> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.
# Programmatically manage your organization
> Use 1Password CLI, SDKs, and the Users API to provision users, organize groups, control vault access, and integrate with security automation platforms in 1Password Business accounts.
1Password offers three tools to help you automate administrative tasks: [1Password CLI](#1password-cli), [1Password SDKs](#1password-sdks), and the [1Password Users API (Public Preview)](#1password-users-api-public-preview).
## Choose your workflow
Use the following table to decide which tool best suits your use case:
| | [1Password CLI](#1password-cli) | [1Password SDKs](#1password-sdks) | [1Password Users API](#1password-users-api-public-preview) |
| --------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- |
| **Best for** | Shell scripts, CI/CD pipelines, and infrastructure-as-code workflows | Integrating directly into applications or services built in Go, JavaScript, or Python | Connecting your 1Password account to a security automation platform for incident response and access remediation |
| **User management** | Provision, confirm, suspend, reactivate, edit, delete, list, and get users | Not yet directly supported | List, get, suspend, and reactivate users |
| **Group management** | Create, edit, delete, get, and list groups; add and remove members; manage groups' access in vaults | Get groups and manage groups' access in vaults | Not supported |
| **Vault management** | Create, edit, delete, get, and list vaults | Create, edit, delete, get, and list vaults | Not supported |
| **Vault permissions** | Grant and revoke user and group access to vaults | Grant and revoke group access to vaults | Not supported |
| **Item management** | Create, get, edit, delete, list, move, and share items | Create, get, edit, delete, list, and share items | Not supported |
## 1Password CLI
[1Password CLI](/cli) lets you manage your 1Password account from the command line. You can call 1Password CLI commands from shell scripts, CI/CD pipelines, or any process that can run shell commands.
Use the CLI when you want to:
* Write shell scripts that automate repetitive tasks, like onboarding a batch of users or rotating group memberships.
* Run one-off administrative tasks from the terminal, like provisioning a new user or creating a vault.
* Run targeted operations on individual user accounts or generate reports about users from the terminal.
* Automate user and group provisioning as part of your infrastructure workflows.
For example, to provision a new user and add them to a group:
```shell theme={null}
op user provision --name "Wendy Appleseed" --email wendy.appleseed@agilebits.com
op group user grant --group Engineering --user wendy.appleseed@agilebits.com
```
To create a vault and grant a group access to view the items in it:
```shell theme={null}
op vault create "New Project"
op vault group grant --vault "New Project" --group Engineering --permissions view_items
```
Install the CLI and sign in to your account.
Full reference for all CLI commands and flags.
### Example scripts
Bulk create, read, update, or delete items and related automation examples built on `op item`.
Invite, suspend, reactivate, or delete users from a CSV using the CLI provisioning workflow.
Generate CSV reports of vault access, permissions, and contents using CLI scripts.
Identify users who have not signed in for a chosen number of days for follow-up or bulk actions.
## 1Password SDKs
[1Password SDKs](/sdks) provide native libraries for Go, JavaScript, and Python that let you manage 1Password programmatically from your application code.
Use the SDKs when you want to:
* Build custom admin tooling or internal dashboards that manage groups, vaults, and items.
* Embed operations like group provisioning into existing applications and workflows.
* Automate group, vault, and item management as part of a larger programmatic workflow, with native error handling in Go, JavaScript, or Python.
Install an SDK and authenticate with the desktop app or a service account.
See what's currently supported and what's in development.
### Example projects
Node.js sample that stores inventory in 1Password items and runs with `op run` and Docker Compose.
Python utility that creates an Okta user, saves credentials in 1Password, and generates a secure item share link.
Web app to back up and restore vaults with encryption, using the JS SDK and CLI for vault operations the SDK does not cover.
Self-hosted tool to migrate vaults between accounts with batch SDK operations, progress streaming, and downloadable logs.
## 1Password Users API (Public Preview)
Use the [1Password Users API](/users-api) to suspend, reactivate, or look up users programmatically through a server-to-server OAuth integration. The API allows you to connect your 1Password account to a security automation platform, so events flagged by your security tools can trigger user access remediation actions in 1Password.
Use the Users API when you want to:
* Connect your 1Password account to a security automation platform using a [pre-built partner integration](https://support.1password.com/security-automation/) or a custom integration.
* Automatically suspend a user in 1Password in response to events from your SIEM or other detection tools.
* Reactivate a user after an incident is resolved.
* Programmatically list users or look up a single user's state to drive other workflows in your security tooling.
For example, after [requesting an access token](/users-api/request-access-token), you can suspend a user in response to a security event:
```shell theme={null}
curl --request POST \
--url "https://api.1password.com/v1beta1/accounts//users/:suspend" \
--header "Authorization: Bearer " \
--header "User-Agent: /"
```
Or list all currently suspended users in the account:
```shell theme={null}
curl --request GET \
--url "https://api.1password.com/v1beta1/accounts//users?filter=user.isSuspended()" \
--header "Authorization: Bearer " \
--header "User-Agent: /"
```
Create an OAuth application and make your first request.
Endpoint details for OAuth tokens and user actions.
## Authentication options
1Password CLI and SDKs support authentication through the [1Password desktop app](#1password-desktop-app) or a [service account](#1password-service-account). The Users API authenticates through [OAuth 2.0 client credentials](#oauth-2-0-authorization).
### 1Password desktop app
Authenticate the CLI or an SDK locally in the same way you unlock your 1Password desktop app, like with biometrics or your 1Password account password. Best for interactive use where a human must be present to approve requests.
Use the 1Password desktop app when managing users' and groups' permissions in vaults. Service accounts can only manage access to vaults created by the service account.
### 1Password service account
Authenticate the CLI or an SDK using a [service account](/service-accounts) token scoped to specific vaults, with no user interaction required. Best for automated workflows like CI/CD pipelines, scheduled scripts, or any process that runs without a human present. Service accounts can't access your built-in [Personal](https://support.1password.com/1password-glossary#personal-vault), [Private](https://support.1password.com/1password-glossary#private-vault), or [Employee](https://support.1password.com/1password-glossary#employee-vault) vault.
### OAuth 2.0 authorization
Authenticate Users API requests using an [OAuth 2.0 client credentials flow](/users-api/authorization) with [scoped permissions](/users-api/authorization#scopes), so each integration only has the access it needs. Access tokens are short-lived and can be [revoked](/users-api/revoke-access-token) at any time. Best for server-to-server integrations between your 1Password account and an external system, like a security automation platform.