
Overview

Policies allow organizations to enforce security requirements and business rules for all members.
Policies are only available on Teams and Enterprise plans.

Get Policy

Retrieve a specific policy configuration.
GET /organizations/{orgId}/policies/{type}

Path Parameters:
  • orgId (string, required): Organization ID
  • type (number, required): Policy type (see Policy Types below)

Response

  • id (string, required): Policy unique identifier
  • organizationId (string, required): Parent organization ID
  • type (number, required): Policy type
  • enabled (boolean, required): Whether the policy is active
  • data (object): Policy-specific configuration

List All Policies

Retrieve all policies for an organization.
GET /organizations/{orgId}/policies

Path Parameters:
  • orgId (string, required): Organization ID

Get Policies by Token

Retrieve enabled policies using an invitation token (for invited users).
GET /organizations/{orgId}/policies/token?email={email}&token={token}&organizationUserId={organizationUserId}

Path Parameters:
  • orgId (string, required): Organization ID

Query Parameters:
  • email (string, required): User’s email address
  • token (string, required): Invitation token
  • organizationUserId (string, required): Organization user ID

This endpoint does not require authentication; the invitation token serves as verification.

Get Master Password Policy

Retrieve master password requirements for an organization.
GET /organizations/{orgId}/policies/master-password

Path Parameters:
  • orgId (string, required): Organization ID

Update Policy

Enable or update a policy configuration.
PUT /organizations/{orgId}/policies/{type}

Path Parameters:
  • orgId (string, required): Organization ID
  • type (number, required): Policy type

Request Body

  • enabled (boolean, required): Enable or disable the policy
  • data (object): Policy-specific configuration (varies by type)

Policy Types

Two-Factor Authentication (0)

Require all users to enable two-factor authentication.
{
  "type": 0,
  "enabled": true,
  "data": null
}

Master Password (1)

Enforce master password requirements.
{
  "type": 1,
  "enabled": true,
  "data": {
    "minComplexity": 3,
    "minLength": 12,
    "requireUpper": true,
    "requireLower": true,
    "requireNumbers": true,
    "requireSpecial": true,
    "enforceOnLogin": false
  }
}
Data Fields:
  • minComplexity (0-4): Minimum complexity score
  • minLength: Minimum password length
  • requireUpper: Require uppercase letters
  • requireLower: Require lowercase letters
  • requireNumbers: Require numbers
  • requireSpecial: Require special characters
  • enforceOnLogin: Force password update on next login
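The following is an added example, not code from the original documentation: it evaluates a candidate master password against a Master Password (type 1) policy object of the shape shown above. The complexity score (0-4) is not computed here; the caller passes one in from whatever strength estimator it uses, and the assumption that "special character" means any non-alphanumeric character is mine, not the documentation's.

```javascript
// Added example (not from the original documentation).
// Check a password against a Master Password policy object
// ({ type: 1, enabled, data }) as described in the Policy Types section.

// Constructed sample policy, matching the documented data fields.
const sampleMasterPasswordPolicy = {
  type: 1,
  enabled: true,
  data: {
    minComplexity: 3,
    minLength: 12,
    requireUpper: true,
    requireLower: true,
    requireNumbers: true,
    requireSpecial: true,
    enforceOnLogin: false,
  },
};

// Returns { compliant, failures } where failures lists the rules that were not met.
// complexityScore: 0-4 score supplied by the caller (assumption: same scale as minComplexity).
function checkMasterPassword(password, policy, complexityScore) {
  // A disabled policy, or one with no data, imposes no requirements.
  if (!policy.enabled || !policy.data) {
    return { compliant: true, failures: [] };
  }
  const d = policy.data;
  const failures = [];

  if (typeof d.minLength === 'number' && password.length < d.minLength) {
    failures.push(`minLength ${d.minLength}`);
  }
  if (d.requireUpper && !/[A-Z]/.test(password)) failures.push('requireUpper');
  if (d.requireLower && !/[a-z]/.test(password)) failures.push('requireLower');
  if (d.requireNumbers && !/[0-9]/.test(password)) failures.push('requireNumbers');
  // Assumption: "special" means any character outside A-Z, a-z, 0-9.
  if (d.requireSpecial && !/[^A-Za-z0-9]/.test(password)) failures.push('requireSpecial');
  if (typeof d.minComplexity === 'number' && complexityScore < d.minComplexity) {
    failures.push(`minComplexity ${d.minComplexity}`);
  }

  return { compliant: failures.length === 0, failures };
}

// Stand-alone usage with constructed inputs.
console.log(checkMasterPassword('Tr0ub4dor&3xyz', sampleMasterPasswordPolicy, 4));
console.log(checkMasterPassword('password', sampleMasterPasswordPolicy, 1));
```

The `enforceOnLogin` flag is deliberately not consulted: it controls when the server forces a change, not whether a given password satisfies the policy, so a client-side check treats it as informational.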

Password Generator (2)

Enforce minimum requirements for generated passwords.
{
  "type": 2,
  "enabled": true,
  "data": {
    "defaultType": "password",
    "minLength": 14,
    "useUpper": true,
    "useLower": true,
    "useNumbers": true,
    "useSpecial": true,
    "minNumbers": 1,
    "minSpecial": 1,
    "minNumberWords": 3,
    "capitalize": true,
    "includeNumber": true
  }
}

Single Organization (3)

Prevent users from being in multiple organizations.
{
  "type": 3,
  "enabled": true,
  "data": null
}

Require SSO (4)

Require SSO authentication for all members.
{
  "type": 4,
  "enabled": true,
  "data": null
}

Personal Ownership (5)

Require all items to be owned by the organization (no personal items).
{
  "type": 5,
  "enabled": true,
  "data": null
}

Disable Send (6)

Disable Bitwarden Send for organization members.
{
  "type": 6,
  "enabled": true,
  "data": {
    "disableHideEmail": false
  }
}

Send Options (7)

Control Send feature availability.
{
  "type": 7,
  "enabled": true,
  "data": {
    "disableHideEmail": true
  }
}

Reset Password (8)

Allow admins to reset user passwords.
{
  "type": 8,
  "enabled": true,
  "data": {
    "autoEnrollEnabled": false
  }
}
Data Fields:
  • autoEnrollEnabled: Automatically enroll new users in password reset

Maximum Vault Timeout (9)

Enforce maximum vault timeout period.
{
  "type": 9,
  "enabled": true,
  "data": {
    "minutes": 60
  }
}

Disable Personal Vault Export (10)

Prevent users from exporting their personal vault.
{
  "type": 10,
  "enabled": true,
  "data": null
}

Activate Autofill (11)

Require browser extension autofill to be enabled.
{
  "type": 11,
  "enabled": true,
  "data": {
    "useTotp": false,
    "useAutofillOnPageLoad": false
  }
}

Policy Dependencies

Some policies require other policies to be enabled:
Policy → Required Policies
  • Reset Password → Single Organization
  • Require SSO → Single Organization
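As an added example (not code from the original documentation), the snippet below checks the dependency table in this section before building the PUT request described under Update Policy, so an attempt to enable Reset Password or Require SSO without Single Organization is caught client-side. It assumes the List All Policies response is an array of policy objects in the documented response shape; the `fetchFn` parameter and the sample policy list are constructed for illustration.

```javascript
// Added example (not from the original documentation).
// Policy type numbers from the Policy Types section.
const SINGLE_ORGANIZATION = 3;
const REQUIRE_SSO = 4;
const RESET_PASSWORD = 8;

// Mirrors the Policy Dependencies table: type -> types that must already be enabled.
const POLICY_DEPENDENCIES = {
  [RESET_PASSWORD]: [SINGLE_ORGANIZATION],
  [REQUIRE_SSO]: [SINGLE_ORGANIZATION],
};

// Returns the dependency types that are not enabled in currentPolicies.
// Assumption: currentPolicies is an array of { type, enabled, ... } objects.
function missingDependencies(policyType, currentPolicies) {
  const enabled = new Set(currentPolicies.filter((p) => p.enabled).map((p) => p.type));
  return (POLICY_DEPENDENCIES[policyType] || []).filter((t) => !enabled.has(t));
}

// Pure planning step: either a blocked result with the missing types,
// or the Update Policy request to send.
function planEnablePolicy(orgId, policyType, data, currentPolicies) {
  const missing = missingDependencies(policyType, currentPolicies);
  if (missing.length > 0) {
    return { blocked: true, missing };
  }
  return {
    blocked: false,
    request: {
      method: 'PUT',
      path: `/organizations/${orgId}/policies/${policyType}`,
      body: { enabled: true, data },
    },
  };
}

// Executes the plan. fetchFn is injected (e.g. the global fetch) so the
// planning logic above can be exercised without a live server.
async function enablePolicy(fetchFn, baseUrl, accessToken, orgId, policyType, data) {
  const headers = {
    Authorization: `Bearer ${accessToken}`,
    'Content-Type': 'application/json',
  };
  const listRes = await fetchFn(`${baseUrl}/organizations/${orgId}/policies`, { headers });
  if (!listRes.ok) throw new Error(`Listing policies failed: HTTP ${listRes.status}`);
  const current = await listRes.json();

  const plan = planEnablePolicy(orgId, policyType, data, current);
  if (plan.blocked) return plan;

  const res = await fetchFn(`${baseUrl}${plan.request.path}`, {
    method: plan.request.method,
    headers,
    body: JSON.stringify(plan.request.body),
  });
  if (!res.ok) throw new Error(`Updating policy failed: HTTP ${res.status}`);
  return { blocked: false, policy: await res.json() };
}

// Constructed sample: an org with Two-Factor Authentication enabled and
// Single Organization present but disabled.
const samplePolicies = [
  { id: 'pol-2fa', organizationId: 'org-1', type: 0, enabled: true, data: null },
  { id: 'pol-so', organizationId: 'org-1', type: SINGLE_ORGANIZATION, enabled: false, data: null },
];

// Stand-alone usage: Reset Password is blocked until Single Organization is enabled.
console.log(planEnablePolicy('org-1', RESET_PASSWORD, { autoEnrollEnabled: false }, samplePolicies));
```

Keeping the dependency check in a pure function (`planEnablePolicy`) means the rule can be unit-tested and reused by a UI before any network call is made; the server is still the authority and may reject the request for reasons the client cannot see.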

Policy Enforcement

When Policies Apply

  1. Immediately: For existing users when policy is enabled
  2. On Login: Some policies enforce requirements at next login
  3. On Invitation: New users see policy requirements before accepting

User Impact

When a policy is enabled:
  • Existing users may need to comply (e.g., enable 2FA)
  • Non-compliant users may be locked out until they comply
  • New users must meet requirements to join

Best Practices

Security Policies

  1. Enable Two-Factor Authentication - Require all users to use 2FA
  2. Set Master Password Requirements - Enforce strong passwords
  3. Use Single Organization - Prevent data leakage to other orgs
  4. Enable SSO - Centralize authentication control

Compliance Policies

  1. Personal Ownership - Ensure all sensitive data is org-owned
  2. Disable Send - Prevent data sharing via Send if not allowed
  3. Vault Export - Disable exports to prevent data exfiltration
  4. Vault Timeout - Ensure vaults lock after inactivity

Rollout Strategy

  1. Test policies in a pilot group first
  2. Communicate policy changes to users
  3. Provide time for compliance (grace period)
  4. Enable policy enforcement
  5. Monitor compliance and user issues

Policy Conflicts

When a user is in multiple organizations with conflicting policies:
  • Strictest policy wins - The most restrictive requirement applies
  • Example: If Org A requires 2FA and Org B doesn’t, user must enable 2FA
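To make the "strictest policy wins" rule concrete, here is an added example (not code from the original documentation) that merges the policy lists a user receives from several organizations. It goes slightly beyond the 2FA case in the text by covering data fields too, under assumptions of mine: for boolean flags the stricter value is true, for minimum-style numbers the larger value, and for the Maximum Vault Timeout (type 9) the smaller number of minutes. The two organizations' policy lists are constructed sample data.

```javascript
// Added example (not from the original documentation).
const VAULT_TIMEOUT = 9; // Maximum Vault Timeout policy type

// Merge two policy data objects of the same type, keeping the stricter value per field.
// Assumptions: booleans -> true wins; numbers -> larger wins, except type 9 "minutes"
// where smaller wins; other values -> the first seen is kept.
function mergeData(type, a, b) {
  if (!a || !b) return a || b; // a null side imposes nothing extra
  const merged = { ...a };
  for (const [key, value] of Object.entries(b)) {
    if (type === VAULT_TIMEOUT && key === 'minutes') {
      merged[key] = Math.min(a[key], value);
    } else if (typeof value === 'boolean') {
      merged[key] = Boolean(a[key]) || value;
    } else if (typeof value === 'number') {
      merged[key] = Math.max(a[key] ?? 0, value);
    } else if (!(key in merged)) {
      merged[key] = value;
    }
  }
  return merged;
}

// policiesByOrg: array of policy arrays, one per organization the user belongs to.
// Returns a Map of type -> effective (strictest) policy. Disabled policies are ignored.
function strictestPolicies(policiesByOrg) {
  const effective = new Map();
  for (const policies of policiesByOrg) {
    for (const policy of policies) {
      if (!policy.enabled) continue;
      const current = effective.get(policy.type);
      if (!current) {
        effective.set(policy.type, {
          type: policy.type,
          enabled: true,
          data: policy.data ? { ...policy.data } : null,
        });
      } else {
        current.data = mergeData(policy.type, current.data, policy.data);
      }
    }
  }
  return effective;
}

// Constructed sample: Org A requires 2FA, Org B does not; they differ on
// master password and vault timeout settings.
const orgAPolicies = [
  { type: 0, enabled: true, data: null },
  { type: 1, enabled: true, data: { minLength: 12, requireUpper: true, requireSpecial: false, minComplexity: 2, enforceOnLogin: false } },
  { type: VAULT_TIMEOUT, enabled: true, data: { minutes: 60 } },
];
const orgBPolicies = [
  { type: 0, enabled: false, data: null },
  { type: 1, enabled: true, data: { minLength: 16, requireUpper: false, requireSpecial: true, minComplexity: 3, enforceOnLogin: true } },
  { type: VAULT_TIMEOUT, enabled: true, data: { minutes: 15 } },
  { type: 10, enabled: true, data: null },
];

// Stand-alone usage: the user must enable 2FA, use a 16-character password, and lock after 15 minutes.
console.log([...strictestPolicies([orgAPolicies, orgBPolicies]).values()]);
```

The merge is order-independent for the documented field types, so the result is the same whichever organization's policies are fetched first; a client that caches the effective set should recompute it whenever any organization's policy list changes.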

Checking Policy Status

// Check whether a specific policy is enabled for an organization
const response = await fetch(
  `/organizations/${orgId}/policies/${policyType}`,
  { headers: { 'Authorization': `Bearer ${token}` } }
);
if (!response.ok) {
  throw new Error(`Failed to fetch policy: HTTP ${response.status}`);
}

const policy = await response.json();
if (policy.enabled) {
  console.log('Policy is active');
  // data is null for policy types that have no configuration
  console.log('Configuration:', policy.data);
}
