Overview
The Public Policies API allows programmatic configuration of organization security policies.
Policies are only available on Teams and Enterprise plans.
List Policies
Retrieve all policies for the organization.
GET /public/policies
```bash
curl -X GET "https://api.bitwarden.com/public/policies" \
  -H "Authorization: Bearer {org_api_token}"
```
Response
A JSON object whose `data` field is an array of Policy Objects (the examples below read it as `policies.data`).
Policy Object
| Field | Type | Description |
|---|---|---|
| `id` | string | Policy identifier, used in the `/public/policies/{id}` path |
| `type` | string | Policy type (see Policy Types below) |
| `enabled` | boolean | Whether the policy is currently enforced |
| `data` | object or null | Policy-specific configuration; `null` for types that take none |
Get Policy
Retrieve a specific policy by ID.
GET /public/policies/{id}
```bash
curl -X GET "https://api.bitwarden.com/public/policies/{id}" \
  -H "Authorization: Bearer {org_api_token}"
```
Update Policy
Enable or update a policy configuration.
PUT /public/policies/{id}
Request Body
| Field | Type | Description |
|---|---|---|
| `enabled` | boolean | Enable or disable the policy |
| `data` | object or null | Policy-specific configuration (varies by type); send `null` for types that take no configuration |
Policy Types
Two-Factor Authentication
Require all members to enable 2FA.
```json
{
  "type": "twoFactorAuthentication",
  "enabled": true,
  "data": null
}
```
Master Password
Enforce minimum master password requirements. `minComplexity` is the password strength score, from 0 (weakest) to 4 (strongest). When `enforceOnLogin` is true, existing members whose current master password does not meet the policy are required to change it at their next login; when false, the policy applies only to new and changed master passwords.
```json
{
  "type": "masterPassword",
  "enabled": true,
  "data": {
    "minComplexity": 3,
    "minLength": 12,
    "requireUpper": true,
    "requireLower": true,
    "requireNumbers": true,
    "requireSpecial": true,
    "enforceOnLogin": false
  }
}
```
Password Generator
Set minimum password generator requirements.
```json
{
  "type": "passwordGenerator",
  "enabled": true,
  "data": {
    "defaultType": "password",
    "minLength": 14,
    "useUpper": true,
    "useLower": true,
    "useNumbers": true,
    "useSpecial": true,
    "minNumbers": 1,
    "minSpecial": 1
  }
}
```
Single Organization
Prevent members from joining other organizations.
```json
{
  "type": "singleOrg",
  "enabled": true,
  "data": null
}
```
Require SSO
Require members to authenticate through the organization's SSO identity provider. Requires Single Organization (see Policy Dependencies).
```json
{
  "type": "requireSso",
  "enabled": true,
  "data": null
}
```
Personal Ownership
Require all items to be organization-owned.
```json
{
  "type": "personalOwnership",
  "enabled": true,
  "data": null
}
```
Disable Send
Disable Bitwarden Send.
```json
{
  "type": "disableSend",
  "enabled": true,
  "data": null
}
```
Send Options
Control Send feature options.
```json
{
  "type": "sendOptions",
  "enabled": true,
  "data": {
    "disableHideEmail": true
  }
}
```
Reset Password
Allow organization administrators to reset a member's master password. Requires Single Organization (see Policy Dependencies). When `autoEnrollEnabled` is true, new members are enrolled automatically when they join; otherwise each member must opt in.
```json
{
  "type": "resetPassword",
  "enabled": true,
  "data": {
    "autoEnrollEnabled": false
  }
}
```
Maximum Vault Timeout
Enforce a maximum vault timeout; members cannot set a timeout longer than `minutes`.
```json
{
  "type": "maximumVaultTimeout",
  "enabled": true,
  "data": {
    "minutes": 60
  }
}
```
Examples
Enable Two-Factor Requirement
```bash
curl -X PUT "https://api.bitwarden.com/public/policies/{policyId}" \
  -H "Authorization: Bearer {org_api_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "data": null
  }'
```
Strengthen Master Password Policy
```javascript
// Look the policy up by type, then PUT the stricter configuration to its id.
const listResponse = await fetch(
  'https://api.bitwarden.com/public/policies',
  { headers: { 'Authorization': `Bearer ${orgToken}` } }
);
const policies = await listResponse.json();

const masterPasswordPolicy = policies.data.find(
  p => p.type === 'masterPassword'
);

const updateResponse = await fetch(
  `https://api.bitwarden.com/public/policies/${masterPasswordPolicy.id}`,
  {
    method: 'PUT',
    headers: {
      'Authorization': `Bearer ${orgToken}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      enabled: true,
      data: {
        minComplexity: 4,
        minLength: 14,
        requireUpper: true,
        requireLower: true,
        requireNumbers: true,
        requireSpecial: true,
        // false: existing members keep their current master password until they change it
        enforceOnLogin: false
      }
    })
  }
);
if (!updateResponse.ok) {
  throw new Error(`Policy update failed: HTTP ${updateResponse.status}`);
}
```
Audit Policy Compliance
```python
import os
import requests

# Organization API token read from the environment (the variable name is an assumption)
org_token = os.environ['BW_ORG_TOKEN']

# Get all policies
response = requests.get(
    'https://api.bitwarden.com/public/policies',
    headers={'Authorization': f'Bearer {org_token}'},
    timeout=30
)
response.raise_for_status()
policies = response.json()['data']

# Check which security policies are enabled
security_policies = [
    'twoFactorAuthentication',
    'masterPassword',
    'singleOrg',
    'requireSso'
]

print("Security Policy Status")
print("=====================")
for policy_type in security_policies:
    policy = next(
        (p for p in policies if p['type'] == policy_type),
        None
    )
    if policy is None:
        status = "? Not returned by the API"
    elif policy['enabled']:
        status = "✓ Enabled"
    else:
        status = "✗ Disabled"
    print(f"{policy_type}: {status}")
```
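The audit above only reports the `enabled` flag, which misses a policy that is switched on but configured weaker than intended (a 6-character master password minimum, a 24-hour vault timeout). The following is an added example, not code from this page or from Bitwarden: it evaluates a policy list of the shape documented above against a baseline of expected `data` values and reports every deviation. The `SAMPLE_POLICIES` input is constructed to stand in for the `data` array a `GET /public/policies` call returns, so the block runs offline; the baseline thresholds are illustrative choices, not values the page prescribes.

```python
# Constructed sample of the `data` array returned by GET /public/policies, shaped
# as this page describes it: one compliant policy, two drifted, one disabled,
# and one (requireSso) missing entirely.
SAMPLE_POLICIES = [
    {"id": "pol-2fa", "type": "twoFactorAuthentication", "enabled": True, "data": None},
    {"id": "pol-mp", "type": "masterPassword", "enabled": True,
     "data": {"minComplexity": 2, "minLength": 8, "requireUpper": True,
              "requireLower": True, "requireNumbers": True, "requireSpecial": False}},
    {"id": "pol-single", "type": "singleOrg", "enabled": False, "data": None},
    {"id": "pol-timeout", "type": "maximumVaultTimeout", "enabled": True,
     "data": {"minutes": 240}},
]

# Baseline (illustrative values): every listed type must be enabled, and each
# entry lists (field, predicate, expectation text) checks applied to `data`.
BASELINE = {
    "twoFactorAuthentication": [],
    "singleOrg": [],
    "requireSso": [],
    "masterPassword": [
        ("minLength", lambda v: isinstance(v, int) and v >= 12, ">= 12"),
        ("minComplexity", lambda v: isinstance(v, int) and v >= 3, ">= 3"),
        ("requireSpecial", lambda v: v is True, "true"),
    ],
    "maximumVaultTimeout": [
        ("minutes", lambda v: isinstance(v, int) and v <= 60, "<= 60"),
    ],
}


def audit_policies(policies, baseline=BASELINE):
    """Compare a policy list against the baseline.

    Returns a list of (policy_type, finding) tuples; an empty list means the
    organization matches the baseline. Findings are recorded for absent and
    disabled policies and for every `data` field that fails its check.
    """
    by_type = {p["type"]: p for p in policies}
    findings = []
    for policy_type, checks in baseline.items():
        policy = by_type.get(policy_type)
        if policy is None:
            findings.append((policy_type, "policy not present in response"))
            continue
        if not policy.get("enabled"):
            # A disabled policy enforces nothing, so its data is irrelevant.
            findings.append((policy_type, "disabled"))
            continue
        data = policy.get("data") or {}
        for field, check, expectation in checks:
            value = data.get(field)
            if not check(value):
                findings.append(
                    (policy_type, f"{field} is {value!r}, expected {expectation}"))
    return findings


def format_report(findings):
    """Render findings as text, one line per finding."""
    if not findings:
        return "All baseline policies are enforced."
    lines = [f"{len(findings)} policy finding(s):"]
    for policy_type, finding in findings:
        lines.append(f"  {policy_type}: {finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_policies(SAMPLE_POLICIES)))
```

To run this against a live organization, replace `SAMPLE_POLICIES` with `response.json()['data']` from the request shown above; the checks are deliberately written as predicates over the `data` object so a new policy type or threshold is one more baseline entry rather than more code.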
Automated Policy Setup
```javascript
// Configure all security policies for a new organization.
// Object.entries preserves insertion order, and that order is the order the
// PUT calls are made, so list a prerequisite (singleOrg) before any policy
// that depends on it (requireSso, resetPassword).
const securityPolicies = {
  twoFactorAuthentication: { enabled: true, data: null },
  singleOrg: { enabled: true, data: null },
  masterPassword: {
    enabled: true,
    data: {
      minComplexity: 3,
      minLength: 12,
      requireUpper: true,
      requireLower: true,
      requireNumbers: true,
      requireSpecial: true
    }
  },
  maximumVaultTimeout: {
    enabled: true,
    data: { minutes: 60 }
  }
};

// Get current policies
const response = await fetch(
  'https://api.bitwarden.com/public/policies',
  { headers: { 'Authorization': `Bearer ${orgToken}` } }
);
if (!response.ok) {
  throw new Error(`Listing policies failed: HTTP ${response.status}`);
}
const policies = await response.json();

// Update each policy
for (const [type, config] of Object.entries(securityPolicies)) {
  const policy = policies.data.find(p => p.type === type);
  if (!policy) {
    console.warn(`? ${type} not returned by the API, skipping`);
    continue;
  }
  const update = await fetch(
    `https://api.bitwarden.com/public/policies/${policy.id}`,
    {
      method: 'PUT',
      headers: {
        'Authorization': `Bearer ${orgToken}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify(config)
    }
  );
  if (!update.ok) {
    // Stop on the first failure so a later policy is not enabled ahead of a prerequisite that failed.
    throw new Error(`Configuring ${type} failed: HTTP ${update.status}`);
  }
  console.log(`✓ Configured ${type}`);
}
```
Policy Dependencies
Some policies require others:
| Policy | Requires |
|---|---|
| Reset Password | Single Organization |
| Require SSO | Single Organization |
Enable prerequisite policies first to avoid errors.
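The ordering matters in both directions: a prerequisite must be enabled before its dependants and must not be disabled while a dependant still relies on it. The following is an added example, not code from this page or from Bitwarden: it takes the dependency table above, a set of desired changes, and the organization's current state, and returns the sequence of `PUT /public/policies/{id}` operations to perform, refusing any plan whose end state would leave Require SSO or Reset Password enabled without Single Organization. The policy type strings are the ones this page uses; the function names and the inputs in the usage block are the example's own.

```python
# Prerequisites from the Policy Dependencies table: dependant -> required policies.
REQUIRES = {
    "resetPassword": ["singleOrg"],
    "requireSso": ["singleOrg"],
}

# Inverted view: prerequisite -> policies that depend on it.
DEPENDANTS = {}
for _dependant, _prereqs in REQUIRES.items():
    for _prereq in _prereqs:
        DEPENDANTS.setdefault(_prereq, []).append(_dependant)


def plan_policy_updates(desired, current_enabled):
    """Order policy updates so a prerequisite is never missing.

    desired: {policy_type: enabled} for the policies to change.
    current_enabled: set of policy types enabled in the organization right now.
    Returns a list of (policy_type, enabled) pairs in the order to PUT them.
    Raises ValueError when the end state would leave a dependant enabled
    without its prerequisite (for example disabling singleOrg while requireSso
    stays on), which is the situation the note above warns produces errors.
    """
    final_enabled = set(current_enabled)
    for policy_type, enabled in desired.items():
        if enabled:
            final_enabled.add(policy_type)
        else:
            final_enabled.discard(policy_type)
    for dependant, prereqs in REQUIRES.items():
        if dependant in final_enabled:
            missing = [p for p in prereqs if p not in final_enabled]
            if missing:
                raise ValueError(
                    f"{dependant} requires {', '.join(missing)} to be enabled")

    enables = [t for t, on in desired.items() if on]
    disables = [t for t, on in desired.items() if not on]

    def ordered(members, graph):
        """Depth-first walk emitting each node after its neighbours in `graph`,
        considering only nodes in `members`."""
        order, seen = [], set()

        def visit(node):
            if node in seen:
                return
            seen.add(node)
            for neighbour in graph.get(node, []):
                if neighbour in members:
                    visit(neighbour)
            order.append(node)

        for node in members:
            visit(node)
        return order

    # Enabling: walk prerequisites first, so singleOrg precedes requireSso.
    enable_order = ordered(enables, REQUIRES)
    # Disabling: walk dependants first, so requireSso is off before singleOrg.
    disable_order = ordered(disables, DEPENDANTS)
    return [(t, True) for t in enable_order] + [(t, False) for t in disable_order]


if __name__ == "__main__":
    # Example inputs (constructed): enable SSO enforcement on an organization
    # that currently has no policies enabled.
    plan = plan_policy_updates(
        {"requireSso": True, "singleOrg": True, "twoFactorAuthentication": True},
        set())
    for policy_type, enabled in plan:
        print(f"PUT /public/policies/{{id of {policy_type}}}  enabled={enabled}")
```

Feed the returned list to the update loop from Automated Policy Setup (looking each type up in `policies.data` to get its `id`) and stop on the first non-2xx response; because enables come out before disables and each group is topologically ordered, no intermediate state violates the table.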
Best Practices
- Test first - Policies apply to every member of the organization, so try changes in a separate test organization before applying them to production
- Communicate changes - Notify users before enabling policies
- Grace period - Give users time to comply before enforcement
- Monitor compliance - Check policy adherence regularly, verifying the `data` values as well as the `enabled` flag
- Document policies - Keep records of when/why policies were enabled
- Protect the API token - A token that can tighten policies can also loosen them; keep it in a secrets manager and limit which automation may use it