Vaultwarden stores highly sensitive credentials and secrets. Treat configuration as security-critical infrastructure. This guide provides a complete reference for all configuration options, production-ready defaults, and operational best practices.
Version: Configuration reference for Vaultwarden 1.35.x (February 2026)
Vaultwarden is configured primarily through environment variables. These can be set in:
- Docker Compose `environment` section
- `.env` files
- Systemd service units
- Kubernetes ConfigMaps/Secrets
- Shell exports (for testing)
| Deployment | Config Location |
|---|---|
| Docker | `.env` file or `docker-compose.yml` |
| Systemd | `/etc/systemd/system/vaultwarden.service` |
| Native | Environment variables or `config.json` |
| Variable | Description | Default | Production Value |
|---|---|---|---|
| `DOMAIN` | Full URL where Vaultwarden is accessible | `http://localhost` | `https://vault.example.com` |
| `DATABASE_URL` | Database connection string | SQLite in `/data` | `/data/db.sqlite3` or PostgreSQL URL |
| `ADMIN_TOKEN` | Admin panel authentication token | Disabled | `<secure-random-token>` |
| `SIGNUPS_ALLOWED` | Allow public user registration | `true` | `false` |
| `SIGNUPS_VERIFY` | Require email verification for signups | `false` | `true` (if signups enabled) |
```env
# =============================================================================
# VAULTWARDEN PRODUCTION CONFIGURATION
# Version: 1.35.x
# =============================================================================

# -----------------------------------------------------------------------------
# Core Settings
# -----------------------------------------------------------------------------
DOMAIN=https://vault.example.com
DATABASE_URL=/data/db.sqlite3
ADMIN_TOKEN=your-32-character-secure-token-here

# -----------------------------------------------------------------------------
# Access Control
# -----------------------------------------------------------------------------
SIGNUPS_ALLOWED=false
SIGNUPS_VERIFY=false
SIGNUPS_DOMAINS_WHITELIST=example.com,corp.example.com
INVITATIONS_ALLOWED=true
ADMIN_PAGE_TOKEN=separate-admin-token

# -----------------------------------------------------------------------------
# WebSocket Configuration
# -----------------------------------------------------------------------------
WEBSOCKET_ENABLED=true
WEBSOCKET_PORT=3012

# -----------------------------------------------------------------------------
# SMTP/Email Configuration
# -----------------------------------------------------------------------------
SMTP_HOST=mail.example.com
SMTP_FROM=vault@example.com
SMTP_PORT=587
SMTP_SECURITY=starttls
SMTP_USERNAME=smtp_user
SMTP_PASSWORD=smtp_secure_password
SMTP_AUTH_MECHANISM=Login

# -----------------------------------------------------------------------------
# Security Settings
# -----------------------------------------------------------------------------
LOGIN_RATELIMIT_MAX_BURST=10
LOGIN_RATELIMIT_SECONDS=60
ADMIN_RATELIMIT_MAX_BURST=5
ADMIN_RATELIMIT_SECONDS=300
IP_HEADER=X-Forwarded-For

# -----------------------------------------------------------------------------
# Feature Flags
# -----------------------------------------------------------------------------
ORGANIZATIONS_ALLOWED=true
ATTACHMENTS_ALLOWED=true
SEND_ALLOWED=true
EMERGENCY_ACCESS_ALLOWED=true
WEB_VAULT_ENABLED=true
API_KEY_ENABLED=true

# -----------------------------------------------------------------------------
# Performance & Tuning
# -----------------------------------------------------------------------------
ROCKET_ADDRESS=0.0.0.0
ROCKET_PORT=80
WEBSOCKET_ADDRESS=0.0.0.0
NUM_WORKERS=4

# -----------------------------------------------------------------------------
# Logging
# -----------------------------------------------------------------------------
LOG_LEVEL=info
LOG_FILE=/data/vaultwarden.log
EXTENDED_LOGGING=false

# -----------------------------------------------------------------------------
# Backup & Maintenance
# -----------------------------------------------------------------------------
BACKUP_FOLDER=/data/backups
DISABLE_ICON_VALIDATION=false
```
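
The sample file above can be checked mechanically against the production and recommended columns in the tables on this page. The script below is an added example, not part of the original guide or of Vaultwarden; the function names `get_var` and `audit_env` and the finding texts are assumptions for illustration, and the `$argon2` prefix test assumes a hashed admin token is stored as an Argon2 PHC string.

```shell
#!/bin/sh
# Added example, not Vaultwarden code: audit a .env file against the
# production values in this page's tables. Prints one finding per line.

# Print the last value assigned to NAME ($2) in FILE ($1); empty when unset.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

audit_env() {
    env_file=$1

    # DOMAIN defaults to http://localhost; production needs the https:// URL.
    case "$(get_var "$env_file" DOMAIN)" in
        https://*) ;;
        *) echo "DOMAIN: not an https:// URL" ;;
    esac

    # SIGNUPS_ALLOWED defaults to true, so leaving it unset is also a finding.
    [ "$(get_var "$env_file" SIGNUPS_ALLOWED)" = "false" ] ||
        echo "SIGNUPS_ALLOWED: public registration is open"

    # A plain-text ADMIN_TOKEN is exposed to anyone who can read the file.
    case "$(get_var "$env_file" ADMIN_TOKEN)" in
        '' | '$argon2'*) ;;
        *) echo "ADMIN_TOKEN: plain text, store an Argon2 hash instead" ;;
    esac

    # ROCKET_ADDRESS defaults to 0.0.0.0; the table recommends loopback + proxy.
    case "$(get_var "$env_file" ROCKET_ADDRESS)" in
        '' | 0.0.0.0) echo "ROCKET_ADDRESS: listening on all interfaces" ;;
    esac

    [ "$(get_var "$env_file" SMTP_SECURITY)" != "none" ] ||
        echo "SMTP_SECURITY: mail leaves the host unencrypted"

    # Default burst is 10; the rate-limit table recommends 5.
    burst=$(get_var "$env_file" LOGIN_RATELIMIT_MAX_BURST)
    [ "${burst:-10}" -le 5 ] 2>/dev/null ||
        echo "LOGIN_RATELIMIT_MAX_BURST: ${burst:-10} is above the recommended 5"
}

# Constructed sample: six values copied from the sample .env on this page.
sample=$(mktemp)
printf '%s\n' 'DOMAIN=https://vault.example.com' 'SIGNUPS_ALLOWED=false' \
    'ADMIN_TOKEN=your-32-character-secure-token-here' 'SMTP_SECURITY=starttls' \
    'ROCKET_ADDRESS=0.0.0.0' 'LOGIN_RATELIMIT_MAX_BURST=10' > "$sample"
audit_env "$sample" || true
rm -f "$sample"
```

On the sample values it reports the plain-text `ADMIN_TOKEN`, the `0.0.0.0` bind address and the login burst of 10, the three places where the sample file differs from the recommended columns.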
## Domain & URL Settings

| Variable | Description | Default | Example |
|---|---|---|---|
| `DOMAIN` | Public URL for Vaultwarden | `http://localhost` | `https://vault.example.com` |
| `DOMAIN_ORIGINS` | Comma-separated list of allowed origins | Auto | `https://vault.example.com` |
| `DOMAIN_SET` | Force domain setting | `false` | `true` |

| Variable | Description | Default | Example |
|---|---|---|---|
| `DATABASE_URL` | Database connection string | SQLite | `postgresql://user:pass@host:5432/vaultwarden` |
| `DATABASE_MAX_CONNS` | Maximum database connections | 5 | 10 |
| `DATABASE_MIN_CONNS` | Minimum database connections | 1 | 2 |

Database URL Formats:

```env
# SQLite (default, recommended for ≤100 users)
DATABASE_URL=/data/db.sqlite3

# PostgreSQL (recommended for larger deployments)
DATABASE_URL=postgresql://vw_user:secure_pass@localhost:5432/vaultwarden

# MySQL/MariaDB
DATABASE_URL=mysql://vw_user:secure_pass@localhost:3306/vaultwarden
```

| Variable | Description | Default | Production |
|---|---|---|---|
| `ADMIN_TOKEN` | Admin panel token (plain or hashed) | Disabled | `<secure-token>` |
| `ADMIN_TOKEN_HASH` | Pre-hashed admin token | Disabled | `<argon2-hash>` |
| `SIGNUPS_ALLOWED` | Allow new user registrations | `true` | `false` |
| `SIGNUPS_VERIFY` | Require email verification | `false` | `true` |
| `SIGNUPS_DOMAINS_WHITELIST` | Allowed email domains | All | `example.com,corp.com` |
| `INVITATIONS_ALLOWED` | Allow user invitations | `true` | `true` |
| `ORGANIZATIONS_ALLOWED` | Enable organization features | `true` | `true` |
| `DISABLE_2FA_REMEMBER` | Disable “remember 2FA” option | `false` | `true` |

| Variable | Description | Default | Example |
|---|---|---|---|
| `SMTP_HOST` | SMTP server hostname | - | `smtp.example.com` |
| `SMTP_FROM` | Sender email address | - | `vault@example.com` |
| `SMTP_PORT` | SMTP port | 587 | 587 |
| `SMTP_SECURITY` | Encryption: `starttls`, `tls`, `none` | `starttls` | `starttls` |
| `SMTP_USERNAME` | SMTP authentication username | - | `smtp_user` |
| `SMTP_PASSWORD` | SMTP authentication password | - | `smtp_pass` |
| `SMTP_AUTH_MECHANISM` | Auth mechanism | `Login` | `Login` |
| `SMTP_TIMEOUT` | SMTP connection timeout (seconds) | 15 | 30 |

| Variable | Description | Default | Production |
|---|---|---|---|
| `WEBSOCKET_ENABLED` | Enable WebSocket for live sync | `false` | `true` |
| `WEBSOCKET_PORT` | WebSocket listening port | 3012 | 3012 |
| `WEBSOCKET_ADDRESS` | WebSocket bind address | `0.0.0.0` | `127.0.0.1` |
| `WEBSOCKET_URL` | Public WebSocket URL | Auto-detected | `wss://vault.example.com` |

| Variable | Description | Default | Recommended |
|---|---|---|---|
| `LOGIN_RATELIMIT_MAX_BURST` | Max login attempts before rate limit | 10 | 5 |
| `LOGIN_RATELIMIT_SECONDS` | Time window for rate limit | 60 | 120 |
| `ADMIN_RATELIMIT_MAX_BURST` | Max admin panel attempts | 5 | 3 |
| `ADMIN_RATELIMIT_SECONDS` | Admin rate limit window | 300 | 300 |
| `IP_HEADER` | Header for client IP detection | `X-Real-IP` | `X-Forwarded-For` |
| `DISABLE_ADMIN_TOKEN` | Disable admin panel | `false` | `false` |
| `HIBP_API_KEY` | Have I Been Pwned API key | - | `<api-key>` |

| Variable | Description | Default | Production |
|---|---|---|---|
| `WEB_VAULT_ENABLED` | Enable web interface | `true` | `true` |
| `API_KEY_ENABLED` | Enable API key authentication | `true` | `true` |
| `ATTACHMENTS_ALLOWED` | Allow file attachments | `true` | `true` |
| `SEND_ALLOWED` | Enable Send feature | `true` | `true` |
| `EMERGENCY_ACCESS_ALLOWED` | Enable emergency access | `true` | `true` |
| `EVENTS_ENABLED` | Enable event logging | `false` | `true` |
| `EVENTS_DAYS_RETAIN` | Days to retain events | 0 (forever) | 90 |

| Variable | Description | Default | Recommended |
|---|---|---|---|
| `ROCKET_ADDRESS` | HTTP bind address | `0.0.0.0` | `127.0.0.1` (with proxy) |
| `ROCKET_PORT` | HTTP listening port | 80 | 80 |
| `NUM_WORKERS` | Number of worker threads | CPU cores | 4-8 |
| `REQUEST_SIZE_LIMIT` | Max request size (bytes) | 10485760 | 10485760 |
| `SEND_SIZE_LIMIT` | Max Send attachment size | 104857600 | 52428800 |

| Variable | Description | Default | Production |
|---|---|---|---|
| `LOG_LEVEL` | Log verbosity | `info` | `info` or `warn` |
| `LOG_FILE` | Log file path | stdout | `/data/vaultwarden.log` |
| `LOG_TO_FILE` | Enable file logging | `false` | `true` |
| `EXTENDED_LOGGING` | Extended log details | `false` | `false` |
| `DISABLE_ICON_VALIDATION` | Skip icon validation | `false` | `false` |

| Variable | Description | Default | Example |
|---|---|---|---|
| `SSO_ENABLED` | Enable SSO authentication | `false` | `true` |
| `SSO_OIDC_ISSUER` | OIDC issuer URL | - | `https://auth.example.com` |
| `SSO_CLIENT_ID` | OIDC client ID | - | `vaultwarden` |
| `SSO_CLIENT_SECRET` | OIDC client secret | - | `<secret>` |
| `SSO_REDIRECT_URI` | Callback URL | Auto | `https://vault.example.com/sso/callback` |

## Storage and Backup Strategy 💾

| Data Type | Location | Priority |
|---|---|---|
| Database | `/data/db.sqlite3` or external DB | 🔴 Critical |
| Attachments | `/data/attachments/` | 🔴 Critical |
| Icons | `/data/icons/` | 🟡 Recommended |
| Sends | `/data/sends/` | 🔴 Critical |
| Config | `.env` or environment secrets | 🔴 Critical |
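
```bash
#!/bin/bash
# vaultwarden-backup.sh
set -euo pipefail   # stop on the first failed step instead of pruning old backups anyway
umask 077           # archives contain the vault database; keep them owner-only

BACKUP_DIR="/backup/vaultwarden"
DATE=$(date +%Y%m%d_%H%M%S)
DATA_DIR="/opt/vaultwarden/vw-data"

mkdir -p "${BACKUP_DIR}"

# Create compressed backup of the whole data directory.
# With SQLite, stop Vaultwarden first: a database file copied while it is
# being written can be inconsistent.
tar -czf "${BACKUP_DIR}/vaultwarden_${DATE}.tar.gz" \
    -C "${DATA_DIR}" .

# Keep only last 30 days of backups
find "${BACKUP_DIR}" -name "vaultwarden_*.tar.gz" -mtime +30 -delete

echo "Backup completed: ${BACKUP_DIR}/vaultwarden_${DATE}.tar.gz"
```
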
- Restore Data: Extract backup to test environment
- Validate Login: Test user authentication
- Verify Decryption: Confirm vault items decrypt correctly
- Test Attachments: Access stored file attachments
- Check WebSocket: Verify live sync between clients
- Test Admin Panel: Confirm admin functionality
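
The first item of the checklist can be scripted so that every archive is restore-tested, not only the one needed in an emergency. Added example, not from the original guide: `verify_backup` is a hypothetical name, and the script assumes the SQLite layout with `db.sqlite3` at the top level of the archived data directory.

```shell
#!/bin/sh
# Added example, not from the original page: restore-test one backup archive
# in a private scratch directory (mktemp -d creates it with mode 0700).

# verify_backup ARCHIVE: prints "ok" or the reason the backup is unusable.
verify_backup() {
    archive=$1
    scratch=$(mktemp -d) || return 1
    result=ok

    # 1. Restore Data: the archive must extract end to end (catches truncation).
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        result="archive unreadable"
    # 2. The database must be present and start with the SQLite file magic.
    elif [ "$(head -c 15 "$scratch/db.sqlite3" 2>/dev/null)" != "SQLite format 3" ]; then
        result="db.sqlite3 missing or not a SQLite file"
    # 3. Full consistency check when the sqlite3 CLI is installed.
    elif command -v sqlite3 >/dev/null 2>&1 &&
         [ "$(sqlite3 "$scratch/db.sqlite3" 'PRAGMA integrity_check;' 2>&1)" != "ok" ]; then
        result="integrity_check failed"
    fi

    rm -rf "$scratch"
    echo "$result"
    [ "$result" = ok ]
}

# Constructed demo: an archive cut off mid-transfer must be rejected.
work=$(mktemp -d)
printf 'SQLite format 3\000' > "$work/db.sqlite3"
tar -czf "$work/full.tar.gz" -C "$work" db.sqlite3
head -c 20 "$work/full.tar.gz" > "$work/cut.tar.gz"
verify_backup "$work/cut.tar.gz" || true
rm -rf "$work"
```

Login, decryption, attachment and sync checks from the list still need a running test instance; this script only establishes that the archive and database are restorable.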