Vaultwarden is the lightweight, self-hosted Bitwarden-compatible password manager that engineering teams and security-conscious organizations run on their own infrastructure to keep credentials under their full control. Unlike a managed service, Vaultwarden is a live Rust application backed by a database that handles authentication, vault sync, emergency access, and encrypted credential storage for every member of your team. When Vaultwarden goes down, your team can't log in to the web vault, mobile apps stop syncing credentials, and browser extensions start showing offline errors — making it impossible to retrieve passwords needed for any system access. Password manager downtime is not just an inconvenience: it's a security incident that locks teams out of the tools they need to work. Vigilmon gives you external visibility into Vaultwarden's alive endpoint, API health, web vault availability, and SSL certificate so you know before your team does when the password manager is unreachable.
What You'll Build
- An HTTP monitor for Vaultwarden web vault availability
- A liveness check on the
/aliveendpoint - A health check on the Vaultwarden API config endpoint (
/api/config) - SSL certificate monitoring for your Vaultwarden domain
Prerequisites
- A running Vaultwarden instance with a public or network-reachable domain
- HTTPS configured via a reverse proxy (e.g.,
https://vault.example.com) - A free account at vigilmon.online
Step 1: Verify Vaultwarden Web Vault Availability
Vaultwarden serves the Bitwarden web vault from the root path. A successful response confirms the Rust application is running and the reverse proxy is routing traffic correctly:
curl -I https://vault.example.com
# Expected: HTTP/2 200
The root path returns the Bitwarden-compatible web vault interface. A 200 response confirms the application is serving the frontend — this is what your team uses to access credentials in a browser.
Step 2: Create a Vigilmon HTTP Monitor for Web Vault Availability
- Log in to Vigilmon → Add Monitor → HTTP.
- URL:
https://vault.example.com. - Check interval: 60 seconds.
- Response timeout: 10 seconds.
- Expected status:
200. - Keyword:
Bitwarden. - Label:
Vaultwarden Web Vault. - Click Save.
This monitor catches:
- Vaultwarden Rust process crashes or container restarts
- Database connection failures that prevent the application from serving requests
- Reverse proxy failures that block traffic from reaching the vault
- Configuration errors after upgrades that prevent the application from starting
- Out-of-memory kills that terminate the process
When this monitor fires, your team's entire credential access workflow is disrupted — no web vault, no browser extension sync, no mobile app sync.
Step 3: Monitor the /alive Endpoint
Vaultwarden exposes a dedicated /alive endpoint designed for health checks. It returns a simple response confirming the application process is running:
curl https://vault.example.com/alive
# Expected: HTTP 200
- Add Monitor → HTTP.
- URL:
https://vault.example.com/alive. - Check interval: 60 seconds.
- Expected status:
200. - Label:
Vaultwarden Alive. - Click Save.
Why monitor
/aliveseparately from the root path? The root path serves the web vault static assets, which may still load from cache or a CDN even if the Vaultwarden backend is down. The/aliveendpoint is served directly by the Rust application and returns a live response only when the process is running. If the root path stays green but/alivefails, the static frontend is being served but the vault backend is down — a critical distinction for a password manager.
Step 4: Monitor the API Config Endpoint
Vaultwarden's API config endpoint at /api/config returns a JSON response with server configuration details. This endpoint is unauthenticated and confirms that the API layer, database connectivity, and application initialization are all working correctly:
curl https://vault.example.com/api/config
# Expected: HTTP 200 with JSON body
A typical response:
{"version":"1.30.0","gitHash":"...","feature_flags":{},"environment":{...},"server":{...}}
- Add Monitor → HTTP.
- URL:
https://vault.example.com/api/config. - Check interval: 2 minutes.
- Expected status:
200. - Keyword:
version. - Label:
Vaultwarden API Config. - Click Save.
Why this endpoint matters: The
/api/configresponse confirms the entire Vaultwarden application stack — Rust process, database query path, and configuration loading — is functioning. Browser extensions and mobile apps query this endpoint before attempting to sync credentials. If this check fails, your team's Bitwarden clients will silently fail to sync even if the web vault appears available.
Step 5: Monitor SSL Certificates
For a password manager, SSL certificate health is non-negotiable. An expired or invalid certificate on Vaultwarden:
- Blocks browser extensions from syncing credentials, triggering offline mode
- Prevents mobile apps from authenticating, locking users out of saved passwords
- Breaks API access for any automation or scripts that retrieve secrets from the vault
- Prevents web vault access in all browsers, which treat expired certificates as a security error
- May trigger security warnings that cause users to distrust the vault and stop using it
- Add Monitor → SSL Certificate.
- Domain:
vault.example.com. - Alert when expiry is within: 30 days.
- Alert again: 14 days, 7 days, 3 days, 1 day.
- Click Save.
SSL certificate expiry on a password manager is uniquely damaging because the failure mode (browser extension offline, mobile app locked out) is not immediately obvious to users — they may assume they've forgotten their master password rather than diagnosing a certificate issue.
Step 6: Configure Alerting
In Vigilmon under Settings → Notifications, configure your alert channels:
| Monitor | Trigger | Action |
|---|---|---|
| Web Vault | Non-200 or keyword missing | Check Vaultwarden container; inspect application logs; verify database |
| /alive | Non-200 response | Vaultwarden process is down; restart container; check system resources |
| API Config | Non-200 or keyword missing | API layer failure; check DB connectivity; inspect Vaultwarden logs |
| SSL certificate | < 30 days to expiry | Renew certificate; verify ACME/Let's Encrypt auto-renewal is configured |
Alert after: 1 consecutive failure for all Vaultwarden monitors. Password manager availability is critical — a single failure confirmation is sufficient to page on-call. Do not wait for a second failure.
Common Vaultwarden Failure Modes and What Vigilmon Catches
| Scenario | Vigilmon monitor | |---|---| | Vaultwarden process crash | All HTTP monitors fire; alert within 60 s | | Database connection failure | API config monitor fires; application cannot serve vault data | | Database file corruption (SQLite) | Application may crash on startup; all monitors fire | | Reverse proxy misconfiguration | Web vault monitor fires; application container remains healthy | | Disk full (attachment storage) | File uploads fail; vault sync may degrade; application may crash | | Out-of-memory kill | Rust process terminated; all monitors fire simultaneously | | SSL certificate expires | SSL monitor alerts at 30 days; all Bitwarden clients go offline | | Vaultwarden upgrade breaks config | Application fails to start; all HTTP monitors fire | | Admin token misconfiguration | Admin panel unavailable; API config may still return 200 | | DNS misconfiguration | All monitors fire simultaneously |
Your password manager is the keychain for your entire infrastructure — every SSH key, API token, database credential, and service account flows through it. Vaultwarden downtime doesn't just inconvenience your team: it locks them out of the systems they need to respond to incidents and do their jobs. Vigilmon watches Vaultwarden's alive endpoint, API health, web vault, and SSL certificate so you're alerted within 60 seconds of any failure, before your team discovers it by getting locked out of their own tools.
Start monitoring Vaultwarden in under 5 minutes — register free at vigilmon.online.