> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Get started with the 1Password Events API

export const CodeResult = ({children, resultLang, wrap, expandable}) => {
  const parseChildren = () => {
    let language = "text";
    let codeContent = "";
    const extractText = node => {
      if (typeof node === "string") {
        return node;
      }
      if (Array.isArray(node)) {
        return node.map(extractText).join("");
      }
      if (node?.props?.children) {
        return extractText(node.props.children);
      }
      return "";
    };
    const extractLanguage = node => {
      if (!node) return null;
      if (node.props?.className) {
        const className = node.props.className;
        const langMatch = className.match(/language-(\w+)/);
        if (langMatch) {
          return langMatch[1];
        }
      }
      if (node.props?.["data-language"]) {
        return node.props["data-language"];
      }
      if (node.props?.language) {
        return node.props.language;
      }
      return null;
    };
    if (typeof children === "string") {
      codeContent = children;
    } else if (Array.isArray(children)) {
      codeContent = extractText(children);
      for (const child of children) {
        const detectedLang = extractLanguage(child);
        if (detectedLang) {
          language = detectedLang;
          break;
        }
      }
    } else if (children?.props) {
      const detectedLang = extractLanguage(children);
      if (detectedLang) {
        language = detectedLang;
      }
      codeContent = extractText(children);
    }
    const parts = codeContent.split("#code-result");
    if (parts.length < 2) {
      return {
        command: codeContent.trim(),
        result: null,
        language,
        defaultOpen: false
      };
    }
    const resultText = parts[1].trim();
    const defaultOpen = resultText.startsWith("open");
    const cleanResult = defaultOpen ? resultText.slice(4).trim() : resultText;
    return {
      command: parts[0].trim(),
      result: cleanResult,
      language,
      defaultOpen
    };
  };
  const {command, result, language, defaultOpen} = parseChildren();
  const [isOpen, setIsOpen] = useState(defaultOpen);
  if (!result) {
    return children;
  }
  return <div className="codeblock_accordion not-prose mb-4">
      {}
      <div className="[&>*]:!mb-0 [&>*]:!rounded-b-none">
        <CodeBlock language={language} children={command} wrap={wrap} expandable={expandable} />
      </div>

      {}
      <div className="see_results_container border-t-0 bg-gray-100/80 dark:bg-gray-800/80 overflow-hidden" style={{
    marginTop: "-0.25rem"
  }}>
        <button onClick={() => setIsOpen(!isOpen)} className="w-full px-4 py-2.5 flex items-center gap-1 text-left text-[14px] font-medium text-gray-600 dark:text-gray-400 hover:text-gray-800 dark:hover:text-gray-200 hover:bg-gray-200/60 dark:hover:bg-gray-700/60 transition-all duration-150" aria-expanded={isOpen}>
          {isOpen ? <Icon icon="caret-down" size="14" iconType="solid" /> : <Icon icon="caret-right" size="14" iconType="solid" />}

          <span>See result...</span>
        </button>

        {isOpen && <div className="[&>*]:!mt-0 [&>*]:!rounded-t-none border-t border-[var(--op-border-ui)] dark:border-[var(--op-border-ui-dark)]">
            <CodeBlock language={resultLang || language} children={result} wrap={wrap} expandable={expandable} />
          </div>}
      </div>
    </div>;
};

export const Small = ({children}) => {
  return <small>{children}</small>;
};

You can use the 1Password Events API to set up an integration between your 1Password Business account and your security information and event management (SIEM) system.

## Requirements

Before you get started, you'll need to [sign up for a 1Password Business account](https://1password.com/pricing/password-manager).

If you already have a business account, you'll need to be an [owner](https://support.1password.com/1password-glossary/#owner) or [administrator](https://support.1password.com/1password-glossary/#administrator) to set up an Events Reporting integration.

## Step 1: Set up an Events Reporting integration

You can set up an Events Reporting integration in your 1Password Business account:

1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Integrations**](https://start.1password.com/integrations/directory) in the sidebar. If you've set up other integrations in your account, you'll also need to select **Directory** on the Integrations page.
3. In the Events Reporting section, choose your SIEM from the list. If your SIEM isn't listed, select **Other**.
4. Enter a name for the integration, then select **Add Integration**.
5. Set up a bearer token:
   * **Token Name**: Enter a name for the token.
   * **Expires After**: (Optional) Choose when the token will expire: 30 days, 90 days, or 180 days. The default setting is Never.
   * **Events to Report**: Choose which events the token can access. The default scope includes all events: sign-in attempts, item usages, and audit events.
6. Select **Issue Token**.
7. On the "Save your token" page, select **Save in 1Password**. Choose the vault where you want to save your token, then select **Save**. <br /><Small>Your bearer token will be saved as an <a href="https://support.1password.com/item-categories/#api-credential">API Credential item</a> in 1Password.</Small>
8. Select **View Integration Details**.

