Password and Secrets Management Release Notes
Release notes for password managers and secrets management tools
Products (13)
Latest Password and Secrets Management Updates
- Apr 17, 2026
- Date parsed from source:Apr 17, 2026
- First seen by Releasebot:Apr 18, 2026
Bitwarden Clients by Bitwarden
Web v2026.4.1
Bitwarden Clients updates exit survey options and fixes an Android avatar color storage crash.
Updated exit survey options
Fix an issue with how avatar color selections are stored to fix a crash with some Android devices.
Original source - Apr 17, 2026
- Date parsed from source:Apr 17, 2026
- First seen by Releasebot:Apr 17, 2026
Royal TS/TSX
Keeper adds KSM support for Royal TS and Royal TSX, letting users launch SSH, RDP, SFTP, and database sessions with vault-backed dynamic credentials. It brings secure secret retrieval at connection time across Windows and macOS.
Launch SSH, RDP, SFTP, and database sessions with secrets protected by your Keeper vault.
Use Keeper Secrets Manager (KSM) with Royal TS (Windows) and Royal TSX (macOS) to connect to servers and databases. Vault records appear as dynamic credentials; secrets are retrieved from Keeper when you connect.
This page describes how to install and use the Keeper KSM (Python) Dynamic Folder, which uses the official Python package keeper-secrets-manager-core to communicate with Keeper.Overview
What it does
Imports Server and Database records from your Keeper vault into a Royal Dynamic Folder so you can link connections to Keeper-backed credentials.
Where secrets live
Passwords and other sensitive fields remain in Keeper. Royal TS(X) resolves them at connection time via KSM.
Platforms
Royal TS v7+ on Windows; Royal TSX v6+ on macOS.
Authentication
A KSM configuration file tied to a Secrets Manager application in your Keeper organization.
Information
This integration requires Keeper Secrets Manager and the KSM client SDK libraries.
What you can do
Use Server records for SSH, SFTP, and RDP workflows by creating the connection in Royal and selecting a matching dynamic credential.
Use Database records to open MySQL, PostgreSQL, Microsoft SQL Server, Oracle, MongoDB, or Redis client sessions from a generated connection tree. You configure paths to database client executables on the machine where Royal runs; the database server addressed in each record can be local or remote (host and port come from Keeper).
Configure KSM with a JSON or Base64 file from the Vault on both platforms, or additionally with an INI file from ksm init on macOS.Requirements
Keeper subscription
Access to Secrets Manager (Consumer, Business, or Enterprise per your organization’s plan).
KSM application
A Secrets Manager application in the Keeper Admin Console, with vault records shared to that application. See the Secrets Manager Quick Start Guide.
Royal TS (Windows)
Version 7 or later.
Royal TSX (macOS)
Version 6 or later.
Python
3.9 or later (3.13 recommended). Must be the same Python executable that Royal TS(X) uses to run Dynamic Folder scripts.
Python package
keeper-secrets-manager-core installed into that Python environment.
Configuration file
A JSON or Base64 file downloaded from the Vault (Windows and macOS), or an .ini from ksm init (macOS only).
Optional — only if you use Keeper Database records
What you install
The database client programs (for example mysql, psql, sqlcmd, mongosh, redis-cli, sqlplus) on the same computer where Royal TS or Royal TSX is installed — not on the database server.
What you configure in Royal
In the Dynamic Folder Custom Properties, the MySQL Path, PostgreSQL Path, and so on point to those local client executables. Set a path only for each database engine you actually use (for example configure MySQL Path only if you have MySQL Database records).
Where the database runs
The database server can be on this machine or anywhere on the network (cloud, datacenter, another office). Host and port in each Keeper Database record identify that server; the local client connects to them over the network.
If you use only Server records (SSH, RDP, SFTP) and no Database records, you do not need database clients or these paths.
Before you begin
Create or use an existing KSM application, then obtain a config file: download JSON or Base64 from the Vault (Windows and macOS), or run ksm init to create an INI file (macOS only). See Secrets Manager Quick Start Guide.
Share vault records with that KSM application. Records that are not shared will not appear or will fail to resolve at connection time.
Download the Dynamic Folder package Keeper KSM (Python).rdfx from the Royal Applications Toolbox.
Install on Windows (Royal TS)
- Install Python
Install Python 3.9+ (3.13 recommended). Use the build that Royal TS will call for scripts.
- Install the KSM Python package
Royal TS uses the interpreter configured under File → Options → Plugins (script interpreter). Install the package with that python.exe:
"C:\Path\To\Python\python.exe" -m pip install keeper-secrets-manager-coreReplace the path with the exact interpreter shown in Royal TS.
- Add a KSM configuration file on disk
In Keeper Vault, go to Secrets Manager → Add Device → Configuration File → Download. This gives you a JSON or Base64 config file. Save it to a known location on your PC (for example C:\Users\YourName\keeper-config.json).
- Create or open a Royal document
Create a new document and save it (for example My Connections.rtsz).
- Import the Dynamic Folder
File → Open → Import → choose file type Dynamic Folder → select Keeper KSM (Python) → OK.
- Set Custom Properties
Right-click Keeper Secrets Manager (Python) → Properties → Custom Properties:
KSM Config Path (Windows) — Full path to your KSM config file (.json or .base64). Example: C:\Users\YourName\keeper-config.json.
Database client paths (only if you use Database records): Each path is the client tool on this Windows PC. The remote host and port of the database are not entered here—they come from each Keeper Database record. Set only the rows for engines you use.
MySQL Path (Windows)
C:\Program Files\MySQL\MySQL Server 8.0\bin\mysql.exe
PostgreSQL Path (Windows)
C:\Program Files\PostgreSQL\16\bin\psql.exe
MSSQL Path (Windows)
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE
Oracle Path (Windows)
C:\oracle\instantclient\sqlplus.exe
MongoDB Path (Windows)
C:\Program Files\MongoDB\mongosh.exe
Redis Path (Windows)
C:\Program Files\Redis\redis-cli.exe or C:\Program Files\Memurai\memurai-cli.exe
- Reload the folder
Right-click the Dynamic Folder → Reload. Expand the tree to confirm that credentials appear.
Optional: install database clients (Windows)
These programs run on your PC so Royal can launch them; they connect to local or remote databases per the Host field in each Keeper record. Install only the clients you need, using each vendor’s official Windows installer or package:
MySQL
MySQL Installer (client tools / shell) or a standalone MySQL Shell build — use the resulting mysql.exe path in Custom Properties.
PostgreSQL
Windows installer — includes psql.exe (often under C:\Program Files\PostgreSQL<version>\bin).
Microsoft SQL Server
sqlcmd and ODBC tools from Microsoft (often under ...\Microsoft SQL Server\Client SDK\ODBC...\Binn\ — match your installed version).
