Hi everyone! I am currently trying to configure it, but I don't want to give my master password to Goldwarden, because... you understand the security implications if it leaks... While if it's my API key, I can easily invalidate it from the web interface! Is there any way to do it?
Replies: 1 comment
Bitwarden only uses API keys for authentication. Goldwarden needs to have a way to decrypt the vault. Your master password is never saved; only your account's encryption key is saved locally on your device, encrypted with your PIN. This is the same as what the official clients do.

Is there any specific concern about where the master password would leak?

If the concern is that you don't trust the software itself (i.e. you assume the developer (me) is malicious, despite it being open source, or the developer account getting compromised and an attacker publishing a malicious version of the app), then you should probably only use the official clients, or verify the source and compile locally. If your concern is that there is a security vulnerability in Goldwarden, then the attack surface is limited to your local device. If your local device is compromised, there are easier ways to get to your credentials (e.g. dumping the memory of Chrome/Firefox while your Bitwarden extension is unlocked, or using a keylogger).
Bitwarden only uses API keys for authentication. This circumvents captcha and 2FA. For decryption of your vault it still needs either your master password or a passkey (WebAuthn) PRF key (not implemented), just based on how the cryptographic architecture is designed. API keys
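The key handling the reply describes, as an added example that is not part of the original thread and not Goldwarden's or Bitwarden's own code. It models the three secrets involved: the API key (a login credential only), the master password (the only input that unwraps the server-stored account encryption key), and the local PIN (which wraps that account key on disk so the master password itself is never written). Assumptions: AES-256-GCM stands in for Bitwarden's AES-CBC+HMAC EncString format, the KDF is a single-block PBKDF2-HMAC-SHA256 without Bitwarden's HKDF stretching, the iteration count is a demo value, and the function names (`Enroll`, `StoreWithPIN`, `unlock`, `RunScenario`) and the sample e-mail, password, PIN and API key are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const iters = 10000 // demo value; real clients use hundreds of thousands
// kdf is PBKDF2-HMAC-SHA256 (RFC 8018) limited to one 32-byte output block, written out so
// the example needs only the standard library (Bitwarden also HKDF-stretches it; omitted here).
func kdf(secret, salt []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// wrap/unwrap seal data under a key with AES-256-GCM (stand-in for Bitwarden's EncString format).
func wrap(kek, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(blk) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand does not return errors on supported platforms
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func unwrap(kek, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(blk)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil) // fails unless kek sealed the blob
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// unlock derives a KEK from a user-held secret and tries to unwrap blob with it.
func unlock(secret, salt, blob []byte) ([]byte, error) { return unwrap(kdf(secret, salt), blob) }

// Account is what the server holds: an API key it verifies at login, and the account encryption
// key wrapped under the master-password-derived key. Neither the master password nor the
// unwrapped account key ever reaches the server.
type Account struct {
	Email, APIKey string
	ProtectedKey  []byte
}

// LocalStore is what a Goldwarden-style client keeps on disk: the account key wrapped under a PIN-derived key.
type LocalStore struct{ Salt, WrappedKey []byte }

func Enroll(email, password, apiKey string) (Account, []byte, error) {
	accountKey := make([]byte, 32)
	rand.Read(accountKey)
	protected, err := wrap(kdf([]byte(password), []byte(email)), accountKey)
	return Account{email, apiKey, protected}, accountKey, err
}

func StoreWithPIN(accountKey []byte, pin string) (LocalStore, error) {
	salt := make([]byte, 16)
	rand.Read(salt)
	wrapped, err := wrap(kdf([]byte(pin), salt), accountKey)
	return LocalStore{salt, wrapped}, err
}

// RunScenario reports which secrets actually recover the account encryption key.
func RunScenario() (map[string]bool, error) {
	const email, password = "user@example.com", "correct horse battery staple" // constructed sample
	a, accountKey, err := Enroll(email, password, "client-secret-demo")
	recovers := func(key []byte, err error) bool { return err == nil && hmac.Equal(key, accountKey) }
	key, _ := unlock([]byte(password), []byte(email), a.ProtectedKey) // first login: master password
	store, err2 := StoreWithPIN(key, "1234")                          // then cache under the PIN
	if err == nil {
		err = err2
	}
	return map[string]bool{
		"api key alone":   recovers(unlock([]byte(a.APIKey), []byte(email), a.ProtectedKey)),
		"master password": recovers(unlock([]byte(password), []byte(email), a.ProtectedKey)),
		"pin":             recovers(unlock([]byte("1234"), store.Salt, store.WrappedKey)),
		"wrong pin":       recovers(unlock([]byte("0000"), store.Salt, store.WrappedKey)),
	}, err
}

func main() { fmt.Println(RunScenario()) }
```

`go run` prints a map in which only `master password` and `pin` are true. The API key is what the server checks at login; it is not an input to any key derivation, so feeding it to the KDF yields the wrong KEK and GCM rejects the wrapped blob. Revoking the API key from the web interface therefore protects login, not vault confidentiality, which rests on the master password the client never writes to disk and on the PIN-wrapped copy of the account key.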