The Bitwarden alternative for vendor and contractor access
Bitwarden shares collections, and its own guidance asks a human to remember to take them back. You need to hand one credential to one contractor for four hours, and prove afterwards who opened it.
In Bitwarden, the unit of access is a collection, and it lasts until an admin removes the person.
Here, the unit of access is a credential. It is requested, approved, and it expires by itself.
Bitwarden is good. A collection is still the wrong unit.
Let us be straight about this one, because Bitwarden earns it. It is free, it is open source, it is audited, and it does log password reveals. Any comparison page that tells you otherwise is lying to you, and you should close it.
The problem is not quality. It is shape. Bitwarden shares “collections”, which its docs describe as grouping “related logins, notes, cards, and identities for secure sharing”. So when a contractor needs the ad platform login, you put them in a collection, and they can open everything in it. Not the one credential they needed. All of it.
And then it just sits there. Bitwarden is honest about how that ends. Their own contractor guidance says every shared credential “should have an internal owner responsible for reviewing and revoking access when the engagement ends”. That is a person, holding a task, that nobody is ever thanked for doing. Permissions only accumulate, because removing one risks breaking somebody's work and removing none risks nothing you can see.
Side by side, in their own words
Every claim below about Bitwarden is a quote from Bitwarden's own documentation, linked so you can check it yourself. Scoped to the job you came here for: giving an outside person access to a credential you own.
| Bitwarden Teams | Vendor Access Vault | |
|---|---|---|
| The unit of access | A collection. You grant someone the container, and they can open the credentials inside it. “Collections group together related logins, notes, cards, and identities for secure sharing within an organization.”Source: their documentation | A single credential. Access is granted to one secret, not to a container of them. |
| How access begins | An admin assigns the person, or a group they belong to, into the collection. The permission is set at that moment. “Collection permissions are set when a member or group is first assigned to a collection.”Source: their documentation | The person asks for one credential, with a justification and a duration. Nothing is visible until an admin approves that specific request. |
| How access ends | Somebody has to remember. Bitwarden's own guidance for contractor credentials makes that a named person's job. “Every credential shared with a contractor should have an internal owner responsible for reviewing and revoking access when the engagement ends.”Source: their documentation | The grant expires on its own, at the time it was approved for. Nobody has to remember, so nobody can forget. |
| One-off sharing that expires | Yes. Bitwarden Send hands someone a temporary link to text or a file, up to a 31-day maximum. It is a copy you transmit, not access to the vault item itself. “Bitwarden Send is a tool to transmit sensitive text or files directly to anyone through secure, temporary links.”Source: their documentation | The ongoing access expires too, not just a one-off copy. The credential stays in the vault, and the grant to open it is what runs out. |
| Logging when someone reveals a password | Yes, and treat any page that tells you otherwise as unserious. Bitwarden records a password view as event 1108. It is available to Teams and Enterprise organisations. “Track your organization's activity and investigate incidents with event logs, timestamped records that capture changes and usage across your Teams or Enterprise organization.”Source: their documentation | Every reveal is written to an append-only log with the actor, timestamp, IP and user agent, and tied to the approval that authorised it. On the free plan. |
| What the free plan gives a team | A free organisation covers two users and two collections. A third contractor, or a third collection, moves you onto a paid tier, which is also where the event log starts. “Free organizations allow two users to securely share in up to two collections.”Source: their documentation | Free while we build it. Every feature, unlimited vendors, unlimited team members, and the audit log is not a paid tier. |
| Cost for a team of ten | $4 per user per month billed annually on Teams, so about $480 a year. That is the same tier the event log lives on. “$4 per month / per user billed annually”Source: their documentation | Free while we build it. Every feature, unlimited team members. |
The free-plan trap
Bitwarden's free organisation is real, and for two people sharing two collections it is genuinely all you need. The catch arrives quietly: “Free organizations allow two users to securely share in up to two collections”.
Hire a third contractor and you are on Teams, at $4 per user per month billed annually. That is not an outrageous price and Bitwarden is worth it. But notice what you were actually buying: the event log, the thing that answers who opened the Stripe key in March, starts at the same tier. Until you pay, the audit trail you assumed you had is not running.
Here, the audit log is not a tier. It is the point of the product.
What replaces the shared collection
- The contractor requests one credential, with a justification and a duration.
- An admin approves or denies. Until then, nothing is visible.
- On approval they can reveal it, and every reveal is written to an append-only audit log with the actor, timestamp, IP and user agent, tied to the approval that authorised it.
- The access expires on its own. No internal owner, no review task, no calendar reminder.
- Offboard the vendor and every pending request against its credentials is denied in the same transaction.
See vendor offboarding or the security model.
Common questions
- Does Bitwarden have an audit log?
- Yes. Bitwarden records a password view as event 1108, and copying a password as 1111. Be sceptical of any comparison page that claims otherwise, including ours if we ever slip. Two things differ. Event logs run on Teams and Enterprise organisations, and a free Bitwarden organisation is two users and two collections, so the free path most small teams actually take has no event log on it. And because every reveal here happens behind an approval, our log ties the reveal to the person who authorised it, not only to the person who opened it.
- Bitwarden is free and open source. Why would I switch?
- For most of what Bitwarden does, you would not, and we are not asking you to. Bitwarden is a genuinely good password manager and it is open source, which we are not. What we do is the narrow job it was not built for: handing one credential to an outside person for a fixed window, behind an approval, and being able to prove afterwards who opened it and who said yes.
- Can't I just use Bitwarden Send for a contractor?
- For a one-off, yes, and it is a good feature. Send transmits text or a file over a temporary link that can live up to 31 days. But Send is a copy you hand over, not a grant of access you can watch and withdraw. Once someone has the contents, the link expiring does not take the password back. For access that continues over an engagement, you want the credential to stay in the vault and the permission to open it to be the thing that expires.
- Do we have to drop Bitwarden to use this?
- No, and most teams should not. Bitwarden is where your team's own logins belong. What we replace is the shared collection you created for vendors and contractors, where the unit of access is the container and it lasts until somebody remembers to take it back.
- Do you have SSO, SOC 2, or self-hosting?
- Not yet. All three are on the roadmap, and Bitwarden has all three today. If your procurement requires a SOC 2 report or self-hosting right now, they are the better answer and we would rather you knew that here than after a sales call.
Keep reading
- vs 1PasswordSame problem, different container: there the unit is a vault.
- Sharing credentials with contractorsThe workflow that replaces the shared collection, end to end.
- Temporary accessAccess that expires beats access somebody must remember to revoke.
- PricingFree. Every feature, unlimited team members.
Give contractors access that expires on its own
Free while we build. No credit card, no sales call.