on our Vaultwarden instance we have new signups disabled, but have a domain whitelist in place, so that people belonging to our organization can self-signup. This is great and works as expected!

On the other hand sometimes it is necessary for admins to invite new users with an e-mail address not on that whitelist, and where it is not feasible to add it to the whitelist, e.g.

So in summary: Currently the SIGNUPS_DOMAINS_WHITELIST also blocks outgoing invites when the email address is not on that whitelist. I would argue to change this behavior so that Invites always go through no matter the domain restrictions for self-signup.


That kind beats the purpose of setting what you are suggesting there. Because it would also open-up anyone with manager access or above to invite anyone.

If you really need to invite someone outside of the currently allowed whitelist i suggest to invite them via the /admin interface first, let them create an account and after that you can invite them into the organization. That way it will not check the whitelist.


@BlackDex Did not know you could do that! Thank you for posting that very useful tidbit!

But what if that is exactly what I want? I don’t want everyone to be able to register (except for users from the allowed domains) but I still want my friends and family to be able to invite someone else using other domains?

If I understand correctly the only way to achieve this use case is by instead of whitelisting the domain I’d need to make registration invite only (i.e. SIGNUPS_ALLOWED=false, INVITATIONS_ALLOWED=true) and invite all my domain users manually?

Yes, that’s what you would have to do. Vaultwarden already has quite a lot of options, perhaps too many, and I don’t think it’s worth it to add another one to support what seems to be a pretty niche use case.