Bitwarden

DEVOPS
Velocity 2.5

Open-source password manager for individuals and teams.

Bitwarden's server line is a steady drip of enterprise plumbing — billing, identity, and post-quantum groundwork laid behind feature flags.

enterprise-features, billing-infrastructure, post-quantum-crypto, dotnet-upgrade, feature-flag-cleanup, account-recovery
Current state
Six consecutive dot releases of the Bitwarden server show a team executing in two modes: shipping infrastructure (Stripe schedule-aware billing, organization invite links, .NET 10 upgrade, ml-dsa44 post-quantum keypair support, master password service refactor) while methodically retiring older feature flags as long-running rollouts complete. SSH key storage and the SSH Agent are now GA, the vault items archive is fully on, and 2FA account recovery has landed. User-visible novelty per release is modest; the substance is in the foundations.
Where it's heading
The team is building enterprise readiness without breaking the consumer product — Stripe subscription schedules for tax and discount migrations, invite-link infrastructure for org admins, SCIM v2, automatic member confirmation, and PQC-ready keypair primitives. The cadence of feature-flag removals in every release is the clearest signal: a lot of work that started months ago is graduating to GA across the 2026 series.
Prediction
Expect a user-visible org invite-link launch and the master-password-service refactor to surface in the clients within the next two release cycles, both gated behind the flags landed here.

Recent moves

  1. 7d ago

    v2026.4.2: .NET 10, ml-dsa44 keypairs, and org invite-link endpoints

    Heavy infrastructure release: .NET 10 upgrade, ml-dsa44 post-quantum keypair support, master-password-service foundation, full organization-invite-link CRUD endpoints, and a long tail of Stripe subscription-schedule fixes. User-visible features remain gated, but the post-quantum and master-password groundwork are notable plumbing moves.

  2. 12d ago

    v2026.4.1: passkey unlock GA, SCIM v2 groundwork, autoconfirm shipped

    Automatic member confirmation, unlock with passkey, and the SCIM refactor all graduate from feature flags, while SCIM v2 features and provider authorization attributes get scaffolded. The pattern is a wave of small previously-flagged features landing together rather than one headline change.

  3. 1mo ago

    v2026.4.0: vault items archive GA, HTTPS deeplinks, SSO redirect

    Vault items archive becomes available to everyone, alternate login methods can be hidden when SSO is required, and a substantial block of Stripe subscription-schedule plumbing lands to support phased pricing migrations. 2FA account recovery also appears, alongside HTTPS deeplink redirect support.

  4. 1mo ago

    v2026.3.2: Windows biometrics refactor, push notifications, Switzerland tax

    Biometrics refactor on Windows, updated org invitation and confirmation emails, data recovery tool, and push notifications infrastructure all complete their rollouts. Switzerland tax handling is the only meaningful net-new logic.

  5. 1mo ago

    v2026.3.1: cipher key corruption hotfix

    Single-purpose hotfix for a cipher key corruption issue that could occur under certain conditions — no other content in the release.

  6. 2mo ago

    v2026.3.0: SSH Agent and multi-thread decryption ship broadly

    SSH key storage and the SSH Agent are fully shipped, multi-thread decryption goes GA, and admins can disable My Items in the system portal. The SSH Agent reaching GA quietly extends the password manager toward developer credential workflows.
