decoy logodecoy
decoy vs Bitwarden

a password manager with aliases, inbox ai and user-controlled agent access.

bitwarden is the open-source standard and now ships an MCP server, but aliases require a third party and its MCP access is tied to the CLI session. Decoy adds account selection, duration and a user-visible access record.

see side by side →
decoy
free for founding members
Bitwarden
free · $19.80 / yr premium
premium doubled from $10 in early 2026
the password manager basics

everything Bitwarden does

  • passwords, TOTP codes, and passkeys autofilled across iOS and safari.
  • zero-knowledge encryption means even we can't read your vault — it can only ever be read on your device.
  • move passwords, passkeys, and 2fa seeds from bitwarden in one tap via CXP on iOS 26. secure notes and file attachments export separately.
  • we tell you which of your passwords showed up in a known breach (via HIBP, the standard breach database) and which weak or reused ones to fix first.
what decoy adds

and what Bitwarden skips

  • disposable emails built in — generated on demand for every signup, with an optional personal alias (yourname.decoys.me) for prefixes you invent on the fly. no simplelogin or fastmail subscription bolted on top.
  • your inbox never leaves your phone — we use on-device ai so we can surface promo codes, catch 2fa, and summarize mail, all without the contents going to a server.
  • Decoy lets users choose which accounts and information an ai agent can access and for how long. every Decoy data access is recorded. bitwarden's MCP scopes access through its CLI session.

side by side

where decoy wins, and where it doesn't.

disposable emails
a different email for every signup — so when a site gets breached or starts spamming, you burn the decoy, not your real inbox. send and reply from any of them.
decoy
unlimited, send + receive
Bitwarden
integrations w/ simplelogin, addy, fastmail
password manager + 2fa
passwords, 2fa codes, and passkeys in one place, autofilled on iOS — so you stop juggling an authenticator app to sign in.
decoy
passwords, TOTP, passkeys
Bitwarden
passwords, TOTP, passkeys
end-to-end encryption
end-to-end encrypted means even we can't read your data — it can only ever be read on your device. if we ever got breached, there's nothing readable to steal.
decoy
yes
Bitwarden
yes (zero-knowledge)
migration & import
move your whole vault over in one tap via apple's credential exchange (CXP) — and one tap moves it back out if you change your mind. no csv files, no lock-in.
decoy
CXP import from apple passwords
Bitwarden
CXP import on iOS 26
on-device ai
your inbox never leaves your phone — we use on-device ai so we can pull out promo codes, catch 2fa automatically, summarize what's new, and flag breach hints, all without shipping your mail to a server.
decoy
iOS 26 foundation models
Bitwarden
no ai
ai agents
when an ai agent needs a login, inbox or personal detail, Decoy lets the user choose the exact accounts and information it can access and for how long. every Decoy data access is recorded.
decoy
MCP + user-controlled access
Bitwarden
MCP server (session-scoped CLI, no push approval)

be a nobody. get unlimited perks.

free for founding members. lock it in now.

switch to decoy if…

  • you want disposable emails built into your password manager — generated on demand by default, with an optional personal alias (yourname.decoys.me) for prefixes you invent on the fly. not a simplelogin or fastmail account glued on top.
  • you want send + reply from any decoy, not just forwarding.
  • you want promo codes, 2fa, and summaries pulled from your inbox on-device — bitwarden doesn’t look at email at all.
  • you want ai agents to act on your behalf using a disposable identity — not your real email, real password, real account. bitwarden's MCP scopes the agent to your CLI session; decoy gives the agent its own throwaway identity.
  • you want one app for passwords, TOTP, passkeys, aliases, and inbox ai — not two subscriptions (bitwarden + simplelogin/addy/fastmail) stitched together.
or pick Bitwarden if…
  • you want to audit the full app source on github before trusting it with your vault.
  • you need linux, windows, android, or a self-hosted server today (decoy starts on iOS).
  • you share a family vault or run a team/enterprise deployment.

free for founding members

join the waitlist to lock in founding-member status. paid tiers come later — you stay free.

questions

bitwarden is free and open source. why switch?
Decoy is free for founding members and combines disposable emails, on-device inbox ai and user-controlled agent access. keep bitwarden if full open source and broader platform support matter more.
can i import my bitwarden vault into decoy?
yes. bitwarden supports CXP export on iOS 26, so one tap moves passwords, passkeys, and TOTP seeds straight into decoy. no csv dance.
bitwarden has an MCP server now. is decoy still different?
yes, but the access models differ. bitwarden authenticates through its CLI session. Decoy lets users approve one request or standing access to selected accounts and information, with an expiry or until revoked. every Decoy data access is recorded.
what about simplelogin or fastmail aliases with bitwarden?
they work, but you're paying for two products. decoy bundles disposable emails with the vault — generated on demand by default, with an optional personal alias where you can invent prefixes inline (gym@, netflix@, that-weird-app@) and reply from any of them.
does decoy work on android, windows, linux like bitwarden?
decoy is an iOS app. but your decoys forward to any inbox you already use on any platform, and any ai agent can manage them from any device via MCP.
is decoy open source?
the ai surface is open source — anyone can audit exactly what an agent can do on your behalf. the rest of the stack is on the roadmap. our encryption is public and anyone can poke holes in it today.
does decoy only work on iPhone?
today, yes — the decoy app is iOS (iPhone + iPad) with a safari extension on iOS and macOS. desktop and other platforms are in active development. your decoys already forward to whatever inbox you use on any platform (gmail, outlook, proton), and any ai agent can manage them from any device via MCP.