> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Use the 1Password MCP Server to allow MCP clients to manage your 1Password Environments (beta)

export const Small = ({children}) => {
  return <small>{children}</small>;
};

export const YouTubeVideo = ({src, title, alt}) => {
  return <Frame>
      <iframe className="w-full aspect-video rounded-xl" src={src} title={alt ?? title} allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen></iframe>
    </Frame>;
};

<Badge color="gray" stroke size="lg">
  Beta
</Badge>

The 1Password MCP server creates a bridge that allows MCP clients such as [Codex](https://help.openai.com/en/articles/11096431-openai-codex-cli-getting-started) and [Kiro](https://kiro.dev/) to manage your [1Password Environments](/environments) with secure authorization prompts.

You can use the MCP server to:

* Create Environments.
* List Environment variable names.
* Handle local `.env` files within authenticated workflows, while securely storing your credentials in 1Password.
* Manage secrets within [1Password Environments](/environments).

The MCP server doesn't read or return secrets to the MCP client. Instead, secrets remain in 1Password and are only accessed by authorized processes. As a result, the MCP server allows your agent to act on secrets without ever seeing them.

[Learn more about 1Password's approach to MCP servers](https://1password.com/blog/where-mcp-fits-and-where-it-doesnt).

## How it works

Your MCP client connects to 1Password through the MCP server to create and manage an Environment for the project. Upon completion of the project, the MCP client requests that 1Password mount a [local `.env` file](/environments/local-env-file) through an in-memory FIFO file.

At runtime, 1Password injects the required variables from your Environment directly into the application process. The values exist in memory only for the authorized process, and only for as long as the process needs them. The MCP client orchestrates, the application executes, and 1Password issues the credentials.

For example, if you ask your MCP client to create a 1Password Environment:

1. **Start a task in your MCP client**: Such as, ask Codex or Kiro to create and manage an app.
2. **Your MCP client connects to the 1Password MCP server**: This happens over a local connection, where the client can discover and invoke available actions from instructions the MCP provides.
3. **1Password validates requests**: The MCP server communicates with the 1Password desktop app, which handles identity, authorization, and secure access.
4. **You approve access**: Every interaction requires explicit 1Password user authorization prompt approval before the client can proceed.
5. **The MCP client creates and manages an Environment in 1Password**: The client can create Environments, list and manage variable names, and prepare configuration without accessing raw secrets.
6. **1Password injects secrets at runtime**: Applications run using secrets from 1Password, without those secrets ever being exposed to the agent.

This walkthrough shows how to use the MCP server for Codex:

<YouTubeVideo src="https://youtube.com/embed/5eSAbPjMSYk" title="Secure secrets for agentic workflows with 1Password MCP Server and Codex" />

## Requirements

Before you can use the MCP server, you'll need to:

* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Install the 1Password desktop app](https://1password.com/downloads/).
* [Create a 1Password Environment.](/environments#create-an-environment)

## Get started with the MCP server

<Note>
  1Password Enterprise Password Manager admins can turn the MCP server feature on and off. To do so, go to **Policies** > **Agentic permissions** and then turn the **Local MCP server** option on or off as needed.
</Note>

Before you can use the MCP server, you'll need to turn the feature on and configure your MCP client.

### Step 1: Turn on access to the MCP server

To turn on the MCP server:

1. In 1Password, go to **Settings** > **Labs**, then select **MCP Server**.
2. Turn on the **Enable local MCP server** toggle.
3. Navigate to **Settings** > **Developer** and select **Integrate with MCP clients**.

### Step 2: Configure your MCP client

Next, you’ll need to configure 1Password as a local MCP server within your MCP client.

<Tabs groupId="mcp-clients">
  <Tab title="Codex">
    <Note>
      This feature is in beta. Codex currently supports Mac and Linux.
    </Note>

    To configure the 1Password MCP Server for Codex:

    1. In Codex, go to **MCP servers** and select **+ Add server**. Make sure the toggle is turned on.
    2. Set the path in the **Command to launch** field.
       * For Mac, use: `/Applications/1Password.app/Contents/MacOS/onepassword-mcp`
       * For Linux, use: `./dist/onepassword-mcp`

    Next, update your `AGENTS.md` file to instruct Codex to explicitly use the MCP server without needing to ask.

    To do this, go to **Personalization** and fill in the **Custom instructions** field. For example, add the instruction:

    "Always use the 1Password MCP server if you need to work with the 1Password developer environments without me having to explicitly ask."
  </Tab>

  <Tab title="Kiro">
    <Note>
      This feature is in beta. The Kiro plugin currently only supports Mac.
    </Note>

    To configure the [1Password MCP Server for Kiro](https://github.com/1Password/1password-kiro-plugin), you can either install the plugin from the Kiro Power Marketplace or from GitHub.

    #### Option 1: Install from the Kiro Power Marketplace

    1. Search for "1Password Developer Environments" at [kiro.dev/powers](https://kiro.dev/powers).
    2. Select **Add to Kiro** to open the installation page in Kiro.
    3. Select **+Install** to install the Power.
    4. Select **Try power** to validate your Environment and get started.

    #### Option 2: Install from GitHub

    1. Select **Powers** in the Activity Bar, or open the Command Palette and search for **Powers: Focus on Installed view**.
    2. Select **Add Custom Power**.
    3. Select **Import Power from GitHub** from the menu options.
    4. Paste the repository URL: `https://github.com/1Password/1password-kiro-plugin`
    5. Select `1password-kiro-plugin` from the list of installed Powers.
    6. From the `Power: 1Password Developer Environments` screen, select **Try power** to validate your Environment and get started.
  </Tab>

  <Tab title="Other">
    To manually configure the 1Password MCP server, follow your MCP client's instructions to add a local MCP server. Enter the path for your platform as the command:

    | Platform | Binary location                                              |
    | -------- | ------------------------------------------------------------ |
    | Mac      | `/Applications/1Password.app/Contents/MacOS/onepassword-mcp` |
    | Linux    | `/opt/1Password/onepassword-mcp`                             |
    | Windows  | Path varies depending on your installation method.\*         |

    <Small>
      \*For Microsoft Store and MSIX installations, open Powershell and run the following command to find the correct path:

      ```PowerShell theme={null}
      (Get-AppxPackage -Name "AgileBits.1Password").InstallLocation + "\onepassword-mcp.exe"
      ```
    </Small>
  </Tab>
</Tabs>

## Example prompts

After your MCP client is configured, you can prompt it to perform tasks like:

* "List my 1Password Environments"
* "Create a local .env mount here"
* "Show me the variable names in my project environment"
* "Add a placeholder variable for my OpenAI API key"
* "Create a new Environment called my-project"

The 1Password desktop app may prompt for approval when your MCP client connects to the MCP server or accesses an Environment.

## Learn more

* [1Password Environments (beta)](/environments)
* [Use 1Password's agent hook to validate local .env files from 1Password Environments](/environments/agent-hook-validate)
* [Sync secrets between 1Password and AWS Secrets Manager (beta)](/environments/aws-secrets-manager)
* [Get started with 1Password Developer](https://support.1password.com/developer)
* [Manage team policies in 1Password Business: Sharing and permissions](https://support.1password.com/team-policies/#sharing-and-permissions)
* [Workflow: Secure AI access](/get-started/secure-ai-access)