MongoDB
mongosh for Windows.
Redis
redis-cli or Memurai’s memurai-cli.exe (same -h / -p / -a / --user flags). Set Redis Path to your actual redis-cli.exe or memurai-cli.exe.
Oracle
Oracle Instant Client (or full client) — sqlplus.exe path depends on your install folder.
Point Custom Properties at the exact .exe paths after installation (see the examples in step 6).
Install on macOS (Royal TSX)
- Install Python
Install Python 3.9+ (3.13 recommended).
- Install the KSM Python package
Royal TSX selects Python under Settings → Plugins → Python (or Settings → Python), often via a version menu. Install keeper-secrets-manager-core into that interpreter—the same one you get from which python3 in Terminal if that matches your selection:
python3 -m pip install keeper-secrets-manager-coreVerify:
python3 -c "import keeper_secrets_manager_core; print('ok')"If Homebrew Python returns externally-managed-environment, install with your actual Python path, for example:
/opt/homebrew/bin/python3 -m pip install keeper-secrets-manager-core --break-system-packagesOr use a virtual environment and point Royal TSX to that Python if your version supports it.
- Add a KSM configuration file on disk
There are two supported ways to obtain a config file. Use one only:
Option A — Configuration file from the Vault (JSON or Base64) — Vault → Secrets Manager → Add Device → Configuration File → Download. (JSON is recommended on macOS.)
Option B — INI file from the Keeper CLI — Run ksm init default --token YOUR_TOKEN after obtaining a token (Quick Start), producing an .ini such as keeper.ini.
- Create or open a Royal document
File → New Document → File → Save.
- Import the Dynamic Folder
File → Import → Dynamic Folder → Keeper KSM (Python) → Import.
- Set Custom Properties
Right-click Keeper Secrets Manager (Python) → Properties → Custom Properties:
KSM Config Path (macOS) — Full path to one file: .json, .base64, or .ini. Examples: /Users/yourname/keeper-config.json or /Users/yourname/keeper.ini.
Database client paths (only if you use Database records): Each path is the client tool on this Mac. The database host and port are defined in each Keeper Database record, not in Custom Properties. Set only the rows for engines you use.
MySQL Path (macOS)
/opt/homebrew/opt/mysql-client/bin/mysql
PostgreSQL Path (macOS)
/opt/homebrew/opt/libpq/bin/psql
MSSQL Path (macOS)
/opt/homebrew/opt/mssql-tools18/bin/sqlcmd
Oracle Path (macOS)
/usr/local/bin/sqlplus
MongoDB Path (macOS)
/opt/homebrew/bin/mongosh
Redis Path (macOS)
/opt/homebrew/bin/redis-cli
- Reload the folder
Right-click the Dynamic Folder → Reload (or press Cmd+R).
Optional: install database clients (macOS)
These programs run on your Mac so Royal can launch them; they connect to local or remote databases per the Host field in each Keeper record. Many users install CLIs with Homebrew, for example:
brew install mysql-client libpq mongosh redis brew tap microsoft/mssql-release https://github.com/Microsoft/homebrew-mssql-release brew install mssql-tools18Oracle Instant Client paths depend on your installation.
Use Server records (SSH, SFTP, RDP)
Server records supply host, port, login, and password. You create the connection object in Royal (Terminal, File Transfer, or Remote Desktop) and bind it to the dynamic credential that corresponds to that record.
For SSH, choose a credential from the server credential group exposed by the Dynamic Folder (not SSH-key-only listings, unless your deployment documents otherwise).
Example: SSH
Keeper — Server record
Title
Production web
Login
deploy
Password
(in vault)
Host
203.0.113.10
Port
22
Royal TS / Royal TSX
Reload the Dynamic Folder.
Add → Terminal.
Set Connection type to SSH Connection; Computer name 203.0.113.10; Port 22.
On Credentials, choose Specify a credential name and select the matching Keeper dynamic credential.
Save and connect.
Example: SFTP
Use the same Server record shape as SSH. Install the File Transfer plugin (Settings → Plugins). Then Add → File Transfer → SFTP, set host/port, and attach the same style of dynamic credential.
Example: RDP
Keeper — Server record
Title
Finance workstation
Login
CORP\jdoe
Password
(in vault)
Host
192.168.50.100
Port
3389
Install the Remote Desktop plugin. Add → Remote Desktop, enter host and port, attach the credential.
The destination Windows edition must allow inbound Remote Desktop (Pro, Enterprise, Education, or Windows Server). Windows 11/10 Home does not host the RDP server role.
Use Database records
Database records drive automatic connection entries under databaseCredentials in the Dynamic Folder. After you set database CLI paths and reload, open the subfolder for your engine (for example MySQL Connections) and double-click an entry. Royal starts the client on your workstation; that client connects to the host and port stored in the Keeper record (same machine or remote — your network path must allow access, for example VPN or firewall rules).
Set the database type in Keeper
When you create or edit a Database record in the vault, set the Type field (in the standard Keeper Database template this is the field used to identify the engine). The integration reads that value and places the record under the matching folder (MySQL Connections, PostgreSQL Connections, and so on).
Use one of the following Type values (case is ignored). Common synonyms are accepted:
MySQL — MySQL, MariaDB
PostgreSQL — PostgreSQL, Postgres, PG
Microsoft SQL Server — MSSQL, SQL Server, Microsoft SQL Server
Oracle — Oracle, OracleDB
MongoDB — MongoDB, Mongo
Redis — Redis
If Type is empty or does not match any supported value, the integration treats the record as MySQL. Always set Type explicitly for non-MySQL databases.
Each example uses the same Keeper Database record shape. Host and Port are whatever your database listens on (local or remote). After Custom Properties include the matching client path, reload the Dynamic Folder and open databaseCredentials → the folder for that engine (for example MySQL Connections, PostgreSQL Connections). On Windows, database clients usually launch via External Application; on macOS, a helper script runs the client in a terminal session.
Example: MySQL
Record type
Database
Type
MySQL
Title
Staging MySQL
Login
appuser
Password
(in vault)
Host
127.0.0.1
Port
3306
Set MySQL Path for your OS in Custom Properties, reload the Dynamic Folder, then open databaseCredentials → MySQL Connections.
Example: PostgreSQL
Record type
Database
Type
PostgreSQL
Title
Staging Postgres
Login
postgres (or your DB user)
Password
(in vault)
Host
127.0.0.1
Port
5432
Set PostgreSQL Path for your OS in Custom Properties, reload the Dynamic Folder, then open databaseCredentials → PostgreSQL Connections. On Windows, psql runs via cmd /k so the console stays open.
Example: Microsoft SQL Server
Record type
Database
Type
MSSQL
Title
Local SQL
Login
sa (or your SQL login)
Password
(in vault)
Host
127.0.0.1
Port
1433 (or your TCP port — see hint)
Set MSSQL Path for your OS in Custom Properties, reload the Dynamic Folder, then open databaseCredentials → MSSQL Connections.
Use 127.0.0.1 instead of localhost if connections time out (IPv6 resolution). SQL Express often uses a non-default port — check SQL Server Configuration Manager → TCP/IP → IPAll for TCP Port or TCP Dynamic Port ; put that value in Port. Current sqlcmd (ODBC Driver 18) encrypts by default; the integration passes -C -No (trust server certificate, optional encryption), similar to Trust server certificate in SSMS. For SQL logins, the server must use mixed mode (SQL + Windows authentication).
Example: Oracle
Record type
Database
Type
Oracle
Title
Local XE
Login
system (or your app user)
Password
(in vault)
Host
127.0.0.1 (or remote listener host)
Port
1521
Set Oracle Path to sqlplus (or your installed path) in Custom Properties, reload the Dynamic Folder, then open databaseCredentials → Oracle Connections. The integration uses Easy Connect …/XEPDB1 by default (Oracle 21c XE PDB). Other SERVICE_NAME values (XE, ORCL) may require editing the Dynamic Folder script. On Windows, sqlplus runs via cmd /k.
Example: MongoDB
Record type
Database
Type
MongoDB
Title
Dev Mongo
Login
(empty for no auth) or your user
Password
(in vault), or leave empty if the server has no auth
Host
127.0.0.1
Port
27017
Set MongoDB Path to mongosh in Custom Properties, reload the Dynamic Folder, then open databaseCredentials → MongoDB Connections. On Windows, mongosh runs via cmd /k.
Example: Redis
Record type
Database
Type
Redis
Title
Local Memurai
Login
(empty for no auth) or ACL username
Password
(empty for no auth) or (in vault)
Host
127.0.0.1
Port
6379
Set Redis Path to redis-cli.exe or memurai-cli.exe in Custom Properties, reload the Dynamic Folder (reload after changing Login / Password so the script can detect auth), then open databaseCredentials → Redis Connections. No auth: leave Login and Password empty. Requirepass: set Password only. ACL: set Login and Password. On Windows, the client runs via cmd /k.
Feature summary
Workflow
Windows (Royal TS)
macOS (Royal TSX)
SSH / SFTP / RDP
Manual connection + dynamic credential
Same
Database CLIs
Auto-listed connections, double-click
Same
Troubleshooting
Python and the Dynamic Folder
ImportError or prompt to run pip install keeper-secrets-manager-core
Package installed for a different Python than Royal uses
Install with the exact python.exe or python3 from Royal’s settings. Confirm: python3 -c "import keeper_secrets_manager_core" (macOS) or the Windows path from File → Options → Plugins.
externally-managed-environment (macOS)
PEP 668 restriction on system Python
Use --break-system-packages for that interpreter, or a venv if Royal TSX can use it.
KSM configuration and vault access
KSM Config Path is not configured
Missing Custom Property
Set KSM Config Path (Windows) or KSM Config Path (macOS).
Config file not found
Wrong path or permissions
Verify the file path and that your user can read the file.
Record not found
Record not shared with the KSM application
In Keeper, share the record with the Secrets Manager application tied to your config file.
Database clients
No such file or directory
Database executable path missing or wrong
Set the correct MySQL / PostgreSQL / … Path in Custom Properties and reload.
Connection refused
Service down or network
Confirm the database is listening and reachable on the host/port in the Keeper record.
MSSQL login timeout / server not found
Wrong host/port or TCP disabled
Use 127.0.0.1. For Express, enable TCP/IP and set Port to the value from Configuration Manager → TCP/IP → IPAll (often not 1433).
MSSQL certificate / SSL errors
ODBC 18 + self-signed cert
Reload the latest Dynamic Folder (-C -No). Manual sqlcmd: add -C -No; SSMS: Options → Trust server certificate.
MSSQL Login failed (SQL user)
Windows-only auth or disabled login
Enable mixed mode in SSMS → server Properties → Security, restart SQL Server; ensure the login exists and is enabled.
Oracle no listener / timeout
Listener host or stopped service
Use Host that matches listener (often 127.0.0.1 locally). Start Oracle listener + DB services; align LOCAL_LISTENER with listener.ora if you changed from a LAN-only IP.
Oracle ORA-12514
Service not registered
ALTER SYSTEM REGISTER as SYSDBA; confirm lsnrctl status lists xepdb1 / XE.
Redis AUTH errors
Password set when server has none
Clear the password in the Keeper record.
SSH on macOS (local testing)
Connection closed or repeated auth failure to this Mac
Remote Login restrictions
System Settings → Sharing → Remote Login → Options — allow your user or All users.
Remote Desktop
Cannot RDP to a Home edition PC
No RDP server
Use Pro or higher, Windows Server, or another target.
Security and compliance
Secrets remain under Keeper control; resolved dynamic credentials are not written into the Royal document as stored passwords.
Protect the KSM configuration file as you would any secret with access to your vault. Restrict file permissions and device access according to your organization’s policy.
How database passwords are passed
On macOS, the helper script passes passwords to database clients via environment variables or restricted temp files rather than command-line arguments where the client supports it:
Client
Method
MySQL
MYSQL_PWD environment variable
PostgreSQL
PGPASSWORD environment variable
Microsoft SQL Server
SQLCMDPASSWORD environment variable
Oracle
Mode-0600 temp SQL file with sqlplus -L /nolog @file; file removed on exit
MongoDB
URI passed as argument (mongosh has no native env-var mechanism)
Redis
REDISCLI_AUTH environment variable
On Windows, database connections use External Application with Royal credential tokens ($$EffectivePassword$$). Royal substitutes values into the command line at launch time. This means:
Resolved secrets may be visible in process listings — this is inherent to the External Application model.
Passwords containing &, %, ", or ! may break command-line parsing and cause authentication failures. If you encounter this, consider updating the Keeper record password to avoid these characters for database connections launched via External Application.
macOS helper file safety
Launcher and helper scripts under ~/.config/royal-keeper/ are written using atomic writes (temp file → chmod → replace) with directory permissions set to 0700.
All arguments interpolated into launcher scripts are escaped with shlex.quote() to prevent shell injection from paths containing quotes or metacharacters.
Base64 configuration cleanup
When using a .base64 KSM config file, the decoded content is written to a mode-0600 temp file, used for the KSM session, and deleted when the script finishes (via a finally block).
Original source All of your release notes in one feed
Join Releasebot and get updates from Bitwarden and hundreds of other software products.
- April 2026
- No date parsed from source.
