Gergely Brautigam
Ahhh... you aren't supposed to use the public API with a user token 🤔
https://vault.bitwarden.com/identity/connect/token
Okay, finally got the API working with the right device type and stuff.

```
curl -X POST https://identity.bitwarden.com/connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=${BITWARDEN_CLIENT_ID}" \
  -d "client_secret=${BITWARDEN_CLIENT_SECRET}"...
```
Hmmm. This is getting problematic. The encryption and decryption are working, but I literally replicate what they are doing in the code. It's problematic, because if they change the algorithm...
That said, it's highly unlikely that the encryption method changes...
That would be problematic during store configuration changes. Like, you'd have to have tight control over the side-car and re-create it every time the configuration or the store changes, because...
Oh sorry, not when the store changes, but when the store gets deleted, the sidecar needs to disappear or reappear if a new store is created.
The service needs to be running in a separate container either inside the pod, or outside of it. If there is no bitwarden store, there shouldn't be any service running...
Let's do this then.
> It would be helpful if this policy was highlighted somewhere in the documentation. A feature compatibility matrix of some sort would be great!

I agree, absolutely! We roll out...