You can issue or revoke bearer tokens for your Events Reporting integration at any time. Learn more about [how to manage bearer tokens](/events-api/authorization#manage-bearer-tokens).

## Step 2: Test the integration

Before you connect your 1Password account with your SIEM, you can send a test request to the Events API using [curl <Icon icon="arrow-up-right-from-square" />](https://curl.se/) on the command line. Specify the [endpoint](/events-api/endpoints/) along with any required [request headers](/events-api/request-headers/) and data.

### 1. Create a curl request

In your terminal, format your curl request using the following structure:

```shell theme={null}
curl --request <METHOD> \
  --url <base_url>/<path> \
  --header 'Authorization: Bearer <YOUR_BEARER_TOKEN>' \
  --header 'Content-Type: application/json' \
  --data '{
    "limit": <number_of_records>,
    "start_time": "<YYYY-MM-DDTHH:MM:SSZ>",
    "end_time": "<YYYY-MM-DDTHH:MM:SSZ>"
}'
```

<Small>The `Content-Type` header and the `--data` flag with [pagination](/events-api/pagination/) content are only used in `POST` requests to the Events API.</Small>

Replace the highlighted content with your preferred values:

`{'<METHOD>'}` The [HTTP request method](/events-api/request-methods/) you want to use for your request. For example: `POST`.

`{'<base_url>'}` The [base URL](/events-api/servers/) of the server used for events in your 1Password account. For example: `https://events.1password.com`.

`{'<path>'}` The path of the [endpoint](/events-api/endpoints/) you want to use. For example: `/api/v2/signinattempts`.

`{'<YOUR_BEARER_TOKEN>'}`: The bearer token you generated in [step 1](#step-1-set-up-an-events-reporting-integration). You can use one of the following options:

* Option 1: Copy the credential field from the bearer token you saved in 1Password, then paste it in the authorization header. For example:

  ```shell theme={null}
  --header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjNyaTN0NDR0anZvZmNmbWc0Z2tsNWk2b2FpIiwidHlwIjoiSldUIn0...'
  ```

  <Small>The `...` at the end of the bearer token here indicates it's been truncated for the example. You'll need to include the full credential string for your token.</Small>

* Option 2: [Use an environment variable to load your API token](/events-api/generic-scripts#usage) to avoid revealing your bearer token in plaintext. You'll need to use double quotes for the authorization header to allow for variable expansion. For example:

  ```shell theme={null}
  --header "Authorization: Bearer ${EVENTS_API_TOKEN}"
  ```

`{'<number_of_records>'}` The optional [pagination limit](/events-api/pagination/) for the maximum number of event records you want returned per page. (POST requests only.) Choose a value from `1` to `1000`.

`{'<YYYY-MM-DDTHH:MM:SSZ>'}` The optional [RFC 3339-formatted <Icon icon="arrow-up-right-from-square" />](https://datatracker.ietf.org/doc/html/rfc3339) date and time (UTC) for when you want to start and stop retrieving events. (POST requests only.) For example: `2025-10-31T09:00:00Z`.

The pagination limit, start time, and end time data is all optional. If you don't want to include them in your POST request, use an empty request body for the `--data` flag:

```shell theme={null}
  --data '{}'
```

### 2. Send a curl request

Send your formatted curl request from the terminal.

The following example sends a POST request to the [`signinattempts` endpoint](/events-api/reference#post-%2Fapi%2Fv2%2Fsigninattempts), using the curl command structure from the example above.

