Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.1password.dev/llms.txt

Use this file to discover all available pages before exploring further.

1Password offers three tools to help you automate administrative tasks: 1Password CLI, 1Password SDKs, and the 1Password Users API (Public Preview).

Choose your workflow

Use the following table to decide which tool best suits your use case:
1Password CLI1Password SDKs1Password Users API
Best forShell scripts, CI/CD pipelines, and infrastructure-as-code workflowsIntegrating directly into applications or services built in Go, JavaScript, or PythonConnecting your 1Password account to a security automation platform for incident response and access remediation
User managementProvision, confirm, suspend, reactivate, edit, delete, list, and get usersNot yet directly supportedList, get, suspend, and reactivate users
Group managementCreate, edit, delete, get, and list groups; add and remove members; manage groups’ access in vaultsGet groups and manage groups’ access in vaultsNot supported
Vault managementCreate, edit, delete, get, and list vaultsCreate, edit, delete, get, and list vaultsNot supported
Vault permissionsGrant and revoke user and group access to vaultsGrant and revoke group access to vaultsNot supported
Item managementCreate, get, edit, delete, list, move, and share itemsCreate, get, edit, delete, list, and share itemsNot supported

1Password CLI

1Password CLI lets you manage your 1Password account from the command line. You can call 1Password CLI commands from shell scripts, CI/CD pipelines, or any process that can run shell commands. Use the CLI when you want to:
  • Write shell scripts that automate repetitive tasks, like onboarding a batch of users or rotating group memberships.
  • Run one-off administrative tasks from the terminal, like provisioning a new user or creating a vault.
  • Run targeted operations on individual user accounts or generate reports about users from the terminal.
  • Automate user and group provisioning as part of your infrastructure workflows.
For example, to provision a new user and add them to a group: 
op user provision --name "Wendy Appleseed" --email wendy.appleseed@agilebits.com
op group user grant --group Engineering --user wendy.appleseed@agilebits.com
To create a vault and grant a group access to view the items in it: 
op vault create "New Project"
op vault group grant --vault "New Project" --group Engineering --permissions view_items
https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/cli.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=6cc858defdafe9584a48abfd8139136b

Get started with 1Password CLI

Install the CLI and sign in to your account.

CLI command reference

Full reference for all CLI commands and flags.

Example scripts

Item management

Bulk create, read, update, or delete items and related automation examples built on op item.

Scripted provisioning

Invite, suspend, reactivate, or delete users from a CSV using the CLI provisioning workflow.

Reporting

Generate CSV reports of vault access, permissions, and contents using CLI scripts.

User management

Identify users who have not signed in for a chosen number of days for follow-up or bulk actions.

1Password SDKs

1Password SDKs provide native libraries for Go, JavaScript, and Python that let you manage 1Password programmatically from your application code. Use the SDKs when you want to:
  • Build custom admin tooling or internal dashboards that manage groups, vaults, and items.
  • Embed operations like group provisioning into existing applications and workflows.
  • Automate group, vault, and item management as part of a larger programmatic workflow, with native error handling in Go, JavaScript, or Python.
https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/sdks.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=967806ff5e487d91f20c628285a3ccf3

Get started with 1Password SDKs

Install an SDK and authenticate with the desktop app or a service account.

Supported functionality

See what’s currently supported and what’s in development.

Example projects

Inventory tracker web app

Node.js sample that stores inventory in 1Password items and runs with op run and Docker Compose.

Okta user onboarding script

Python utility that creates an Okta user, saves credentials in 1Password, and generates a secure item share link.

Encrypted vault backup app

Web app to back up and restore vaults with encryption, using the JS SDK and CLI for vault operations the SDK does not cover.

Vault migration web app

Self-hosted tool to migrate vaults between accounts with batch SDK operations, progress streaming, and downloadable logs.

1Password Users API (Public Preview)

Use the 1Password Users API to suspend, reactivate, or look up users programmatically through a server-to-server OAuth integration. The API allows you to connect your 1Password account to a security automation platform, so events flagged by your security tools can trigger user access remediation actions in 1Password. Use the Users API when you want to:
  • Connect your 1Password account to a security automation platform using a pre-built partner integration or a custom integration.
  • Automatically suspend a user in 1Password in response to events from your SIEM or other detection tools.
  • Reactivate a user after an incident is resolved.
  • Programmatically list users or look up a single user’s state to drive other workflows in your security tooling.
For example, after requesting an access token, you can suspend a user in response to a security event: 
curl --request POST \
  --url "https://api.1password.com/v1beta1/accounts/<account_id>/users/<user_id>:suspend" \
  --header "Authorization: Bearer <YOUR_ACCESS_TOKEN>" \
  --header "User-Agent: <CompanyOrProductName>/<version>"
Or list all currently suspended users in the account: 
curl --request GET \
  --url "https://api.1password.com/v1beta1/accounts/<account_id>/users?filter=user.isSuspended()" \
  --header "Authorization: Bearer <YOUR_ACCESS_TOKEN>" \
  --header "User-Agent: <CompanyOrProductName>/<version>"

Get started with the Users API

Create an OAuth application and make your first request.

Users API reference

Endpoint details for OAuth tokens and user actions.

Authentication options

1Password CLI and SDKs support authentication through the 1Password desktop app or a service account. The Users API authenticates through OAuth 2.0 client credentials.

1Password desktop app

Authenticate the CLI or an SDK locally in the same way you unlock your 1Password desktop app, like with biometrics or your 1Password account password. Best for interactive use where a human must be present to approve requests.
Use the 1Password desktop app when managing users’ and groups’ permissions in vaults. Service accounts can only manage access to vaults created by the service account.

1Password service account

Authenticate the CLI or an SDK using a service account token scoped to specific vaults, with no user interaction required. Best for automated workflows like CI/CD pipelines, scheduled scripts, or any process that runs without a human present. Service accounts can’t access your built-in Personal, Private, or Employee vault.

OAuth 2.0 authorization

Authenticate Users API requests using an OAuth 2.0 client credentials flow with scoped permissions, so each integration only has the access it needs. Access tokens are short-lived and can be revoked at any time. Best for server-to-server integrations between your 1Password account and an external system, like a security automation platform.