- First seen by Releasebot:Apr 16, 2026
- Modified by Releasebot:Apr 20, 2026
2026.4.0
Bitwarden adds Android image attachment previews in the Password Manager and updates the Admin Console with streamlined Enterprise policies, a reorganized Policies page, and new Access Intelligence graphs for tracking risk over time.
(The listed release number is for the Bitwarden Server, other version numbers released in this cycle also include Web 2026.4.0 and Mobile 2026.4.0.)
Password Manager
- Preview image attachments on Android: You can now preview image attachments from within the Password Manager Android app, without having to download the file to your device. Previewing image attachments will be available on iOS in a future release.
Admin Console
- Send controls Enterprise policy: Two Enterprise policies, Send Options and Remove Send, were merged into the newly titled Send controls policy. If either policy was previously turned on, the chosen options will transfer and remain unchanged.
- Updated Enterprise Policies page: On the Policies page, the Enterprise Policies are now organized into three categories: Data Controls, Authentication, and Vault Management. You can also review at a glance which policies are turned on or off.
- Access Intelligence dashboard update: Visualize how at-risk applications, passwords, and members have changed over time relative to absolute changes in application, password, and member counts with new graphs on the Access Intelligence Activity view.
- April 2026
- No date parsed from source.
- First seen by Releasebot:Apr 16, 2026
Version 1.36.1
Proton Pass fixes group share manager actions, resolves a decryption edge case, and improves group sharing UI.
Fix group share manager actions
Fix group share decryption edge-case
Improve group sharing UI
- Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
Slack App
Keeper adds Slack Approval Workflow Integration for Vault and Endpoint Privilege Manager, bringing record, folder, one-time share, secret creation, and device approval requests and approvals directly into Slack with zero-knowledge, end-to-end encrypted setup.
Slack Approval Workflow Integration with the Keeper Vault and Endpoint Privilege Manager
Overview
The Keeper Slack App helps achieve zero standing privilege and streamlines credential workflow requests and approvals directly from Slack. The customer hosts the Slack agent and Commander Service Mode, ensuring that zero knowledge is maintained with end-to-end encryption.
This document describes the installation of the Keeper Slack App using a streamlined setup method that requires the use of Keeper Secrets Manager. If you don't have a Secrets Manager or KeeperPAM license, please contact your Keeper account manager.
Features
- Record Access Requests
Request access to specific Keeper records with justification, custom permissions and access time limits. This includes standard vault records and KeeperPAM resources.
- Folder Access Requests
Request access to specific Keeper Shared Folders with justification, custom permissions and access time limits.
- One-Time Share Requests
Request for a one-time share, password reset or other dynamic password generation with a self-destructing share link. The one-time share can also be editable, offering bi-directional sharing capabilities.
- Self-Serve Record Creation
Engineers can create new Keeper records directly in shared folders via /keeper-create-secret. Only shared folders accessible to the requesting user are displayed. Admins are notified of all record creations.
- Endpoint Privilege Manager Approvals
Keeper Endpoint Privilege Manager (KEPM) just-in-time elevation approvals in realtime through a dedicated Slack channel.
- SSO Cloud Device Approvals
Perform approvals of SSO Cloud devices directly through Slack, if the Keeper Automator service is not deployed.
Prerequisites
System RequirementsTo maintain zero knowledge and full end-to-end encryption, the Keeper Slack App and Commander Service Mode containers are hosted by each customer on their own infrastructure to interact with the Slack cloud service. Commander is used locally to help set everything up.
- Linux VM
Any VM in the cloud or on-prem which can establish https/443 outbound connections to Slack and Keeper services.
- Docker
Docker is the recommended method for setting up the service
- Keeper Commander
Service Mode running and accessible
- Keeper Secrets Manager
Either Keeper Secrets Manager or KeeperPAM license used for retrieving the secret configuration data
- Slack Workspace
Requires admin access to install and configure apps
Important: The slack-app-setup command requires Keeper Secrets Manager (KSM) to be activated. If KSM is not available, please contact your account manager.
Setup Steps
In the below setup instructions, we'll be using Commander and Slack-App Docker Images (keeper/commander and keeper/slack-app). This integration also leverages Keeper Secrets Manager to secure the configurations used by the services.
Follow these five steps to configure the Slack app:
- Create Slack App
- Create Approvals Channel
- Commander Service Mode Setup
- Run Slack App Setup Command
- Deploy to Docker Environment
Step 1. Create Slack App
In this section, you will create the Slack App in your Slack workspace as the administrator and gather the necessary configuration values.
As the Slack Admin, go to api.slack.com/apps
Click Create New App → From an app manifest
Select your workspace
Paste the JSON content below into the manifest file
Review setting of the slack app and create it.
Go to Basic Information → Display Information and upload a Keeper icon for your app's profile picture. Below is a 512x512 Keeper icon that can be downloaded for use.
On the left side, click on Basic Information → App-Level Tokens → Generate Token and Scopes, and generate an app-level token called "keeper-slack-app" with the connections:write scope. Save the token to use as the "App Token" in the next step.
On the left side, click on Install App, click Install to [Workspace], then save the Bot User OAuth Token for the next step.
After creating the app, collect these credentials:
- App Token
Basic Information → App-Level Tokens → Generate
- Bot Token
OAuth & Permissions → Bot User OAuth Token
- Signing Secret
Basic Information → App Credentials
Save the Generated App Token, Bot Token, and Signing Secret for Step 4.
Step 2. Create Approvals Channel
In your Slack workspace, create a Private channel (e.g., #keeper-vault-approvers)
Invite the Keeper bot to the approval channel created:
- Option 1. In the approvals channel, type /invite @Keeper Security.
- Option 2. Click the channel name → Settings → Integrations → Add an App → Search for Keeper Security → Add
Copy the Channel ID (right-click channel → View Details → copy ID at bottom)
Save the Channel ID for Step 4.
Step 3. Commander Service Mode Setup
To enable the service to authenticate and execute commands within the Keeper tenant, an authorized Keeper Commander configuration file must be created. This configuration can be generated on a host computer or workstation.
Install Keeper Commander locally on your machine
If required, create a new Keeper service account dedicated to this integration, ensuring it has access to the relevant records and folders and the ability to perform record and folder sharing.
Login to Commander with the Keeper Service account ([email protected])
Complete the authentication process including any 2FA requirements. Once you are fully authenticated, proceed to Step 4.
Step 4. Run Slack App Setup Command
The slack-app-setup command generates a docker-compose.yml file which you will use to operate the Slack App and Commander Service Mode services.
From the Commander shell, type:
slack-app-setupCommand Line Options
The slack-app-setup command supports the following optional flags for customization:
- --folder-name (optional)
- --app-name (optional)
- --config-record-name (optional)
- --slack-record-name (optional)
- --config-path (optional)
- --timeout (optional)
- --skip-device-setup (optional)
Example with Custom Names:
slack-app-setup --folder-name "My Slack Integration" --timeout 7dThe command will guide you through the following prompts:
Phase 1: Docker Service Mode Setup
It automatically configures KSM and uploads the config file required for setting up service mode via Docker.
Service Configuration
Configure the Commander Service port:
Port
Port number for Commander Service Mode (1024-65535).
Tunneling Configuration (Optional)
If external access is required, configure one of the following:
- Ngrok Auth Token
- Ngrok Custom Domain
- Cloudflare Tunnel Token
- Cloudflare Custom Domain
Ngrok and Cloudflare are mutually exclusive. Choose one if needed. This is NOT a requirement for the Slack App. But if you are using other integrations such as our Jira app, you might need to set up a cloud tunnel.
Phase 2: Slack App Integration Setup
Enter the Slack credentials obtained from Steps 1 and 2:
- Slack App Token (required)
- Slack Bot Token (required)
- Slack Signing Secret (required)
- Approvals Channel ID (required)
- Enable PEDM? (optional)
- PEDM Polling Interval (optional)
- Enable Device Approvals?(optional)
- Device Approval Polling Interval (optional)
In order to process Endpoint Privilege Manager approvals and SSO Cloud approvals, the Slack App service user must have administrative permissions "Manage Endpoint Privilege" and "Managing the Keeper Admin Console.
After the command executes successfully, it automatically performs the following actions:
- Configures persistent device authentication
- Creates a Shared Folder named “Commander Service Mode – Slack App”
- Creates a KSM application with access to the shared folder
- Creates a client device and generates a Base64-encoded configuration value
- Creates a Docker Config record and uploads the config.json file from the .keeper directory
- Creates a Slack App Config record containing the Slack App credentials.
Upon successful execution, a docker-compose.yml is generated containing both the Commander Service Mode and Slack App services, ready for deployment.
Once setup is complete, ensure that the Commander session is terminated and the local .keeper/config.json file is deleted to prevent device token conflicts.
Step 5. Deploy to Docker Environment
In this section, you will set up a Docker Compose environment on a Linux virtual machine or host where the Commander Service will run.
Launch a Linux VM or prepare a Linux host and connect to it via SSH.
Install docker and docker-compose (refer to the installation instructions here)
Transfer the generated docker-compose.yml file from Step 4 to the target Linux server.
Start up the services on the host machine:
docker compose up -dService Startup Sequence
The services start sequentially:
- Commander Service starts first, generates an API key, and saves it along with the service URL to the vault record
- Health checks validate the Commander service is running
- Slack App starts after health checks pass, automatically retrieving the API key and service URL from the vault record
Verify Successful Startup
Monitor the logs to make sure everything starts up.
Check container status:
$ docker ps NAME STATUS PORTS keeper-service Up (healthy) 127.0.0.1:<port> -> <port>/tcp keeper-slack-app UpView Commander Service logs:
$ docker logs keeper-service [2026-01-21 10:00:00] Starting Commander Service Mode... Generated API key: ****nQ= (stored in vault record: <CONFIG_VAULT_RECORD>) Commander Service starting on <SERVICE_URL>/api/v2 Keeper Commander Service initialization completeThe API key is redacted in Docker logs for security. Both services communicate securely via the shared vault record.
View Slack App logs:
docker logs keeper-slack-appIf everything is successful, you'll see the messages below:
============================================================ Starting Keeper Slack App ============================================================ [INFO] Config: /app/slack_config.yaml =========================================================== [INFO] Initializing Keeper Commander Slack App... [INFO] Credentials fetched successfully from KSM vault: Service Mode Credentials, Slack Credentials [INFO] Loaded configuration from KSM records [OK] Configuration loaded [OK] Keeper client initialized: http://commander:<port>/api/v2 [OK] Slack app initialized [OK] All handlers registered [OK] Socket Mode handler ready [INFO] Approval channel: C0A42QVAY4A [OK] PEDM poller initialized (disabled, interval: 120s) [OK] Cloud SSO Device Approval poller initialized (disabled, interval: 120s) ============================================================ Starting Keeper Commander Slack App ============================================================ [OK] Socket Mode enabled [INFO] Listening for Slack commands and interactions... ============================================================ [OK] Keeper Service Mode is accessible [INFO] PEDM polling is disabled (set pedm.enabled=true in config to enable) [INFO] Cloud SSO Device Approval polling is disabled (set device_approval.enabled=true in config to enable) ⚡️ Bolt app is running!Command Reference for Requesting User
- /keeper-request-record
Request access to a specific Keeper record.
Syntax:
/keeper-request-record <record-uid-or-description> <justification>Example:-
/keeper-request-record kR3cF9Xm2Lp8NqT1uV6w Emergency server access /keeper-request-record "prod db EU region" Need to run migration- /keeper-request-folder
Request access to a shared folder.
Syntax:
/keeper-request-folder <folder-uid-or-description> <justification>Example:-
/keeper-request-folder kF8zQ2Nm5Wx9PtR3sY7a Need staging access /keeper-request-folder "Staging Team Folder" Need staging access- /keeper-create-secret
Create a new secret record in a shared folder that has been shared with you.
Syntax:
/keeper-create-secretThis command opens an interactive form with the following steps:
- Select a Shared Folder — Only shared folders that have been shared with your Keeper account are displayed.
- Select a Subfolder (optional) — If the selected shared folder contains subfolders, you can choose one.
- Enter Record Details — Fill in the record fields:
a. Title (required)
b. Login (optional)
c. Password (optional — Enter password (or check auto-generate checkbox above))
d. URL (optional)
e. Notes (optional)
Confirmation — The modal displays the created Record UID and folder path.
Admins are notified in the approvals channel: "User @name created record in SharedFolder / Subfolder"
Note: The requesting user's Slack email must match their Keeper account email for folder visibility to work correctly.
- /keeper-one-time-share
Request a one-time share link for a record.
Syntax:
/keeper-one-time-share <record-uid-or-description> <justification>Example:-
/keeper-one-time-share kR3cF9Xm2Lp8NqT1uV6w Need to share with contractor John /keeper-one-time-share "AWS Production Password" Sharing with vendorScreenshots
The below screenshots demonstrate the core features of the Keeper Slack App.
- Interacting with the Slack App for Requests
- Requesting Access to a Record (no UID provided)
- Requesting Access to a Record (with UID provided)
- Record Access Request - Admin View
- Requesting Access to a Folder (with UID provided)
- Folder Access Request - Admin View
- One-time Share Request for Password Reset
- One-Time Share - Admin View with New Record Creation
- Self-Serve Record Creation (Requesting user)
- One-Time Share - Admin View with Search for Existing Record
- Endpoint Privilege Manager - Approval for Elevation
- SSO Cloud Device Approval - Admin View
Updates
Updating the Commander Service Mode and Slack app ContainerTo update to the latest version of Commander or the Slack App, follow the steps below to stop the service, update the containers and start up the new containers.
Updating the Slack App Versiondocker compose down docker compose pull docker compose up -dWhen a new version of the Keeper Slack App introduces new slash commands (e.g., /keeper-create-secret), existing customers must update their Slack App manifest to register these commands. Without this step, the new commands will not appear in your Slack workspace.
Steps to update:
Go to api.slack.com/apps and select your Keeper Security app.
In the left sidebar, click App Manifest.
Copy the latest manifest JSON from Step 1: Create Slack App above.
Replace the entire existing manifest with the copied JSON.
Click Save Changes and review the summary of changes.
In the left sidebar, go to Install App → click Reinstall to Workspace and approve the permissions.
After reinstalling, the new slash commands will be available to all users in your workspace.
You must click Reinstall to Workspace after updating the manifest. Simply saving the manifest is not enough — Slack requires a reinstall to activate new commands and permission changes.
Troubleshooting
Startup ErrorsCommander Service Mode is prompting for master password
Multiple config.json files are attached to the Vault record
Follow steps 4-5 to run the slack-app-setup command with new folder name again to create a new JSON config file.
[WARN] Warning: Cannot reach Keeper Service Mode
Service Mode not running or wrong URL
Verify the service URL in the vault record is as expected
invalid_auth
Wrong Slack bot token
Verify bot_token starts with xoxb- (not xapp- or xoxp-)
Socket Mode not enabled
App-level token missing or wrong
Generate App-Level Token with connections:write scope
Slack API Errorschannel_not_found
Bot not invited to approvals channel
Run /invite @Keeper Commander in the channel
not_in_channel
Bot removed from channel
Re-invite the bot to the channel
missing_scope
Bot lacks required permissions
Reinstall app; ensure scopes: chat:write, commands, im:write, users:read, channels:read
invalid_blocks
Malformed Block Kit message
Check logs for specific block error; usually a data formatting issue
user_not_found
Invalid Slack user ID
User may have been deactivated from workspace
Service Mode ErrorsFailed to submit command: HTTP 403
API key invalid or missing
Verify api_key in config vault record matches service mode
Failed to submit command: HTTP 404
Wrong API endpoint version
Use V2 endpoint: /api/v2/ (not /api/v1/)
Failed to submit command: HTTP 405
Using wrong HTTP method
Ensure Service Mode is running with queue enabled
Command timed out or failed
Service Mode overloaded or command not registered
Register command in Service Mode; increase timeout
No request_id received from API
Service Mode not using queue/async mode
Restart Service Mode with queue enabled (V2)
Access Grant ErrorsRecord Not Found
Invalid UID or record deleted
Verify the record UID exists in Keeper vault
Folder Not Found
Invalid folder UID
Verify the folder UID exists in Keeper vault
Invalid UID Type (record vs folder)
Used wrong command for item type
Use /keeper-request-folder for folders, /keeper-request-record for records
This user already has time-limited access...
Conflict with existing share
Revoke existing access first, then grant new permission
Share permissions require permanent access
Trying to use duration with Can Share/Edit & Share
Share permissions (Can Share, Edit & Share, Change Owner) are always permanent
User share...failed
Permission conflict on folder
User may have incompatible existing access; revoke and re-grant
Search & Modal ErrorsNo records found matching...
Search query too specific or no matches
Try broader search terms; check record exists in vault
Search command timed out
Service Mode slow or vault very large
Increase max_wait in _poll_for_result() or use more specific search
Error processing search modal submission
Modal data corrupted or expired
Close modal and try again; check logs for specific error
Modal shows "Searching..." forever
Poll result never returned
Check Service Mode logs; verify search command is registered
One-Time Share Errorsone-time share links can not be created for PAM records
Commander doesn't support
Request for non-pam records
Share link created but URL not found in response
Unexpected Service Mode response format
Check Service Mode version; verify one-time-share command registered
Failed to create one-time share
Record may not be shareable
Verify user has share permissions on the record
Record Creation ErrorsFailed to create record
Missing required fields or command error
Ensure title, login, and password are provided
Record created but UID could not be retrieved
Search after creation failed
Record exists but search timed out; manually search for it
KEPM ErrorsNo data returned
KEPM feature not enabled
Enable KEPM in your Keeper enterprise settings. Ensure that your service user has necessary admin permissions.
KEPM sync failed
Service Mode can't reach KEPM server
Check network connectivity and KEPM configuration
Failed to approve/deny KEPM request
Request may have expired
Check if request is still pending; it may have auto-expired
References
- Commander CLI Overview
- Commander Service Mode
- Endpoint Privilege Manager
- SSO Connect Cloud
- Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
1Password CLI
Developers releases 1Password CLI 2.34.0 with new shell plugins and a fix for op run signal handling.
1Password CLI 2.34.0 is now available. 🎉
This release adds shell plugins for Claude Code CLI, Scaleway CLI, and others, and also fixes a bug in op run where termination signals were not being forwarded to sub-processes.
Read more
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
Bitwarden Android by Bitwarden
Password Manager 2026.4.0 (21434)
Bitwarden Android releases attachment previewing, clearer TOTP code alignment, and fixes for autofill crashes and passphrase spacing. It also improves attachment handling, premium upgrade UI, and accessibility, with several maintenance updates under the hood.
Overview
What's New
Preview image attachments before downloading
Improvements
TOTP codes now align consistently for easier reading
Bug Fixes
Fixed crash during autofill with special characters in URIs
Fixed passphrase generator incorrectly adding spaces as separators
What's Changed
✨ Community Highlight
PM-25654: feat: Preview attachment by @david-livefront in #6675
[PM-34168] Add future CalyxOS Chromium key to FIDO2 privilege community list by @lucasmz-dev in #6723
Feature Development
[PM-33515] feat: Render premium upgrade banner in Vault UI by @SaintPatrck in #6698
PM-34042: feat: Preview attachments from AttachmentsScreen by @david-livefront in #6712
[PM-33516] feat: Create PlanScreen, PlanViewModel, and modal navigation by @SaintPatrck in #6715
PM-34228: feat: Add feature flag for forthcoming attachment updates by @david-livefront in #6739
PM-34231: feat: Support renaming attachments during creation by @david-livefront in #6742
🐛 Bug fixes
PM-29871: bug: Add more accessibility callouts for external links by @david-livefront in #6708
PM-32721: bug: Sort password history before persisting by @david-livefront in #6709
BWA-238: bug: Send additional cipher data for Authenticator Sync by @david-livefront in #6714
PM-34115: bug: Consistent visual length of TOTP codes by @david-livefront in #6716
PM-34193: bug: Unlock vault from Never-Lock should be on io thread by @david-livefront in #6728
BWA-224: bug: Add sort order for Authenticator items by @david-livefront in #6740
BWA-228: bug: Update identity custom field keys to use index by @david-livefront in #6743
PM-29763: bug: Handle invalid URI crash by @david-livefront in #6748
PM-34499: bug: Add appropriate external link callouts for attachments by @david-livefront in #6752
PM-34498: bug: Update attachments premium dialogs by @david-livefront in #6753
PM-34544: bug: Handle large attachments in preview by @david-livefront in #6757
⚙️ Maintenance
misc: Update BitwardenButtonData for more usability by @david-livefront in #6704
Crowdin Pull by @bw-ghapp[bot] in #6705
[PM-33999] chore: Standardize casing of Premium account status references by @SaintPatrck in #6707
chore: Implement Folder Repo interface for Bitwarden SDK by @david-livefront in #6691
chore: Update RootNavScreen to enforce state-based navigation by @david-livefront in #6713
chore: Update UI lists to ImmutableLists by @david-livefront in #6718
Crowdin Pull by @bw-ghapp[bot] in #6731
chore: Update AttachmentsState to use immutable list by @david-livefront in #6741
[deps]: Update actions/create-github-app-token action to v3 by @renovate[bot] in #6737
chore: Create common UI elements for VaultItemScreen by @david-livefront in #6746
chore: Attachment UI tweaks by @david-livefront in #6749
📦 Dependency Updates
[deps]: Lock file maintenance by @renovate[bot] in #6738
[deps]: Update com.google.firebase:firebase-bom to v34.11.0 by @renovate[bot] in #6736
🎨 Other
[PM-33941] llm: Refine skills and commands for agent reliability by @SaintPatrck in #6703
[PM-34107] llm: Add android-architect agent by @SaintPatrck in #6686
llm: Add test constants placement rule to testing skill by @SaintPatrck in #6726
llm: Add AI review label prompt to PR creation skill by @SaintPatrck in #6729
Full Changelog: v2026.3.1-bwpm...v2026.4.0-bwpm
Builds Source: https://github.com/bitwarden/android/actions/runs/23952219208
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
Bitwarden Android by Bitwarden
Authenticator 2026.4.0 (1497)
Bitwarden Android releases under-the-hood improvements and bug fixes, including attachment preview updates, a new premium upgrade banner, plan screen and modal navigation, plus attachment renaming support.
Overview
Various under-the-hood improvements and bug fixes
What's Changed
✨ Community Highlight
PM-25654: feat: Preview attachment by @david-livefront in #6675
[PM-34168] Add future CalyxOS Chromium key to FIDO2 privilege community list by @lucasmz-dev in #6723
Feature Development
[PM-33515] feat: Render premium upgrade banner in Vault UI by @SaintPatrck in #6698
PM-34042: feat: Preview attachments from AttachmentsScreen by @david-livefront in #6712
[PM-33516] feat: Create PlanScreen, PlanViewModel, and modal navigation by @SaintPatrck in #6715
PM-34228: feat: Add feature flag for forthcoming attachment updates by @david-livefront in #6739
PM-34231: feat: Support renaming attachments during creation by @david-livefront in #6742
🐛 Bug fixes
PM-29871: bug: Add more accessibility callouts for external links by @david-livefront in #6708
PM-32721: bug: Sort password history before persisting by @david-livefront in #6709
BWA-238: bug: Send additional cipher data for Authenticator Sync by @david-livefront in #6714
PM-34115: bug: Consistent visual length of TOTP codes by @david-livefront in #6716
PM-34193: bug: Unlock vault from Never-Lock should be on io thread by @david-livefront in #6728
BWA-224: bug: Add sort order for Authenticator items by @david-livefront in #6740
BWA-228: bug: Update identity custom field keys to use index by @david-livefront in #6743
PM-29763: bug: Handle invalid URI crash by @david-livefront in #6748
PM-34499: bug: Add appropriate external link callouts for attachments by @david-livefront in #6752
PM-34498: bug: Update attachments premium dialogs by @david-livefront in #6753
PM-34544: bug: Handle large attachments in preview by @david-livefront in #6757
⚙️ Maintenance
misc: Update BitwardenButtonData for more usability by @david-livefront in #6704
Crowdin Pull by @bw-ghapp[bot] in #6705
[PM-33999] chore: Standardize casing of Premium account status references by @SaintPatrck in #6707
chore: Implement Folder Repo interface for Bitwarden SDK by @david-livefront in #6691
chore: Update RootNavScreen to enforce state-based navigation by @david-livefront in #6713
chore: Update UI lists to ImmutableLists by @david-livefront in #6718
Crowdin Pull by @bw-ghapp[bot] in #6731
chore: Update AttachmentsState to use immutable list by @david-livefront in #6741
[deps]: Update actions/create-github-app-token action to v3 by @renovate[bot] in #6737
chore: Create common UI elements for VaultItemScreen by @david-livefront in #6746
chore: Attachment UI tweaks by @david-livefront in #6749
📦 Dependency Updates
[deps]: Lock file maintenance by @renovate[bot] in #6738
[deps]: Update com.google.firebase:firebase-bom to v34.11.0 by @renovate[bot] in #6736
🎨 Other
[PM-33941] llm: Refine skills and commands for agent reliability by @SaintPatrck in #6703
[PM-34107] llm: Add android-architect agent by @SaintPatrck in #6686
llm: Add test constants placement rule to testing skill by @SaintPatrck in #6726
llm: Add AI review label prompt to PR creation skill by @SaintPatrck in #6729
Full Changelog: v2026.3.1-bwa...v2026.4.0-bwa
Builds Source: https://github.com/bitwarden/android/actions/runs/23952220034
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
Password Manager 2026.4.0 (3082)
Bitwarden iOs releases autofill, passkey, and VoiceOver fixes, improves master password hint security, and adds premium billing upgrade support. It also fixes login request handling and sync behavior for a smoother iOS experience.
