# 1Password agent hooks
Source: https://www.1password.dev/agent-hooks
[1Password Agent Hooks ](https://github.com/1Password/agent-hooks/) provide automated validation and verification of 1Password configurations and integrations with supported agents and IDEs. They help make sure that required 1Password resources are properly set up before commands are executed, preventing errors and security issues.
## Available hooks
* [Validate locally mounted .env files from 1Password Environments](/environments/agent-hook-validate)
# Use 1Password to securely provide credentials to AI agents
Source: https://www.1password.dev/agentic-autofill
1Password Agentic Autofill gives you a secure way to provide credentials to AI agents, so they can sign in on your behalf without directly handling your secrets.
Instead of providing credentials to an AI agent using unencrypted methods like plaintext secrets or environment variables, you can tell an agent to sign in to a website using 1Password. When the agent needs to sign in, you'll be prompted to approve or deny the request.
After you approve, the 1Password browser extension in the agent's headless browser autofills your login details over an end-to-end encrypted channel and signs in to the website. In the future, you'll be able to see detailed audit logs that show when, where, and why the agent accessed the item.
During the Early Access, you can use Agentic Autofill with [Browserbase Director ](https://www.director.ai/), Browserbase's no-code AI agent that automates web-based tasks using natural language prompts.
## How the Browserbase integration works
When you set up the Browserbase integration, 1Password validates its pairing partner is director.ai and rejects any untrusted party, then establishes an end-to-end encrypted channel between your 1Password desktop app and Browserbase.
When the agent needs to sign in, it sends a request over the encrypted channel to autofill items that match the login website you specified, triggering an approval prompt from your 1Password desktop app for each autofill request. If you approve the request, the item is sent encrypted to the headless 1Password browser extension, which injects only the minimum required credential data from the approved item into the login form.
1Password protects communication using forward-rotating key material and the Noise framework that protects your data all the way from your approving 1Password device to the remote browser's webpage, ensuring your data cannot be leaked accidentally. 1Password and Browserbase exchange new key material after every autofill to provide post-compromise security for all autofills performed prior.
When Browserbase and 1Password are paired, Browserbase may be able to tell when an item matching an autofill request exists, even if the request is denied.
### What Browserbase can do
When you turn on the integration, Browserbase can:
* Request to autofill items on your behalf
### What Browserbase can't do
Browserbase cannot:
* Access items without your approval
* See a list of your items
* Modify your items
## Before you get started
Before you get started with the integration, you'll need to:
1. Sign up for [Browserbase Director ](https://www.director.ai/) and [1Password](https://1password.com/pricing/password-manager).
2. Install the [1Password desktop app](https://1password.com/downloads).
3. Install the [1Password browser extension](https://1password.com/downloads/browser-extension).
Make sure to turn on [Touch ID](https://support.1password.com/touch-id-mac/), [Windows Hello](https://support.1password.com/windows-hello/), or a Linux [system authentication option](https://support.1password.com/system-authentication-linux/) in the 1Password app for the best authentication experience.
### Administrators: Turn on the agentic autofill policy
If you're using a 1Password Business account, your administrator must turn on the agentic autofill policy for your team before you can use it. To do this, they'll need to:
1. Sign in to their account on 1Password.com.
2. Select **Policies**, then select **Manage** under "Sharing and permissions".
3. Turn on the policy "Allow AI Agents to autofill for users".
## Step 1: Connect 1Password and Browserbase
To set up the integration with Browserbase:
1. Sign in to [Browserbase Director ](https://www.director.ai/).
2. Select ** Connect 1Password** beneath the input field. You'll be redirected to 1Password.com.
3. Sign in to the 1Password account you want to use with Browserbase Director, then select **Continue**. If your 1Password desktop app is locked, you'll be prompted to unlock it.
4. Select **Next** to return to Browserbase Director and complete the pairing flow.
After pairing, you should see a check next to the 1Password icon beneath the input field.
To turn off the integration, select the 1Password icon beneath the input field, then toggle off **1Password Autofill**. You can also select **Disconnect** to unpair 1Password and Browserbase.
You can currently pair Browserbase with 1Password on one device. If you set up the integration on a second device, 1Password de-authorizes the integration on the original device.
## Step 2: Create an item
You can create an item with sample data for a website like [autofill.me ](https://autofill.me/) to test the integration.
1. Open and unlock the [1Password desktop app](https://1password.com/downloads/).
2. Select **+ New Item** to create a new item.
3. Select **Login** for the item category.
4. Select the username field and enter an example username like `hello`.
5. Select the password field, then select **Create a new password** to generate a random password.
6. Select the website field and enter `https://autofill.me`. If you want to test a different Login item, make sure the website is set to the URL where you sign in to the account.
7. Select **Save** to create the item.
## Step 3: Prompt the agent to sign in to a website using 1Password
In the [Browserbase Director ](https://www.director.ai/) input field, instruct the agent to sign in to a website using 1Password and hit enter.
For example, to have the agent sign in to `autofill.me` with the test Login item you created in the previous step, enter the prompt:
```
sign in to https://autofill.me/form/login-simple using 1Password
```
You'll get a prompt from 1Password asking you to authorize or cancel the request from Browserbase. If you have multiple items for the same website, you can select the down arrow next to the suggested login to choose a different item.
Authorize the prompt in the same way you unlock your 1Password account, like with Touch ID, and 1Password will fill your login in the remote browser session.
If you make a second request to sign in using 1Password in the same workflow, you may need to select the **Log in with 1Password** button in Browserbase Director.
## Troubleshooting
### If Browserbase and 1Password don't pair successfully
If you have trouble pairing 1Password and Browserbase, try the following steps:
#### Make sure the 1Password browser extension and your 1Password desktop app are connected
For the pairing process to work successfully, your 1Password browser extension and desktop app must be connected. To check if they're connected:
1. Select in your browser's toolbar, then select your account or collection in the top left > **Settings**.
2. Select **General** and make sure the "Integrate this extension with the 1Password desktop app" setting is toggled on and the integration status is connected.
If your 1Password browser extension and app aren't connected, [turn on the appropriate settings](https://support.1password.com/connect-1password-browser-app/#check-your-settings).
#### Make sure your app is open and unlocked
Before beginning the pairing process, open the 1Password desktop app and unlock it. Then, follow the steps to [connect 1Password and Browserbase](#step-1-connect-1password-and-browserbase).
### If you see a warning that the request is taking longer than expected
If you see a warning from Browserbase that the request is taking longer than expected, your 1Password app may be locked. Open the 1Password desktop app and unlock it, then try the request again.
If you're still having trouble or want to share feedback, [contact 1Password support](mailto:support@1password.com).
## Learn more
* [Closing the credential risk gap for AI agents using a browser](https://blog.1password.com/closing-the-credential-risk-gap-for-browser-use-ai-agents/)
* [The security principles guiding 1Password’s approach to AI](https://blog.1password.com/security-principles-guiding-1passwords-approach-to-ai/)
# Build on 1Password with LLMs
Source: https://www.1password.dev/building-with-llms
1Password developer documentation is optimized for consumption by large language models (LLMs). Whether you're using an AI coding assistant, building an agent, or working with a chatbot, you can point it to our documentation for accurate, up-to-date context about 1Password developer tools.
## Quick start
Give your LLM one of these URLs depending on what you need:
| What you need | URL |
| -------------------------------------------- | ----------------------------------------------------------- |
| **Full index** of all docs with descriptions | [`/llms.txt`](https://www.1password.dev/llms.txt) |
| **All documentation** in a single file | [`/llms-full.txt`](https://www.1password.dev/llms-full.txt) |
| **Any single page** as Markdown | Append `.md` to the URL of any article |
## How it works
### llms.txt
The [`/llms.txt`](https://www.1password.dev/llms.txt) file follows the [llms.txt standard ](https://llmstxt.org/), providing a structured index of all documentation pages with titles, URLs, and descriptions. This is the best place to start for any LLM. It can scan the index to find relevant pages, then retrieve individual pages as needed.
### Full documentation in one file
If your LLM has a large enough context window, [`/llms-full.txt`](https://www.1password.dev/llms-full.txt) contains the complete 1Password developer documentation in a single file — useful when you want full context in one request rather than fetching pages individually.
### Individual pages as Markdown
Every documentation page is available as clean Markdown by appending `.md` to its URL. For example:
* [`https://www.1password.dev/cli/get-started.md`](https://www.1password.dev/cli/get-started.md)
* [`https://www.1password.dev/sdks.md`](https://www.1password.dev/sdks.md)
This is useful for retrieval-augmented generation (RAG) workflows or when you only need context about a specific topic.
You can also use the **Copy page as Markdown** button at the top of any page to copy the Markdown content directly to your clipboard and paste it into your LLM conversation.
## Using 1Password docs with AI tools
### Cursor, Windsurf, and other AI IDEs
Most AI coding assistants let you attach documentation context. To use 1Password developer documentation, do one of the following:
* Paste `https://www.1password.dev/llms-full.txt` when prompted for context, or include it in your prompt.
* In [Cursor](https://cursor.com/) , use the `@Docs` feature to add `https://www.1password.dev/llms.txt` as a documentation source.
### ChatGPT, Claude, and other chatbots
When asking an LLM about 1Password developer tools, do one of the following:
* Share the [`/llms.txt`](https://www.1password.dev/llms.txt) or [`/llms-full.txt`](https://www.1password.dev/llms-full.txt) URL and ask the LLM to read it.
* Use the **Copy page as Markdown** button on any docs page to copy its content, then paste it into your conversation for precise context.
### AI agents and automation
If you're building an agent that needs to interact with 1Password:
1. Use [`/llms.txt`](https://www.1password.dev/llms.txt) as the entry point for your agent to discover available documentation.
2. Fetch individual pages as Markdown by appending `.md` to any URL for RAG (retrieval-augmented generation) workflows.
3. Use [`/llms-full.txt`](https://www.1password.dev/llms-full.txt) when you need full context in a single request.
## What's included
The LLM-friendly files cover all 1Password developer documentation:
* **[1Password CLI](/cli):** Command reference, guides for secrets management, shell plugins, and scripting.
* **[1Password SDKs](/sdks):** Python, JavaScript, and Go SDK guides for programmatic secrets access.
* **[SSH & Git](/ssh):** SSH key management, Git commit signing, and SSH agent configuration.
* **[Secrets Automation](/secrets-automation):** Service accounts, Connect server, CI/CD integrations (GitHub Actions, CircleCI, Jenkins), and Kubernetes operator.
* **[Environments](/environments):** 1Password Environments for managing environment variables.
* **[Events API](/events-api):** Events reporting API reference and integration guides.
* **[Partnership API](/partnership-api/reference):** API for provisioning and managing 1Password accounts programmatically.
## About the llms.txt standard
The [`llms.txt` standard](https://llmstxt.org/) is an open specification for making website content accessible to LLMs. It provides a structured, machine-readable Markdown index at a well-known URL (`/llms.txt`), making it easy for AI systems to discover and consume documentation without parsing complex HTML.
# 1Password CI/CD Integrations
Source: https://www.1password.dev/ci-cd
You can use 1Password integrations to securely access secrets from 1Password in your CI/CD pipeline without exposing any plaintext secrets in code, and rotate secrets without having to update your CI/CD environment.
## Get started
Select the CI/CD tool you use to get started. All integrations support authentication with both [1Password Connect Servers](/connect/) and [1Password Service Accounts](/service-accounts/).
# Load secrets from 1Password into CircleCI
Source: https://www.1password.dev/ci-cd/circle-ci
With the [1Password Secrets orb for CircleCI ](https://circleci.com/developer/orbs/orb/onepassword/secrets), you can securely load secrets from 1Password into CircleCI CI/CD pipelines using [secret references](/cli/secret-reference-syntax). Secret references sync automatically with 1Password and remove the risk of exposing plaintext secrets in code.
[CircleCI orbs ](https://circleci.com/docs/orb-intro/) are packages containing YAML configuration files. Using an orb allows you to refer to these configurations with a single line of code.
The [1Password Secrets orb for CircleCI ](https://github.com/1password/secrets-orb) is officially supported and maintained by 1Password, but community contributions are welcome.
You can use the orb with a [1Password Connect Server](/connect/) or a [1Password Service Account](/service-accounts/). See the video below for a brief introduction to using 1Password Service Accounts with CircleCI and Docker.
## Requirements
The requirements for getting started with the 1Password for CircleCI orb vary depending on whether you use a service account or Connect server.
Before you use 1Password for CircleCI with a service account, you need to:
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Create a service account.](/service-accounts/)
* Create a [CircleCI ](https://circleci.com/) account.
Before you use 1Password for CircleCI with a Connect server, you need to:
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Create and deploy a Connect server.](/connect/get-started/#step-1)
* Create a [CircleCI ](https://circleci.com/) account.
Connect credentials take precedence over service account credentials.
If you've set the `OP_CONNECT_HOST` or `OP_CONNECT_TOKEN` environment variables alongside `OP_SERVICE_ACCOUNT_TOKEN`, the Connect credentials take precedence over the provided service account token. You must unset the Connect environment variables to make sure the action uses the service account token.
## Get started
1. Set the service account token environment variable in CircleCI.
On the [CircleCI settings page ](https://circleci.com/docs/introduction-to-the-circleci-web-app/#project-settings), set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable to token of the service account to use to load secrets.
2. Edit the CircleCI configuration file and make the following updates:
* Update the [CircleCI `config.yml` file ](https://circleci.com/docs/config-intro/) to use the 1Password for CircleCI orb.
* Specify the version number or use `volatile` to use the latest version number.
Add the `onepassword/secrets` orb to your `config.yml` file.
```yaml config.yml theme={null}
orbs:
1password: onepassword/secrets@1.0.0
```
To use the *latest* version of 1Password Secrets orb in your project, set `volatile` as the version number.
```yaml config.yml theme={null}
orbs:
1password: onepassword/secrets@volatile
```
3. Install 1Password CLI version **2.18.0 or later** as the first step of a CircleCI job using the `1password/install-cli` [command](#commands). You must install the CLI in the pipeline for the 1Password CircleCI orb to function. Earlier versions of 1Password CLI don't support service accounts.
Find the latest version number in the [1Password CLI release notes](https://releases.1password.com/developers/cli/).
```yaml config.yml theme={null}
steps:
- 1password/install-cli:
version: 2.x.x
```
4. Use 1Password CLI commands in subsequent steps in the pipeline.
See the following example `config.yml` files. Make sure to update `2.x.x` to [1Password CLI version 2.18.0 or later](https://releases.1password.com/developers/cli/).
```yaml config.yml theme={null}
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli:
version: 2.x.x
- checkout
- run:
shell: op run -- /bin/bash
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
```
```yaml config.yml theme={null}
'og:description': Install 1Password CLI within a job and make it useable for all the commands following the installation.
usage:
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli:
version: 2.x.x
- checkout
- run: |
docker login -u $(op read op://company/docker/username) -p $(op read op://company/docker/password)
docker build -t company/app:${CIRCLE_SHA1:0:7} .
docker push company/app:${CIRCLE_SHA1:0:7}
workflows:
deploy:
jobs:
- deploy
```
1. Set the Connect server environment variables in CircleCI.
On the [CircleCI settings page ](https://circleci.com/docs/introduction-to-the-circleci-web-app/#project-settings), set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables for the Connect server to use to load secrets:
* Set `OP_CONNECT_TOKEN` to the Connect server token.
* Set `OP_CONNECT_HOST` to the Connect server hostname or IP address.
2. Edit the CircleCI configuration file.
Update the [CircleCI `config.yml` file ](https://circleci.com/docs/config-intro/) to use the 1Password for CircleCI orb. Make sure to specify the version number or use `volatile` to use the latest version number.
Add the `onepassword/secrets` orb to your `config.yml` file.
```yaml config.yml theme={null}
orbs:
1password: onepassword/secrets@1.0.0
```
To use the *latest* version of 1Password Secrets orb in your project, set `volatile` as the version number.
```yaml config.yml theme={null}
orbs:
1password: onepassword/secrets@volatile
```
3. Install 1Password CLI.
You must install [1Password CLI](/cli/) in the pipeline for the 1Password CircleCI orb to function:
* Install the CLI as the first step of a CircleCI job using the `1password/install-cli` [command](#commands).
* Use 1Password CLI commands in subsequent steps in the pipeline.
See the following example `config.yml` files.
```yaml config.yml theme={null}
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli
- checkout
- run:
shell: op run -- /bin/bash
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
```
```yaml config.yml theme={null}
'og:description': Install 1Password CLI within a job and make it useable for all the commands following the installation.
usage:
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- 1password/install-cli
- checkout
- run: |
docker login -u $(op read op://company/docker/username) -p $(op read op://company/docker/password)
docker build -t company/app:${CIRCLE_SHA1:0:7} .
docker push company/app:${CIRCLE_SHA1:0:7}
workflows:
deploy:
jobs:
- deploy
```
## Reference
The following sections document the 1Password for CircleCI orb [commands](#commands) and the [secret reference syntax](#secret-reference-syntax).
### Commands
There are three commands to use when you configure your orb: `1password/install-cli`, `1password/exec`, and `1password/export`.
Only some commands mask secrets.
Both the `1password/exec` orb command and the [`op run`](/cli/reference/commands/run/) shell wrapper automatically mask secrets from the CircleCI log output. If secrets accidentally get logged, 1Password replaces them with ``. The `1password/export` command doesn't mask secrets.
| Command | Description | Masks secrets |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `1password/install-cli` | Installs 1Password CLI. You must use this command as a step to use 1Password CLI commands in subsequent steps. | N/A |
| `1password/exec` | Loads secrets on demand and executes the commands requiring secrets.
See [loading secrets with the `exec` command](#load-exec). | Yes |
| `1password/export` | Loads secrets with references exported in the environment and makes them available to subsequent steps of the job.
See [loading secrets with the `export` command](#load-export). | No |
### Secret reference syntax
You can make secrets available to CircleCI jobs and steps by including references to them in the environment using secret references. Secret reference URIs point to where a secret is saved in your 1Password account using the names (or [unique identifiers](/cli/reference/#unique-identifiers-ids)) of the vault, item, section, and field where the information is stored.
```shell theme={null}
op://vault-name/item-name/[section-name/]field-name
```
Visit the [secret reference syntax](/cli/secret-reference-syntax/) documentation to access examples and learn more about referencing secrets.
## Usage examples
Explore the following sections to learn about specific use case examples for the 1Password CircleCI orb.
* [Load secrets with `exec`](#load-exec)
* [Load secrets with `export`](#load-export)
Load secrets with the `exec` command
To load secrets with the `1password/exec` command:
1. Install 1Password CLI with `1password/install-cli`. If you're using a service account, make sure to set the [1Password CLI version](https://releases.1password.com/developers/cli/) to `2.18.0` or later.
2. Use the `1password/exec` command to load secrets on demand and execute commands that require secrets.
After you add the `1password/exec` command as a step in your job, subsequent steps of the job can access secrets.
The following example shows how to use the `1password/exec` command to resolve variables at the job level. The `exec` command automatically masks any secrets or sensitive values that might be accidentally logged.
```yaml config.yml theme={null}
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
environment:
AWS_ACCESS_KEY_ID: op://company/app/aws/access_key_id
AWS_SECRET_ACCESS_KEY: op://company/app/aws/secret_access_key
steps:
- checkout
- 1password/install-cli:
version: 2.x.x
- 1password/exec:
command: |
echo "This value will be masked: $AWS_ACCESS_KEY_ID"
echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
```
Load secrets with the `export` command
To load secrets with the `1password/export` command:
1. Install 1Password CLI with `1password/install-cli`. If you're using a service account, make sure to set the [1Password CLI version](https://releases.1password.com/developers/cli/) to `2.18.0` or later.
2. Use the `1password/export` command to load the [secret references](#secret-reference-syntax) exported in the environment.
3. Access secrets in subsequent steps of the job.
The following example shows how to use the `1password/export` command to resolve variables at the job level.
