Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.1password.dev/llms.txt

Use this file to discover all available pages before exploring further.

Hardcoded plaintext secrets in source code, config files, environment files, and shell profiles are one of the most common causes of credential leaks. 1Password developer tools make it easy to access your secrets where you need them without exposing them in plaintext. Store your credentials in 1Password, then securely load them in your terminal, IDE, app, CI/CD pipelines, or anywhere else in your code.
Want to get started quickly? Create an Environment for a set of project secrets, then create a local .env file to access them directly from 1Password where you need them.
Not sure where to start? Use the configuration tables to find the best tool and authentication method for your specific use case.

Environments (beta)

An authorization prompt is shown when you try to access a mounted `.env` file through your local terminal.
1Password Environments (beta) function like a vault for your developer secrets. You can organize your secrets in 1Password as collections of environment variables for each project or development context, then securely access them when you need them without exposing anything in plaintext. Switching between different sets of secrets for different contexts is as simple as pointing to a different Environment ID. You can use Environments to load sets of secrets into any context where you typically load secrets from the environment. For example:
  • Local development: Use 1Password CLI to pass the variables stored in an Environment to applications or scripts at runtime, or create a locally mounted .env file for tools that expect an environment file on disk.
  • AI-assisted coding: Keep plaintext secrets out of an LLM’s context using a locally mounted .env file that your IDE can read without storing the plaintext contents on your device. Use 1Password hooks to validate your setup before the agent executes shell commands.
  • Containerized apps: Use 1Password SDKs to retrieve Environment variables directly in your application container’s code, or use 1Password CLI to load variables into an init container or sidecar at runtime.
  • CI/CD pipelines: Use 1Password CLI to load the right set of variables into your pipeline for the current development stage by pointing to the Environment your pipeline needs. Authenticate with a service account for automated, least privilege access.
Environments are a great choice for securing your developer secrets when you have environment files that currently use plaintext secrets. You can import your existing .env files directly into 1Password, and you can share your Environments with your team members for quick and secure collaboration.
https://mintcdn.com/ab-634991b8/kblVKwG534GVs6ut/static/img/product-icons/light/environments.svg?fit=max&auto=format&n=kblVKwG534GVs6ut&q=85&s=40fd45ddb1099154832a332c40c46c9a

Get started

Create and manage Environments.

Access secrets through local .env files

Sync an Environment to a local .env file.

Programmatically read Environments

Fetch variables from Environments with 1Password CLI or SDKs.

Sync secrets to AWS Secrets Manager

Centralize secrets management and simplify your AWS Secrets Manager workflow.
You can also replace hardcoded secrets in your code using secret references.

Shell plugins

With our open source shell plugin ecosystem, you can use 1Password to bring secure biometric authentication to all your command-line tools. When you configure a shell plugin for a CLI, you authenticate the CLI in the same way you unlock the 1Password desktop app, like with Touch ID, Apple Watch, or Linux system authentication. Shell plugins make authenticating all the CLI tools you use secure and easy, without ever needing to enter your credentials manually in your terminal. For example:
  • Cloud provider CLIs: Authenticate aws and other cloud provider CLIs with 1Password instead of storing access keys in ~/.aws/credentials or shell profiles.
  • Version control: Use the GitHub or GitLab shell plugins to authenticate gh or glab without storing plaintext tokens in your environment.
  • Local development tools: Authenticate package managers and development CLIs like Homebrew without storing credentials in config files.
Shell plugins allow you to configure different credentials in different project directories, so you can seamlessly switch between different contexts without needing to take the time to sign out and in again. Get started with one of our most popular shell plugins:

Choose your configuration

Use the tables below to find the best tools and authentication method for your specific use case. Every scenario includes a recommended tool and authentication method.

