NodeWarden: Bitwarden on Cloudflare Workers — No Server Required

Tue, 07 Apr 2026 17:34:00 +0800

Self-hosting Bitwarden gives you two paths. The official version requires Docker and eats memory. Vaultwarden rewrites it in Rust, much lighter, but you still need a VPS, HTTPS configuration, regular updates, and database backups.

NodeWarden takes a third path: run directly on Cloudflare Workers. No VPS, no SSL management, no uptime monitoring. Cloudflare’s free tier is enough.

How It Differs from Vaultwarden

Vaultwarden is the most popular third-party Bitwarden server, written in Rust, running in Docker. NodeWarden is written in TypeScript, running on Cloudflare Workers.

	Vaultwarden	NodeWarden
Language	Rust	TypeScript
Deployment	Docker / VPS	Cloudflare Workers
Database	SQLite / MySQL / PostgreSQL	Cloudflare D1
Attachment storage	Local filesystem	R2 or KV
SSL	Self-configured	Cloudflare handles it
Maintenance	Manual updates and backups	Fork + auto-sync upstream
Cost	VPS monthly fee	Cloudflare free tier
Organizations/Collections	Supported	Not supported

The biggest difference is operational burden. Vaultwarden needs you to maintain a VPS. NodeWarden is fully serverless. The downside is no organization or collection features, making it unsuitable for teams.

Technical Architecture

NodeWarden is built entirely on Cloudflare’s infrastructure:

Compute: Cloudflare Workers (serverless)
Database: D1 (Cloudflare’s SQLite)
Attachment storage: R2 (object storage) or KV (key-value)
Frontend: Preact (original Web Vault interface)

Two storage options:

Option	Credit card required	Max attachment size	Free quota
R2	Yes	100 MB (adjustable)	10 GB
KV	No	25 MiB (hard limit)	1 GB

If you don’t want to add a credit card, use KV mode. 1 GB free quota is more than enough for personal password management. Only consider R2 if you need large attachments.

Feature Comparison

Compared to official Bitwarden, everything needed for personal use is covered:

Web Vault password manager interface
Full sync (/api/sync), compatible with official clients
Attachment upload and download
Send feature (text and files)
Import/export (Bitwarden JSON/CSV, ZIP with attachments)
TOTP and Steam TOTP
Multi-user (invitation code registration)
Password hints (viewable directly in web, no email required)

NodeWarden adds one feature the official version lacks: a cloud backup center. Supports WebDAV and E3 protocol for scheduled backups, including db.json, manifest.json, and attachments/ directory. During restoration, missing attachments are safely skipped without leaving broken records.

Not supported: organizations, collections, permission management, SSO, SCIM, enterprise directories. These are team features unnecessary for personal use.

Client Compatibility

Tested and working:

Windows desktop
Mobile apps (iOS / Android)
Browser extensions
Linux desktop
macOS desktop (not fully verified)

Deployment

Web Deployment (Recommended)

The simplest approach, no local tools needed:

Fork the NodeWarden repo
Go to the Cloudflare Workers console and create a new project
Choose Continue with GitHub, point to your forked repo
Keep default settings and deploy
For KV mode, change the deploy command to npm run deploy:kv
Set the JWT_SECRET environment variable (at least 32 random characters)

The whole process takes under five minutes.

CLI Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


git clone https://github.com/shuaiplus/NodeWarden.git
cd NodeWarden
npm install
npx wrangler login

# R2 mode
npm run deploy

# KV mode
npm run deploy:kv

Local development:

1
2


npm run dev # R2 mode
npm run dev:kv # KV mode

Automatic Updates

After forking, enable the Sync upstream workflow in GitHub Actions. It auto-syncs with upstream daily at 3am. For manual updates, click Sync fork → Update branch on your fork page.

NodeWarden or Vaultwarden

If you already have a stable VPS, Vaultwarden is more feature-complete with a larger community. Organizations, collections, and login 2FA are all supported.

NodeWarden fits these scenarios:

No VPS management. No server means no maintenance — no uptime worries, no expired SSL certs, no full disks
Zero budget. Cloudflare’s free tier is plenty for personal use
Solo user. No need for organizations and permission management
Offsite backups. Built-in WebDAV backup is more convenient than Vaultwarden’s approach

The main risk is that your password vault runs on Cloudflare’s infrastructure. D1 and Workers are relatively new services. While Cloudflare probably won’t shut them down suddenly, free tier limits and terms can change anytime. Regular WebDAV backups are essential.

Also note that NodeWarden hasn’t undergone the same level of community security review as Vaultwarden. Password managers are high-sensitivity applications — assess the risk yourself before using it.

Bitwarden on recca0120 Tech Notes