```yaml config.yml theme={null}
version: 2.1
orbs:
1password: onepassword/secrets@1.0.0
jobs:
deploy:
machine:
image: ubuntu-2204:current
steps:
- checkout
- 1password/install-cli
version: 2.x.x
- 1password/export:
var-name: AWS_ACCESS_KEY_ID
secret-reference: op://company/app/aws/access_key_id
- 1password/export:
var-name: AWS_SECRET_ACCESS_KEY
secret-reference: op://company/app/aws/secret_access_key
- run:
command: |
echo "This value will not be masked: $AWS_ACCESS_KEY_ID"
echo "This value will not be masked: $AWS_SECRET_ACCESS_KEY"
./deploy-my-app.sh
workflows:
deploy:
jobs:
- deploy
```
# Load secrets from 1Password into GitHub Actions
Source: https://www.1password.dev/ci-cd/github-actions
With the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password), you can securely load secrets from 1Password into GitHub Actions using [secret references](/cli/secret-reference-syntax). Secret references sync automatically with 1Password and remove the risk of exposing plaintext secrets in code.
You can authenticate `load-secrets-action` with a [1Password Connect Server](/connect/) or a [1Password Service Account](/service-accounts/). See the video below for a brief introduction to using the GitHub Action with a service account.
Similar to regular [GitHub repository secrets ](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions), 1Password automatically masks sensitive fields that appear in GitHub Actions logs. If one of these values accidentally gets printed, it's replaced with `***`.
## Requirements
You can configure the action to authenticate to 1Password with either a [service account](/service-accounts/) or a [Connect server](/connect/).
Before using the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password) with a service account, you must:
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Create a service account.](/service-accounts/)
* Have the service account token on hand.
Before using the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password) with a Connect server, you must:
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Create and deploy a Connect server](/connect/get-started/#step-1) in your infrastructure.
* Have the Connect server hostname and Connect server token on hand.
The [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password) only supports Mac and Linux [runners ](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners). It doesn't work with Windows runners.
## Get started
The steps to get started vary depending on whether you use a service account or a Connect server.
1. Add the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password) to your workflow.
See [Adding an action to your workflow ](https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#adding-an-action-to-your-workflow).
2. Add the service account token to your workflow.
Create a secret for your GitHub repository named `OP_SERVICE_ACCOUNT_TOKEN` and set it to the service account token value.
Visit [Using secrets in GitHub Actions ](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) to learn how.
3. Configure your workflow.
Use the `1password/load-secrets-action/configure` action to specify the token of the service account you plan to get secrets from.
The following example uses the `configure` command to set the `service-account-token` to the `OP_SERVICE_ACCOUNT_TOKEN` secret.
```yaml config.yml theme={null}
uses: 1password/load-secrets-action/configure@v2
with:
service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
```
Setting the `service-account-token` in the `configure` step makes the value available to all subsequent steps. You can limit step access to the service account token by only using the service account token in specific steps.
To use the service account token in a specific step, set it in the `env` variables for that step.
```yaml config.yml theme={null}
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
```
4. Load a secret.
Use the `1password/load-secrets-action` action to set an environment variable to a [secret reference URI](#secret-reference-syntax) that points to where a secret is stored in your 1Password account.
The following example sets the `SECRET` environment variable to the value of a field titled `secret` within an item titled `hello-world` saved in a vault titled `app-cicd`.
```yaml config.yml theme={null}
uses: 1password/load-secrets-action@v2
env:
SECRET: op://app-cicd/hello-world/secret
```
The action makes the referenced secret available as the `SECRET` environment variable for the next steps.
1. Add the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password) (`load-secrets-action`) to your workflow.
See [Adding an action to your workflow ](https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#adding-an-action-to-your-workflow).
2. Add the Connect server token to your workflow.
Create a secret named `OP_CONNECT_TOKEN` in your repository and set it to the Connect server token value.
Visit [Using secrets in GitHub Actions ](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions) to learn how.
3. Configure your workflow.
Use the `1password/load-secrets-action/configure` action to specify the Connect server environment variable.
The following example uses the configure command to:
* Set the `connect-host` to the Connect server hostname (`OP_CONNECT_HOST`).
* Set the `connect-token` to the `OP_CONNECT_TOKEN` secret.
```yaml config.yml theme={null}
uses: 1password/load-secrets-action/configure@v2
with:
connect-host: OP_CONNECT_HOST
connect-token: ${{ secrets.OP_CONNECT_TOKEN }}
```
Setting the `connect-token` in the configure step makes the value available to all subsequent steps. You can limit step access to the service account token by only using the service account token in specific steps.
To use the service account token in a specific step, set it in the `env` variables for that step.
```yaml config.yml theme={null}
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
```
4. Load a secret.
Use the `1password/load-secrets-action` action to set an environment variable to a [secret reference URI](#secret-reference-syntax) that points to where a secret is stored in your 1Password account.
The following example sets the `SECRET` environment variable to the value of a field titled `secret` within an item titled `hello-world` saved in a vault titled `app-cicd`.
```yaml config.yml theme={null}
uses: 1password/load-secrets-action@v2
env:
SECRET: op://app-cicd/hello-world/secret
```
The action makes the referenced secret available as the `SECRET` environment variable for the next steps.
## Reference
The following sections document the [action inputs](#action-inputs) and [secret reference syntax](#secret-reference-syntax) for the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password).
### Action inputs
The following table contains the available `configure` action inputs.
| Action input | Environment variable | Description |
| ----------------------- | -------------------------- | ---------------------------------------------------------- |
| `connect-host` | `OP_CONNECT_HOST` | The Connect server, hostname, IP address, or instance URL. |
| `connect-token` | `OP_CONNECT_TOKEN` | The Connect server token. |
| `service-account-token` | `OP_SERVICE_ACCOUNT_TOKEN` | The service account token. |
### Secret reference syntax
Secret reference URIs point to where a secret is saved in your 1Password account using the names (or [unique identifiers](/cli/reference/#unique-identifiers-ids)) of the vault, item, section, and field where the information is stored.
```shell theme={null}
op://vault-name/item-name/[section-name/]field-name
```
Set an environment variable to a secret reference in your workflow YAML file, and the action will make the referenced secret available as the environment variable for the next steps.
#### Example
The following example shows how to reference the `secret-access-key` field of the `aws` item in the `app-cicd` vault.
```yaml config.yml theme={null}
- name: Load secret
uses: 1password/load-secrets-action@v2
env:
SECRET: op://app-cicd/aws/secret-access-key
```
* **Vault:** `app-cicd`
* **Item:** `aws`
* **Field:** `secret-access-key`
## Usage examples
You can load secrets using the action in two ways:
1. [Use secrets from the action's output](#use-secrets-from-the-actions-output)
2. [Export secrets as environment variables](#export-secrets-as-environment-variables)
Use secrets from the action's output
You can use the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password) to access secrets as environment variables.
The following examples show how to load a secret from a service account and print the output when a `push` event occurs.
You need to set an ID for the step to access its outputs. See [`outputs.` ](https://docs.github.com/actions/creating-actions/metadata-syntax-for-github-actions#outputsoutput_id).
The following example shows how to use a service account to load (and print) a secret (as the `SECRET` env variable) from 1Password. When you print a secret, 1Password automatically replaces it with `***`.
```yaml config.yml theme={null}
on: push
jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Load secret
id: op-load-secret
uses: 1password/load-secrets-action@v2
with:
export-env: false
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://app-cicd/hello-world/secret
- name: Print masked secret
run: 'echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"'
# Prints: Secret: ***
```
The following example shows how to use a service account to load the `username` and `token` fields from the `docker` secret in 1Password (as `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`), then use them to log into Docker Hub.
```yaml config.yml theme={null}
on: push
name: Deploy app
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Configure 1Password Service Account
uses: 1password/load-secrets-action/configure@v2
with:
# Persist the 1Password Service Account Authorization token
# for next steps.
# Keep in mind that every single step in the job is now
# able to access the token.
service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
- name: Load Docker credentials
id: load-docker-credentials
uses: 1password/load-secrets-action@v2
with:
export-env: false
env:
DOCKERHUB_USERNAME: op://app-cicd/docker/username
DOCKERHUB_TOKEN: op://app-cicd/docker/token
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
push: true
tags: acme/app:latest
```
The following examples show how to load a secret from a Connect server and print the output when a `push` event occurs.
The following example shows how to use a Connect server to load (and print) a secret (as the `SECRET` env variable) from 1Password. When you print a secret, 1Password automatically replaces it with `***`.
```yaml config.yml theme={null}
on: push
jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Load secret
id: op-load-secret
uses: 1password/load-secrets-action@v2
with:
export-env: false
env:
OP_CONNECT_HOST: connect-host
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
SECRET: op://app-cicd/hello-world/secret
- name: Print masked secret
run: 'echo "Secret: ${{ steps.op-load-secret.outputs.SECRET }}"'
# Prints: Secret: ***
```
The following example shows how to use a Connect server to load the `username` and `token` fields from the `docker` secret in 1Password (as `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`), then use them to log into Docker Hub.
```yaml config.yml theme={null}
on: push
name: Deploy app
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Configure 1Password Connect
uses: 1password/load-secrets-action/configure@v2
with:
# Persist the 1Password Connect URL for next steps. You can also persist
# the Connect token using input `connect-token`, but keep in mind that
# every single step in the job would then be able to access the token.
connect-host: OP_CONNECT_HOST
- name: Load Docker credentials
id: load-docker-credentials
uses: 1password/load-secrets-action@v2
with:
export-env: false
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
DOCKERHUB_USERNAME: op://app-cicd/docker/username
DOCKERHUB_TOKEN: op://app-cicd/docker/token
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_USERNAME }}
password: ${{ steps.load-docker-credentials.outputs.DOCKERHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
push: true
tags: acme/app:latest
```
### Export secrets as environment variables
You can use the [Load secrets from 1Password GitHub Action ](https://github.com/marketplace/actions/load-secrets-from-1password) to use loaded secret outputted from the `steps.step-id.outputs.secret-name`.
The following examples show how to use a service account to load a 1Password secret as an environment variable.
The following example shows how to use a service account to load a secret as an environment variable named `SECRET`. When you print a secret, 1Password automatically replaces it with `***`.
```yaml config.yml theme={null}
on: push
jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Load secret
uses: 1password/load-secrets-action@v2
with:
# Export loaded secrets as environment variables
export-env: true
env:
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
SECRET: op://app-cicd/hello-world/secret
- name: Print masked secret
run: 'echo "Secret: $SECRET"'
# Prints: Secret: ***
```
The following example shows how to use a service account to load the `username` and `token` fields from the `docker` secret in 1Password as environment variables named `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`, then uses them to log into Docker Hub.
It also loads the `access-key-id` and `secret-access-key` fields from the `aws` secret in 1Password as environment variables named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, then uses them to deploy to AWS.
```yaml config.yml theme={null}
on: push
name: Deploy app
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Configure 1Password Service Account
uses: 1password/load-secrets-action/configure@v2
with:
# Persist the 1Password Service Account Authorization token
# for next steps.
# Keep in mind that every single step in the job is now able
# to access the token.
service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
- name: Load Docker credentials
uses: 1password/load-secrets-action@v2
with:
# Export loaded secrets as environment variables
export-env: true
env:
DOCKERHUB_USERNAME: op://app-cicd/docker/username
DOCKERHUB_TOKEN: op://app-cicd/docker/token
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
- name: Print environment variables with masked secrets
run: printenv
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
push: true
tags: acme/app:latest
- name: Load AWS credentials
uses: 1password/load-secrets-action@v2
with:
# Export loaded secrets as environment variables
export-env: true
# Remove local copies of the Docker credentials, which are not needed anymore
unset-previous: true
env:
AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
- name: Deploy app
# This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
# done automatically by the step above
run: ./deploy.sh
```
The folowing examples show how to use a Connect server to load a secret from 1Password as an environment variable.
The following example shows how to use a Connect server to load a secret as an environment variable named `SECRET`. When you print a secret, 1Password automatically replaces it with `***`.
```yaml config.yml theme={null}
on: push
jobs:
hello-world:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Load secret
uses: 1password/load-secrets-action@v2
with:
# Export loaded secrets as environment variables
export-env: true
env:
OP_CONNECT_HOST: connect-host
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
SECRET: op://app-cicd/hello-world/secret
- name: Print masked secret
run: 'echo "Secret: $SECRET"'
# Prints: Secret: ***
```
The following example shows how to use a Connect server to load the `username` and `token` fields from the `docker` secret in 1Password as environment variables named `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN`, then uses them to log into Docker Hub.
It also loads the `access-key-id` and `secret-access-key` fields from the `aws` secret in 1Password as environment variables named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, then uses them to deploy to AWS.
```yaml config.yml theme={null}
on: push
name: Deploy app
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Configure 1Password Connect
uses: 1password/load-secrets-action/configure@v2
with:
# Persist the 1Password Connect hostname for next steps.
# You can also persist the Connect token using input
# `connect-token`, but keep in mind that every single
# step in the job would then be able to access the token.
connect-host: OP_CONNECT_HOST
- name: Load Docker credentials
uses: 1password/load-secrets-action@v2
with:
# Export loaded secrets as environment variables
export-env: true
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
DOCKERHUB_USERNAME: op://app-cicd/docker/username
DOCKERHUB_TOKEN: op://app-cicd/docker/token
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ env.DOCKERHUB_USERNAME }}
password: ${{ env.DOCKERHUB_TOKEN }}
- name: Print environment variables with masked secrets
run: printenv
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
push: true
tags: acme/app:latest
- name: Load AWS credentials
uses: 1password/load-secrets-action@v2
with:
# Export loaded secrets as environment variables
export-env: true
# Remove local copies of the Docker credentials, which are not needed anymore
unset-previous: true
env:
OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }}
AWS_ACCESS_KEY_ID: op://app-cicd/aws/access-key-id
AWS_SECRET_ACCESS_KEY: op://app-cicd/aws/secret-access-key
- name: Deploy app
# This script expects AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to be set, which was
# done automatically by the step above
run: ./deploy.sh
```
## Troubleshooting
If you try to create items using 1Password CLI in your GitHub pipelines (without using `load-secrets-action`), the command fails with the following error:
```text theme={null}
Failed to create item: invalid JSON
```
For example, the following results in an error:
```shell theme={null}
op item create --category=login --title='My Example Item' --vault='Test' \
--url https://www.acme.com/login \
--generate-password=20,letters,digits \
username=jane@acme.com \
'Test Field 1=my test secret' \
'Test Section 1.Test Field2[text]=Jane Doe' \
'Test Section 1.Test Field3[date]=1995-02-23' \
'Test Section 2.Test Field4[text]='$myNotes
```
The pipeline environment is in piped mode. This triggers the CLI's pipe detection, which expects a piped input.
To create items in this environment, use a [JSON template](/cli/item-template-json/) with your item details.
1. Get the template for the category of item you want to create:
```shell theme={null}
op item template get --out-file=new-item.json
```
2. Edit [the template](/cli/item-template-json/) to add your information.
3. Pipe the item content to the command:
```shell theme={null}
cat new-item.json | op item create --vault
```
# Load secrets from 1Password into Jenkins
Source: https://www.1password.dev/ci-cd/jenkins
With the [1Password Secrets plugin for Jenkins ](https://plugins.jenkins.io/onepassword-secrets/), you can securely load secrets from 1Password as environment variables in a Jenkins CI/CD pipeline using [secret references](/cli/secret-reference-syntax/). Secret references sync automatically with 1Password and remove the risk of exposing plaintext secrets in code.
You can authenticate the plugin with a [1Password Service Account](/service-accounts/) or a [1Password Connect Server](/connect/).
The 1Password Jenkins plugin is officially supported and maintained by 1Password. Community contributions are welcome. [View the repository on GitHub. ](https://github.com/jenkinsci/onepassword-secrets-plugin)
## Requirements
You can use the 1Password Secrets plugin for Jenkins with either a [service account](/service-accounts/get-started/) or a [Connect server](/connect/get-started/#step-1). If you configure both a service account and a Connect server, the Connect server takes precedence.
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Create a service account.](/service-accounts/get-started/)
* [Have a Jenkins instance up and running. ](https://www.jenkins.io/doc/)
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Create and deploy a Connect server](/connect/get-started/#step-1).
* [Have a Jenkins instance up and running. ](https://www.jenkins.io/doc/)
## Get started
To get started with the 1Password Secrets plugin for Jenkins:
1. [Install the 1Password Secrets plugin for Jenkins.](#install-plugin)
2. [Install 1Password CLI.](#step-2-install-1password-cli)
3. [Configure the 1Password Secrets plugin for Jenkins.](#configure-plugin)
Step 1: Install the 1Password Secrets plugin for Jenkins
You have several available options to install the 1Password Secrets plugin for Jenkins. You can use the Jenkins GUI (graphical user interface), the Jenkins CLI tool, or a direct upload.
To install the 1Password Secrets plugin for Jenkins using the GUI:
1. Sign in to your Jenkins instance.
2. From your Jenkins dashboard, go to **Manage Jenkins** > **Plugins**.
3. Select the **Available plugins** tab.
4. Search for *onepassword-secrets*.
5. Select the 1Password Secrets plugin for Jenkins, then select **Install**.
Refer to [Use the GUI ](https://www.jenkins.io/doc/book/managing/plugins/#from-the-web-ui) for more detailed instructions.
To install the 1Password Secrets plugin for Jenkins using the CLI tool:
1. Follow the [Use the CLI tool ](https://github.com/jenkinsci/plugin-installation-manager-tool) instructions.
2. Run the following command. Make sure to replace `1.0.0` with the correct version.
```sh theme={null}
jenkins-plugin-cli --plugins onepassword-secrets:1.0.0
```
To install the 1Password Secrets plugin for Jenkins using a direct upload:
1. Download one of the [releases ](https://plugins.jenkins.io/onepassword-secrets/#releases).
2. From your Jenkins dashboard, go to **Manage Jenkins** > **Plugins**.
3. Select the **Advanced** tab.
4. Select the `.hpi` file you downloaded from the release.
5. Select **Deploy**.
Refer to [Use direct upload ](https://www.jenkins.io/doc/book/managing/plugins/#advanced-installation) for more detailed instructions.
### Step 2: Install 1Password CLI
The 1Password Secrets plugin for Jenkins relies on 1Password CLI. You must install 1Password CLI on the same machine that runs the Jenkins CI/CD pipeline.
You can install 1Password CLI using a [Jenkinsfile ](https://www.jenkins.io/doc/book/pipeline/jenkinsfile/) or using a Freestyle job. Either of these methods can install 1Password CLI in the same pipeline as the 1Password Secrets plugin for Jenkins or in a separate pipeline.
If you install 1Password CLI in the same pipeline, you will need to add the 1Password CLI installation script before you make any calls to the plugin.
If you install 1Password CLI in a separate pipeline, you will need to set the **1Password CLI path** to the workspace where you performed the installation in your [configuration](#configuration).
To install 1Password CLI using a Jenkinsfile:
1. Sign in to your Jenkins instance.
2. Select **New Item**.
3. Enter the job details, then select **Pipeline**.
4. Configure the job details.
5. Scroll to **Advanced Project Options** > **Pipeline**.
6. Select **Pipeline script**.
7. Add the code to install 1Password CLI to the **Script** field.
You can install 1Password CLI with a Jenkinsfile using declarative or scripted [Jenkins pipeline syntax ](https://www.jenkins.io/doc/book/pipeline/syntax/).
The following examples show how to install 1Password CLI version 2.24 on a Linux amd64 machine. Make sure to change the example scripts to match your platform and use the [latest release of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2).
