Get started

If you’re new to 1Password CLI, learn how to set it up and sign in to your account.

Command structure

op [command] <flags>
1Password CLI uses a noun-verb command structure that groups commands by topic rather than by operation. The basic structure of a command starts with the 1Password program op, then the command name (noun), often followed by a subcommand (verb), then flags (which include additional information that gets passed to the command). For example, to retrieve a list of all the items in your Private vault:
op item list --vault Private
To get a list of all global commands and flags, run the following:
op --help

Command reference

  • account: Manage your locally configured 1Password accounts
  • completion: Generate shell completion information
  • connect: Manage Connect server instances and tokens in your 1Password account
  • document: Perform CRUD operations on Document items in your vaults
  • events-api: Manage Events API integrations in your 1Password account
  • group: Manage the groups in your 1Password account
  • inject: Inject secrets into a config file
  • item: Perform CRUD operations on the 1Password items in your vaults
  • plugin: Manage the shell plugins you use to authenticate third-party CLIs
  • read: Read a secret reference
  • run: Pass secrets as environment variables to a process
  • service-account: Manage service accounts
  • signin: Sign in to a 1Password account
  • signout: Sign out of a 1Password account
  • update: Check for and download updates
  • user: Manage users within this 1Password account
  • vault: Manage permissions and perform CRUD operations on your 1Password vaults
  • whoami: Get information about a signed-in account

Global flags

      --account string     Select the account to execute the command by account shorthand, sign-in address, account ID, or user ID. For a list of available accounts, run 'op account list'. Can be set as the OP_ACCOUNT environment variable.
      --cache              Store and use cached information. Caching is enabled by default on UNIX-like systems. Caching is not available on Windows. Options: true, false. Can also be set with the OP_CACHE environment variable. (default true)
      --config directory   Use this configuration directory.
      --debug              Enable debug mode. Can also be enabled by setting the OP_DEBUG environment variable to true.
      --encoding type      Use this character encoding type. Default: UTF-8. Supported: SHIFT_JIS, gbk.
      --format string      Use this output format. Can be 'human-readable' or 'json'. Can be set as the OP_FORMAT environment variable. (default "human-readable")
  -h, --help               Get help for op.
      --iso-timestamps     Format timestamps according to ISO 8601 / RFC 3339. Can be set as the OP_ISO_TIMESTAMPS environment variable.
      --no-color           Print output without color.
      --session token      Authenticate with this session token. 1Password CLI outputs session tokens for successful `op signin` commands when 1Password app integration is not enabled.

Unique identifiers (IDs)

When you retrieve information about an object using the get and list subcommands, you’ll see a string of 26 numbers and letters that make up the object’s unique identifier (ID). You can use names or IDs in commands that take any account, user, vault, or item as an argument. IDs are the most stable way to reference an item. An item’s ID only changes when you move the item to a different vault. Commands provided with an ID are also faster and more efficient. You can get information about an item, including the item’s ID and the ID for the vault where it’s stored, with op item get.
op item get Netflix
Output:
ID:          t2Vz6kMDjByzEAcq6peKnHL4k3
Title:       Netflix
Vault:       Private (sdfsdf7werjgdf8gdfgjdfgkj)
Created:     6 months ago
Updated:     1 month ago by Wendy Appleseed
Favorite:    false
Version:     1
Category:    LOGIN
To only fetch the item ID, use the same command with the format set to JSON, then use jq to parse the output.
To get the IDs for all vaults in an account:

Shell completion

You can add shell completion so that 1Password CLI automatically completes your commands. With shell completion enabled, start typing an op command, then press Tab to see the available commands and options.
To enable shell completion with Bash:
  1. Install the bash-completion package
  2. Add this line to your .bashrc file:
    source <(op completion bash)
    

Cache item and vault information

1Password CLI can use its daemon process to cache items, vault information, and the keys to access information in an account. The daemon stores encrypted information in memory using the same encryption methods as on 1Password.com. It can read the information to pass to 1Password CLI, but can’t decrypt it. On UNIX-like systems, caching between commands is enabled by default. This helps maximize performance and reduce the number of API calls. If you use 1Password CLI in an environment where caching is not possible, you can turn it off by appending the --cache=false flag to your commands, or by setting the OP_CACHE environment variable to false. Caching is not currently available on Windows.

Alternative character encoding

By default, 1Password CLI processes input and output with UTF-8 encoding. You can use an alternative character encoding with the --encoding option. Supported alternative character encoding types:
  • gbk
  • shift-jis

Parse JSON output with jq

You can use the --format flag or the OP_FORMAT environment variable to set your 1Password CLI command output to json. To parse JSON output, we recommend using the command-line tool jq. For example, to use jq to retrieve a secret reference for the password saved on an item named GitHub:

Beta builds

To download 1Password CLI beta builds, navigate to the 1Password CLI downloads page and select Show betas. On Linux, you can switch the channel from “stable” to “beta” when adding the 1Password repository in your package manager.

Example commands

Items

To get information about an item:
op item get <item name>
You’ll see the item’s ID, title, vault, when it was created, when it was last modified, the item’s version, if it’s marked as a favorite, the type of item it is, and the item’s fields.
If an item name includes spaces or special characters, enclose it in quotes. For example:
To use op item get to retrieve specific fields, include the --fields flag followed by a comma-separated list, with the prefix label= before each field name. For example, to only retrieve the username and password for the item work email:
Learn more about working with items.

Users and groups

To get details about a user:
To list the users who belong to a group:
Learn more about working with users and groups.

Vaults

To create a new vault named Test:
op vault create Test
To get details about an existing vault:
To list the vaults in an account:
Learn more about working with vaults.

Secrets

To insert a secret into an environment variable, config file, or script without putting the plaintext secret in code, use a secret reference that specifies where the secret is stored in your 1Password account:
op://vault-name/item-name/[section-name/]field-name
Then, you can use op read, op run, or op inject to replace the secret reference with the actual secret at runtime.
To resolve a secret reference and confirm it outputs correctly:
Learn more about loading secrets.
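The following is an added example, not part of the 1Password documentation: a POSIX shell check that every value in an env-style file is a secret reference in the op://vault-name/item-name/[section-name/]field-name form shown above, so that no plaintext secret ends up in the file. The function names and the sample file are constructed for this example, and it assumes names contain no slashes or whitespace.

```shell
#!/bin/sh
# Added example: flag env-file values that are not 1Password secret references.

# is_secret_ref REF: succeed only if REF has the form
#   op://vault-name/item-name/[section-name/]field-name
# Assumption of this example: names contain no "/" and no whitespace.
is_secret_ref() {
  case $1 in
    op://*) ;;
    *) return 1 ;;
  esac
  ref_path=${1#op://}
  # Reject empty paths, empty segments and whitespace.
  case $ref_path in
    ""|/*|*/|*//*|*[[:space:]]*) return 1 ;;
  esac
  # Count segments by splitting on "/" in a subshell (globbing disabled).
  ref_segments=$(IFS=/; set -f; set -- $ref_path; echo $#)
  [ "$ref_segments" -eq 3 ] || [ "$ref_segments" -eq 4 ]
}

# lint_env: read KEY=value lines on stdin, print each KEY whose value is
# not a secret reference, and return 1 if any such KEY was found.
lint_env() {
  lint_bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      ""|\#*) continue ;;            # skip blank lines and comments
    esac
    key=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value%\"}   # strip one pair of double quotes
    if ! is_secret_ref "$value"; then
      printf '%s\n' "$key"
      lint_bad=1
    fi
  done
  return "$lint_bad"
}

# Constructed sample input: two references and one plaintext value.
sample_env() {
  cat <<'EOF'
# app.env (constructed for this example)
DB_USER=op://vault-name/item-name/username
DB_PASS="op://vault-name/item-name/section-name/password"
API_TOKEN=plaintext-token-value
EOF
}

sample_env | lint_env || echo "the variables listed above hold plaintext values"
```

Run as a pre-commit or CI step, the non-zero return from lint_env can block a file that still contains plaintext values.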

Get help

For help with any command, use the --help option:
op <command> [subcommand] --help