> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Template syntax

export const CodeWrapper = ({variant, children}) => {
  const variantStyles = {
    bad: "[&_.code-block-background]:!mint-bg-red-100 [&_.code-block-background]:dark:!mint-bg-red-950/50",
    good: "[&_.code-block-background]:!mint-bg-green-100 [&_.code-block-background]:dark:!mint-bg-green-950/50"
  };
  const appliedStyles = variant ? variantStyles[variant] : "";
  return <div className={`coloredCodeWrapper ${appliedStyles}`}>{children}</div>;
};

You can create a templated config file that contains [secret references](/cli/secret-reference-syntax/), then [use op inject](/cli/secrets-config-files/) to receive a resolved config file that contains the actual secrets.

Here's an example of a template file with enclosed secret references in place of the plaintext secrets:

```yml config.yml.tpl theme={null}
database:
  host: localhost
  port: 5432
  username: {{ op://prod/database/username }}
  password: {{ op://prod/database/password }}
```

## Secret references

Secret references included in template files can be formatted as either [unenclosed secret references](#unenclosed-secret-references) or [enclosed secret references](#enclosed-secret-references).

### Unenclosed secret references

```shell theme={null}
op://test-app/database/password
```

An unenclosed secret reference is a string that:

* Begins with `op://` and is not preceded by any of the characters from: `alphanumeric`, `-`, `+` , `\`, `.`.
* Ends with either the end of the template, or the first encountered character outside the following set: `alphanumeric`, `-`, `?`, `_`, `.`.

Examples of good and bad unenclosed secret references:

<CodeWrapper variant="good">
  ```yml theme={null}
  op://prod/docker-credentials/username
  ```
</CodeWrapper>

<CodeWrapper variant="good">
  ```yml theme={null}
  op://d3v/stripe.keys/s3ct10n/public_key
  ```
</CodeWrapper>

<CodeWrapper variant="bad">
  ```yml theme={null}
  op://h?ack/1Password!/for"real
  ```
</CodeWrapper>

(contains special characters that are not supported by the syntax)

<CodeWrapper variant="bad">
  ```yml theme={null}
  op://{vault}/[item]/(section)/field
  ```
</CodeWrapper>

(contains special characters that are not supported by the syntax)

### Enclosed secret references

```shell theme={null}
{{ op://test-app/database/password }}
```

An enclosed secret reference is defined as any string that satisifies all of the following:

* Begins with two closed braces `{{`
* Ends with the two closed braces `}}`
* Contains a valid unenclosed secret reference between the two pairs of braces, possibly padded with spaces

Examples of good and bad enclosed secret references:

<CodeWrapper variant="good">
  ```yml theme={null}
  {{op://prod/docker-credentials/username}}
  ```
</CodeWrapper>

<CodeWrapper variant="good">
  ```yml theme={null}
  {{ op://d3v/stripe.keys/s3ct10n/public_key }}
  ```
</CodeWrapper>

<CodeWrapper variant="bad">
  ```yml theme={null}
  {{op://h?ack/1Password!/for"real}}
  ```
</CodeWrapper>

(the secret reference contains unsupported characters)

### Special characters

If you need to escape special characters in your template, you can use curly braces and double quotes:

```yml theme={null}
{{ "{{ test op://prod/docker-credentials/username }}" }}
will be resolved to
{{ test op://prod/docker-credentials/username }}
```

If the content contains double quotes, they must be escaped with `\`:

```yml theme={null}
{{ "{{ test \"test\" test }}" }}
will be resolved to
{{ test "test" test }}
```

## Variables

The template syntax also supports variable tags:

* `$var` (unenclosed variables)
* `${var}` (enclosed variables)

When resolving an unenclosed variable of the form `$FOO`, it is replaced with the value of the environment variable named `FOO`.

When resolving an enclosed variable of the form `${FOO}`, any whitespace at the beginning or end of `FOO` is discarded and the reference is replaced with the value of the environment variable named `FOO`.

Variable names are case-insensitive, cannot start with a number, and can only contain letters, numbers, and underscores.

Examples of good and bad unenclosed variables:

<CodeWrapper variant="good">
  ```yml theme={null}
  $my_var
  ```
</CodeWrapper>

<CodeWrapper variant="good">
  ```yml theme={null}
  $mY_2nd_vAr
  ```
</CodeWrapper>

<CodeWrapper variant="bad">
  ```yml theme={null}
  $2nd_var
  ```
</CodeWrapper>

(starts with a number)

<CodeWrapper variant="bad">
  ```yml theme={null}
  $var-?notvar!
  ```
</CodeWrapper>

(contains unsupported special characters)

Examples of good and bad enclosed variables:

<CodeWrapper variant="good">
  ```yml theme={null}
  ${my_var}
  ```
</CodeWrapper>

<CodeWrapper variant="good">
  ```yml theme={null}
  ${ mY_2nd_vAr }
  ```
</CodeWrapper>

<CodeWrapper variant="bad">
  ```yml theme={null}
  ${my_var\}
  ```
</CodeWrapper>

(the closing brace is escaped)

### Default values

To set a default value for a template variable, use this syntax:

`${VAR_NAME:-<default-value>}`

The default value will be used when the variable can't be found in the environment.

For example, `op://${VAULT:-dev}/docker/password` evaluates to `op://dev/docker/password` when the `VAULT` environment variable isn't set.
If `VAULT` is set to `prod` instead, it will evaluate to `op://prod/docker/password`.

## Learn more

* [Load secrets into config files](/cli/secrets-config-files/)
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Secret reference syntax](/cli/secret-reference-syntax/)
* [Workflow: Secure your developer secrets](/get-started/secure-developer-secrets)
* [Developer quickstart](/get-started/developer-quickstart)