```groovy Declarative Jenkinsfile theme={null}
pipeline {
agent any
stages {
stage('Install 1Password CLI') {
steps {
sh 'curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_amd64_v2.24.0.zip"'
sh 'unzip -o op.zip -d op-dir'
sh 'mv -f op-dir/op /usr/local/bin'
sh 'rm -r op.zip op-dir'
}
}
}
}
# code-result
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /config/workspace/Example
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Install 1Password CLI)
[Pipeline] sh
+ curl -sSfLo op.zip https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_amd64_v2.24.0.zip
[Pipeline] sh
+ unzip -o op.zip -d op-dir
Archive: op.zip
extracting: op-dir/op.sig
inflating: op-dir/op
[Pipeline] sh
+ mv -f op-dir/op /usr/local/bin
[Pipeline] sh
+ rm -r op.zip op-dir
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
```
```groovy Scripted Jenkinsfile theme={null}
node {
stage('Install 1Password CLI') {
sh '''
ARCH="amd64"
curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_${ARCH}_v2.24.0.zip"
unzip -o op.zip -d op-dir
mv -f op-dir/op /usr/local/bin
rm -r op.zip op-dir
'''
}
}
# code-result
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /config/workspace/Test 1Password Secrets
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Install 1Password CLI)
[Pipeline] sh
+ ARCH=amd64
+ curl -sSfLo op.zip https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_amd64_v2.24.0.zip
+ unzip -o op.zip -d op-dir
Archive: op.zip
extracting: op-dir/op.sig
inflating: op-dir/op
+ mv -f op-dir/op /usr/local/bin
+ rm -r op.zip op-dir
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
```
8. Save the build.
Freestyle jobs don't let you set both the configuration and secrets at the job level. 1Password recommends using a Jenkinsfile rather than a Freestyle job. See [Migrating from chained Freestyle jobs to Pipelines ](https://www.jenkins.io/blog/2016/06/29/from-freestyle-to-pipeline/).
To install 1Password CLI using a Freestyle job:
1. Sign in to your Jenkins instance.
2. Select **New Item**.
3. Enter the job name, then select **Freestyle project**.
4. Configure the job details.
5. Scroll to **Build Steps**, then select **Add build step** > **Execute shell**.
6. Add the following commands to the **Execute shell** build step.
```shell theme={null}
ARCH="amd64"
curl -sSfLo op.zip "https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_${ARCH}_v2.24.0.zip"
unzip -o op.zip -d op-dir
mv -f op-dir/op /usr/local/bin
rm -r op.zip op-dir
# code-result
Running as SYSTEM
Building in workspace /config/workspace/Example
[Test 1Password Secrets Freestyle] $ /bin/sh -xe /tmp/jenkins14763651031574634007.sh
+ ARCH=amd64
+ curl -sSfLo op.zip https://cache.agilebits.com/dist/1P/op2/pkg/v2.24.0/op_linux_amd64_v2.24.0.zip
+ unzip -o op.zip -d op-dir
Archive: op.zip
extracting: op-dir/op.sig
inflating: op-dir/op
+ mv -f op-dir/op /usr/local/bin
+ rm -r op.zip op-dir
Finished: SUCCESS
```
7. Save the build.
Step 3: Configure the 1Password Secrets plugin for Jenkins
You can configure the 1Password Secrets plugin for Jenkins from the Jenkins dashboard:
1. Login to your Jenkins instance.
2. Select **Manage Jenkins** > **System**.
3. Scroll to **1Password Secrets**.
4. Set the **1Password CLI path** to the location of the 1Password CLI executable. The example script uses `/usr/local/bin/op`.
The remaining configuration steps depend on whether you use a service account or a Connect server.
You must add at least one Service Account Credential to use a service account with the 1Password Secrets plugin for Jenkins.
1. Select **Add** > **Jenkins** under the Service Account Credential.
2. Set the **Domain**.
3. Set the **Kind** to **Secret text**. The plugin only supports [secret text ](https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#secret-text).
4. Set the **Scope**.
5. Set the **Secret** to the service account token.
6. You can leave the **ID** and **Description** empty.
7. Select **Add**.
You must specify the Connect Host value and add at least one Connect Credential to use a service account with the 1Password Secrets plugin for Jenkins.
1. Set **Connect Host** to the IP address, hostname, or URL of the Connect server.
2. Select **Add** > **Jenkins** under the Connect Credential.
3. Set the **Domain**.
4. Set the **Kind** to **Secret text**. The plugin only supports [secret text ](https://www.jenkins.io/doc/book/pipeline/jenkinsfile/#secret-text).
5. Set the **Scope**.
6. Set the **Secret** to the Connect server token.
7. You can leave the **ID** and **Description** empty.
8. Select **Add**.
For example configurations and pipeline scripts, go to [Usage examples](#usage-examples).
If you configure both a Connect server and a service account, the Connect server takes precedence.
## Configuration
The following sections document the available [configuration options](#configuration-options) and [configuration scopes](#configuration-scope).
If you install 1Password CLI in the same pipeline, you will need to add the 1Password CLI installation script before you make any calls to the plugin.
If you install 1Password CLI in a separate pipeline, you will need to set the **1Password CLI path** to the workspace where you performed the installation in your [configuration](#configuration).
### Configuration options
The 1Password Secrets plugin for Jenkins has configuration options for 1Password CLI, Connect servers, and service accounts.
| Setting | Description |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Connect Host** | The hostname, IP address, or URL of the Connect server. |
| **Connect Credential** | The [Connect server token](/connect/security#connect-server-access-tokens) to authenticate with the Connect server. This setting is a [Jenkins secret text credential ](https://www.jenkins.io/doc/book/using/using-credentials/). |
| **Service Account Credential** | The [service account token](/service-accounts/security/#service-accounts-and-token-generation) to authenticate with the service account. This setting is a [Jenkins secret text credential ](https://www.jenkins.io/doc/book/using/using-credentials). |
| **1Password CLI path** | The path to the 1Password CLI executable. The default location is `/usr/local/bin/op` |
### Configuration scope
You can configure the 1Password Secrets plugin for Jenkins globally, per folder, or per job.
| Level | Description |
| ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Global | Global-level configurations impact all jobs in all folders. To configure the 1Password Secrets plugin for Jenkins globally, add it to your global configuration. |
| Folder | Folder-level configurations impact all jobs within the folder. To configure the 1Password Secrets plugin for Jenkins for a specific folder, add it to the folder configuration. |
| Job | Job-level configurations only impact the jobs you configure. To configure the 1Password Secrets plugin for Jenkins for a single job, configure the plugin in the Jenkinsfile or Freestyle job. |
The configuration priority is highest for job-level configurations and lowest for global configurations. The more specific the level, the higher the priority. This means you can have a default configuration at a broader level and override it at more specific levels.
For example, if you configure a service account (service account A) globally, but override it with a different service account (service account B) in a job-level configuration, the job will use the second service account (service account B).
If you configure both a Connect server and a service account, the Connect server takes precedence.
## Usage examples
The following sections cover several use case examples for the 1Password Secrets plugin for Jenkins:
* [Use with a Jenkinsfile](#use-with-a-jenkinsfile)
* [Use with environment variables](#use-with-environment-variables)
* [Use in a Freestyle job](#use-in-a-freestyle-job)
### Use with a Jenkinsfile
You can access secrets within the Jenkins pipeline using [secret references](/cli/secret-reference-syntax/) with the `withSecrets` function. This function receives the configuration and list of 1Password secrets and loads them as parameters. Explore the following examples to learn how to use the `withSecrets` function in various contexts.
The configuration at the beginning of the Jenkinsfile to configure the service account and 1Password CLI is optional. If you don't provide a configuration, the 1Password Secrets plugin uses a [more broadly scoped configuration](#configuration-scope).
Make sure to replace `service-account-token` with the service account token and `op-cli-path` with the path you installed the 1Password CLI to (if you used a custom location). See [Configuration](#configuration).
```groovy theme={null}
def config = [
serviceAccountCredentialId: 'service-account-token',
opCLIPath: 'op-cli-path'
]
```
The configuration at the beginning of the Jenkinsfile to configure the Connect server and 1Password CLI is optional. If you don't provide a configuration, the 1Password Secrets plugin uses a [more broadly scoped configuration](#configuration-scope).
Make sure to replace `connect-server-token` with the Connect server token, `connect-host` with the Connect server IP address, and `op-cli-path` with the path you installed the 1Password CLI to (if you used a custom location). See [Configuration](#configuration).
```groovy theme={null}
def config = [
connectHost: 'connect-host',
connectCredentialId: 'connect-server-token',
opCLIPath: 'op-cli-path'
]
```
The following examples show how to use the `withSecrets` function in a Jenkinsfile with a 1Password Service Account.
The following [declarative Jenkinsfile ](https://www.jenkins.io/doc/book/pipeline/syntax/#declarative-pipeline) shows how to use the `withSecrets` function with a service account. It first defines environment variables to hold the secret values, then uses the `withSecrets` function to access and assign the values.
```groovy Declarative Jenkinsfile theme={null}
// Configure 1Password CLI and the service account.
def config = [
serviceAccountCredentialId: 'service-account-token',
opCLIPath: 'op-cli-path'
]
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op:///[/section]/`.
def secrets = [
[envVar: 'DOCKER_USERNAME', secretRef: 'op://vault/item/username'],
[envVar: 'DOCKER_PASSWORD', secretRef: 'op://vault/item/password']
]
pipeline {
agent any
stages{
stage('Push latest docker image') {
steps {
// Use the `withSecrets` function to access secrets.
withSecrets(config: config, secrets: secrets) {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
}
}
```
The following [scripted Jenkinsfile ](https://www.jenkins.io/doc/book/pipeline/syntax/#scripted-pipeline) shows how to use the `withSecrets` function with a service account. It first defines environment variables to hold the secret values, then uses the `withSecrets` function to access and assign the values.
```groovy Scripted Jenkinsfile theme={null}
node {
// Configure 1Password CLI and the service account
def config = [
serviceAccountCredentialId: 'service-account-token',
opCLIPath: 'op-cli-path'
]
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op:///[/section]/`.
def secrets = [
[envVar: 'DOCKER_USERNAME', secretRef: 'op://vault/item/username'],
[envVar: 'DOCKER_PASSWORD', secretRef: 'op://vault/item/password']
]
stage('Push latest docker image') {
// Use the `withSecrets` function to access secrets.
withSecrets(config: config, secrets: secrets) {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
```
The following examples show how to use the `withSecrets` function in a Jenkinsfile with a 1Password Connect Server.
The following [declarative Jenkinsfile ](https://www.jenkins.io/doc/book/pipeline/syntax/#declarative-pipeline) shows how to use the `withSecrets` function with a Connect server. It first defines environment variables to hold the secret values, then uses the `withSecrets` function to access and assign the values.
```groovy Declarative Jenkinsfile theme={null}
// Configure 1Password CLI and the Connect server.
def config = [
connectHost: 'connect-host',
connectCredentialId: 'connect-server-token',
opCLIPath: 'op-cli-path'
]
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op:///[/section]/`.
def secrets = [
[envVar: 'DOCKER_USERNAME', secretRef: 'op://vault/item/username'],
[envVar: 'DOCKER_PASSWORD', secretRef: 'op://vault/item/password']
]
pipeline {
agent any
stages{
stage('Push latest docker image') {
steps {
// Use the `withSecrets` function to access secrets.
withSecrets(config: config, secrets: secrets) {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
}
}
```
The following [scripted Jenkinsfile ](https://www.jenkins.io/doc/book/pipeline/syntax/#scripted-pipeline) shows how to use the `withSecrets` function with a Connect server. It first defines environment variables to hold the secret values, then uses the `withSecrets` function to access and assign the values.
```groovy Scripted Jenkinsfile theme={null}
node {
// Configure 1Password CLI and the Connect server.
def config = [
connectHost: 'connect-host',
connectCredentialId: 'connect-server-token',
opCLIPath: 'op-cli-path'
]
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op:///[/section]/`.
def secrets = [
[envVar: 'DOCKER_USERNAME', secretRef: 'op://vault/item/username'],
[envVar: 'DOCKER_PASSWORD', secretRef: 'op://vault/item/password']
]
stage('Push latest docker image') {
// Use the `withSecrets` function to access secrets.
withSecrets(config: config, secrets: secrets) {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
```
**Jenkins Pipeline Syntax helper**
You can also use the [Jenkins Pipeline Syntax helper](#use-in-a-freestyle-job) to create a pipeline script.
### Use with environment variables
The 1Password Secrets plugin for Jenkins lets you use [environment variables ](https://www.jenkins.io/doc/pipeline/tour/environment/#using-environment-variables) to get configuration and secrets. The following examples show how to use environment variables with the 1Password Secrets plugin for Jenkins.
You must set the environment variables in the `environment` block. The following table describes each environment variable.
| Variable | Required | Description |
| -------------------------- | ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `OP_CLI_PATH` | Always required. | The path where you installed the 1Password CLI. If you followed the 1Password CLI installation instruction, set this value to `/usr/local/bin`.
The example scripts on this page set this value to `op-cli-path`. |
| `OP_SERVICE_ACCOUNT_TOKEN` | Required if using a service account. | The service account token of the service account to use.
The example scripts on this page set this value to `service-account-token` variable. |
| `OP_CONNECT_HOST` | Required if using a Connect server. | The IP address, hostname, or URL of the Connect server to use.
The example scripts on this page set this value to `connect-server-host`. |
| `OP_CONNECT_TOKEN` | Required if using a Connect server. | The Connect server token of the Connect server to use.
The example scripts on this page set this value to `connect-server-token`. |
If you don't configure these environment variables, the 1Password Secrets plugin uses a [more broadly scoped configuration](#configuration-scope).
The following examples show how to use a service account with environment variables in a Jenkinsfile.
```groovy Declarative Jenkinsfile theme={null}
pipeline {
agent any
environment {
// Configure 1Password CLI and the service account.
OP_SERVICE_ACCOUNT_TOKEN = credentials('service-account-token')
OP_CLI_PATH = 'op-cli-path'
// Define the environment variables using the secret reference `op:///[/section]/`.
DOCKER_USERNAME = 'op://vault/item/username'
DOCKER_PASSWORD = 'op://vault/item/password'
}
stages{
stage('Push latest docker image') {
steps {
// Access 1Password secrets.
withSecrets() {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
}
}
```
```groovy Scripted Jenkinsfile theme={null}
node {
def environment = [
// Configure 1Password CLI.
'OP_CLI_PATH = op-cli-path',
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op:///[/section]/`.
'DOCKER_USERNAME=op://vault/item/username',
'DOCKER_PASSWORD=op://vault/item/password'
]
// Define the service account token.
def credentials = [
string(credentialsId: 'service-account-token', variable: 'OP_SERVICE_ACCOUNT_TOKEN')
]
withEnv(environment) {
withCredentials(credentials) {
stage('Push latest docker image') {
// Use the `withSecrets` function to access secrets.
withSecrets() {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
}
}
```
The following examples show how to use a Connect server with environment variables in a Jenkinsfile.
```groovy Declarative Jenkinsfile theme={null}
pipeline {
agent any
environment {
// Configure 1Password CLI and the Connect server.
OP_CONNECT_HOST = 'connect-host'
OP_CONNECT_TOKEN = credentials('connect-server-token')
OP_CLI_PATH = 'op-cli-path'
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op:///[/section]/`.
DOCKER_USERNAME = 'op://vault/item/username'
DOCKER_PASSWORD = 'op://vault/item/password'
}
stages{
stage('Push latest docker image') {
steps {
// Use the `withSecrets` function to access secrets.
withSecrets() {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
}
}
```
```groovy Scripted Jenkinsfile theme={null}
node {
def environment = [
// Configure 1Password CLI and the Connect server.
'OP_CONNECT_HOST=connect-host',
'OP_CLI_PATH = op-cli-path',
// Define the environment variables for the values of the secrets.
// Use the secret reference syntax: `op:///[/section]/`.
'DOCKER_USERNAME=op://vault/item/username',
'DOCKER_PASSWORD=op://vault/item/password'
]
def credentials = [
string(credentialsId: 'connect-server-token', variable: 'OP_CONNECT_TOKEN')
]
withEnv(environment) {
withCredentials(credentials) {
stage('Push latest docker image') {
// Use the `withSecrets` function to access secrets.
withSecrets() {
docker.withRegistry('http://somehost:5100') {
sh 'docker login -u ${DOCKER_USERNAME} -p ${DOCKER_PASSWORD} http://somehost:5100'
def image = docker.build('somebuild')
image.push 'latest'
}
}
}
}
}
}
```
### Use in a Freestyle Job
You can use the Jenkins Pipeline Syntax helper to set [environment variables ](https://www.jenkins.io/doc/pipeline/tour/environment/#using-environment-variables) and access secrets in a Freestyle job.
Use the Jenkins Pipeline Syntax helper to use a service account in a Freestyle job:
1. From the Freestyle job in Jenkins, go to the **Steps** section.
2. Set **1Password CLI path** to the location where you installed 1Password CLI. The example script uses `/usr/local/bin/op`.
3. Set **Service Account Credential** to the service account token.
4. Select **Add a 1Password secret**.
5. Set the **Environment variable** for the secret.
6. Set **Secret reference**. Use the [secret reference syntax](/cli/secret-reference-syntax/) to point to the 1Password secret.
7. Select **Generate Pipeline Script**.
Use the Jenkins Pipeline Syntax helper to use a Connect server in a Freestyle job:
1. From the Freestyle job in Jenkins, go to the **Steps** section.
2. Set **1Password CLI path** to the location where you installed 1Password CLI. The example script uses `/usr/local/bin/op`.
3. Set **Connect Host** to the Connect server IP address or hostname.
4. Set **Connect Credential** to the Connect server token.
5. Select **Add a 1Password secret**.
6. Set the **Environment variable** for the secret.
7. Set **Secret reference**. Use [secret references](/cli/secret-reference-syntax/) to point to the 1Password secret.
8. Select **Generate Pipeline Script**.
# 1Password CLI
Source: https://www.1password.dev/cli
1Password CLI brings 1Password to your terminal. Sign in to 1Password CLI with your fingerprint, and securely access everything you need during development.
## Use cases
Inject secrets from 1Password anywhere you need them.
Use scripts to manage items and provision team members at scale.
Store API keys for your favorite CLIs in 1Password.
## Quick start
If you're installing 1Password CLI for the first time, [start here](/cli/get-started/).
## Guides
### Manage items and users
* [Create and retrieve items](/cli/item-create/).
* [Add and remove team members](/cli/provision-users/).
* [Manage your team members' vault permissions](/cli/grant-revoke-vault-permissions/).
* [Manage your team members' group permissions](/cli/reference/management-commands/group/).
### Provision secrets
* [Securely load environment variables from 1Password Environments into your applications](/cli/secrets-environment-variables/).
* [Access secrets in your code with secret references](/cli/secret-references/) instead of plaintext secrets. Secret references are replaced with the actual secrets they reference in 1Password at runtime.
* [Securely load secrets from the environment into your applications](/cli/secrets-environment-variables/) using secret references.
* [Securely inject secrets into configuration files](/cli/secrets-config-files/) using secret references.
### Authenticate with biometrics
* [Use shell plugins to securely authenticate third-party CLIs](/cli/shell-plugins/) with biometrics.
* [Build your own shell plugin](/cli/shell-plugins/contribute/) if the CLI you want to authenticate isn't already supported.
### Use 1Password CLI with other tools
* Use [1Password for VS Code](/vscode/) to bring 1Password CLI functionality to VS Code.
* Use [1Password Service Accounts](/service-accounts/get-started/#create-a-service-account) to limit the vaults 1Password CLI can access or run automated scripts if your personal account uses SSO or MFA.
* Use with [1Password Environments](/environments) to quickly load your project secrets from 1Password.
* Use a [1Password Connect Server](/connect/cli/) with 1Password CLI to securely access your items in your company's apps and cloud infrastructure using a private REST API.
* Use [1Password CI/CD Integrations](/ci-cd/) with 1Password CLI to allow jobs in your pipeline to securely access secrets stored in 1Password.
* Use the [1Password Events API](/events-api/generic-scripts#usage) with 1Password CLI to provision bearer tokens at runtime using [secret references](/cli/secret-references/).
## Reference documentation
* Read the full [command reference](/cli/reference/) to learn about all 1Password CLI commands and how they can be used.
* Learn about [CLI best practices](/cli/best-practices).
* Learn about the [1Password app integration](/cli/app-integration/).
* Learn about the [shell plugins security model](/cli/shell-plugins/security/).
# Use the 1Password desktop app to sign in to 1Password CLI
Source: https://www.1password.dev/cli/app-integration
You can use the [1Password desktop app](https://1password.com/downloads) integration to quickly and securely sign in to [1Password CLI](/cli/get-started/). The app integration allows you to:
* Seamlessly sign to the 1Password accounts you've added to the app in your terminal.
* Authenticate 1Password CLI the same way you unlock your device, like with your fingerprint, face, Apple Watch, Windows Hello PIN, or device user password.
* Track recent 1Password CLI activity from your 1Password app.
## Requirements
* [1Password subscription](https://1password.com/pricing/password-manager)
* [1Password for Mac](https://1password.com/downloads/mac)
* [1Password subscription](https://1password.com/pricing/password-manager)
* [1Password for Windows](https://1password.com/downloads/windows)
* [1Password subscription](https://1password.com/pricing/password-manager)
* [1Password for Linux](https://1password.com/downloads/linux)
* [PolKit](https://gitlab.freedesktop.org/polkit/polkit) (included in many popular distributions)
* A PolKit authentication agent running
## Set up the app integration
### Step 1: Turn on the app integration
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
4. Select **Integrate with 1Password CLI**.
5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app.
4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
5. Select **Integrate with 1Password CLI**.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Security](onepassword://settings/security)**.
4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**.
5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
6. Select **Integrate with 1Password CLI**.
### Step 2: Enter any command to sign in
After you've turned on the app integration, enter any command and you'll be prompted to authenticate. For example, run this command to see all the vaults in your account:
```shell theme={null}
op vault list
```
#### If you have multiple accounts
If you've added multiple 1Password accounts to your desktop app, you can use [`op signin`](/cli/reference/commands/signin/) to select an account to sign in to with 1Password CLI. Use the arrow keys to choose from the list of all accounts added to your 1Password app.
```shell highlight={2} theme={null}
op signin
#code-result
Select account [Use arrows to move, type to filter]
> ACME Corp (acme.1password.com)
AgileBits (agilebits.1password.com)
Add another account
```
You can also [select an account on a per-command basis using the `--account` flag](/cli/use-multiple-accounts/#specify-an-account-per-command-with-the-account-flag) with your account's sign-in address or ID.
```shell theme={null}
op vault ls --account my.1password.com
```
If you're signed in to multiple accounts in the app but only want to use a specific account with 1Password CLI, you can [set the `OP_ACCOUNT` environment variable](/cli/use-multiple-accounts/#set-an-account-with-the-op_account-environment-variable) to your account's sign-in address or ID.
### Optional: Remove previously added account details
Make sure you have access to your Secret Key and account password before removing account details from your configuration file.
If you previously [added an account to 1Password CLI manually](/cli/sign-in-manually/) and now want to exclusively use the 1Password app to sign in, you can remove your account details from your configuration file.
Your configuration file is in one of the following locations:
* `~/.op/config`
* `~/.config/op/config`
* `~/.config/.op/config`
Use the [account forget](/cli/reference/management-commands/account/#account-forget) command to remove all existing account information from your configuration file. This won't impact the accounts added to your 1Password app.
```shell theme={null}
op account forget --all
```
### Optional: Set the biometric unlock environment variable
You can use the `OP_BIOMETRIC_UNLOCK_ENABLED` environment variable to temporarily toggle the app integration on or off.
To turn on the integration:
To turn off the integration:
**Set a default account to use with the 1Password app integration** Beta
Run `op account use` to set a default 1Password account to use with the 1Password app integration in your current terminal session. 1Password CLI will prompt you to select an account.
```shell theme={null}
op account use --account my.1password.com
```
## Track 1Password CLI activity
You can track 1Password CLI activity authenticated with the 1Password app, including the command, when it was run, the application where it was run, and the name of the account accessed.
To see your 1Password CLI activity log:
1. Open and unlock the 1Password desktop app.
2. Select your account or collection at the top of the sidebar and choose **Settings** > [**Developer**](onepassword://settings/developers).
3. Turn on **Show 1Password Developer in Sidebar**.
4. Close the settings window, then select **Developer** in the sidebar.
5. Select **View CLI**.
You'll see a table with your recent 1Password CLI activity.
Learn more about [1Password Developer](https://support.1password.com/developer/).
## Troubleshooting
### If `op signin` doesn't list your account
`op signin` returns a list of all accounts you've added to the 1Password desktop app. To sign in to 1Password CLI with a new 1Password account, you'll need to [add the account to the app](https://support.1password.com/add-account/).
### If you see a connection error
If you see a `connectionreset` error, or an error that 1Password CLI couldn't connect to the 1Password desktop app, try the following:
Open **System Settings** > **General** > **Login Items** and make sure **Allow in background** is turned on for 1Password.
If you still see an error, try the following:
1. Make sure you're using the latest version of the 1Password desktop app.
2. Restart the app.
If you're using 1Password for Mac version 8.10.12 or earlier, the 1Password CLI binary must be located in the `/usr/local/bin/` directory.
1. Make sure you're using the latest version of the 1Password desktop app.
2. Restart the app.
1. Make sure you're using the latest version of the 1Password desktop app.
2. Restart the app.
If you see a `LostConnectionToApp` error when you try to authenticate:
Make sure the option to keep 1Password in the menu bar is turned on:
1. Open and unlock the 1Password desktop app.
2. Select your account or collection at the top of the sidebar.
3. Select **Settings** > **General**.
4. Make sure "Keep 1Password in the menu bar" is selected.
Make sure the option to keep 1Password in the notification area is turned on:
1. Open and unlock the 1Password desktop app.
2. Select your account or collection at the top of the sidebar.
3. Select **Settings** > **General**.
4. Make sure "Keep 1Password in the notification area" is selected.
Make sure the option to keep 1Password in the system tray is turned on:
1. Open and unlock the 1Password desktop app.
2. Select your account or collection at the top of the sidebar.
3. Select **Settings** > **General**.
4. Make sure "Keep 1Password in the system tray" is selected.
### If you aren't prompted to authenticate with your preferred method
If you've turned on the app integration, but aren't prompted to sign in to 1Password CLI with your expected authentication method:
Make sure you've set up [Touch ID](https://support.1password.com/touch-id-mac/) or an [Apple Watch](https://support.1password.com/apple-watch-mac/) to unlock 1Password on your Mac.
Make sure you've set up [Windows Hello](https://support.1password.com/windows-hello/) to unlock 1Password on your Windows PC.
1. Make sure you've set up [system authentication](https://support.1password.com/system-authentication-linux/) to unlock 1Password on your Linux computer.
2. Update the authentication method in your Linux settings to use a [fingerprint](https://help.ubuntu.com/stable/ubuntu-help/session-fingerprint.html.en) or other biometrics instead of your Linux user password.
## Learn more
* [Use multiple 1Password accounts with 1Password CLI](/cli/use-multiple-accounts/)
* [Add accounts to the 1Password app](https://support.1password.com/add-account/)
* [1Password app integration security](/cli/app-integration-security/)
# 1Password app integration security
Source: https://www.1password.dev/cli/app-integration-security
## Security model
[Integrating 1Password CLI with the 1Password app](/cli/app-integration/) allows you to use accounts you've added to the 1Password desktop app with 1Password CLI. Every time you use 1Password CLI in a new terminal window or tab, you'll be asked to authorize with biometrics. This authorization establishes a 10-minute session that automatically refreshes on each use.
1Password accounts can only be accessed through 1Password CLI after the user provides explicit biometric authorization and authorization is limited to an single account at a time. The user is shown a prompt containing the 1Password account display name (for example, `AgileBits` or `Wendy Appleseed's Family`) and the process being authorized (for example, `iTerm2` or `Terminal`). The user must confirm the prompt for 1Password CLI to be granted access to the requested account details.
Authorizing use of 1Password CLI while the 1Password app is locked will result in the 1Password app unlocking. When the 1Password app is locked, all prior authorization is revoked. Any new invocation of 1Password CLI will require new authorization. If a process is running at the moment authorization is revoked or expires, it will be able to finish its task and exit.
## Authorization model
Authorization in 1Password CLI occurs on a per-account basis. If you sign in to multiple accounts, each account must be authorized separately.
Authorization expires after 10 minutes of inactivity in the terminal session. There's a hard limit of 12 hours, after which you must reauthorize.
Each time you use a 1Password CLI command in a new terminal window or tab, you'll need to authorize your account again:
* On macOS and Linux, authorization is confined to a terminal session but extends to sub-shell processes in that window.
* On Windows, commands executed in a sub-shell require separate authorization.
## Accepted risks
* A user or application with root/administrator level privileges on the same system may be able to circumvent one or more security measures and could obtain access to 1Password accounts through 1Password CLI without authorization if (and only if) the 1Password app is unlocked.
* Applications that are granted accessibility permissions on macOS may be able to circumvent the authorization prompt.
## Technical design
### Session credentials
Session credentials are used to identify the terminal window or application where 1Password CLI is invoked. The goal is to restrict the granted authorization to a single terminal. If a user authorizes `account X` in one terminal window, using `account y` in another terminal window requires another approval from the user. These credentials don't consist of any sensitive or secret information.
The session credential for macOS is an ID that's based on the current `tty`, plus the start time. This way every session credential is unique, even after an ID gets reused.
The session credential for Linux is an ID that's based on the current `tty`, plus the start time. This way every session credential is unique, even after an ID gets reused.
The session credential for Windows is an ID that's based on the PID of the process that invokes 1Password CLI, plus the start time. This way every session credential is unique, even after an ID gets reused.
### How does 1Password CLI communicate with the 1Password app?
1Password CLI uses inter-process communication to reach out to the 1Password app to obtain access to the accounts stored in the app.
The NSXPCConnection XPC API is used for IPC. The 1Password app sets up a service (1Password Browser Helper) that acts as an XPC server. Both 1Password CLI and the 1Password app connect to this server. Authenticity of both is confirmed by verifying the code signature. The 1Password Browser Helper acts as a message relay between the 1Password app and 1Password CLI.
1Password CLI connects to a Unix socket opened by the 1Password app. The socket is owned by the current user/group, allowing any process started by this user to connect to it. 1Password CLI is owned by the onepassword-cli group and has the set-gid bit set on Linux. The 1Password app verifies the authenticity of 1Password CLI by checking if the GID of the process connecting on the unix socket is equal to that of the onepassword-cli group. If the GID doesn't match, the connection is reset before any messages are accepted.
1Password CLI connects to a named pipe opened by the 1Password app. The app verifies the authenticity of the process connecting on the named pipe by verifying the Authenticode signature of the process's executable. 1Password CLI verifies the 1Password app's authenticity in the same way.
### Authorization prompts
The user is prompted for authorization to confirm that they actually want to allow an account to be accessible through 1Password CLI.
On macOS the OS's default biometrics prompt is used to request authorization, if available. Either TouchID or an Apple Watch can be used to confirm this prompt. If biometrics are not available a prompt confirming the user's device password is used instead.
On Linux, PolKit is used to spawn a prompt that includes an authentication challenge for the user (commonly fingerprint or the user's OS password).
On Windows, Windows Hello is used to spawn a prompt that includes an authentication challenge for the user (commonly fingerprint, face, or the user's OS password). Without Windows Hello, biometrics cannot be used with 1Password CLI.
# 1Password CLI best practices
Source: https://www.1password.dev/cli/best-practices
1Password CLI brings 1Password to your terminal. The following are best practices we recommend when using 1Password CLI.
### Use the latest version of 1Password CLI
Practice good software update hygiene and regularly update to the [latest version of the 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2).
You can check for available updates with [`op update`](/cli/reference/commands/update).
### Apply the principle of least privilege to your infrastructure secrets
You can follow the [principle of least privilege ](https://csrc.nist.gov/glossary/term/least_privilege) with [1Password Service Accounts](/service-accounts), which support restricting 1Password CLI access to only the items required for a given purpose.
Use dedicated vaults with service accounts that are properly scoped for secrets management use cases. Do not grant access to more vaults than needed.
Learn more about [managing group and vault permissions using the principle of least privilege](https://support.1password.com/business-security-practices/#access-management-and-the-principle-of-least-privilege).
### Use template files when creating items that contain sensitive values
When creating items with [`op item create`](/cli/reference/management-commands/item#item-create) we recommend using a [JSON template](/cli/item-create#with-an-item-json-template) to enter any sensitive values.
# How 1Password CLI detects configuration directories
Source: https://www.1password.dev/cli/config-directories
1Password CLI configuration directories default to:
* `${XDG_CONFIG_HOME}/op` when `${XDG_CONFIG_HOME}` is set
* `~/.config/op` when `${XDG_CONFIG_HOME}` is not set
1Password CLI detects the configuration directory to read or write to in this order of precedence:
1. A directory specified with `--config`
2. A directory set with the `OP_CONFIG_DIR` environment variable.
3. `~/.op` (following [go-homedir ](https://github.com/mitchellh/go-homedir) to determine the home directory)
4. `${XDG_CONFIG_HOME}/.op`
5. `~/.config/op` (following [go-homedir ](https://github.com/mitchellh/go-homedir) to determine the home directory)
6. `${XDG_CONFIG_HOME}/op`
# Use with Connect
Source: https://www.1password.dev/cli/connect
# 1Password CLI environment variables
Source: https://www.1password.dev/cli/environment-variables
You can use the following environment variables with 1Password CLI:
| Environment variable | Description |
| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `OP_ACCOUNT` | Specifies a default 1Password account to execute commands. Accepts an [account sign-in address or ID](/cli/use-multiple-accounts/#find-an-account-sign-in-address-or-id). An account specified with the `--account` flag takes precedence. |
| `OP_BIOMETRIC_UNLOCK_ENABLED` | Toggles the [1Password app integration](/cli/app-integration#optional-set-the-biometric-unlock-environment-variable) on or off. Options: `true`, `false`. |
| `OP_CACHE` | Toggles the option to [store and use cached information](/cli/reference#cache-item-and-vault-information) on or off. Options: `true`, `false`. Default: `true`. |
| `OP_CONFIG_DIR` | Specifies a [configuration directory](/cli/config-directories) to read and write to. A directory specified with the `--config` flag takes precedence. |
| `OP_CONNECT_HOST` | Sets a [Connect server instance host URL](/connect/cli/) to use with 1Password CLI. |
| `OP_CONNECT_TOKEN` | Sets a [Connect server token](/connect/cli/) to use with 1Password CLI. |
| `OP_DEBUG` | Toggles debug mode on or off. Options: `true`, `false`. Default: `false`. |
| `OP_FORMAT` | Sets the output format for 1Password CLI commands. Options: `human-readable`, `json`. Default: `human-readable`. |
| `OP_INCLUDE_ARCHIVE` | Allows items in the archive to be retrieved with [`op item get`](/cli/reference/management-commands/item#item-get) and [`op document get`](/cli/reference/management-commands/document#document-get) commands. Options: `true`, `false`. Default: `false`. |
| `OP_ISO_TIMESTAMPS` | Toggles the option to format timestamps according to ISO 8601 and RFC 3339 standards on or off. Options: `true`, `false`. Default: `false`. |
| `OP_RUN_NO_MASKING` | Toggles masking off for the output of [`op run`](/cli/reference/commands/run). |
| `OP_SESSION` | Stores a session token when you [sign in to 1Password CLI manually](/cli/sign-in-manually). |
| `OP_SERVICE_ACCOUNT_TOKEN` | Configures 1Password CLI to [authenticate with a service account](/service-accounts/use-with-1password-cli). |
# Get started with 1Password CLI
Source: https://www.1password.dev/cli/get-started
1Password CLI brings 1Password to your terminal. Learn how to install the CLI, then integrate it with your 1Password app and sign in with Touch ID, Windows Hello, or another system authentication option.
## Step 1: Install 1Password CLI
* [1Password subscription](https://1password.com/pricing/password-manager)
* [1Password for Mac](https://1password.com/downloads/mac)\*
* macOS Big Sur 11.0.0 or later
Supported shells: Bash, Zsh, sh, fish
\*Required to integrate 1Password CLI with the 1Password app.
* [1Password subscription](https://1password.com/pricing/password-manager)
* [1Password for Windows](https://1password.com/downloads/windows)
Supported shells: PowerShell
* [1Password subscription](https://1password.com/pricing/password-manager)
* [1Password for Linux](https://1password.com/downloads/linux)\*
* [PolKit](https://github.com/polkit-org/polkit)\*
* A PolKit authentication agent running\*
Supported shells: Bash, Zsh, sh, fish
\*Required to integrate 1Password CLI with the 1Password app.
1. To install 1Password CLI with [homebrew](https://brew.sh/):
```shell theme={null}
brew install 1password-cli
```
2. Check that 1Password CLI installed successfully:
```shell theme={null}
op --version
```
The 1Password Homebrew cask is maintained by both Homebrew and 1Password developers in the open-source [Homebrew Cask repository. ](https://github.com/Homebrew/homebrew-cask) 1Password CLI downloads from our CDN on agilebits.net/.com domains.
To manually install 1Password CLI on macOS:
1. Download [the latest release of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2). Learn how to [verify its authenticity](/cli/verify/).
2. * **Package file**: Open `op.pkg` and install 1Password CLI in the default location (`usr/local/bin`).
* **ZIP file**: Open `op.zip` and unzip the file, then move `op` to `usr/local/bin`.
3. Check that 1Password CLI was installed successfully:
```shell theme={null}
op --version
```
1. To install 1Password CLI with winget:
```powershell theme={null}
winget install 1password-cli
```
2. Check that 1Password CLI installed successfully:
```powershell theme={null}
op --version
```
To manually install 1Password CLI on Windows:
1. Download [the latest release of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) and extract `op.exe`. Learn how to [verify its authenticity](/cli/verify/).
2. Open PowerShell **as an administrator**.
3. Create a folder to move `op.exe` into. For example, `C:\Program Files\1Password CLI`.
```powershell theme={null}
mkdir "C:\Program Files\1Password CLI"
```
4. Move the `op.exe` file to the new folder.
```powershell theme={null}
mv ".\op.exe" "C:\Program Files\1Password CLI"
```
5.
**Windows 10 and later**
Search for Advanced System Settings in the Start menu.
Select Environment Variables.
In the System Variables section, select the PATH environment variable and select Edit.
In the prompt, select New and add the directory where op.exe is located.
Sign out and back in to Windows for the change to take effect.
6. Check that 1Password CLI installed successfully:
```shell theme={null}
op --version
```
If you'd rather install 1Password CLI with a single block of commands, run the following in PowerShell as administrator:
```powershell theme={null}
$arch = (Get-CimInstance Win32_OperatingSystem).OSArchitecture
switch ($arch) {
'64-bit' { $opArch = 'amd64'; break }
'32-bit' { $opArch = '386'; break }
Default { Write-Error "Sorry, your operating system architecture '$arch' is unsupported" -ErrorAction Stop }
}
$installDir = Join-Path -Path $env:ProgramFiles -ChildPath '1Password CLI'
Invoke-WebRequest -Uri "https://cache.agilebits.com/dist/1P/op2/pkg/v2.33.1/op_windows_$($opArch)_v2.33.1.zip" -OutFile op.zip
Expand-Archive -Path op.zip -DestinationPath $installDir -Force
$envMachinePath = [System.Environment]::GetEnvironmentVariable('PATH','machine')
if ($envMachinePath -split ';' -notcontains $installDir){
[Environment]::SetEnvironmentVariable('PATH', "$envMachinePath;$installDir", 'Machine')
}
Remove-Item -Path op.zip
```
If your Windows operating system uses a language other than English, you'll need to manually set \$arch in the first line. To do this, replace \$arch = (Get-CimInstance Win32\_OperatingSystem).OSArchitecture with \$arch = "64-bit" or \$arch = "32-bit".
To install 1Password CLI using APT on Debian- and Ubuntu-based distributions:
1. Run the following command:
```shell theme={null}
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg && \
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | \
sudo tee /etc/apt/sources.list.d/1password.list && \
sudo mkdir -p /etc/debsig/policies/AC2D62742012EA22/ && \
curl -sS https://downloads.1password.com/linux/debian/debsig/1password.pol | \
sudo tee /etc/debsig/policies/AC2D62742012EA22/1password.pol && \
sudo mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22 && \
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
sudo gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg && \
sudo apt update && sudo apt install 1password-cli
```
1. Add the key for the 1Password `apt` repository:
```shell theme={null}
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg
```
2. Add the 1Password `apt` repository:
```shell theme={null}
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" |
sudo tee /etc/apt/sources.list.d/1password.list
```
3. Add the debsig-verify policy:
```shell theme={null}
sudo mkdir -p /etc/debsig/policies/AC2D62742012EA22/
curl -sS https://downloads.1password.com/linux/debian/debsig/1password.pol | \
sudo tee /etc/debsig/policies/AC2D62742012EA22/1password.pol && \
sudo mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22 && \
curl -sS https://downloads.1password.com/linux/keys/1password.asc | \
sudo gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg
```
4. Install 1Password CLI:
```shell theme={null}
sudo apt update && sudo apt install 1password-cli
```
2. Check that 1Password CLI installed successfully:
```shell theme={null}
op --version
```
Alternatively, download the latest 1Password CLI `.deb` package directly from one of the following links:
* [amd64](https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb)
* [386](https://downloads.1password.com/linux/debian/386/stable/1password-cli-386-latest.deb)
* [arm](https://downloads.1password.com/linux/debian/arm/stable/1password-cli-arm-latest.deb)
* [arm64](https://downloads.1password.com/linux/debian/arm64/stable/1password-cli-arm64-latest.deb)
To install 1Password CLI using YUM on RPM-based distributions:
1. Run the following commands:
```shell theme={null}
sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc
sudo sh -c 'echo -e "[1password]\nname=1Password Stable Channel\nbaseurl=https://downloads.1password.com/linux/rpm/stable/\$basearch\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=\"https://downloads.1password.com/linux/keys/1password.asc\"" > /etc/yum.repos.d/1password.repo'
sudo dnf check-update -y 1password-cli && sudo dnf install 1password-cli
```
1. Import the public key:
```shell theme={null}
sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc
```
2. Configure the repository information:
```shell theme={null}
sudo sh -c 'echo -e "[1password]\nname=1Password Stable Channel\nbaseurl=https://downloads.1password.com/linux/rpm/stable/\$basearch\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=\"https://downloads.1password.com/linux/keys/1password.asc\"" > /etc/yum.repos.d/1password.repo'
```
3. Install 1Password CLI:
```shell theme={null}
sudo dnf check-update -y 1password-cli && sudo dnf install 1password-cli
```
2. Check that 1Password CLI installed successfully:
```shell theme={null}
op --version
```
Alternatively, download the latest 1Password CLI `.rpm` package directly from one of the following links:
* [x86\_64](https://downloads.1password.com/linux/rpm/stable/x86_64/1password-cli-latest.x86_64.rpm)
* [i386](https://downloads.1password.com/linux/rpm/stable/i386/1password-cli-latest.i386.rpm)
* [aarch64](https://downloads.1password.com/linux/rpm/stable/aarch64/1password-cli-latest.aarch64.rpm)
* [armv7l](https://downloads.1password.com/linux/rpm/stable/armv7l/1password-cli-latest.armv7l.rpm)
To install 1Password CLI on Alpine x86\_64 distributions:
1. Run the following commands:
```shell theme={null}
echo https://downloads.1password.com/linux/alpinelinux/stable/ >> /etc/apk/repositories
wget https://downloads.1password.com/linux/keys/alpinelinux/support@1password.com-61ddfc31.rsa.pub -P /etc/apk/keys
apk update && apk add 1password-cli
```
1. Add Password CLI to your list of repositories:
```shell theme={null}
echo https://downloads.1password.com/linux/alpinelinux/stable/ >> /etc/apk/repositories
```
2. Add the public key to validate the APK to your keys directory:
```shell theme={null}
wget https://downloads.1password.com/linux/keys/alpinelinux/support@1password.com-61ddfc31.rsa.pub -P /etc/apk/keys
```
3. Install 1Password CLI:
```shell theme={null}
apk update && apk add 1password-cli
```
2. Check that 1Password CLI installed successfully:
```shell theme={null}
op --version
```
The Nix package is available from the NixOS open source community.
To install 1Password CLI on your NixOS system:
1. Add 1Password to your `/etc/nixos/configuration.nix` file, or `flake.nix` if you're using a flake. For example, the following snippet includes 1Password CLI and the 1Password app:
```nix theme={null}
# NixOS has built-in modules to enable 1Password
# along with some pre-packaged configuration to make
# it work nicely. You can search what options exist
# in NixOS at https://search.nixos.org/options
# Enables the 1Password CLI
programs._1password = { enable = true; };
# Enables the 1Password desktop app
programs._1password-gui = {
enable = true;
# this makes system auth etc. work properly
polkitPolicyOwners = [ "" ];
};
```
2. After you make changes to your configuration file, apply them:
* If you added 1Password to `/etc.nixos/configuration.nix`, run:
```shell theme={null}
sudo nixos-rebuild switch
```
* If you added 1Password to `flake.nix`, replace `` with the directory your flake is in and `` with the name of the flake output containing your system configuration, then run the command.
```shell theme={null}
sudo nixos-rebuild switch --flake .#
```
3. Check that 1Password CLI installed successfully:
```shell theme={null}
op --version
```
Learn more about [using 1Password on NixOS. ](https://nixos.wiki/wiki/1Password)
To install 1Password CLI on Linux without a package manager:
```shell theme={null}
ARCH="" && \
wget "https://cache.agilebits.com/dist/1P/op2/pkg/v2.33.1/op_linux_${ARCH}_v2.33.1.zip" -O op.zip && \
unzip -d op op.zip && \
sudo mv op/op /usr/local/bin/ && \
rm -r op.zip op && \
sudo groupadd -f onepassword-cli && \
sudo chgrp onepassword-cli /usr/local/bin/op && \
sudo chmod g+s /usr/local/bin/op
```
1. Download the [latest release of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) and extract it. To verify its authenticity:
```shell theme={null}
gpg --keyserver keyserver.ubuntu.com --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg --verify op.sig op
```
2. Move `op` to `/usr/local/bin`, or another directory in your `$PATH`.
3. Check that 1Password CLI installed successfully:
```shell theme={null}
op --version
```
4. Create the `onepassword-cli` group if it doesn't yet exist:
```shell theme={null}
sudo groupadd onepassword-cli
```
5. Set the correct permissions on the `op` binary:
```shell theme={null}
sudo chgrp onepassword-cli /usr/local/bin/op && \
sudo chmod g+s /usr/local/bin/op
```
## Step 2: Turn on the 1Password desktop app integration
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
4. Select **Integrate with 1Password CLI**.
5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app.
4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
5. Select **Integrate with 1Password CLI**.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Security](onepassword://settings/security)**.
4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**.
5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
6. Select **Integrate with 1Password CLI**.
[Learn more about the 1Password desktop app integration.](/cli/app-integration/)
## Step 3: Enter any command to sign in
After you've turned on the app integration, enter any command and you'll be prompted to authenticate. For example, run this command to see all the vaults in your account:
```shell theme={null}
op vault list
```
#### If you have multiple accounts
If you've added multiple 1Password accounts to your desktop app, you can use [`op signin`](/cli/reference/commands/signin/) to select an account to sign in to with 1Password CLI. Use the arrow keys to choose from the list of all accounts added to your 1Password app.
```shell highlight={2} theme={null}
op signin
#code-result
Select account [Use arrows to move, type to filter]
> ACME Corp (acme.1password.com)
AgileBits (agilebits.1password.com)
Add another account
```
[Learn more about using multiple accounts with 1Password CLI.](/cli/use-multiple-accounts/)
## Next steps
1. [Get started with basic 1Password CLI commands.](/cli/reference/)
2. [Set up 1Password Shell Plugins to handle authentication for your other command-line tools.](/cli/shell-plugins/)
3. [Learn how to securely load secrets from your 1Password account without putting any plaintext secrets in code.](/cli/secret-references/)
## Learn more
* [1Password app integration troubleshooting](/cli/app-integration/#troubleshooting)
* [1Password app integration security](/cli/app-integration-security/)
* [How 1Password CLI detects configuration directories](/cli/config-directories)
# Grant and revoke vault permissions
Source: https://www.1password.dev/cli/grant-revoke-vault-permissions
With 1Password CLI, you can manage the permissions each [user](/cli/reference/management-commands/vault/#vault-user) or [group](/cli/reference/management-commands/vault/#vault-group) has in each vault, so that everyone has access to the items they need.
Some permissions require [dependent permissions](/cli/vault-permissions/). On interactive shells, you can specify any permission, and 1Password CLI will ask you whether you want to add or revoke dependent permissions. If you're using scripts, or your shell isn't interactive, you must [include dependent permissions](#scripting) in the command.
[Learn what permissions are available for your account type.](/cli/vault-permissions/)
## Requirements
Before you can use 1Password CLI to , you'll need to:
* Sign up for 1Password
* Install 1Password CLI
You can manage vault permissions if you're an owner, administrator, or if you have the `manage_vault` permission in a vault.
## Grant permissions in vaults
### Users
Use [`op vault user grant`](/cli/reference/management-commands/vault/#vault-user-grant) to grant a user permissions in a vault.
For example, to grant the user Wendy Appleseed permission to edit items and manage vault permissions in the Prod vault:
```shell theme={null}
op vault user grant --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_editing,allow_managing
```
If the permissions you want to grant require dependent permissions to be granted alongside them, 1Password CLI will prompt you to grant those permissions:
```
In order to grant [allow_editing,allow_managing], the permission(s) [allow_viewing] are also required.
Would you like to grant them as well? [Y/n]
```
To confirm which users have access to a vault and their current permissions:
```shell theme={null}
op vault user list
```
### Groups
Use [`op vault group grant`](/cli/reference/management-commands/vault/#vault-group-grant) to grant a group permissions in a vault.
For example, to grant the group IT permission to edit items and manage vault permissions in the Prod vault:
```shell theme={null}
op vault group grant --group "IT" --vault Prod --permissions allow_editing,allow_managing
```
If the permissions you want to grant require dependent permissions to be granted alongside them, 1Password CLI will prompt you to grant those permissions:
```
In order to grant [allow_editing,allow_managing], the permission(s) [allow_viewing] are also required.
Would you like to grant them as well? [Y/n]
```
To confirm which groups have access to a vault and their current permissions:
```shell theme={null}
op vault group list
```
## Revoke permissions in vaults
### Users
Use [`op vault user revoke`](/cli/reference/management-commands/vault/#vault-user-revoke) to revoke a user's permissions in a vault.
For example, to revoke the user Wendy Appleseed's permission to view items in the Prod vault:
```shell theme={null}
op vault user revoke --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_viewing
```
If the permission you want to revoke requires dependent permissions to be revoked alongside it, 1Password CLI will prompt you to revoke those permissions:
```
In order to revoke [allow_viewing], the permission(s) [allow_editing,allow_managing] are also required.
Would you like to revoke them as well? [Y/n]
```
To confirm that the user's permissions have been revoked:
```shell theme={null}
op vault user list
```
### Groups
Use [`op vault group revoke`](/cli/reference/management-commands/vault/#vault-group-grant) to revoke a group's permissions in a vault.
For example, to revoke the group IT's permission to view items in the Prod vault:
```shell theme={null}
op vault group revoke --group "IT" --vault Prod --permissions allow_viewing
```
If the permission you want to revoke requires dependent permissions to be revoked alongside it, 1Password CLI will prompt you to revoke those permissions:
```
In order to revoke [allow_viewing], the permission(s) [allow_editing,allow_managing] are also required.
Would you like to revoke them as well? [Y/n]
```
To confirm the group's permissions have been revoked:
```shell theme={null}
op vault group list
```
## Scripting
If you're using scripts to grant and revoke vault permissions, or if your shell isn't interactive, you'll need to include the `--no-input` flag and specify all [dependent permissions](/cli/vault-permissions/) in a comma-separated list after the `--permissions` flag.
For example, the `allow_managing` permission requires the `allow_editing` and `allow_viewing` permission. To grant the user Wendy Appleseed permission to manage vault permissions in the Prod vault:
```shell theme={null}
op vault user grant --no-input --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_managing,allow_editing,allow_viewing
```
To revoke `allow_editing` from a group that currently also has `allow_managing` granted in a vault:
```shell theme={null}
op vault group revoke --no-input --group "IT" --vault Prod --permissions allow_managing,allow_editing
```
## Learn more
* [Vault permission dependencies](/cli/vault-permissions/)
# Install 1Password CLI on a server
Source: https://www.1password.dev/cli/install-server
There are several different ways to install 1Password CLI on a server.
To install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) on a Linux `amd64` host, you can use this one-line command:
```shell theme={null}
ARCH="amd64"; \
OP_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"; \
curl -sSfo op.zip \
https://cache.agilebits.com/dist/1P/op2/pkg/"$OP_VERSION"/op_linux_"$ARCH"_"$OP_VERSION".zip \
&& unzip -od /usr/local/bin/ op.zip \
&& rm op.zip
```
To install with Docker, you can use the [1Password CLI 2 Docker image](https://hub.docker.com/r/1password/op/tags):
```shell theme={null}
docker pull 1password/op:2
```
If you want to add the CLI installation to your Dockerfile, then add this line:
```docker Dockerfile theme={null}
COPY --from=1password/op:2 /usr/local/bin/op /usr/local/bin/op
```
## Learn more
* [Install 1Password CLI on your machine](/cli/get-started/#step-1-install-1password-cli)
# Create items
Source: https://www.1password.dev/cli/item-create
To create a new item in your 1Password account and assign information to it, use the [`op item create`](/cli/reference/management-commands/item/#item-create) command.
You can [specify basic information about the item](#create-an-item) with flags and use assignment statements to [assign built-in and custom fields](#create-a-customized-item). To assign sensitive values, [use a JSON template](#with-an-item-json-template).
## Requirements
Before you can use 1Password CLI to create items, you'll need to:
* [Sign up for 1Password](https://1password.com/pricing/password-manager)
* [Install 1Password CLI](/cli/get-started/#step-1-install-1password-cli)
**Follow along**
If you want to follow along with the examples in this guide, [sign in to your account](/cli/get-started/#step-3-enter-any-command-to-sign-in) then create a new vault named `Tutorial` where the example items will be saved:
```shell theme={null}
op vault create Tutorial
```
## Create an item
To create a new item, use [`op item create`](/cli/reference/management-commands/item/#item-create) and specify basic information about the item with flags.
For example, to create a Login item named `Netflix` in the `Tutorial` vault:
```shell theme={null}
op item create \
--category login \
--title "Netflix" \
--vault Tutorial \
--url 'https://www.netflix.com/login' \
--generate-password='letters,digits,symbols,32' \
--tags tutorial,entertainment
```
```powershell theme={null}
op item create `
--category login `
--title "Netflix" `
--vault Tutorial `
--url 'https://www.netflix.com/login' `
--generate-password='letters,digits,symbols,32' `
--tags tutorial,entertainment
```
Here's what each of the above flags does:
`--category` Sets the item category, in this case a Login item. Use op item template list to get a list of available categories. The category value is case-insensitive and ignores whitespace characters. For example, the Social Security Number category can also be specified as socialsecuritynumber.
`--title` Gives the item a name so that you can easily identify it. If unspecified, 1Password CLI selects a default name. For example, Untitled Login item.
`--vault` Specifies which vault the item should be created in. If unspecified, the item will be created in your built-in Personal, Private, or Employee vault. The name of this vault varies depending on your account type.
`--url` Sets the website where 1Password suggests and fills a Login, Password, or API Credential item.
`--generate-password` Generates a strong password for Login and Password category items. You can specify a password recipe, as shown in the example. If left unspecified, a default recipe will be used to generate a 32-character password consisting of letters, digits, and symbols.
`--tags` Adds tags to the item using a comma-separated list.
## Create a customized item
Each item category has its own set of built-in fields that you can use to save more information to the item. You can also create custom fields to save additional details about the item.
Learn more about [built-in and custom fields](/cli/item-fields/).
You can assign built-in and custom fields to your item in two ways:
* [With assignment statements](#with-assignment-statements)
* [With an item JSON template](#with-an-item-json-template)
### With assignment statements
Command arguments can be visible to other processes on your machine. If you're assigning sensitive values, use [an item JSON template](#with-an-item-json-template) instead.
The [`op item create`](/cli/reference/management-commands/item/#item-create) command can take a list of assignment statements as arguments to create fields on an item.
Assignment statements are formatted like this:
```shell theme={null}
[.][[]]=
```
* `section` (Optional) The name of the section where you want to create the field.
* `field` The name of the field you want to create.
* `fieldType` The type of field you want to create. If unspecified, fieldType will default to password.
* `value` The information you want to save in the field.
For built-in fields, the `field` name should match the [built-in field `id`](/cli/item-fields/#built-in-fields) in the item category template. Don't include a `fieldType` for built-in fields.
For custom fields, the `fieldType` should match the [custom field `type`](/cli/item-fields/#custom-fields) you want to create. The `field` name can be anything you want.
If you need to use periods, equal signs, or backslashes in the name of a section or field, use a backslash character to escape them. Don't use backslashes to escape the `value`.
Here's an example of an assignment statement for the built-in field `username` on a Login item, set to `john.doe@acme.org`:
```shell theme={null}
'username=john.doe@acme.org'
```
And here's an example of an assignment statement for a custom field type titled `date`, which is set to `2022-12-31`, in a field named `Renewal Date` within a section titled `Subscription Info`:
```shell theme={null}
'Subscription Info.Renewal Date[date]=2022-12-31'
```
To add both of the above assignment statements to a new item, `HBO Max`, in the `Tutorial` vault:
```shell theme={null}
op item create \
--category login \
--title "HBO Max" \
--vault Tutorial \
--url 'https://www.hbomax.com' \
--generate-password='letters,digits,symbols,32' \
--tags tutorial,entertainment \
'username=john.doe@acme.org' \
'Subscription Info.Renewal Date[date]=2022-12-31'
```
```powershell theme={null}
op item create `
--category login `
--title "HBO Max" `
--vault Tutorial `
--url 'https://www.hbomax.com' `
--generate-password='letters,digits,symbols,32' `
--tags tutorial,entertainment `
'username=john.doe@acme.org' `
'Subscription Info.Renewal Date[date]=2022-12-31'
```
### With an item JSON template
To assign sensitive values, fill out an item JSON template for the category of item you want to create. If you combine field assignment statements with a template, the assignment statements overwrite the template's values.
To see a list of available templates, run [`op item template list`](/cli/reference/management-commands/item#item-template-list). To get a template for a category, run [`op item template get `](/cli/reference/management-commands/item#item-template-get).
For example, to create a new Login item using a template:
1. Get the template for a Login item and save it in your current directory:
```shell theme={null}
op item template get --out-file=login.json "Login"
```
2. Edit [the template file](/cli/item-template-json/) to add your information.
3. Create the item using the `--template` flag to specify the path to the template file:
```shell theme={null}
op item create --template=login.json
```
This example template file creates a Login item named `Hulu` in a vault [specified by its ID](/cli/reference/#unique-identifiers-ids). It specifies values for built-in `username`, `password`, and `notesPlain` fields. It also adds a custom `date` field.
```json login.json theme={null}
{
"title": "Hulu",
"vault": {
"id": "sor33rgjjcg2xykftymcmqm5am"
},
"category": "LOGIN",
"fields": [
{
"id": "username",
"type": "STRING",
"purpose": "USERNAME",
"label": "username",
"value": "wendy.appleseed@gmail.com"
},
{
"id": "password",
"type": "CONCEALED",
"purpose": "PASSWORD",
"label": "password",
"password_details": {
"strength": ""
},
"value": "Dp2WxXfwN7VFJojENfEHLEBJmAGAxup@"
},
{
"id": "notesPlain",
"type": "STRING",
"purpose": "NOTES",
"label": "notesPlain",
"value": "This is Wendy's Hulu account."
},
{
"id": "date",
"type": "date",
"label": "Subscription renewal date",
"value": "2023-04-05"
}
]
}
```
4. Delete the edited template file from your computer.
You can also create an item from standard input using a template:
```shell theme={null}
op item template get Login | op item create --vault Tutorial -
```
## Create an item from an existing item
You can create a new item from an existing item by piping the item JSON from standard input.
For example, to create a new item based on the `HBO Max` item you created in the assignment statement section, with a new title, username, and password:
```shell theme={null}
op item get "HBO Max" --format json | op item create --vault Tutorial --title "Wendy's HBO Max" - 'username=wendy.appleseed@acme.org' 'password=Dp2WxXfwN7VFJojENfEHLEBJmAGAxup@'
```
## Add a one-time password to an item
You can attach a [one-time password](https://support.1password.com/one-time-passwords/) to an item using a custom field [assignment statement](#with-assignment-statements). The `fieldType` should be `otp` and the `value` should be the [otpauth:// URI](https://github.com/google/google-authenticator/wiki/Key-Uri-Format) for the one-time password.
```shell theme={null}
op item create \
--category login \
--title='My OTP Example' \
--vault Tutorial \
--url 'https://www.acme.com/login' \
--generate-password='letters,digits,symbols,32' \
--tags tutorial,entertainment \
'Test Section 1.Test Field3[otp]=otpauth://totp/:?secret=&issuer='
```
```powershell theme={null}
op item create `
--category login `
--title='My OTP Example' `
--vault Tutorial `
--url 'https://www.acme.com/login' `
--generate-password='letters,digits,symbols,32' `
--tags tutorial,entertainment `
'Test Section 1.Test Field3[otp]=otpauth://totp/:?secret=&issuer='
```
## Attach a file to an item
You can attach a file to an item using a custom field [assignment statement](#with-assignment-statements). The `field` should be the name the file will have in 1Password, the `fieldType` should be `file`, and the `value` should be the path to the file.
```shell theme={null}
myFileName[file]=/path/to/your/file
```
The file in the above example will be named `myFileName`. To preserve the original file name, you can omit the `field`:
```shell theme={null}
[file]=/path/to/your/file
```
Here's what an example `PlayStation Store` login would look like with the file `/wendyappleseed/documents/receipt.png` attached, named `JanuaryReceipt`.
```shell theme={null}
op item create \
--category login \
--title "PlayStation Store" \
--vault Tutorial \
--url 'https://store.playstation.com/' \
--generate-password='letters,digits,symbols,32' \
--tags tutorial,entertainment \
'JanuaryReceipt[file]=/wendyappleseed/documents/receipt.png'
```
```powershell theme={null}
op item create `
--category login `
--title "PlayStation Store" `
--vault Tutorial `
--url 'https://store.playstation.com/' `
--generate-password='letters,digits,symbols,32' `
--tags tutorial,entertainment `
'JanuaryReceipt[file]=/wendyappleseed/documents/receipt.png'
```
## Next steps
If you want to continue learning about item management, keep the example items you created and move on to the [edit items](/cli/item-edit) tutorial.
If you created a Tutorial vault and don't want to continue on, you can delete the vault and the examples items you created by running:
```shell theme={null}
op vault delete "Tutorial"
```
## Learn more
* [`op item create` reference documentation](/cli/reference/management-commands/item#item-create)
* [Built-in and custom item fields](/cli/item-fields)
* [Item JSON template](/cli/item-template-json)
# Edit items
Source: https://www.1password.dev/cli/item-edit
To edit an existing item in your 1Password account, use the [`op item edit`](/cli/reference/management-commands/item#item-edit) command.
You can [edit basic information about the item](#edit-an-item’s-basic-information) with flags and use assignment statements to [edit an item's built-in and custom fields](#edit-built-in-and-custom-fields). To edit sensitive values, [use a JSON template](#edit-an-item-using-a-json-template).
You can't use op item edit to edit SSH keys. Learn more about managing SSH keys with 1Password CLI.
## Requirements
Before you can use 1Password CLI to edit items, you'll need to:
* [Sign up for 1Password](https://1password.com/pricing/password-manager)
* [Install 1Password CLI](/cli/get-started#step-1-install-1password-cli)
**Follow along**
If you want to follow along with the examples in this guide, [create the example items in the guide to creating items](/cli/item-create) first.
## Edit an item's basic information
To edit an item, use [`op item edit`](/cli/reference/management-commands/item#item-edit) and specify the item by name, [unique identifier (ID)](/cli/reference#unique-identifiers-ids), or sharing link.
You can use flags to generate a new password and edit an item's title, vault, or tags. You can also change the website where 1Password suggests and fills a Login, Password, or API Credential item.
For example, to change the name of the example item `Netflix`, move it from the `Tutorial` vault to the `Private` vault, update its tags, edit its website, and generate a new random password:
```shell theme={null}
op item edit "Netflix" \
--title "Edited Netflix" \
--vault Private \
--tags tutorial \
--url https://www.netflix.com \
--generate-password='letters,digits,symbols,32'
```
```powershell theme={null}
op item edit "Netflix" `
--title "Edited Netflix" `
--vault Private `
--tags tutorial `
--url https://www.netflix.com `
--generate-password='letters,digits,symbols,32'
```
To change the example item name back to `Netflix` and move it back to the `Tutorial` vault:
```shell theme={null}
op item edit "Edited Netflix" \
--title "Netflix" \
--vault Tutorial
```
```powershell theme={null}
op item edit "Edited Netflix" `
--title "Netflix" `
--vault Tutorial
```
## Edit built-in and custom fields
Command arguments can be visible to other processes on your machine. To edit sensitive values, use [an item JSON template](#edit-an-item-using-a-json-template) instead.
The `op item edit` command can take a list of assignment statements as arguments to edit an item's [built-in and custom fields](/cli/item-fields).
```shell theme={null}
[.][[]]=
```
* `section` (Optional) The name of the section where the field is saved.
* `field` The name of the field.
* `fieldType` The type of field. If unspecified, the fieldType stays the same.
* `value` The information you want to save in the field. If unspecified, the value stays the same.
For example, to change the subscription renewal date on the `HBO Max` item:
```shell theme={null}
op item edit "HBO Max" \
'Renewal Date=2023-5-15'
```
```powershell theme={null}
op item edit "HBO Max" `
'Renewal Date=2023-5-15'
```
### Delete a custom field
To delete a custom field, specify `[delete]` in place of the fieldType. If you remove all the fields in a section, the section is also removed. You can't delete empty fields, but you can set them to empty strings.
To use an assignment statement to delete the subscription renewal date on the example `HBO Max` item:
```shell theme={null}
op item edit "HBO Max" \
'Renewal Date[delete]=2023-5-15'
```
```powershell theme={null}
op item edit "HBO Max" `
'Renewal Date[delete]=2023-5-15'
```
## Edit an item using a JSON template
JSON item templates do not support passkeys. If you use a JSON template to update an item that contains a passkey, the passkey will be overwritten. To fix this, you can [restore a previous version of the item](https://support.1password.com/item-history/).
To edit sensitive values on an item, use an [item JSON template](/cli/item-template-json).
1. Get the JSON output for the item you want to edit and save it to a file.
```shell theme={null}
op item get --format json > newItem.json
```
If you prefer to start over, you can get a blank template for the item's category with op item template get.
2. Edit the file.
3. Use the `--template` flag to specify the path to the edited file and apply the changes to the item:
```shell theme={null}
op item edit --template=newItem.json
```
4. Delete the file.
You can also edit an item using piped input:
```shell theme={null}
cat newItem.json | op item edit
```
To avoid collisions, you can't combine piped input and the `--template` flag in the same command.
## Next steps
If you created a Tutorial vault, you can delete the vault and the examples items you created:
```shell theme={null}
op vault delete "Tutorial"
```
## Learn more
* [`op item` reference documentation](/cli/reference/management-commands/item)
* [Built-in and custom item fields](/cli/item-fields)
* [Item JSON template](/cli/item-template-json)
# Item fields
Source: https://www.1password.dev/cli/item-fields
When you [use 1Password CLI to create items](/cli/item-create/), you can customize your items with [built-in](#built-in-fields) and [custom](#custom-fields) fields.
Learn how to [add built-in and custom fields to your items](/cli/item-create/#create-a-customized-item) with either assignment statements or a JSON template.
## Built-in fields
Each item category includes a set of default fields, some of which may be specific to the category. You can identify available built-in fields by looking at the [JSON template](/cli/item-template-json/) for the item category:
```
op item template get
```
* API Credential
* Bank Account
* Credit Card
* Crypto Wallet
* Database
* Document
* Driver License
* Email Account
* Identity
* Login
* Medical Record
* Membership
* Outdoor License
* Passport
* Password
* Reward Program
* Secure Note
* Server
* Social Security Number
* Software License
* SSH Key
* Wireless Router
For example, the built-in fields available on a Login item are `username`, `password`, and `notesPlain`.
```shell highlight={6,13,23} theme={null}
{
"title": "",
"category": "LOGIN",
"fields": [
{
"id": "username",
"type": "STRING",
"purpose": "USERNAME",
"label": "username",
"value": ""
},
{
"id": "password",
"type": "CONCEALED",
"purpose": "PASSWORD",
"label": "password",
"password_details": {
"strength": "TERRIBLE"
},
"value": ""
},
{
"id": "notesPlain",
"type": "STRING",
"purpose": "NOTES",
"label": "notesPlain",
"value": ""
}
]
}
```
When you use [assignment statements](/cli/item-create/#with-assignment-statements) to assign built-in fields, use the `id` from the JSON template as the `field` in the assignment statement. Don't include a fieldType for built-in fields.
For example, to add a note to a Login item using an assignment statement:
```shell theme={null}
'notesPlain=This is a note.'
```
## Custom fields
Custom fields can be added to any item, regardless of the item's category. Use the `fieldType` with [assignment statements](/cli/item-create/#with-assignment-statements) and the `type` with an [item JSON template](/cli/item-create/#with-an-item-json-template). Available custom field types are:
| `fieldType` | `type` | description |
| ----------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `password` | `CONCEALED` | A concealed password. |
| `text` | `STRING` | A text string. |
| `email` | `EMAIL` | An email address. |
| `url` | `URL` | A web address to copy or open in your default web browser, not used for autofill behavior. Use the `--url` flag to set the website where 1Password suggests and fills a Login, Password, or API Credential item. |
| `date` | `DATE` | A date with the format YYYY-MM-DD. |
| `monthYear` | `MONTH_YEAR` | A date with the format YYYYMM or YYYY/MM. |
| `phone` | `PHONE` | A phone number. |
| `otp` | `OTP` | A one-time password. Accepts an [otpauth:// URI](https://github.com/google/google-authenticator/wiki/Key-Uri-Format) as the value. |
| `file` | N/A | A file attachment. Accepts the path to the file as the value. Can only be added with [assignment statements](/cli/item-create/#with-assignment-statements). |
## Learn more
* [`op item` reference documentation](/cli/reference/management-commands/item/)
* [Create an item](/cli/item-create/)
* [Item JSON template](/cli/item-template-json/)
# Item JSON template
Source: https://www.1password.dev/cli/item-template-json
1Password CLI supports item JSON templates that you can use to take control of how you create items in 1Password. Item JSON templates allow you to [create an item with all of its details specified](/cli/item-create/#with-an-item-json-template), including custom sections and fields.
Item templates are formatted similarly to the JSON output for [`op item get`](/cli/reference/management-commands/item/#item-get), so you can easily create new items based on existing items.
Each item category has its own template. You can get a list of all item categories with [`op item template list`](/cli/reference/management-commands/item/#item-template-list). And you can retrieve the template for an item category with [`op item template get `](/cli/reference/management-commands/item/#item-template-get).
## Item template keys
Item JSON templates have common language keys that allow you to identify how the fields in the template correspond to the item in 1Password.
```json theme={null}
{
"title": " ",
"category": " ",
"sections": [
{
"id": " ",
"label": " "
},
],
"fields": [
{
"id": " ",
"section": {
"id": " "
},
"type": " ",
"label": " ",
"value": " "
}
]
}
```
**Item**
| Name | Description |
| ---------- | -------------------------------------------- |
| `title` | The name of the item displayed in 1Password. |
| `category` | The item's category. |
**Section**
| Name | Description |
| ------- | ------------------------------------------------------------------------------------------ |
| `id` | The identifier for the section. If the item has multiple sections, each ID must be unique. |
| `label` | The name of the section displayed in 1Password. |
To add a custom section, insert a section JSON object into the `sections` array.
```json theme={null}
{
"id": " ",
"label": " "
}
```
**Field**
| Name | Description |
| ------------ | ------------------------------------------------------------------------------------------------------------- |
| `id` | The field's ID. Each ID should be unique. If left empty, 1Password will generate a random ID. |
| `section id` | The ID of the section where the field is located. Only required if located in a custom section. |
| `type` | The field's type. [Learn more about custom field types.](/cli/item-fields/#custom-fields) |
| `label` | The name of the field displayed in 1Password. |
| `value` | The information saved in the field. Depending on its type, it can be a string, a secret, a number, or a date. |
To add a custom field to the template, insert a new field JSON object into the `fields` array.
```json theme={null}
{
"id": " ",
"section": {
"id": " "
},
"type": " ",
"label": " ",
"value": " "
}
```
## Example JSON representation
This is an item `mysql` in the 1Password app, and the same item represented in an item JSON template.
```json theme={null}
{
"id": "4l3udxihvvuhszh2kxyjbblxl4",
"title": "mysql",
"version": 3,
"vault": {
"id": "uteieiwkhgv6hau7xkorejyvru"
},
"category": "DATABASE",
"last_edited_by": "IU2OKUBKAFGQPFPFZEG7X3NQ4U",
"created_at": "2021-11-25T14:50:14Z",
"updated_at": "2022-02-25T18:12:12Z",
"sections": [
{
"id": "g52gfotnw7nhnkgq477si2hmmi",
"label": "Database Owner"
}
],
"fields": [
{
"id": "notesPlain",
"type": "STRING",
"purpose": "NOTES",
"label": "notesPlain"
},
{
"id": "database_type",
"type": "MENU",
"label": "type",
"value": "mysql"
},
{
"id": "hostname",
"type": "STRING",
"label": "server",
"value": "http://localhost"
},
{
"id": "port",
"type": "STRING",
"label": "port",
"value": "5432"
},
{
"id": "database",
"type": "STRING",
"label": "database",
"value": "app-database"
},
{
"id": "username",
"type": "STRING",
"label": "username",
"value": "mysql-user"
},
{
"id": "password",
"type": "CONCEALED",
"label": "password",
"value": "T4Kn7np2bLJXAFoYPoVC"
},
{
"id": "sid",
"type": "STRING",
"label": "SID"
},
{
"id": "alias",
"type": "STRING",
"label": "alias"
},
{
"id": "options",
"type": "STRING",
"label": "connection options"
},
{
"id": "tpcs7jrjikehw5o4tzbe5pklca",
"section": {
"id": "g52gfotnw7nhnkgq477si2hmmi",
"label": "Database Owner"
},
"type": "STRING",
"label": "admin",
"value": "Wendy Appleseed"
},
{
"id": "sdqueijyulxryvu5ceuwktjkiq",
"section": {
"id": "g52gfotnw7nhnkgq477si2hmmi",
"label": "Database Owner"
},
"type": "EMAIL",
"label": "email",
"value": "appleseed.wendy@gmail.com"
}
]
}
```
## Learn more
* [Create an item](/cli/item-create/)
* [Work with items](/cli/reference/management-commands/item/)
* [Work with vaults](/cli/reference/management-commands/vault/)
# Add and remove team members
Source: https://www.1password.dev/cli/provision-users
## Requirements
Before you can use 1Password CLI to add and remove team members, you'll need to:
1. [Sign up for 1Password Business](https://1password.com/pricing/password-manager).
2. [Install 1Password CLI](/cli/get-started/#step-1-install-1password-cli).
If you use [automated provisioning hosted by 1Password](https://support.1password.com/provisioning/), you won't be able to manage users with the CLI. We're working to add support for this in the future.
## Turn on 1Password CLI provisioning
To get started, an owner or administrator must visit the [Provisioning settings page on 1Password.com](https://start.1password.com/settings/provisioning/cli) and select **Turn On CLI Provisioning**. This will create a [Provision Managers](https://support.1password.com/groups/#provision-managers) group with the permissions needed to provision and confirm team members, as well as recover accounts. The person who created the group will be added to it.
## Manage who can provision team members
By default, the owner or administrator who created the [Provision Managers](https://support.1password.com/groups/#provision-managers) group is the only person added to it. If other team members need to be able to provision users, use [`op group user grant`](/cli/reference/management-commands/group/#group-user-grant) to add them to the group.
For example, to add Wendy Appleseed to the Provision Managers group:
```shell theme={null}
op group user grant --group "Provision Managers" --user "wendy.appleseed@agilebits.com"
```
To see a list of everyone in the Provision Managers group:
```shell theme={null}
op group user list "Provision Managers"
```
## Add team members
To invite people to your team, use [`op user provision`](/cli/reference/management-commands/user/#user-provision) with the team member's name and email address.
For example, to invite Wendy Appleseed to join your 1Password account:
```shell theme={null}
op user provision --name "Wendy Appleseed" --email "wendy.appleseed@agilebits.com"
```
The person will receive an email invitation to join the team. After they've accepted the invitation, a member of the Provision Managers group can confirm them.
## Confirm team members
Anyone who belongs to the [Provision Managers](https://support.1password.com/groups/#provision-managers) group can confirm new team members with [`op user confirm`](#with-op-user-confirm) or [on 1Password.com](#on-1password-com).
### With `op user confirm`
To confirm a team member on the command line, use [`op user confirm`](/cli/reference/management-commands/user/#user-confirm) with their name or email address. To confirm all unconfirmed team members, include the `--all` flag.
For example, to confirm Wendy Appleseed:
```shell theme={null}
op user confirm "wendy.appleseed@agilebits.com"
```
To confirm all pending users:
```shell theme={null}
op user confirm --all
```
### On 1Password.com
To confirm a team member on 1Password.com:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select **[People](https://start.1password.com/people)** in the sidebar.
3. Select the name of any team member with the Pending Provision status.
4. Select **Confirm** or **Reject**.
If you don't see the option to confirm or reject a team member, ask your administrator to [add you to the Provision Managers group](#manage-who-can-provision-team-members).
## Remove team members
To remove someone's access to vaults and items, you can suspend or delete their account.
### Suspend an account temporarily
Use [`op user suspend`](/cli/reference/management-commands/user/#user-suspend) to suspend a team member temporarily.
Include the `--deauthorize-devices-after` flag, followed by the number of seconds, minutes, or hours (for example, `600s`, `10m`, or `1h`) to set the time after suspension to deauthorize the suspended team member's devices. The maximum time permitted is 24 hours. If unspecified, their devices will be deauthorized immediately.
For example, to suspend Wendy Appleseed temporarily and deauthorize her devices after 10 minutes:
```shell theme={null}
op user suspend "wendy.appleseed@agilebits.com --deauthorize-devices-after 10m"
```
You can reactivate a suspended user with [`op user reactivate`](/cli/reference/management-commands/user/#user-reactivate).
### Remove an account permanently
Use [`op user delete`](/cli/reference/management-commands/user/#user-delete) to permanently remove a team member's access to vaults and items and delete all of their data from the account.
For example, to remove Wendy Appleseed:
```shell theme={null}
op user delete "wendy.appleseed@agilebits.com"
```
## Learn more
* [Add and remove team members on 1Password.com](https://support.1password.com/add-remove-team-members/)
* [Automate provisioning in 1Password Business using SCIM](https://support.1password.com/scim/)
# Recover accounts using 1Password CLI
Source: https://www.1password.dev/cli/recover-users
You can use 1Password CLI to begin the account recovery process for a family or team member if they can't sign in to or unlock 1Password. When you recover an account for someone:
* They'll receive a new Secret Key and create a new 1Password account password.
If your team uses Unlock with SSO, they'll be able to link a new app or browser to their account again.
* They'll be able to access all the data they had before.
* They'll need to sign in again on all their devices once recovery is complete.
* Their two-factor authentication will be reset.
## Requirements
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* [Install 1Password CLI](/cli/get-started#step-1-install-1password-cli) version `2.32.0` or later.
You can recover accounts for other people if:
* You're a team [administrator](https://support.1password.com/groups/#administrators) or [owner](https://support.1password.com/groups/#owners).
* You belong to a [custom group](https://support.1password.com/custom-groups/) that has the "Recover Accounts" permission.
* You're a [family organizer](https://support.1password.com/family-organizer/).
## Begin recovery
Use the command `op user recovery begin` with a person's name, email address, or [unique identifier (ID)](/cli/reference/#unique-identifiers-ids) to begin the account recovery process. You can recover up to ten accounts with each command.
```shell theme={null}
op user recovery begin { | | }
```
For example, to begin recovery for multiple accounts using each person's ID:
```shell theme={null}
op user recovery begin ZMAE4RTRONHN7LGELNYYO373KM WHPOFIMMYFFITBVTOTZUR3R324 FGH76DFS89FYCU6342CSDWIFJU
```
The person whose account you're recovering will get an email from 1Password. When they select **Recover my account** in the email, a page will open in their browser and they'll be asked to confirm their email address. Then they'll get a new Secret Key and create a new account password.
## Complete recovery
After the person whose account you recovered creates a new account password, you'll need to complete the recovery process before they can access their account.
Learn how to [complete account recovery for one or more people](https://support.1password.com/recovery/#complete-recovery).
## Learn more
* [Add and remove team members](/cli/provision-users)
* [Grant and revoke vault permissions](/cli/grant-revoke-vault-permissions)
* [Sign back in to 1Password after your account has been recovered](https://support.1password.com/after-recovery/)
# 1Password CLI reference
Source: https://www.1password.dev/cli/reference
**Get started**
If you're new to 1Password CLI, [learn how to set it up and sign in to your account](/cli/get-started/).
## Command structure
```
op [command]
```
1Password CLI uses a noun-verb command structure that groups commands by topic rather than by operation.
The basic structure of a command starts with the 1Password program `op`, then the `command name (noun)`, often followed by a `subcommand (verb)`, then `flags` (which include additional information that gets passed to the command).
For example, to retrieve a list of all the items in your Private vault:
```shell theme={null}
op item list --vault Private
```
To get a list of all global commands and flags, run the following:
```shell theme={null}
op --help
```
## Command reference
* [account](/cli/reference/management-commands/account): Manage your locally configured 1Password accounts
* [completion](/cli/reference/commands/completion): Generate shell completion information
* [connect](/cli/reference/management-commands/connect): Manage Connect server instances and tokens in your 1Password account
* [document](/cli/reference/management-commands/document): Perform CRUD operations on Document items in your vaults
* [environment](/cli/reference/management-commands/environment): Manage your 1Password Environments and their variables (Beta)
* [events-api](/cli/reference/management-commands/events-api): Manage Events API integrations in your 1Password account
* [group](/cli/reference/management-commands/group): Manage the groups in your 1Password account
* [inject](/cli/reference/commands/inject): Inject secrets into a config file
* [item](/cli/reference/management-commands/item): Perform CRUD operations on the 1Password items in your vaults
* [plugin](/cli/reference/management-commands/plugin): Manage the shell plugins you use to authenticate third-party CLIs
* [read](/cli/reference/commands/read): Read a secret reference
* [run](/cli/reference/commands/run): Pass secrets as environment variables to a process
* [service-account](/cli/reference/management-commands/service-account): Manage service accounts
* [signin](/cli/reference/commands/signin): Sign in to a 1Password account
* [signout](/cli/reference/commands/signout): Sign out of a 1Password account
* [update](/cli/reference/commands/update): Check for and download updates
* [user](/cli/reference/management-commands/user): Manage users within this 1Password account
* [vault](/cli/reference/management-commands/vault): Manage permissions and perform CRUD operations on your 1Password vaults
* [whoami](/cli/reference/commands/whoami): Get information about a signed-in account
## Global flags
```
--account string Select the account to execute the command by account shorthand, sign-in address, account ID, or user ID. For a list of available accounts, run 'op account list'. Can be set as the OP_ACCOUNT environment variable.
--cache Store and use cached information. Caching is enabled by default on UNIX-like systems. Caching is not available on Windows. Options: true, false. Can also be set with the OP_CACHE environment variable. (default true)
--config directory Use this configuration directory.
--debug Enable debug mode. Can also be enabled by setting the OP_DEBUG environment variable to true.
--encoding type Use this character encoding type. Default: UTF-8. Supported: SHIFT_JIS, gbk.
--format string Use this output format. Can be 'human-readable' or 'json'. Can be set as the OP_FORMAT environment variable. (default "human-readable")
-h, --help Get help for op.
--iso-timestamps Format timestamps according to ISO 8601 / RFC 3339. Can be set as the OP_ISO_TIMESTAMPS environment variable.
--no-color Print output without color.
--session token Authenticate with this session token. 1Password CLI outputs session tokens for successful `op signin` commands when 1Password app integration is not enabled.
```
## Unique identifiers (IDs)
When you retrieve information about an object using the `get` and `list` subcommands, you'll see a string of 26 numbers and letters that make up the object's unique identifier (ID).
You can use names or IDs in commands that take any [account](/cli/reference/management-commands/account/#account-get), [user](/cli/reference/management-commands/user/#user-get), [vault](/cli/reference/management-commands/vault/#vault-get), or [item](/cli/reference/management-commands/item/#item-get) as an argument.
IDs are the most stable way to reference an item. An item's ID only changes when you move the item to a different vault. Commands provided with an ID are also faster and more efficient.
You can get information about an item, including the item's ID and the ID for the vault where it's stored, with [`op item get`](/cli/reference/management-commands/item#item-get).
```shell theme={null}
op item get Netflix
#code-result
ID: t2Vz6kMDjByzEAcq6peKnHL4k3
Title: Netflix
Vault: Private (sdfsdf7werjgdf8gdfgjdfgkj)
Created: 6 months ago
Updated: 1 month ago by Wendy Appleseed
Favorite: false
Version: 1
Category: LOGIN
```
To only fetch the item ID, use the same command with the format set to JSON, then use [jq ](https://jqlang.github.io/jq/) to parse the output.
```shell theme={null}
op item get Netflix --format json | jq .id
#code-result
"t2Vz6kMDjByzEAcq6peKnHL4k3"
```
To get the IDs for all vaults in an account:
```shell theme={null}
op vault list
#code-result
ID NAME
cfqtakqiutfhiewomztljx4woy Development
rr3ggvrlr6opoete23q7c22ahi Personal
2gq6v6vzorl7jfxdurns4hl66e Work
```
## Shell completion
You can add shell completion so that 1Password CLI automatically completes your commands.
With shell completion enabled, start typing an `op` command, then press Tab to see the available commands and options.
To enable shell completion with Bash:
1. Install the bash-completion package
2. Add this line to your `.bashrc` file:
```
source <(op completion bash)
```
To enable shell completion with Zsh, add this line to your `.zshrc` file:
```
eval "$(op completion zsh)"; compdef _op op
```
To enable shell completion with fish, add this to your `.fish` file:
```
op completion fish | source
```
To enable shell completion with PowerShell, add this to your `.ps1` file:
```powershell theme={null}
op completion powershell | Out-String | Invoke-Expression
```
You'll need to enable script execution in PowerShell to start using shell completion. To do that, start a PowerShell window as an administrator and enter:
```powershell theme={null}
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
```
## Cache item and vault information
1Password CLI can use its daemon process to cache items, vault information, and the keys to access information in an account.
The daemon stores encrypted information in memory using the same encryption methods as on 1Password.com. It can read the information to pass to 1Password CLI, but can’t decrypt it.
On UNIX-like systems, caching between commands is enabled by default. This helps maximize performance and reduce the number of API calls.
If you use 1Password CLI in an environment where caching is not possible, you can turn it off by appending the `--cache=false` flag to your commands, or by setting the `OP_CACHE` environment variable to false.
Caching is not currently available on Windows.
## Alternative character encoding
By default, 1Password CLI processes input and output with UTF-8 encoding.
You can use an alternative character encoding with the `--encoding` option.
Supported alternative character encoding types:
* `gbk`
* `shift-jis`
## Parse JSON output with jq
You can use the `--format` flag or the `OP_FORMAT` environment variable to set your 1Password CLI command output to `json`.
To parse JSON output, we recommend using the command-line tool [jq. ](https://jqlang.github.io/jq/)
For example, to use jq to retrieve a secret reference for the password saved on an item named `GitHub`:
```shell theme={null}
op item get GitHub --format json --fields password | jq .reference
#code-result
"op://development/GitHub/password"
```
## Beta builds
To download 1Password CLI beta builds, navigate to the [1Password CLI downloads page](https://app-updates.agilebits.com/product_history/CLI2#beta) with the **Show betas** option selected. On Linux, you can switch the channel from "stable" to "beta" when adding the 1Password repository in your package manager.
## Example commands
### Items
To get information about an item:
```shell theme={null}
op item get
```
You'll see the item's [ID](#unique-identifiers-ids), title, vault, when it was created, when it was last modified, the item's version, if it's marked as a favorite, the type of item it is, and the item's fields.
If an item name includes spaces or special characters, enclose it in quotes. For example:
```shell theme={null}
op item get "work email"
#code-result
ID: a5w3is43ohs25qonzajrqaqx4q
Title: work email
Vault: Work (2gq6v6vzorl7jfxdurns4hl66e)
Created: 6 years ago
Updated: 9 months ago by Wendy Appleseed
Favorite: true
Version: 1
Category: LOGIN
Fields:
username: wendy.c.appleseed@agilebits.com
password: NLuXcEtg27JMjGmiBHXZMGCgce
URLs:
website: https://www.gmail.com (primary)
```
To use `op item get` to retrieve specific fields, include the `--fields` flag followed by a comma-separated list, with the prefix `label=` before each field name. For example, to only retrieve the username and password for the item `work email`:
```shell theme={null}
op item get "work email" --fields label=username,label=password
#code-result
wendy.c.appleseed@agilebits.com,NLuXcEtg27JMjGmiBHXZMGCgce
```
Learn more about working with [items](/cli/reference/management-commands/item/).
### Users and groups
To get details about a user:
```shell theme={null}
op user get "Wendy Appleseed"
#code-result
ID: SPRXJFTDHTA2DDTPE5F7DA64RQ
Name: Wendy Appleseed
Email: wendy.c.appleseed@agilebits.com
State: ACTIVE
Type: MEMBER
Created: 6 years ago
Updated: 4 months ago
Last Authentication: 1 month ago
```
To list the users who belong to a group:
```
op group user list "Provision Managers"
#code-result
ID NAME EMAIL STATE TYPE ROLE
7YEOODASGJE6VAEIOHYWGP33II Wendy Appleseed wendy.c.appleseed@agilebits.com ACTIVE MEMBER
UKCYFVOJSFEXLKKZREG7M2MZWM Johnny Appleseed johnny.appleseed@agilebits.com RECOVERY_STARTED MEMBER
```
Learn more about working with [users](/cli/reference/management-commands/user/) and [groups](/cli/reference/management-commands/group/).
### Vaults
To create a new vault named `Test`:
```shell theme={null}
op vault create Test
```
To get details about an existing vault:
```shell theme={null}
op vault get Work
#code-result
ID: jAeq2tfunmifZfG4WkuWvsaGGj
Name: Work
Type: USER_CREATED
Attribute version: 3
Content version: 241
Items: 25
Created: 1 year ago
Updated: 1 month ago
```
To list the vaults in an account:
```shell theme={null}
op vault list
#code-result
ID NAME
vw8qjYEvsdCcZoULJRCqopy7Rv Development
2RNjh43dpHB9sDqZXEHiiw7zTe Personal
cGxbZbV2pxKBmVJe9oWja4K8km Work
```
Learn more about working with [vaults](/cli/reference/management-commands/vault/).
### Secrets
To insert a secret into an environment variable, config file, or script without putting the plaintext secret in code, use a [secret reference](/cli/secret-reference-syntax/) that specifies where the secret is stored in your 1Password account:
```
op://vault-name/item-name/[section-name/]field-name
```
Then, you can use [`op read`](/cli/reference/commands/read/), [`op run`](/cli/reference/commands/run/), or [`op inject`](/cli/reference/commands/inject/) to replace the secret reference with the actual secret at runtime.
To resolve a secret reference and confirm it outputs correctly:
```shell theme={null}
op read "op://Work/work email/username"
#code-result
wendy.c.appleseed@agilebits.com
```
Learn more about [loading secrets](/cli/secret-references/).
## Get help
For help with any command, use the `--help` option:
```
op [subcommand] --help
```
# completion
Source: https://www.1password.dev/cli/reference/commands/completion
Generate shell completion information for 1Password CLI.
```shell theme={null}
op completion [flags]
```
If you use Bash, Zsh, fish, or PowerShell, you can add shell completion for 1Password CLI.
With completions loaded, after you start typing a command,
press Tab to see available commands and options.
#### Load shell completion information for Bash
To always load the completion information for Bash, add this to your
`.bashrc` file:
```shell theme={null}
source <(op completion bash)
```
To use shell completion in Bash, you’ll need the `bash-completion` package.
#### Load shell completion information for Zsh
To always load the completion information for Zsh, add this to your
`.zshrc` file:
```shell theme={null}
eval "$(op completion zsh)"; compdef _op op
```
#### Load shell completion information for fish
To always load the completion information for fish, add this to your
`.fish` file:
```shell theme={null}
op completion fish | source
```
#### Load shell completion information for PowerShell
To always load the completion information for PowerShell, add this
to your `.ps1` file:
```powershell theme={null}
op completion powershell | Out-String | Invoke-Expression
```
To use shell completion in PowerShell, you need to enable
execution of scripts. To do that, start a PowerShell window as
administrator and run the following command:
```powershell theme={null}
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
```
# inject
Source: https://www.1password.dev/cli/reference/commands/inject
Inject secrets into a file templated with secret references.
```
op inject [flags]
```
### Flags
```
--file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600)
-f, --force Do not prompt for confirmation.
-i, --in-file string The filename of a template file to inject.
-o, --out-file string Write the injected template to a file instead of stdout.
```
[Learn more about secret references.](/cli/secret-references)
You can pass in a config file templated with secret references and receive a
config file with the actual secrets substituted. Make sure to delete the
resolved file when you no longer need it.
[Learn more about loading secrets into config files.](/cli/secrets-config-files)
### Examples
Inject secrets into a config template from stdin:
```
echo "db_password: {{ op://app-prod/db/password }}" | op inject
db_password: fX6nWkhANeyGE27SQGhYQ
```
Inject secrets into a config template file:
```
cat config.yml.tpl
db_password: {{ op://app-prod/db/password }}
```
```
op inject -i config.yml.tpl -o config.yml && cat config.yml
db_password: fX6nWkhANeyGE27SQGhYQ
```
Multiple secrets can be concatenated:
```
echo "db_url: postgres://{{ op://lcl/db/user }}:{{ op://lcl/db/pw }}@{{ op://lcl/db/host }}:{{ op://lcl/db/port }}/{{ op://my-app-prd/db/db }}" | op inject
db_url: postgres://admin:admin@127.0.0.1:5432/my-app"
```
Use variables in secret references to switch between different sets of
secrets for different environments:
```
echo "db_password: op://$env/db/password" | env=prod op inject
db_password: fX6nWkhANeyGE27SQGhYQ
```
# read
Source: https://www.1password.dev/cli/reference/commands/read
Read the value of the field in 1Password specified by a secret reference.
[Learn more about secret references and query parameters.](/cli/secret-reference-syntax/)
```
op read [flags]
```
### Flags
```
--file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600)
-f, --force Do not prompt for confirmation.
-n, --no-newline Do not print a new line after the secret.
-o, --out-file string Write the secret to a file instead of stdout.
```
### Examples
Print the secret saved in the field `password`, on the item `db`, in the vault
`app-prod`:
```shell theme={null}
op read op://app-prod/db/password
```
Use a secret reference with a query parameter to retrieve a one-time
password:
```shell theme={null}
op read "op://app-prod/db/one-time password?attribute=otp"
```
Use a secret reference with a query parameter to get an SSH key's private
key in the OpenSSH format:
```shell theme={null}
op read "op://app-prod/ssh key/private key?ssh-format=openssh"
```
Save the SSH key found on the item `ssh` in the `server` vault
as a new file `key.pem` on your computer:
```shell theme={null}
op read --out-file ./key.pem op://app-prod/server/ssh/key.pem
```
Use `op read` in a command with secret references in place of plaintext
secrets:
```shell theme={null}
docker login -u $(op read op://prod/docker/username) -p $(op read op://prod/docker/password)
```
# run
Source: https://www.1password.dev/cli/reference/commands/run
Pass secrets as environment variables to an application or script.
```
op run -- ... [flags]
```
### Flags
```
--env-file stringArray Enable Dotenv integration with specific Dotenv files to
parse. For example: --env-file=.env.
--no-masking Disable masking of secrets on stdout and stderr.
```
Use `op run` to securely load project secrets from 1Password, then run a
provided command in a subprocess with the secrets made available as environment
variables only for the duration of the subprocess.
To limit which 1Password items processes in your authorized terminal session
can access, make sure to authenticate 1Password CLI with a service account that
only has access to the required secrets. You can scope service accounts to
specific vaults and 1Password Environments.
[Learn more about service accounts.](/service-accounts/)
[Learn more about loading secrets with `op run`.](/cli/secrets-environment-variables)
#### Load secrets using secret references
`op run` can scan environment variables and files for secret
references, then load the provided command with the referenced secrets
made available as environment variables.
Secret references are URIs that point to the ID or name of the vault, item,
section, and field where a secret is stored in 1Password. You can export
environment variables to secret references on the command line or using an
.env file.
Secrets printed to stdout or stderr are concealed by default. Include the
`--no-masking` flag to turn off masking.
When referencing an environment variable assigned to a secret reference within a
command, `op run` must replace the reference with the actual secret value before
the variable expands. To make sure this order of operations is followed, run the
command that expands the variable in a subshell.
#### Load variables from Environments (beta)
The `--environments` flag is available in [the latest beta build of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2#beta), version `2.33.0-beta.02` or later.
Use `op run` with the `--environments` flag and an Environment's ID to load
variables from a 1Password Environment.
To find an Environment's ID, open the 1Password app, navigate to Developer >
View Environments > then select View environment > Manage environment > Copy
environment ID.
Load variables from a 1Password Environment:
```shell theme={null}
op run --environment -- printenv
```
#### Environment variable precedence
If the same environment variable name exists in multiple sources, the source
with higher precedence takes effect. Precedence from highest to lowest:
1. 1Password Environments (--environment)
2. Environment files (--env-file)
3. Shell environment variables
If the same environment variable name exists in multiple environment files,
the last environment file takes precedence.