Overview
Fixed autofill unexpectedly closing when using long press
Fixed passkeys not saving for users with My Items
Fixed the missing confirmation message after editing or deleting a vault item
Improved account security when setting a master password hint
Fixed the duplicate password field appearing in VoiceOver
What's Changed
✨ Community Highlight
[PM-33390] PM-33287: Change minimum numbers/special max value from 5 to 9 by @marcdejesus in #2432
Feature Development
[PM-33859] feat: Premium upgrade dismissed to state by @andrebispo5 in #2463
[PM-33569] feat: Handle displaying login request for alert style notification by @matt-livefront in #2482
[PM-33853] feat: Add BillingAPIService for premium upgrade endpoints by @andrebispo5 in #2496
[PM-33854] feat: Add getPlans endpoint to BillingAPIService by @andrebispo5 in #2501
🐛 Bug fixes
[PM-33930] fix: Exclude items with invalid keys from TOTP section count by @matt-livefront in #2477
[PM-32401] fix: Prevent TOTP autofill for non-premium accounts by @matt-livefront in #2467
[PM-32401] fix: Prevent copy TOTP autofill action for non-premium accounts by @matt-livefront in #2479
[PM-34062] fix: Fix dismiss sync with browser automatically by @fedemkr in #2484
[PM-34062] [Backport] fix: Increase wait time for dismiss on sync with browser by @fedemkr in #2497
[PM-34205] fix: Hide unmasked password text field from VO when password is masked by @matt-livefront in #2499
[PM-250] fix: Update MP Hint Validation by @morganzellers-bw in #2495
[PM-33569] fix: Remove pending login request if it no longer exists by @matt-livefront in #2498
⚙️ Maintenance
Crowdin Pull by @bw-ghapp[bot] in #2472
[PM-33945] chore: Consolidate AppIDService to BitwardenKit by @KatherineInCode in #2478
[PM-33908] chore: Consolidate KeychainService to BitwardenKit by @KatherineInCode in #2470
[PM-32730] [BEEEP] chore: Improve spell check script by @fedemkr in #2471
[PM-34052] chore: Consolidate BitwardenError into BitwardenKit by @KatherineInCode in #2481
[PM-34106] chore: Consolidate KeychainItem into BitwardenKit via protocol by @KatherineInCode in #2492
Crowdin Pull by @bw-ghapp[bot] in #2502
[PM-34443] chore: Fix Testing.md Sourcery usage/path by @fedemkr in #2508
[PM-34527] chore: Fix non-Sendable related trivial warnings. by @fedemkr in #2512
[PM-25831] chore: Remove cxp-import-mobile feature flag by @matt-livefront in #2514
[PM-34522] chore: Add sourcery automocks to AuthenticatorBridgeKit and convert SharedKeychainRepository to use it by @KatherineInCode in #2515
[PM-34592] chore: Update iOS version for tests to 26.2 by @matt-livefront in #2517
📦 Dependency Updates
Update public suffix list by @github-actions[bot] in #2473
[deps]: Update GitHub Artifact Actions (major) by @renovate[bot] in #2454
[deps]: Update gh minor by @renovate[bot] in #2475
Update public suffix list by @github-actions[bot] in #2503
🎨 Other
[PM-33853] llm: Add Billing domain to CLAUDE.md by @andrebispo5 in #2500
[PM-33574] llm: Add build-test-verify skill by @SaintPatrck in #2448
New Contributors
@marcdejesus made their first contribution in #2432
Full Changelog: v2026.3.1-bwpm...v2026.4.0-bwpm
Builds Source: https://github.com/bitwarden/ios/actions/runs/23952232681
Original source - Apr 16, 2026
- Date parsed from source:Apr 16, 2026
- First seen by Releasebot:Apr 17, 2026
Authenticator 2026.4.0 (567)
Bitwarden iOs releases under-the-hood improvements and bug fixes, along with premium upgrade and login request handling updates. It also tightens TOTP behavior for non-premium accounts, improves accessibility, and consolidates internal services for a smoother app experience.
Overview
Various under-the-hood improvements and bug fixes
What's Changed
✨ Community Highlight
[PM-33390] PM-33287: Change minimum numbers/special max value from 5 to 9 by @marcdejesus in #2432
Feature Development
[PM-33859] feat: Premium upgrade dismissed to state by @andrebispo5 in #2463
[PM-33569] feat: Handle displaying login request for alert style notification by @matt-livefront in #2482
[PM-33853] feat: Add BillingAPIService for premium upgrade endpoints by @andrebispo5 in #2496
[PM-33854] feat: Add getPlans endpoint to BillingAPIService by @andrebispo5 in #2501
🐛 Bug fixes
[PM-33930] fix: Exclude items with invalid keys from TOTP section count by @matt-livefront in #2477
[PM-32401] fix: Prevent TOTP autofill for non-premium accounts by @matt-livefront in #2467
[PM-32401] fix: Prevent copy TOTP autofill action for non-premium accounts by @matt-livefront in #2479
[PM-34062] fix: Fix dismiss sync with browser automatically by @fedemkr in #2484
[PM-34062] [Backport] fix: Increase wait time for dismiss on sync with browser by @fedemkr in #2497
[PM-34205] fix: Hide unmasked password text field from VO when password is masked by @matt-livefront in #2499
[PM-250] fix: Update MP Hint Validation by @morganzellers-bw in #2495
[PM-33569] fix: Remove pending login request if it no longer exists by @matt-livefront in #2498
⚙️ Maintenance
Crowdin Pull by @bw-ghapp[bot] in #2472
[PM-33945] chore: Consolidate AppIDService to BitwardenKit by @KatherineInCode in #2478
[PM-33908] chore: Consolidate KeychainService to BitwardenKit by @KatherineInCode in #2470
[PM-32730] [BEEEP] chore: Improve spell check script by @fedemkr in #2471
[PM-34052] chore: Consolidate BitwardenError into BitwardenKit by @KatherineInCode in #2481
[PM-34106] chore: Consolidate KeychainItem into BitwardenKit via protocol by @KatherineInCode in #2492
Crowdin Pull by @bw-ghapp[bot] in #2502
[PM-34443] chore: Fix Testing.md Sourcery usage/path by @fedemkr in #2508
[PM-34527] chore: Fix non-Sendable related trivial warnings. by @fedemkr in #2512
[PM-25831] chore: Remove cxp-import-mobile feature flag by @matt-livefront in #2514
[PM-34522] chore: Add sourcery automocks to AuthenticatorBridgeKit and convert SharedKeychainRepository to use it by @KatherineInCode in #2515
[PM-34592] chore: Update iOS version for tests to 26.2 by @matt-livefront in #2517
📦 Dependency Updates
Update public suffix list by @github-actions[bot] in #2473
[deps]: Update GitHub Artifact Actions (major) by @renovate[bot] in #2454
[deps]: Update gh minor by @renovate[bot] in #2475
Update public suffix list by @github-actions[bot] in #2503
🎨 Other
[PM-33853] llm: Add Billing domain to CLAUDE.md by @andrebispo5 in #2500
[PM-33574] llm: Add build-test-verify skill by @SaintPatrck in #2448
New Contributors
@marcdejesus made their first contribution in #2432
Full Changelog: v2026.3.1-bwa...v2026.4.0-bwa
Builds Source: https://github.com/bitwarden/ios/actions/runs/23952233246
Original source