Can access the API after "Deauthorize sessions" using a captured Bearer token

[zacknewman]

Steps To Reproduce

Log into the web vault using a browser (e.g., Firefox). Using the developer tools, copy the Bearer Authorization header. Click on "Deauthorize sessions". Access the API using the copied bearer authorization token to your heart's content until the token expires.

For example, capture the entire JSON request when editing a vault entry. Capture the JSON response last revision date. After deauthorizing sessions, you can re-send the JSON request with any changes you'd like so long as you update the last revision data accordingly.

Expected Result

A 401 Unauthorized response.

Actual Result

Able to freely access the API using the captured Bearer token.

Screenshots or Videos

No response

Additional Context

No response

Build Version

2025.3.1

Environment

Cloud (bitwarden.com)

Environment Details

No response

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[NovaSilentium]

Hi there,

Your issue appears to be describing the intended behavior of the software. Deauthorizing sessions in the Bitwarden web vault does not immediately revoke bearer tokens. Captured tokens remain valid for up to 60 minutes, as indicated by the expires_in value, and can still access the API until they expire. A new token is required after expiration.

If you want this to be changed, it would be a feature request.

We use GitHub issues as a place to track bugs and other development related issues. The Bitwarden Community Forums has a Feature Requests section for submitting, voting for, and discussing requests like this one: https://community.bitwarden.com/c/feature-requests/

Please sign up on our forums (https://community.bitwarden.com/signup) and search to see if this request already exists. If so, you can vote for it and contribute to any discussions about it. If not, you can re-create the request there so that it can be properly tracked.

This issue will now be closed.

Thanks!