Skip to content

How to Fix Bitwarden CLI Login

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix Bitwarden CLI Login. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

bw login returns "Invalid email or password" or "client_id is required." The Bitwarden CLI requires API key authentication, not just the master password.

The Wrong Way

bw login user@example.com
# Password: ****
# Error: Invalid email or password

The CLI does not support password-only login. It requires an API key for initial authentication.

The Right Way

Step 1: Generate an API key from the web vault

# Log into https://vault.bitwarden.com
# Settings → Account → "View API Key"
# Copy:
# - client_id: user.xxxx-xxxx-xxxx-xxxx
# - client_secret: xxxxxxxx...

Step 2: Log in with the API key

bw login --apikey
# Client ID: user.xxxx-xxxx-xxxx-xxxx
# Client Secret: xxxxxxxx...
# Master Password: ****
# Success: You are logged in!

Step 3: Set environment variables for automation

export BW_CLIENTID="user.xxxx-xxxx-xxxx-xxxx"
export BW_CLIENTSECRET="xxxxxxxx..."
export BW_PASSWORD="your-master-password"

bw login --apikey
# Non-interactive, reads from environment variables

Step 4: Unlock the vault

bw unlock --passwordenv BW_PASSWORD
# Export the session key:
export BW_SESSION="$(bw unlock --raw --passwordenv BW_PASSWORD)"
CLI authenticated — bw list items returns 47 items, bw generate creates secure passwords.

Prevention

  • Store API keys in environment variables for CI/CD pipelines.
  • Never commit BW_CLIENTSECRET or BW_PASSWORD to version control.
  • The API-key authentication model is the same approach used by Doda Browser's CLI tools — app credentials separate from user passwords.

Common Mistakes with cli login

  1. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  2. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
  3. Using return to exit a function early instead of wrapping a pure value in the monad

These mistakes appear frequently in real-world BITWARDEN code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### Why does `bw login` with API key still fail?

Check that: (1) the client_id format is user.xxxxx (user prefix), (2) the client_secret has no extra spaces or quotes, and (3) the API key is not expired (they do not expire by default but can be revoked).

How do I log out of the Bitwarden CLI?

bw logout
# Clears the session key from memory
# For complete logout, also unset BW_SESSION:
unset BW_SESSION

Can I use biometric unlock with the CLI?

No. The Bitwarden CLI does not support biometric unlock. You must use the master password or API key. For unattended automation, use the API key method with environment variables.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro