Your developers use secrets like API keys, database credentials, SSH keys, and other tokens across their local machines, CI/CD pipelines, and AI-assisted workflows. Without an effective approach to securing these credentials, secrets end up exposed in plaintext .env files, shell profiles, config files, and version control, creating risk that’s hard to discover and fix. 1Password gives you the tools to make sure your team is using secure workflows without slowing down their development work. This guide walks you through the policies to configure, resources to set up, and developer tools to roll out so your team can work quickly and securely from day one.

Configure team policies

With 1Password Business, you can set policies for how people in your organization sign in to and use their 1Password accounts, including how they use developer tools. To manage developer policies, sign in to your account on 1Password.com, select Policies in the sidebar, then select Manage under the “Sharing and permissions” policy.
You can set team member policies if you’re an owner, administrator, or part of a group with the Manage Settings permission.

SSH

Turn on Allow automatic creation of SSH configuration file to allow your team to easily connect to hosts using SSH Bookmarks with SSH keys stored in 1Password.

Agentic permissions

Turn on Allow AI Agents to autofill for users to let your team use Agentic Autofill (early access) to securely provide credentials to AI agents. Agentic Autofill currently supports Browserbase Director.
By default, team members can see developer tools and integrations in the sidebar when they sign in to their account on 1Password.com. If you choose to hide these tabs, people outside the Owners and Administrators groups won’t be able to see them in the sidebar, and will only be able to access existing active tools or integrations with a link. For ease of use, we recommend keeping these tabs visible for your team.

1Password browser extension

Turn on Require team members to add the extension during account setup to require your team to install the 1Password browser extension. They can use the browser extension to autofill SSH public keys, which makes it easier to set up Git commit signing and SSH. The browser extension also provides automatic prompts to save certain developer credentials in 1Password, like when you create an AWS access key.
Under Autofill access, make sure SSH items are selected as an item type team members can autofill with 1Password. This allows your team to autofill SSH public keys.

Biometrics and unlock settings

Many 1Password developer tools have the option to authenticate using the 1Password desktop app with biometrics. Make sure your unlock and auto-lock policy allows biometric unlock (Touch ID, Windows Hello, or Linux system authentication) so your developers can use these tools without friction. You can configure this under Authentication > Unlock and auto-lock in your team policies.

Manage team policies

Full list of configurable policies.

Set up shared resources

With policies in place, set up the shared resources you’ll need to effectively roll out 1Password developer tools to your engineering team.

Environments

1Password Environments (beta) let you organize project secrets as collections of environment variables that your team can share and access directly in their code. Instead of each developer maintaining their own .env files, which can easily get out of date, you can create an Environment in 1Password and share it with the appropriate people on your team. Then when you update the Environment, the change is reflected for everyone who needs it.
Create shared Environments for your organization’s shared developer credentials, like API keys, database credentials, service account tokens, and other infrastructure secrets.
Organize your Environments by access boundary for each project, not credential type, so that each Environment reflects a separate context. If your team works with development, staging, and production environments for a project, create a corresponding 1Password Environment for each. For example, Website Production, iOS App Beta, or Payment Services Production. Developers can switch between targets by changing an Environment ID rather than managing separate sets of credentials.

Shared vaults

Create shared vaults for the other credentials your developers need access to. Organize vaults by a shared context like team or project. Follow the principle of least privilege in deciding who has access to each shared vault.

Groups

You can create custom groups to manage access to shared vaults. Using groups to assign access makes onboarding and offboarding simpler and makes sure permissions stay consistent as your team evolves.

Service accounts

Create 1Password Service Accounts for your team’s automated workflows, including CI/CD pipelines, deployment scripts, scheduled jobs, and other processes that need to access secrets without a human present. Each service account token is scoped to specific vaults and Environments with defined permissions.
Follow the principle of least privilege when you create service accounts: give each service account access only to the vaults and Environments it needs, with the minimum permissions required. Create one service account per purpose, so you can easily revoke a token if needed, and for a better audit trail. For example, create separate service accounts for your CI/CD pipeline, your production deployment, your staging environment, and any other distinct use case.
By default, only owners and administrators can create service accounts. If you want to allow other groups to create service accounts, sign in on 1Password.com and navigate to Developer > Permissions > Service Account.
Review your organization’s service accounts periodically. Are any scoped too broadly? Are any still active for inactive projects? You can list and manage service accounts on 1Password.com under Developer > Service accounts. You can also generate reports about service accounts by creating a usage report.

Business security practices

Best practices for securing your 1Password Business account across settings, access, integrations, and team lifecycle.

Roll out developer tools

Now that you have your policies and shared resources set up, you’re ready to get your engineering team using 1Password developer tools. Here are some tips to help you get started:

Share the developer quickstart

Share the developer quickstart to help your engineering team set up 1Password’s main developer tools. Make sure to add the quickstart to your organization’s onboarding documentation to help new hires get started from day one.

Developer quickstart

Install the 1Password desktop app, CLI, SSH agent, and learn how to securely load secrets from Environments.

Require signed commits

Adjust your GitHub or GitLab repository rules to require signed commits, then help your team configure Git commit signing with 1Password.

GitHub

Learn how to require signed commits in GitHub.

GitLab

Learn how to require signed commits in GitLab.

Secure plaintext credentials

Encourage your team to audit their local machines for secrets that can be migrated to 1Password, so they can remove plaintext secrets from their code. Common places to look include:
  • .env files in project directories.
  • Shell profiles like .bashrc or .zshrc.
  • Config files like ~/.aws/credentials or ~/.ssh/config.
  • Hardcoded values in scripts and source code.
If your developers use VS Code, 1Password for VS Code is a convenient way to quickly detect secrets and secure them in 1Password.
Then have them follow the guide to securing developer credentials to load these secrets securely from 1Password instead.
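
One way to run the audit described above, as an added example (not 1Password's code): it scans the listed locations for secret-looking assignments and reports the file, line, and variable name without ever printing the value. The name pattern, `HOME_FILES`, and the function names are assumptions of this example.

```python
import re
from pathlib import Path

# Assumption: a secret-looking assignment is NAME=value where NAME contains
# one of these words. The pattern is illustrative, not a 1Password rule.
SECRET_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY|PRIVATE_KEY)", re.I)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
# Locations named in the list above, relative to the home directory.
HOME_FILES = [".bashrc", ".zshrc", ".aws/credentials", ".ssh/config"]

def scan_file(path):
    """Return (path, line number, variable name) for each plaintext secret."""
    findings = []
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return findings  # unreadable file: nothing to report
    for number, line in enumerate(lines, start=1):
        match = ASSIGNMENT.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip().strip("'\"")
        # Skip empty values, shell expansions and op:// secret references,
        # which point at 1Password instead of holding the secret itself.
        if not value or value.startswith(("$", "op://")):
            continue
        if SECRET_NAME.search(name):
            findings.append((str(path), number, name))  # never the value
    return findings

def audit(home, project_dirs):
    """Scan profiles and config files under home, plus .env* files in projects."""
    targets = [Path(home) / name for name in HOME_FILES]
    for project in project_dirs:
        targets.extend(sorted(Path(project).rglob(".env*")))
    findings = []
    for target in targets:
        if target.is_file():
            findings.extend(scan_file(target))
    return findings

if __name__ == "__main__":
    for path, number, name in audit(Path.home(), [Path.cwd()]):
        print(f"{path}:{number}: {name} looks like a plaintext secret")
```

Hardcoded values in scripts and source code need a dedicated secret scanner; this sketch only covers assignment-style files.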

Promote Developer Watchtower

After your team sets up 1Password for SSH, encourage developers to turn on Developer Watchtower to audit their machines for SSH key security issues, like keys that are stored in plaintext or use outdated cryptography.
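
What an audit for these two issues inspects, as an added example that is not 1Password's code and not how Developer Watchtower is implemented: it reads the header of an OpenSSH-format private key to tell whether the key is stored without a passphrase and whether it is DSA or short RSA. The 2048-bit threshold, the function names, and the constructed sample key are assumptions of this example.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
MIN_RSA_BITS = 2048  # assumed threshold for this example

def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, offset):
    """Decode one SSH wire string; return (bytes, offset just past it)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    return buf[offset + 4:offset + 4 + length], offset + 4 + length

def inspect_private_key(text):
    """Return findings for the contents of one private key file."""
    body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
    blob = base64.b64decode(body) if "BEGIN OPENSSH PRIVATE KEY" in text else b""
    if not blob.startswith(MAGIC):
        return ["not in OpenSSH key format; header not inspected"]
    cipher, pos = read_string(blob, len(MAGIC))
    _kdf_name, pos = read_string(blob, pos)
    _kdf_options, pos = read_string(blob, pos)
    public_blob, _ = read_string(blob, pos + 4)  # skip the uint32 key count
    key_type, pos = read_string(public_blob, 0)
    findings = []
    if cipher == b"none":
        findings.append("stored without a passphrase")
    if key_type == b"ssh-dss":
        findings.append("DSA key")
    elif key_type == b"ssh-rsa":
        _exponent, pos = read_string(public_blob, pos)
        modulus, _ = read_string(public_blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"RSA modulus is {bits} bits")
    return findings

def constructed_key(cipher, public_blob):
    """Build a constructed, non-functional key file (no real key material)."""
    blob = (MAGIC + ssh_string(cipher) + ssh_string(b"none") + ssh_string(b"")
            + struct.pack(">I", 1) + ssh_string(public_blob) + ssh_string(b""))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    rsa = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\xff" * 128)
    print(inspect_private_key(constructed_key(b"none", rsa)))
```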