Knowing how your team uses 1Password — who’s signing in from where, what items are being accessed, and when admin settings change — is essential for security investigations, compliance reviews, and day-to-day account management. 1Password gives administrators several ways to access this activity data, from logs and reports available on 1Password.com to APIs that send events to your security and analytics tools or take action on user accounts.Documentation Index
Fetch the complete documentation index at: https://www.1password.dev/llms.txt
Use this file to discover all available pages before exploring further.
Choose your workflow
Use the table below to decide which tools best suit your use case:| Audit log and reports | 1Password Events API | 1Password Users API | |
|---|---|---|---|
| Best for | Reviewing activity and exporting reports on 1Password.com | Sending 1Password activity to a SIEM or analytics platform | Letting a SOAR or security automation platform act on user accounts |
| What you get | Audit log, sign-in attempts, user adoption, device, team, usage, and overview reports | Audit events, item usage events, and sign-in attempts | List users, get user details, suspend users, and reactivate users |
| When to use it | You want quick access to account information and CSV exports without building an integration | You want centralized dashboards, alerts, correlation, or longer-term retention in your own tooling | You want an approved integration to take user access remediation actions in 1Password |
| Setup | Just sign in to your 1Password account — no integration required | Create an Events Reporting integration and issue a bearer token | Create an OAuth application and generate client credentials |
Audit log and reports
Gain visibility into the last 12 months of activities directly in your team’s 1Password Business account without needing to set up an integration.Use the audit log
You can access the audit log from the audit log section in your 1Password account. Use the audit log to:- Search and filter sign-in attempts, item usage, and admin actions.
- Track actions across users, groups, vaults, devices, service accounts, reports, and more to see who did what and when.
- Export the filtered results as a CSV for auditors or further analysis.
Create reports
Generate reports from the Reports section in your 1Password account. You can create reports to help you:- Monitor security issues in your account, like data breaches involving team members or company email addresses.
- Get detailed usage information for individual team members, service accounts, and vaults, including which items were accessed and when.
- See active users, item access patterns, and sign-in attempts across your account.
- Navigate compliance reviews, access audits, and offboarding checks.
Use the audit log
Search activity in your 1Password Business account and export results as CSV.
Create reports
Generate reports for users, service accounts, vault activity, item usage, and more.
1Password Events API
Use the 1Password Events API to retrieve activity from your 1Password Business account and send it to your security and analytics tools, so it can be reviewed and correlated alongside the rest of your environment. The Events API includes detailed information about the following types of account activity:- Audit events for actions performed by team members involving vaults, groups, users, permissions, SSO configuration, service accounts, and more.
- Item usage in shared vaults, like when and where items are viewed, copied, filled, revealed, exported, shared, or edited.
- Sign-in attempts for successful and failed sign-ins, including details about the client app, IP address, geolocation, and the reason for any failures (such as bad credentials, failed MFA, or firewall blocks).
The Events API can access the last 120 days of account activity. For events older than 120 days, you can use the audit log in your 1Password account.
Get started with the Events API
Set up an Events Reporting integration in your 1Password Business account.
Pre-built SIEM connectors
See which platforms have built-in 1Password integrations.
Audit events catalog
Every audit action and object type the API can return, organized by category.
Item usage actions
What each item usage action means and which client triggered it.
Events API reference
Endpoint details for audit events, item usage, and sign-in attempts.
1Password Users API (Public Preview)
Use the 1Password Users API for Partners (public preview) to create an integration between your 1Password Business account and your preferred security automation platform. Then use the integration to take actions on user accounts in response to events reporting data or SIEM-detected events, such as automatically suspending a user directly in 1Password when suspicious sign-in events are flagged. With the Users API, you can:- List users in your account, optionally filtered to active or suspended users, to build inventories or pick targets for action.
- Get a user by ID to retrieve their display name, email, and current state (active or suspended).
- Suspend a user to remove their 1Password account access during offboarding or incident response.
- Reactivate a user after the issue is resolved or onboarding is completed.
Get started with the Users API
Create an OAuth application and make your first request.
Pre-built partner integrations
Security automation platforms that already work with the Users API.
About the Users API
Endpoint paths, request methods, headers, pagination, and rate limits.
Users API reference
Endpoint details for OAuth tokens and user actions.