<CodeResult>
  ```json theme={null}
  curl --request POST \
    --url https://events.1password.com/api/v2/signinattempts \
    --header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6Imt6aXJ4NHQ0Mm1laDVwbmFhcm4yYjZucXN1IiwidHlwIjoiSldUIn0...' \
    --header 'Content-Type: application/json' \
    --data '{
      "limit": 1,
      "start_time": "2025-10-31T09:00:00Z",
      "end_time": "2025-10-31T17:00:00Z"
    }'
  #code-result
  {
    "cursor": "ZX8DAQETRWxhc3RpY3NlYXJjaEN1cnNvcgH_gAABBQEFTGltaXQBBAABCVN0YXJ0VGltZQH_ggABB0VuZFRpbWUB_4IAAQtTZWFyY2hBZnRlcgEEAAEKVGllQnJlYWtlcgEMAAAACv-BBQEC_4QAAABL_4ABAgEPAQAAAA7gjFYQAAAAAP7UAQ8BAAAADuCSBYgAAAAA_tQB-gM0JEhDqgEaQlRYUFUzM1ZOTkJLVERST0lGRUVUQkZQNlUA",
    "has_more": true,
    "items": [
      {
        "uuid": "BTXPU33VNNBKTDROIFEETBFP6U",
        "session_uuid": "DU72R2RHZRHUTOYHMG44EDG4UI",
        "timestamp": "2025-10-31T13:45:49.203617068Z",
        "country": "CA",
        "category": "success",
        "type": "credentials_ok",
        "details": null,
        "client": {
          "app_name": "1Password for Mac",
          "app_version": "81118011",
          "platform_name": "Wendy’s MacBook Pro",
          "platform_version": "MacBookPro18,2",
          "os_name": "MacOSX",
          "os_version": "15.7.1",
          "ip_address": "192.0.2.254"
        },
        "location": {
          "country": "CA",
          "region": "Ontario",
          "city": "Toronto",
          "latitude": 43.5991,
          "longitude": -79.4988
        },
        "target_user": {
          "uuid": "ETWZJTQCSRFPVOX74KERGHPBTU",
          "name": "Wendy Appleseed",
          "email": "wendy_appleseed@agilebits.com",
          "type": "user"
        },
        "account_uuid": "4XHKKHXODJANPD6ZTBAXK4IM7E"
      }
    ]
  }
  ```
</CodeResult>

### 3. Review the response

Review the response that was returned to check that the request was successful.

The example request above shows a successful `200` response, with JSON objects detailing the sign-in attempt event(s) and a cursor for continued calling of the API. See the [response schema for the `signinattempts` endpoint](/events-api/reference#responses-3) for more information.

If the request was successful but your 1Password account didn't contain any events within the parameters of your request, the response will still return an object with a [cursor string](/events-api/pagination#cursor). For example:

```json theme={null}
{
  "cursor": "ZX8DAQETRWxhc3RpY3NlYXJjaEN1cnNvcgH_gAABBQEFTGltaXQBBAABCVN0YXJ0VGltZQH_ggABB0VuZFRpbWUB_4IAAQtTZWFyY2hBZnRlcgEEAAEKVGllQnJlYWtlcgEMAAAACv-BBQEC_4QAAAAn_4ABAgEPAQAAAA7gfNhwAAAAAP__AQ8BAAAADuB84vwAAAAA__8A",
  "has_more": false,
  "items": []
}
```

If you made a call to a different endpoint, check the [Events API reference](/events-api/reference/) for the appropriate response object schema.

If you see an error, learn more about [HTTP status codes and recommended actions for error messages](/events-api/status-codes).

## Step 3: Connect your 1Password account to your SIEM

### Use a pre-built connector

Many SIEMs already support connecting with 1Password. To use a pre-built connector, [check if your SIEM is in the list of supported applications or services](https://support.1password.com/events-reporting/#step-2-connect-your-1password-account-to-your-siem). If it is, you can follow the provided link for documentation on how to connect your 1Password account.

If your SIEM isn't listed, you can also check the documentation for that service for any information they might have about connecting to a 1Password account.

### Build your own integration

If your SIEM doesn't have a pre-built connector, you can build your own client to send your 1Password account activity to your SIEM. Use the [Events API reference](/events-api/reference/) and documentation to learn more about how the API works.

To help you get started, you can refer to the [example scripts in our GitHub repository <Icon icon="github" />](https://github.com/1Password/events-api-generic/) for JavaScript, Python, Ruby, Go, and PHP. Learn more about [how to use the example scripts](/events-api/generic-scripts/).

## Learn more

* [1Password Events API reference](/events-api/reference/)
* [About the 1Password Events API](/events-api/introduction/)
* [1Password Events API generic scripts](/events-api/generic-scripts/)
* [GitHub repository of example scripts <Icon icon="github" />](https://github.com/1Password/events-api-generic/)
* [Workflow: Get data and analytics for your account](/get-started/get-data-and-analytics)
* [Administrator quickstart](/get-started/administrator-quickstart)
