Requirements
Before you get started, you’ll need to sign up for a 1Password Business account. If you already have a business account, you’ll need to be an owner or administrator to set up an Events Reporting integration.Step 1: Set up an Events Reporting integration
You can set up an Events Reporting integration in your 1Password Business account:- Sign in to your account on 1Password.com.
- Select Integrations in the sidebar. If you’ve set up other integrations in your account, you’ll also need to select Directory on the Integrations page.
- In the Events Reporting section, choose your SIEM from the list. If your SIEM isn’t listed, select Other.
- Enter a name for the integration, then select Add Integration.
- Set up a bearer token:
- Token Name: Enter a name for the token.
- Expires After: (Optional) Choose when the token will expire: 30 days, 90 days, or 180 days. The default setting is Never.
- Events to Report: Choose which events the token can access. The default scope includes all events: sign-in attempts, item usages, and audit events.
- Select Issue Token.
- On the “Save your token” page, select Save in 1Password. Choose the vault where you want to save your token, then select Save.
Your bearer token will be saved as an API Credential item in 1Password. - Select View Integration Details.
Step 2: Test the integration
Before you connect your 1Password account with your SIEM, you can send a test request to the Events API using curl on the command line. Specify the endpoint along with any required request headers and data.1. Create a curl request
In your terminal, format your curl request using the following structure:Content-Type header and the --data flag with pagination content are only used in POST requests to the Events API.
Replace the highlighted content with your preferred values:
{'<METHOD>'} The HTTP request method you want to use for your request. For example: POST.
{'<base_url>'} The base URL of the server used for events in your 1Password account. For example: https://events.1password.com.
{'<path>'} The path of the endpoint you want to use. For example: /api/v2/signinattempts.
{'<YOUR_BEARER_TOKEN>'}: The bearer token you generated in step 1. You can use one of the following options:
-
Option 1: Copy the credential field from the bearer token you saved in 1Password, then paste it in the authorization header. For example:
The
...at the end of the bearer token here indicates it’s been truncated for the example. You’ll need to include the full credential string for your token. -
Option 2: Use an environment variable to load your API token to avoid revealing your bearer token in plaintext. You’ll need to use double quotes for the authorization header to allow for variable expansion. For example:
{'<number_of_records>'} The optional pagination limit for the maximum number of event records you want returned per page. (POST requests only.) Choose a value from 1 to 1000.
{'<YYYY-MM-DDTHH:MM:SSZ>'} The optional RFC 3339-formatted date and time (UTC) for when you want to start and stop retrieving events. (POST requests only.) For example: 2025-10-31T09:00:00Z.
The pagination limit, start time, and end time data is all optional. If you don’t want to include them in your POST request, use an empty request body for the --data flag:
2. Send a curl request
Send your formatted curl request from the terminal. The following example sends a POST request to thesigninattempts endpoint, using the curl command structure from the example above.
3. Review the response
Review the response that was returned to check that the request was successful. The example request above shows a successful200 response, with JSON objects detailing the sign-in attempt event(s) and a cursor for continued calling of the API. See the response schema for the signinattempts endpoint for more information.
If the request was successful but your 1Password account didn’t contain any events within the parameters of your request, the response will still return an object with a cursor string. For example: