Vaultwarden: Production Setup
Vaultwarden is an unofficial Bitwarden-compatible server. The entire Bitwarden ecosystem (apps for all platforms, browser extensions) works exactly the same — only the server runs on your infrastructure.
Coolify’s one-click deploy gets it running quickly, but two security steps are required before going live.
Hash the ADMIN_TOKEN
The default ADMIN_TOKEN set by Coolify is plaintext. For any production or client deployment, hash it first:
docker exec -it $(docker ps | grep vaultwarden | awk '{print $1}') /vaultwarden hash --preset owasp
Copy the Argon2 output → paste as ADMIN_TOKEN in Coolify env vars → redeploy.
Disable signups after creating the first account
The first account created becomes admin. After that, immediately disable open signups:
Set SIGNUPS_ALLOWED=false in Coolify env vars and redeploy.
Without this, anyone who finds your Vaultwarden URL can create an account.
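Added example (not from the original guide, and not Vaultwarden or Coolify code): a POSIX shell check covering both steps above. It reads an env file and reports a finding if ADMIN_TOKEN is not an Argon2id string or SIGNUPS_ALLOWED is not false. The function names, the env-file layout and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an env file for the two hardening steps above.
# Function names and the sample file are constructed for illustration.

# Print KEY's value from FILE (last assignment wins), minus one layer of quotes.
env_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# Return the number of findings (0 = both steps applied).
# The token value itself is never printed.
audit_vaultwarden_env() {
    file=$1
    findings=0

    token=$(env_value ADMIN_TOKEN "$file")
    case $token in
        '')            echo "INFO: ADMIN_TOKEN is not set in $file" ;;
        '$argon2id$'*) echo "OK:   ADMIN_TOKEN is an Argon2id hash" ;;
        *)             echo "FAIL: ADMIN_TOKEN is plaintext, hash it"
                       findings=$((findings + 1)) ;;
    esac

    signups=$(env_value SIGNUPS_ALLOWED "$file" | tr '[:upper:]' '[:lower:]')
    case $signups in
        false) echo "OK:   SIGNUPS_ALLOWED=false" ;;
        '')    echo "FAIL: SIGNUPS_ALLOWED is not set, set it to false"
               findings=$((findings + 1)) ;;
        *)     echo "FAIL: SIGNUPS_ALLOWED=$signups, set it to false"
               findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: a fresh deploy before either step has been applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ADMIN_TOKEN=example-plaintext-token
SIGNUPS_ALLOWED=true
EOF
audit_vaultwarden_env "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Run it against a copy of the service's environment variables after each redeploy; a non-zero exit status means at least one of the two steps is still missing.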
Backups
Vaultwarden uses file/SQLite storage, not Postgres. PGBackWeb cannot back it up. Use the offen/docker-volume-backup sidecar — see the Backup Strategy guide.