> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# About 1Password Shell Plugins security

## Authorization model

To get your consent when a 1Password CLI command or 1Password Shell Plugin is invoked, 1Password will present you with an approval dialog:

<div style={{ textAlign: 'center' }}>
  <Frame>
    <img alt="A CLI being authenticated using 1Password CLI biometric unlock." src="https://mintcdn.com/ab-634991b8/Ul-COtb5ywadNlrP/static/img/shell-plugins/aws-5.png?fit=max&auto=format&n=Ul-COtb5ywadNlrP&q=85&s=29e1785425ad21c02080c96aaad2ee55" width="900" data-path="static/img/shell-plugins/aws-5.png" />
  </Frame>
</div>

This dialog will show which application is requesting permission to use which 1Password account. After you approve the request, a *session* will be established between 1Password and the terminal window or tab the plugin was invoked from.

Any consecutive invocations of 1Password CLI within that terminal window can use your 1Password account without additional authorization until 1Password locks. This includes invocations of the same plugin, a different plugin and any other 1Password CLI commands. As always when working with secrets, it's worth being mindful of the processes, scripts, and plugins you run that can access those secrets.

A session is ended in any of the following scenarios:

* When 1Password is locked
* After 10 minutes of inactivity
* After 12 hours
* When `op signout` is run in the authorized terminal session
* When `op signout --all` is run in any terminal session

## Extendability & community contributions

1Password Shell Plugins is [extendable](/cli/shell-plugins/contribute/). Contributed plugins are curated and reviewed by 1Password before they are included and shipped in 1Password CLI.

1Password has only reviewed contributed plugins if they are included in 1Password CLI. We recommend you only run plugins included in 1Password CLI and plugins you've written yourself.
In practice, this means you should not download binaries and place them in `~/.op/plugins/local`.

## Learn more

* [Biometric security](/cli/app-integration/)
