs20 symbols

For agents

$ claude mcp add agent-access \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact