bitwarden · Hinton · Aug 22, 2025 · May 26, 2025 · May 26, 2025 · May 26, 2025
@@ -1,5 +1,5 @@
 use bitwarden_api_api::models::ProjectCreateRequestModel;
-use bitwarden_core::{key_management::SymmetricKeyId, Client};
+use bitwarden_core::{key_management::SymmetricKeyId, Client, OrganizationId};
 use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -28,7 +28,7 @@ pub(crate) async fn create_project(
     input.validate()?;
 
     let key_store = client.internal.get_key_store();
-    let key = SymmetricKeyId::Organization(input.organization_id);
+    let key = SymmetricKeyId::Organization(OrganizationId::new(input.organization_id));
 
     let project = Some(ProjectCreateRequestModel {
         name: input

@@ -1,7 +1,7 @@
 use bitwarden_api_api::models::ProjectResponseModel;
 use bitwarden_core::{
     key_management::{KeyIds, SymmetricKeyId},
-    require,
+    require, OrganizationId,
 };
 use bitwarden_crypto::{Decryptable, EncString, KeyStoreContext};
 use chrono::{DateTime, Utc};
@@ -28,7 +28,7 @@ impl ProjectResponse {
         ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<Self, SecretsManagerError> {
         let organization_id = require!(response.organization_id);
-        let key = SymmetricKeyId::Organization(organization_id);
+        let key = SymmetricKeyId::Organization(OrganizationId::new(organization_id));
 
         let name = require!(response.name)
             .parse::<EncString>()?

@@ -1,5 +1,5 @@
 use bitwarden_api_api::models::ProjectUpdateRequestModel;
-use bitwarden_core::{key_management::SymmetricKeyId, Client};
+use bitwarden_core::{key_management::SymmetricKeyId, Client, OrganizationId};
 use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -30,7 +30,7 @@ pub(crate) async fn update_project(
     input.validate()?;
 
     let key_store = client.internal.get_key_store();
-    let key = SymmetricKeyId::Organization(input.organization_id);
+    let key = SymmetricKeyId::Organization(OrganizationId::new(input.organization_id));
 
     let project = Some(ProjectUpdateRequestModel {
         name: input

@@ -1,5 +1,5 @@
 use bitwarden_api_api::models::SecretCreateRequestModel;
-use bitwarden_core::{key_management::SymmetricKeyId, Client};
+use bitwarden_core::{key_management::SymmetricKeyId, Client, OrganizationId};
 use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -36,7 +36,7 @@ pub(crate) async fn create_secret(
     input.validate()?;
 
     let key_store = client.internal.get_key_store();
-    let key = SymmetricKeyId::Organization(input.organization_id);
+    let key = SymmetricKeyId::Organization(OrganizationId::new(input.organization_id));
 
     let secret = {
         let mut ctx = key_store.context();

@@ -4,7 +4,7 @@ use bitwarden_api_api::models::{
 use bitwarden_core::{
     client::Client,
     key_management::{KeyIds, SymmetricKeyId},
-    require,
+    require, OrganizationId,
 };
 use bitwarden_crypto::{Decryptable, EncString, KeyStoreContext};
 use schemars::JsonSchema;
@@ -99,7 +99,7 @@ impl SecretIdentifierResponse {
         ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<SecretIdentifierResponse, SecretsManagerError> {
         let organization_id = require!(response.organization_id);
-        let enc_key = SymmetricKeyId::Organization(organization_id);
+        let enc_key = SymmetricKeyId::Organization(OrganizationId::new(organization_id));
 
         let key = require!(response.key)
             .parse::<EncString>()?

@@ -3,7 +3,7 @@ use bitwarden_api_api::models::{
 };
 use bitwarden_core::{
     key_management::{KeyIds, SymmetricKeyId},
-    require,
+    require, OrganizationId,
 };
 use bitwarden_crypto::{Decryptable, EncString, KeyStoreContext};
 use chrono::{DateTime, Utc};
@@ -52,7 +52,7 @@ impl SecretResponse {
         ctx: &mut KeyStoreContext<KeyIds>,
     ) -> Result<SecretResponse, SecretsManagerError> {
         let organization_id = require!(response.organization_id);
-        let enc_key = SymmetricKeyId::Organization(organization_id);
+        let enc_key = SymmetricKeyId::Organization(OrganizationId::new(organization_id));
 
         let key = require!(response.key)
             .parse::<EncString>()?

@@ -1,5 +1,5 @@
 use bitwarden_api_api::models::SecretUpdateRequestModel;
-use bitwarden_core::{key_management::SymmetricKeyId, Client};
+use bitwarden_core::{key_management::SymmetricKeyId, Client, OrganizationId};
 use bitwarden_crypto::PrimitiveEncryptable;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
@@ -35,7 +35,7 @@ pub(crate) async fn update_secret(
     input.validate()?;
 
     let key_store = client.internal.get_key_store();
-    let key = SymmetricKeyId::Organization(input.organization_id);
+    let key = SymmetricKeyId::Organization(OrganizationId::new(input.organization_id));
 
     let secret = {
         let mut ctx = key_store.context();

@@ -16,17 +16,14 @@ uniffi = [
     "bitwarden-crypto/uniffi",
     "dep:uniffi"
 ] # Uniffi bindings
-wasm = [
-    "bitwarden-core/wasm",
-    "dep:tsify",
-    "dep:wasm-bindgen"
-] # WASM support
+wasm = ["bitwarden-core/wasm", "dep:tsify", "dep:wasm-bindgen"] # WASM support
 
 [dependencies]
 bitwarden-api-api = { workspace = true }
 bitwarden-core = { workspace = true, features = ["internal"] }
 bitwarden-crypto = { workspace = true }
 bitwarden-error = { workspace = true }
+bitwarden-uuid = { workspace = true }
 serde = { workspace = true }
 serde_repr = { workspace = true }
 thiserror = { workspace = true }

@@ -1,9 +1,10 @@
 use bitwarden_api_api::models::CollectionDetailsResponseModel;
 use bitwarden_core::{
     key_management::{KeyIds, SymmetricKeyId},
-    require,
+    require, OrganizationId,
 };
 use bitwarden_crypto::{CryptoError, Decryptable, EncString, IdentifyKey, KeyStoreContext};
+use bitwarden_uuid::uuid_newtype;
 use serde::{Deserialize, Serialize};
 use serde_repr::{Deserialize_repr, Serialize_repr};
 use uuid::Uuid;
@@ -12,14 +13,16 @@ use {tsify::Tsify, wasm_bindgen::prelude::*};
 
 use crate::{error::CollectionsParseError, tree::TreeItem};
 
+uuid_newtype!(pub CollectionId);
+
 #[allow(missing_docs)]
 #[derive(Serialize, Deserialize, Debug)]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
 #[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
 pub struct Collection {
-    pub id: Option<Uuid>,
-    pub organization_id: Uuid,
+    pub id: Option<CollectionId>,
+    pub organization_id: OrganizationId,
     pub name: EncString,
     pub external_id: Option<String>,
     pub hide_passwords: bool,
@@ -35,8 +38,8 @@ pub struct Collection {
 #[cfg_attr(feature = "uniffi", derive(uniffi::Record))]
 #[cfg_attr(feature = "wasm", derive(Tsify), tsify(into_wasm_abi, from_wasm_abi))]
 pub struct CollectionView {
-    pub id: Option<Uuid>,
-    pub organization_id: Uuid,
+    pub id: Option<CollectionId>,
+    pub organization_id: OrganizationId,
     pub name: String,
     pub external_id: Option<String>,
     pub hide_passwords: bool,
@@ -94,8 +97,8 @@ impl TryFrom<CollectionDetailsResponseModel> for Collection {
 
     fn try_from(collection: CollectionDetailsResponseModel) -> Result<Self, Self::Error> {
         Ok(Collection {
-            id: collection.id,
-            organization_id: require!(collection.organization_id),
+            id: collection.id.map(CollectionId::new),
+            organization_id: OrganizationId::new(require!(collection.organization_id)),
             name: require!(collection.name).parse()?,
             external_id: collection.external_id,
             hide_passwords: collection.hide_passwords.unwrap_or(false),
@@ -117,7 +120,7 @@ impl IdentifyKey<SymmetricKeyId> for Collection {
 #[allow(missing_docs)]
 impl TreeItem for CollectionView {
     fn id(&self) -> Uuid {
-        self.id.unwrap_or_default()
+        self.id.map(|id| id.0).unwrap_or_default()
     }
 
     fn short_name(&self) -> &str {
@@ -149,7 +152,6 @@ impl From<bitwarden_api_api::models::CollectionType> for CollectionType {
 mod tests {
     use bitwarden_core::key_management::{KeyIds, SymmetricKeyId};
     use bitwarden_crypto::{KeyStore, PrimitiveEncryptable, SymmetricCryptoKey};
-    use uuid::Uuid;
 
     use super::*;
 
@@ -160,7 +162,7 @@ mod tests {
     fn create_test_key_store() -> KeyStore<KeyIds> {
         let store = KeyStore::<KeyIds>::default();
         let key = SymmetricCryptoKey::make_aes256_cbc_hmac_key();
-        let org_id = Uuid::parse_str(ORGANIZATION_ID).unwrap();
+        let org_id = ORGANIZATION_ID.parse().unwrap();
 
         #[allow(deprecated)]
         store
@@ -175,13 +177,13 @@ mod tests {
     fn test_decrypt_with_name_only() {
         let store = create_test_key_store();
         let mut ctx = store.context();
-        let org_id = Uuid::parse_str(ORGANIZATION_ID).unwrap();
+        let org_id = ORGANIZATION_ID.parse().unwrap();
         let key = SymmetricKeyId::Organization(org_id);
 
         let collection_name: &str = "Collection Name";
 
