Agent Access

Agent Access allows users to provide credentials from their password manager to remote systems, without exposing their entire vault. Agent Access creates an end-to-end encrypted tunnel between a remote system and a credential provider.

Agent Access is an open protocol, CLI tool, and SDK that can be implemented directly into agents or custom software. While Agent Access has been built and developed by the team at Bitwarden, it is open for any credential provider to further support agentic or automation use cases.

Important

This project is in an early preview stage. APIs and protocols are subject to change. We do not recommend inputting sensitive credentials directly into LLMs or AI agents (any unknown software, really).

For LLM's specifically, where possible use environment injection (e.g. aac run) to pass secrets to processes without exposing them in recorded context.

Installation

macOS (Apple Silicon)

curl -L https://github.com/bitwarden/agent-access/releases/latest/download/aac-macos-aarch64.tar.gz | tar xz
sudo mv aac /usr/local/bin/ # Makes it available on PATH

macOS (Intel)

curl -L https://github.com/bitwarden/agent-access/releases/latest/download/aac-macos-x86_64.tar.gz | tar xz
sudo mv aac /usr/local/bin/ # Makes it available on PATH

Linux (x86_64)

curl -L https://github.com/bitwarden/agent-access/releases/latest/download/aac-linux-x86_64.tar.gz | tar xz
sudo mv aac /usr/local/bin/ # Makes it available on PATH

Windows (x86_64)

Download aac-windows-x86_64.zip from the latest release and extract it to a directory on your PATH.

OpenClaw skill

curl -fsSL "https://raw.githubusercontent.com/bitwarden/agent-access/main/examples/skills/agent-access/SKILL.md" -o ~/.openclaw/skills/agent-access/SKILL.md --create-dirs

Examples

• OpenClaw skill
• Fetch credential via aac connect — parse JSON output with jq and pipe to docker login
• Connect to PostgreSQL via aac run — inject PGUSER/PGPASSWORD as env vars directly into psql
• Github Action

Use from your code

Use Agent Access directly from your code by referencing the Rust SDK. See the full examples:

• Python (PyO3 bindings) — connect and request credentials from Python
• Rust remote client — minimal Rust example using RemoteClient

Here's a quick Python example:

from agent_access import RemoteClient

client = RemoteClient("python-remote")
client.connect(token="ABC-DEF-GHI")
cred = client.request_credential("example.com")
print(cred.username, cred.password)
client.close()

Getting started (Bitwarden CLI)

In this short guide we'll walk you through setting up Agent Access on your local machine and connect it to the Bitwarden CLI.

Prerequisites

• Bitwarden CLI (bw) installed and available on your PATH

Enabling Agent Access for Bitwarden

The aac CLI tool has built-in support for connecting to the Bitwarden CLI. The interactive CLI can be used to unlock your vault (/unlock) and create a pairing token that the remote side can use to connect.

aac listen

If you don't have the bw CLI installed, you can use the built-in example credential provider (has credentials for example.com):

aac listen --provider example

The interactive CLI will create a pairing token that you can use to establish a connection on the remote side.

Setting up the remote side

You can run the remote side interactively (Useful for testing/demonstration) or without interactivity which is useful for agents and automation.

# interactive mode
aac connect

# Pairing (without interactivity)
aac connect --token <pairing-token> --output json

# Fetching credentials (without interactivity)
aac connect --domain example.com --output json
aac connect --domain github.com --provider bitwarden --output json

# Pair + Fetch in one command (without interactivity)
aac connect --token <pairing-token> --domain example.com --output json

# Fetch by vault item ID instead of domain
aac connect --id <vault-item-id> --output json

# Output:
{"credential":{"notes":null,"password":"alligator5","totp":null,"uri":"https://github.com","username":"example"},"domain":"github.com","success":true}

Fetching by ID

You can use --id instead of --domain to fetch a specific vault item by its unique identifier. This is useful when multiple items share the same domain, or when you know the exact item you need.

aac connect --id <vault-item-id> --output json

The --id and --domain flags are mutually exclusive — use one or the other.

Running commands with credentials

The run subcommand fetches a credential and injects it as environment variables into a child process. Secrets never touch stdout or disk — they're passed exclusively through the child process's environment.

# Map specific credential fields to env vars
aac run --domain example.com --env DB_PASSWORD=password --env DB_USER=username -- psql

# Inject all fields with AAC_ prefix (AAC_USERNAME, AAC_PASSWORD, etc.)
aac run --domain example.com --env-all -- deploy.sh

# Combine defaults with custom overrides
aac run --domain example.com --env-all --env CUSTOM_PW=password -- deploy.sh

# Use --id instead of --domain
aac run --id <vault-item-id> --env-all -- deploy.sh

Available credential fields: username, password, totp, uri, notes, domain, credential_id

When using --env-all, each field is injected with an AAC_ prefix (e.g., AAC_USERNAME, AAC_PASSWORD). Explicit --env mappings override --env-all defaults. At least one of --env or --env-all is required.

Contributing

This repo contains multiple building blocks that power Agent Access.

It contains:

• An end-to-end encrypted tunnel, using Noise
• A Rust SDK for establishing a tunnel, sending requests, and responding to them
• A CLI tool for requesting / releasing credentials
• A proxy server for demo/development purposes

See CONTRIBUTING.md for development setup, crate structure, and how to run the project.