Bitwarden Rate Limits
Bitwarden documents that its Public API throttles abusive traffic and returns 429 Too Many Requests when the API is hit too quickly. Numeric per-second ceilings are not exhaustively published. List endpoints exceeding 50 results return a continuationToken for pagination. Identity tokens issued via client_credentials are valid for 3600 seconds and should be reused rather than reissued on every call. Two cloud regions exist - api.bitwarden.com (US) and api.bitwarden.eu (EU) - each with its own identity host.
3 Limits
Throttle: 429
Limits
Public API Throttle (client): dynamic
Bitwarden returns 429 Too Many Requests when the Public API is called too rapidly. Numeric ceiling is not published.

Pagination Window (list_endpoint): 50
Lists exceeding 50 results return a continuationToken; clients must page using the token to retrieve the full result set.

Identity Token Validity (token): 3600
Bearer tokens issued from /connect/token are valid for 3600 seconds; reuse the token until expiry rather than re-issuing per request.
Policies
429 Throttling
When throughput is excessive the Public API returns 429 Too Many Requests. Clients should back off before retrying.
Token Reuse
Cache the bearer token for its 3600-second lifetime. Re-issuing per call wastes identity quota and risks rate limiting on /connect/token.
Continuation Pagination
Use continuationToken to walk lists exceeding 50 results; do not synthesise offsets.
Regional Selection
Use api.bitwarden.com / identity.bitwarden.com for US tenants and api.bitwarden.eu / identity.bitwarden.eu for EU tenants.
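
The four policies above combined in one client, as an added example (not Bitwarden's own code). Assumptions: the class name, the injected `send` transport, the `api.organization` scope, the `data` response field, passing `continuationToken` as a query parameter, the 60-second refresh margin, and the backoff parameters.

```python
import random
import time

class PublicApiClient:
    """Hypothetical client: cached token, backoff on 429, continuationToken paging."""
    def __init__(self, send, client_id, client_secret, region="com",
                 clock=time.monotonic, sleep=time.sleep):
        # send(method, url, headers, params) -> (status, json_body); assumed transport
        self.send, self.clock, self.sleep = send, clock, sleep
        self.creds = {"grant_type": "client_credentials", "scope": "api.organization",
                      "client_id": client_id, "client_secret": client_secret}
        self.api = f"https://api.bitwarden.{region}"            # region: "com" (US) or "eu" (EU)
        self.identity = f"https://identity.bitwarden.{region}"  # each region has its own identity host
        self.token, self.expires_at = None, 0.0

    def _call(self, method, url, headers, params, max_tries=5):
        # Retry only on 429, with capped exponential backoff and full jitter.
        for attempt in range(max_tries):
            status, body = self.send(method, url, headers, params)
            if status != 429:
                return status, body
            self.sleep(random.uniform(0, min(30, 2 ** attempt)))
        raise RuntimeError(f"still throttled after {max_tries} tries: {url}")

    def bearer(self):
        # Reuse the cached token; request a new one only shortly before expiry.
        if self.token is None or self.clock() >= self.expires_at - 60:
            status, body = self._call("POST", self.identity + "/connect/token", {}, self.creds)
            if status != 200:
                raise RuntimeError(f"token request failed: {status}")
            self.token = body["access_token"]
            self.expires_at = self.clock() + body.get("expires_in", 3600)
        return self.token

    def list_all(self, path):
        # Follow continuationToken until the server stops returning one; no offsets.
        items, cont = [], None
        while True:
            params = {"continuationToken": cont} if cont else {}
            headers = {"Authorization": "Bearer " + self.bearer()}
            status, body = self._call("GET", self.api + path, headers, params)
            if status != 200:
                raise RuntimeError(f"list request failed: {status}")
            items.extend(body["data"])
            cont = body.get("continuationToken")
            if not cont:
                return items
```

Because the token request goes through the same `_call` path, a 429 from /connect/token is backed off the same way as one from a list endpoint.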