Disable registration of new users - dani-garcia/vaultwarden GitHub Wiki
By default, anyone who can access your instance can register for a new account. To disable this, set the SIGNUPS_ALLOWED env variable to false:
docker run -d --name bitwarden \
-e SIGNUPS_ALLOWED=false \
-v /vw-data/:/data/ \
-p 80:80 \
vaultwarden/server:latest
Disabling organization invitations
Even when SIGNUPS_ALLOWED=false, an existing user who is an organization owner or admin can still invite new users. If you want to disable this as well, see Disable invitations.
Restricting registrations to certain email domains
You can restrict registration to email addresses from certain domains by setting SIGNUPS_DOMAINS_WHITELIST accordingly. For example:
SIGNUPS_DOMAINS_WHITELIST=example.com(single domain)SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org(multiple domains)
[!WARNING] If
SIGNUPS_DOMAINS_WHITELISTis set, then the value ofSIGNUPS_ALLOWEDis ignored.
You may also want to set SIGNUPS_VERIFY=true, which would require email verification before a newly-registered user can successfully log in. This would prevent someone from registering with a fake email address that has the proper domain.
Visibility of the Create account link
When SIGNUPS_ALLOWED=false (and the SIGNUPS_DOMAINS_WHITELIST is empty) the Create account link will be hidden in the web vault UI unless you have not configured email and allow invitations (cf. #6109). If you don't want to have the link visible even in the latter case you can hide the link by using Custom CSS.
Invitations via the admin page
The vaultwarden admin can invite anyone via the admin page, regardless of any of the restrictions above. If mail has been disabled and the link is not visible, invited users can still visit https://vaultwarden.example.tld/#/signup and use the email address that was invited to register their account.