Skip to main content
Manage Connect server instances and tokens in your 1Password account.
Looking up a Connect server by its ID is more efficient than using the Connect server’s name.

Subcommands

connect group

Subcommands

connect group grant

Grant a group access to manage Secrets Automation. 
op connect group grant [flags]

Flags

--all-servers     Grant access to all current and future servers in the authenticated
                  account.
--group group     The group to receive access.
--server server   The server to grant access to.
If you don’t specify a server, it adds the group to the list of Secrets Automation managers.

connect group revoke

Revoke a group’s access to manage Secrets Automation. 
op connect group revoke [flags]

Flags


--all-servers     Revoke access to all current and future servers in the
                  authenticated account.
--group group     The group to revoke access from.
--server server   The server to revoke access to.

connect server

Subcommands

connect server create

Add a 1Password Connect server to your account and generate a credentials file for it. 1Password CLI saves the 1password-credentials.json file in the current directory. Note: You can’t grant a Connect server access to your built-in Personal, Private, or Employee vault. 
op connect server create <name> [flags]

Flags

-f, --force            Do not prompt for confirmation when overwriting credential files.
    --vaults strings   Grant the Connect server access to these vaults.
1Password CLI saves the 1password-credentials.json file in the current directory.

connect server delete

Remove a Connect server. Specify the server by name or ID. 
op connect server delete [{ <serverName> | <serverID> | - }] [flags]
The credentials file and all the tokens for the server will no longer be valid.

connect server edit

Rename a Connect server. Specify the server by name or ID. 
op connect server edit { <serverName> | <serverID> } [flags]

Flags

--name name   Change the server's name.

connect server get

Get details about a Connect server. Specify the server by name or ID. 
op connect server get [{ <serverName> | <serverID> | - }] [flags]

connect server list

Get a list of Connect servers. 
op connect server list [flags]

connect token

Subcommands

connect token create

Issue a new token for a Connect server. 
op connect token create <tokenName> [flags]

Flags

--expires-in duration   Set how long the Connect token is valid for in (s)econds,
                        (m)inutes, (h)ours, (d)ays, and/or (w)eeks.
--server string         Issue a token for this server.
--vault  stringArray    Issue a token on these vaults.
Returns a token. You can only provision Connect server tokens to vaults that the Connect server has access to. Use op connect vault grant to grant access to vaults. Note: You can’t grant a Connect server access to your built-in Personal, Private, or Employee vault. By default, the --vaults option grants the same permissions as the server. To further limit the permissions a token has to read-only or write-only, add a comma and r or w after the vault specification. For example: 
op connect token create "Dev k8s token" --server Dev --vaults Kubernetes,r \
	--expires-in=30d

op connect token create "Prod: Customer details" --server Prod --vault "Customers,w" \
    --vault "Vendors,r"

connect token delete

Revoke a token for a Connect server. 
op connect token delete [ <token> ] [flags]

Flags

--server string   Only look for tokens for this 1Password Connect server.

connect token edit

Rename a Connect server token. 
op connect token edit <token> [flags]

Flags

--name string     Change the token's name.
--server string   Only look for tokens for this 1Password Connect server.

connect token list

List tokens for Connect servers. 
op connect token list [flags]

Flags

--server server   Only list tokens for this Connect server.
Returns both active and revoked tokens. The integrationId is the ID for the Connect server the token belongs to.

connect vault

Subcommands

connect vault grant

Grant a Connect server access to a vault. 
op connect vault grant [flags]
Note: You can’t grant a Connect server access to your built-in Personal, Private, or Employee vault.

Flags

--server string   The server to be granted access.
--vault string    The vault to grant access to.

connect vault revoke

Revoke a Connect server’s access to a vault. 
op connect vault revoke [flags]

Flags

--server server   The server to revoke access from.
--vault vault     The vault to revoke a server's access to.