Tool options

  • 1Password Environments: Best for managing project secrets in 1Password and eliminating plaintext secrets in code.
  • 1Password CLI: Best for quick testing, shell scripts, CI/CD pipelines, Infrastructure as Code, build tools and task runners. Environments require the latest CLI beta.
  • 1Password SDKs: Best for native integrations with Go, Python, or JavaScript applications. Environments require the latest SDK beta.
  • 1Password Shell Plugins: Best for securing command-line tools and adding convenient biometric authentication to any CLI.
  • 1Password Connect server: Securely access secrets in your company’s apps and cloud infrastructure using a private REST API.

Authentication options

  • 1Password desktop app: Authenticate locally in the same way you unlock your 1Password desktop app, like with biometrics or your 1Password account password. Requires minimal setup with no token management and enables human-in-the-loop approval for sensitive workflows.
  • 1Password Service Accounts: Authenticate using a token scoped to specific vaults or Environments, with no user interaction required. Best for headless servers, automated workflows, and shared building. Service accounts can’t access your built-in Personal, Private, or Employee vault.
  • Connect server token: Authenticate with your Connect server host and token.

Scenarios

Local development

Use caseRecommended toolAuthentication methodWhy this approach
Local development on your machineEnvironments + CLI/SDK or local .env fileDesktop appUse 1Password CLI or SDKs to load your project secrets from an Environment directly into your application at runtime, or use a locally mounted .env file if your app expects an environment file. Authenticate with the 1Password desktop app for quick setup with no token management required.
AI-assisted codingEnvironments + Local .env fileDesktop appUse locally mounted .env files to provide secrets to your IDE without storing them on disk, keeping them out of LLM context. Then use 1Password hooks to validate your setup before the agent executes commands.
Build tools and task runnersEnvironments + CLIDesktop app or Service account1Password CLI integrates easily with build tools like make, gradle, or npm scripts. Use the 1Password desktop app for interactive developer builds, or service accounts for shared builds.
Replacing hardcoded secrets in existing config files or scriptsEnvironments + CLIDesktop app or Service accountTemplate your config file with environment variables instead of plaintext secrets, then use 1Password CLI to load the secrets from an Environment at runtime. Authenticate with the 1Password desktop app for personal scripts. Use service accounts for CI/CD, shared builds, or automated access.
Securing third-party CLI toolsShell pluginsDesktop appShell plugins bring the biometric unlock options available in the 1Password desktop app to dozens of command-line tools, so there are no tokens to manage and credentials are never stored in shell profiles or config files.
Using a CLI tool with multiple accounts or environmentsShell pluginsDesktop appShell plugins allow you to seamlessly switch between different credentials for different accounts and development contexts.

Production environments

Use caseRecommended toolAuthentication methodWhy this approach
CI/CD pipelines
(GitHub Actions, GitLab CI, etc.)		Environments + CLI or CI/CD integrationsService accountUse Environments to pass project variables into CI/CD pipelines that support shell commands. This allows you to organize and switch between secrets by development context. Use CI/CD integrations to load secrets into your pipeline using secret references. Service accounts provide non-interactive authentication for automated workflows and can be scoped to only the Environments or vaults your pipeline needs.
Application runtime or server-side applicationsEnvironments + SDKsService account1Password SDKs offer native language integration with better error handling and type safety. Service accounts enable secure, automated access without user interaction and headless server authentication.
Docker containers and KubernetesEnvironments + SDK or CLIService accountService accounts work well in containerized environments. Choose 1Password SDKs for application containers, or choose 1Password CLI for init containers or sidecars.
Infrastructure as CodeEnvironments + CLI or Terraform/Pulumi integrationsService account1Password CLI can be easily invoked from IaC tools. Service accounts enable automated infrastructure provisioning.

Secrets management

Use caseRecommended toolAuthentication methodWhy this approach
Secrets rotationEnvironments + CLI/SDKService accountWhen you update an Environment, the change is automatically reflected in your code at runtime. Use a service account for automated or scheduled rotation workflows.
Accessing secrets in company apps and cloud infrastructureCLI or Connect SDKConnect serverConnect server hosts a private REST API in your own infrastructure, enabling unlimited re-requests after the initial fetch and reducing dependency on the availability of the 1Password API.

Get help

To get help, join the discussion in our Developer community or join our Developer Slack workspace.