         let collection = Collection {
-            id: Some(Uuid::parse_str(COLLECTION_ID).unwrap()),
+            id: Some(COLLECTION_ID.parse().unwrap()),
             organization_id: org_id,
             name: collection_name.encrypt(&mut ctx, key).unwrap(),
             external_id: Some("external-id".to_string()),
@@ -201,14 +203,14 @@ mod tests {
     fn test_decrypt_with_default_user_collection_email() {
         let store = create_test_key_store();
         let mut ctx = store.context();
-        let org_id = Uuid::parse_str(ORGANIZATION_ID).unwrap();
+        let org_id = ORGANIZATION_ID.parse().unwrap();
         let key = SymmetricKeyId::Organization(org_id);
 
         let collection_name: &str = "Collection Name";
         let default_user_collection_email = String::from("[email protected]");
 
         let collection = Collection {
-            id: Some(Uuid::parse_str(COLLECTION_ID).unwrap()),
+            id: Some(COLLECTION_ID.parse().unwrap()),
             organization_id: org_id,
             name: collection_name.encrypt(&mut ctx, key).unwrap(),
             external_id: None,
@@ -229,10 +231,10 @@ mod tests {
     fn test_decrypt_all_fields_preserved() {
         let store = create_test_key_store();
         let mut ctx = store.context();
-        let org_id = Uuid::parse_str(ORGANIZATION_ID).unwrap();
+        let org_id = ORGANIZATION_ID.parse().unwrap();
         let key = SymmetricKeyId::Organization(org_id);
 
-        let collection_id = Some(Uuid::parse_str(COLLECTION_ID).unwrap());
+        let collection_id = Some(COLLECTION_ID.parse().unwrap());
         let external_id = Some("external-test-id".to_string());
         let collection_name: &str = "Collection Name";
         let collection_type = CollectionType::SharedCollection;

@@ -121,6 +121,7 @@ mod tests {
             crypto::{AuthRequestMethod, InitUserCryptoMethod, InitUserCryptoRequest},
             SymmetricKeyId,
         },
+        UserId,
     };
 
     #[test]
@@ -265,7 +266,7 @@ mod tests {
         new_device
             .crypto()
             .initialize_user_crypto(InitUserCryptoRequest {
-                user_id: Some(uuid::Uuid::new_v4()),
+                user_id: Some(UserId::new_v4()),
                 kdf_params: kdf,
                 email: email.to_owned(),
                 private_key,

@@ -5,7 +5,6 @@ use bitwarden_crypto::{BitwardenLegacyKeyBytes, EncString, KeyDecryptable, Symme
 use chrono::Utc;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
-use uuid::Uuid;
 
 use super::LoginError;
 use crate::{
@@ -17,7 +16,7 @@ use crate::{
     client::{LoginMethod, ServiceAccountLoginMethod},
     require,
     secrets_manager::state::{self, ClientState},
-    Client,
+    Client, OrganizationId,
 };
 
 pub(crate) async fn login_access_token(
@@ -119,7 +118,7 @@ fn load_tokens_from_state(
     client: &Client,
     state_file: &Path,
     access_token: &AccessToken,
-) -> Result<Uuid, LoginError> {
+) -> Result<OrganizationId, LoginError> {
     let client_state = state::get(state_file, access_token)?;
 
     let token: JwtToken = client_state.token.parse()?;
@@ -128,7 +127,7 @@ fn load_tokens_from_state(
         let time_till_expiration = (token.exp as i64) - Utc::now().timestamp();
 
         if time_till_expiration > 0 {
-            let organization_id: Uuid = organization_id
+            let organization_id: OrganizationId = organization_id
                 .parse()
                 .map_err(|_| LoginError::InvalidOrganizationId)?;
             let encryption_key = SymmetricCryptoKey::try_from(client_state.encryption_key)?;

@@ -12,13 +12,13 @@ use bitwarden_error::bitwarden_error;
 #[cfg(feature = "internal")]
 use log::warn;
 use thiserror::Error;
-#[cfg(any(feature = "internal", feature = "secrets"))]
-use uuid::Uuid;
 
 #[cfg(feature = "internal")]
 use crate::key_management::{AsymmetricKeyId, SecurityState, SignedSecurityState, SigningKeyId};
 #[cfg(any(feature = "internal", feature = "secrets"))]
 use crate::key_management::{KeyIds, SymmetricKeyId};
+#[cfg(any(feature = "secrets", feature = "internal"))]
+use crate::OrganizationId;
 use crate::{error::UserIdAlreadySetError, MissingPrivateKeyError, VaultLockedError};
 
 #[allow(missing_docs)]
@@ -190,7 +190,7 @@ impl EncryptionSettings {
     /// This is used only for logging in Secrets Manager with an access token
     #[cfg(feature = "secrets")]
     pub(crate) fn new_single_org_key(
-        organization_id: Uuid,
+        organization_id: OrganizationId,
         key: SymmetricCryptoKey,
         store: &KeyStore<KeyIds>,
     ) {
@@ -204,7 +204,7 @@ impl EncryptionSettings {
 
     #[cfg(feature = "internal")]
     pub(crate) fn set_org_keys(
-        org_enc_keys: Vec<(Uuid, UnsignedSharedKey)>,
+        org_enc_keys: Vec<(OrganizationId, UnsignedSharedKey)>,
         store: &KeyStore<KeyIds>,
     ) -> Result<(), EncryptionSettingsError> {
         use crate::key_management::AsymmetricKeyId;