If the same environment variable name exists in multiple 1Password Environments,
the last Environment specified takes precedence.
### Examples
Print secret value:
```
export DB_PASSWORD="op://app-prod/db/password"
```
```
op run -- printenv DB_PASSWORD
```
```
op run --no-masking -- printenv DB_PASSWORD
fX6nWkhANeyGE27SQGhYQ
```
Specify an environment file and use it:
```
echo "DB_PASSWORD=op://app-dev/db/password" > .env
```
```
op run --env-file="./.env" -- printenv DB_PASSWORD
password
```
Use variables in secret references to switch between different sets of
secrets for different environments:
```
cat .env
DB_USERNAME = op://$APP_ENV/db/username
DB_PASSWORD = op://$APP_ENV/db/password
```
```
export APP_ENV="dev"
op run --env-file="./.env" -- printenv DB_PASSWORD
dev
```
```
export APP_ENV="prod"
op run --env-file="./.env" -- printenv DB_PASSWORD
prod
```
# signin
Source: https://www.1password.dev/cli/reference/commands/signin
Sign in to 1Password CLI using the 1Password desktop app.
```shell theme={null}
op signin [flags]
```
### Flags
```
-f, --force Ignore warnings and print raw output from this command.
--raw Only return the session token.
```
To turn on the 1Password app integration:
1. Open the 1Password app.
2. Navigate to **Settings** > **Security** and turn on Touch ID, Windows Hello, or a
Linux system authentication option.
3. Navigate to **Developer** > **Settings** and select **Integrate with 1Password CLI**.
[Learn more about the app integration.](/cli/app-integration/)
If you add multiple 1Password accounts to the 1Password app, 1Password CLI
determines which to use in this order:
1. The account specified with the `--account` flag.
2. The account specified by the `OP_ACCOUNT` environment variable.
3. The account you most recently signed in to with `op signin` in
any terminal window.
`op signin` is idempotent. It only prompts for authentication if you
aren't already authenticated.
### Examples
Sign in and set the environment variable in one step:
```shell theme={null}
eval $(op signin --account acme.1password.com)
```
# signout
Source: https://www.1password.dev/cli/reference/commands/signout
Sign out of a 1Password account.
```
op signout [flags]
```
### Flags
```
--all Sign out of all signed-in accounts.
--forget Remove the details for a 1Password account from this device.
```
Signs out of the most recently used account by default.
# update
Source: https://www.1password.dev/cli/reference/commands/update
Check for updates to `op` and download an updated version, if available.
```
op update [flags]
```
### Flags
```
--directory path Download the update to this path.
--channel string Look for updates from a specific channel. allowed: stable, beta
```
# whoami
Source: https://www.1password.dev/cli/reference/commands/whoami
Get information about a signed-in account.
```
op whoami [flags]
```
Returns the currently active account or service account. The command returns an error if no accounts are currently authenticated.
Get information about a specific account with the `--account `
flag.
# account
Source: https://www.1password.dev/cli/reference/management-commands/account
Manage your locally configured 1Password accounts.
### Subcommands
* [account add](#account-add): Add an account to sign in to for the first time
* [account forget](#account-forget): Remove a 1Password account from this device
* [account get](#account-get): Get details about your account
* [account list](#account-list): List users and accounts set up on this device
## account add
Add a new 1Password account to 1Password CLI manually with your account password
and Secret Key, instead of [signing in using your 1Password app](/cli/app-integration/).
```shell theme={null}
op account add [flags]
```
### Flags
```
--address string The sign-in address for your account.
--email string The email address associated with your account.
--raw Only return the session token.
--shorthand string Set a custom account shorthand for your account.
--signin Immediately sign in to the added account.
```
To sign in to manually-added accounts:
```shell theme={null}
eval $(op signin)
```
```powershell theme={null}
Invoke-Expression $(op signin)
```
[Learn more about signing in manually.](/cli/sign-in-manually/)
When you sign in manually, 1Password CLI creates a session token and
sets the `OP_SESSION` environment variable to it. Session tokens expire
after 30 minutes of inactivity, after which you’ll need to sign in again.
If you add multiple 1Password accounts, 1Password CLI determines which
to use in this order:
1. An account specified with the `--account` flag.
2. An account specified with the `OP_ACCOUNT` environment variable.
3. The account most recently signed in to with `op signin` in the current
terminal window.
### Examples
Add an account using flags to specify account details:
```shell theme={null}
op account add --address my.1password.com --email user@example.org
```
Add an account and immediately sign in to it:
```shell theme={null}
eval $(op account add --signin)
```
```powershell theme={null}
Invoke-Expression $(op account add --signin)
```
Sign in to a specific account:
```shell theme={null}
eval $(op signin --account my)
```
```powershell theme={null}
Invoke-Expression $(op signin --account my)
```
## account forget
Remove a 1Password account from this device.
```
op account forget [ ] [flags]
```
### Flags
```
--all Forget all authenticated accounts.
```
## account get
Get details about your account.
```
op account get [flags]
```
## account list
List users and accounts set up on this device.
```
op account list [flags]
```
# connect
Source: https://www.1password.dev/cli/reference/management-commands/connect
Manage Connect server instances and tokens in your 1Password account.
Looking up a Connect server by its [ID](/cli/reference#unique-identifiers-ids) is more efficient than using the Connect server's name.
### Subcommands
* [connect group](#connect-group): Manage group access to Secrets Automation
* [connect server](#connect-server): Manage Connect servers
* [connect token](#connect-token): Manage Connect server tokens
* [connect vault](#connect-vault): Manage Connect server vault access
## connect group
### Subcommands
* [connect group grant](#connect-group-grant): Grant a group access to manage Secrets Automation
* [connect group revoke](#connect-group-revoke): Revoke a group's access to manage Secrets Automation
## connect group grant
Grant a group access to manage Secrets Automation.
```
op connect group grant [flags]
```
### Flags
```
--all-servers Grant access to all current and future servers in the authenticated
account.
--group group The group to receive access.
--server server The server to grant access to.
```
If you don't specify a server, it adds the group to the list of Secrets
Automation managers.
## connect group revoke
Revoke a group's access to manage Secrets Automation.
```
op connect group revoke [flags]
```
### Flags
```
--all-servers Revoke access to all current and future servers in the
authenticated account.
--group group The group to revoke access from.
--server server The server to revoke access to.
```
## connect server
### Subcommands
* [connect server create](#connect-server-create): Set up a Connect server
* [connect server delete](#connect-server-delete): Remove a Connect server
* [connect server edit](#connect-server-edit): Rename a Connect server
* [connect server get](#connect-server-get): Get a Connect server
* [connect server list](#connect-server-list): List Connect servers
## connect server create
Add a 1Password Connect server to your account and generate a credentials file
for it. 1Password CLI saves the `1password-credentials.json` file in the
current directory.
Note: You can't grant a Connect server access to your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault.
```
op connect server create [flags]
```
### Flags
```
-f, --force Do not prompt for confirmation when overwriting credential files.
--vaults strings Grant the Connect server access to these vaults.
```
1Password CLI saves the `1password-credentials.json` file in the
current directory.
## connect server delete
Remove a Connect server. Specify the server by name or ID.
```
op connect server delete [{ | | - }] [flags]
```
The credentials file and all the tokens for the server will no longer be valid.
## connect server edit
Rename a Connect server. Specify the server by name or ID.
```
op connect server edit { | } [flags]
```
### Flags
```
--name name Change the server's name.
```
## connect server get
Get details about a Connect server. Specify the server by name or ID.
```
op connect server get [{ | | - }] [flags]
```
## connect server list
Get a list of Connect servers.
```
op connect server list [flags]
```
## connect token
### Subcommands
* [connect token create](#connect-token-create): Issue a token for a 1Password Connect server
* [connect token delete](#connect-token-delete): Revoke a token for a Connect server
* [connect token edit](#connect-token-edit): Rename a Connect server token
* [connect token list](#connect-token-list): Get a list of tokens
## connect token create
Issue a new token for a Connect server.
```
op connect token create [flags]
```
### Flags
```
--expires-in duration Set how long the Connect token is valid for in (s)econds,
(m)inutes, (h)ours, (d)ays, and/or (w)eeks.
--server string Issue a token for this server.
--vault stringArray Issue a token on these vaults.
```
Returns a token.
You can only provision Connect server tokens to vaults that the Connect server
has access to. Use `op connect vault grant` to grant access to vaults.
Note: You can't grant a Connect server access to your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault.
By default, the `--vaults` option grants the same permissions as the server.
To further limit the permissions a token has to read-only or write-only, add a
comma and `r` or `w` after the vault specification. For example:
```
op connect token create "Dev k8s token" --server Dev --vaults Kubernetes,r \
--expires-in=30d
```
```
op connect token create "Prod: Customer details" --server Prod --vault "Customers,w" \
--vault "Vendors,r"
```
## connect token delete
Revoke a token for a Connect server.
```
op connect token delete [ ] [flags]
```
### Flags
```
--server string Only look for tokens for this 1Password Connect server.
```
## connect token edit
Rename a Connect server token.
```
op connect token edit [flags]
```
### Flags
```
--name string Change the token's name.
--server string Only look for tokens for this 1Password Connect server.
```
## connect token list
List tokens for Connect servers.
```
op connect token list [flags]
```
### Flags
```
--server server Only list tokens for this Connect server.
```
Returns both active and revoked tokens.
The `integrationId` is the ID for the Connect server the token belongs to.
## connect vault
### Subcommands
* [connect vault grant](#connect-vault-grant): Grant a Connect server access to a vault
* [connect vault revoke](#connect-vault-revoke): Revoke a Connect server's access to a vault
## connect vault grant
Grant a Connect server access to a vault.
```
op connect vault grant [flags]
```
Note: You can't grant a Connect server access to your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault.
### Flags
```
--server string The server to be granted access.
--vault string The vault to grant access to.
```
## connect vault revoke
Revoke a Connect server's access to a vault.
```
op connect vault revoke [flags]
```
### Flags
```
--server server The server to revoke access from.
--vault vault The vault to revoke a server's access to.
```
# document
Source: https://www.1password.dev/cli/reference/management-commands/document
Perform CRUD operations on Document items in your vaults.
### Subcommands
* [document create](#document-create): Create a document item
* [document delete](#document-delete): Delete or archive a document item
* [document edit](#document-edit): Edit a document item
* [document get](#document-get): Download a document
* [document list](#document-list): Get a list of documents
## document create
Create a document item and receive a JSON object that contains the item's ID.
```
op document create [{ | - }] [flags]
```
### Flags
```
--file-name name Set the file's name.
--tags tags Set the tags to the specified (comma-separated) values.
--title title Set the document item's title.
--vault vault Save the document in this vault. Default: Private.
```
By default, the document is saved in your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault. Specify a different vault with the `--vault` option.
#### Create a file from standard input
To create the file contents from standard input (stdin), enter a
hyphen (`-`) instead of a path. You can use the `--file-name` option to
change the name of the file.
### Examples
Create a document by specifying the file path:
```
op document create "../demos/videos/demo.mkv" --title "2020-06-21 Demo Video"
```
Create a document from standard input:
```
cat auth.log.* | op document create - --title "Authlogs 2020-06" --file-name "auth.log.2020.06"
```
## document delete
Permanently delete a document. Specify the document to delete by its name or ID.
Use the `--archive` option to move it to the Archive instead.
```
op document delete [{ | | - }] [flags]
```
### Flags
```
--archive Move the document to the Archive.
--vault vault Delete the document in this vault.
```
#### Specify items on standard input
The command treats each line of information on standard input (stdin) as
an object specifier. Run `op help` to learn more about how to specify
objects.
You can also input a list or array of JSON objects. The command will
get an item for any object that has an ID. This is useful for
passing information from one `op` command to another.
### Examples
Permanently delete a document:
```
op document delete "2019 Contracts"
```
Move a document to the Archive:
```
op document delete "2019 Contracts" --archive
```
## document edit
Edit a document item. Specify the document item to edit by its name or ID.
```
op document edit { | } [{ | - }] [flags]
```
### Flags
```
--file-name name Set the file's name.
--tags tags Set the tags to the specified (comma-separated) values. An empty
value removes all tags.
--title title Set the document item's title.
--vault vault Look up document in this vault.
```
Replaces the file contents of a Document item with the provided file
or with the information on standard input (stdin).
#### Update a file from standard input
To update the file contents from standard input (stdin), enter a
hyphen (`-`) instead of a path. You can use the `--file-name` option to
change the name of the file.
## document get
Download a document and print the contents. Specify the document by its name
or ID.
```
op document get { | } [flags]
```
### Flags
```
--file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600)
--force Forcibly print an unintelligible document to an interactive terminal. If --out-file is specified, save the document to a file without prompting for confirmation.
--include-archive Include document items in the Archive. Can also be set using OP_INCLUDE_ARCHIVE environment variable.
-o, --out-file path Save the document to the file path instead of stdout.
--vault vault Look for the document in this vault.
```
Prints to standard output (stdout) by default. To print to a file, use the
`--out-file path/to/file.ext` flag.
#### Save to a file
Use the `--out-file` option to have `op` save the document. This may
be useful in some shells as a way to preserve the file's original
encoding.
The `--out-file` option won't overwrite an existing file. The
destination path must be an empty file or not exist.
### Examples
Save a document to a file called `secret-plans.text`:
```
op document get "Top Secret Plan B" --out-file=../documents/secret-plans.text
```
## document list
List documents.
```
op document list [flags]
```
### Flags
```
--include-archive Include document items in the Archive. Can also be set using
OP_INCLUDE_ARCHIVE environment variable.
--vault vault Only list documents in this vault.
```
Returns a list of all documents the account has read access to
by default. Excludes items in the Archive by default.
# environment
Source: https://www.1password.dev/cli/reference/management-commands/environment
Beta
The `--environments` flag is available in [the latest beta build of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2#beta), version `2.33.0-beta.02` or later.
[1Password Environments](/environments) allow you to organize and manage your project's environment variables, separately from the rest of the items in your 1Password vaults. You can create an Environment for each project or development stage, then securely access your variables directly from 1Password when you need them.
### Subcommands
* [environment read](#environment-read): Read environment variables from a 1Password Environment
## environment read
Read environment variables from a 1Password Environment.
```shell theme={null}
op environment read [flags]
```
Specify the 1Password Environment by its ID. To find an Environment's ID, open the 1Password app, navigate to **Developer** > **View Environments** > then select **View environment** > **Manage environment** > **Copy environment ID**.
### Examples
Read variables from a 1Password Environment:
```shell theme={null}
op environment read
```
# events-api
Source: https://www.1password.dev/cli/reference/management-commands/events-api
Manage Events API integrations in your 1Password account. Requires a business account.
### Subcommands
* [events-api create](#events-api-create): Set up an integration with the Events API
## events-api create
Create an Events API integration token.
```
op events-api create [flags]
```
### Flags
```
--expires-in duration Set how the long the events-api token is valid for in
(s)econds, (m)inutes, (h)ours, (d)ays, and/or (w)eeks.
--features features Set the comma-separated list of features the integration
token can be used for. Options: `signinattempts`,
`itemusages`, `auditevents`.
```
1Password CLI prints the token when successful.
Requires a business account.
### Examples
Create an Events API integration to report sign-in attempts that expires in one hour:
```
op events-api create SigninEvents --features signinattempts --expires-in 1h
```
Create an Events API integration that reports all supported events that does not expire:
```
op events-api create AllEvents
```
# group
Source: https://www.1password.dev/cli/reference/management-commands/group
Manage the groups in your 1Password account.
Groups can be used to organize your team and delegate administrative responsibilities. You can give groups access to vaults and assign them permissions, so you don't have to keep track of everyone separately.
### Subcommands
* [group create](#group-create): Create a group
* [group delete](#group-delete): Remove a group
* [group edit](#group-edit): Edit a group's name or description
* [group get](#group-get): Get details about a group
* [group list](#group-list): List groups
* [group user](#group-user): Manage group membership
## group create
Create a group and receive a JSON object with the group's ID.
```
op group create [flags]
```
### Flags
```
--description string Set the group's description.
```
## group delete
Remove a group. Specify the group to delete by its name or ID.
```
op group delete [{ | | - }] [flags]
```
## group edit
Edit a group's name or description. Specify the group to edit by its name or ID.
```
op group edit [{ | | - }] [flags]
```
### Flags
```
--description description Change the group's description.
--name name Change the group's name.
```
## group get
Get details about a group. Specify the group by its name or ID.
```
op group get [{ | | - }] [flags]
```
#### Use standard input to specify objects
If you enter a hyphen (`-`) instead of a single object for this command,
the tool will read object specifiers from standard input (stdin).
Separate each specifier with a new line. For more information about how
to specify objects, run `op help`.
You can also pass the command a list or array of JSON objects. The tool
will get an item for any object that has an ID, ignoring line
breaks. This is useful for passing information from one `op` command
to another.
### Examples
Get details for all groups:
```
op group list --format=json | op group get -
```
Get details for the groups who have access to a vault:
```
op group list --vault "Production keys" --format=json | op group get -
```
## group list
List groups.
```
op group list [flags]
```
### Flags
```
--user user List groups that a user belongs to.
--vault vault List groups that have direct access to a vault.
```
Returns all groups in an account by default.
### Examples
Get details for all groups:
```
op group list | op group get -
```
Get details for the groups that have access to a vault:
```
op group list --vault Staging --format=json | op group get -
```
Get details for the groups that a user belongs to:
```
op group list --user wendy_appleseed@1password.com --format=json | op group get -
```
## group user
### Subcommands
* [group user grant](#group-user-grant): Add a user to a group
* [group user list](#group-user-list): Retrieve users that belong to a group
* [group user revoke](#group-user-revoke): Remove a user from a group
## group user grant
Grant a user access to a group.
```
op group user grant [flags]
```
### Flags
```
--group string Specify the group to grant the user access to.
--role string Specify the user's role as a member or manager. Default: member.
--user string Specify the user to grant group access to.
```
## group user list
Retrieve users that belong to a group.
```
op group user list [flags]
```
## group user revoke
Revoke a user's access to a group.
```
op group user revoke [flags]
```
### Flags
```
--group string Specify the group to remove the user from.
--help Get help with group user revoke.
--user string Specify the user to remove from the group.
```
# item
Source: https://www.1password.dev/cli/reference/management-commands/item
Perform CRUD operations on the 1Password items in your vaults.
### Subcommands
* [item create](#item-create): Create an item
* [item delete](#item-delete): Delete or archive an item
* [item edit](#item-edit): Edit an item's details
* [item get](#item-get): Get an item's details
* [item list](#item-list): List items
* [item move](#item-move): Move an item between vaults
* [item share](#item-share): Share an item
* [item template](#item-template): Manage templates
## item create
Create a new item.
```
op item create [ - ] [ ... ] [flags]
```
### Flags
```
--category category Set the item's category.
--dry-run Test the command and output a preview of the resulting item.
--favorite Add item to favorites.
--generate-password[=recipe] Add a randomly-generated password to a Login or Password item.
--reveal Don't conceal sensitive fields.
--ssh-generate-key The type of SSH key to create: Ed25519 or RSA. For RSA,
specify 2048, 3072, or 4096 (default) bits. Possible values:
ed25519, rsa, rsa2048, rsa3072, rsa4096. (default Ed25519)
--tags tags Set the tags to the specified (comma-separated)
values.
--template string Specify the filepath to read an item template from.
--title title Set the item's title.
--url URL Set the website where 1Password suggests and fills a Login, Password, or API Credential item.
--vault vault Save the item in this vault. Default: Private.
```
Get a list of all item categories:
```shell theme={null}
op item template list
```
Use assignment statements or an item category JSON template to save details in
built-in or custom fields.
[Learn more about creating items.](/cli/item-create/)
[Learn more about item fields and fieldTypes.](/cli/item-fields/)
#### Generate a password
Use the `--generate-password` option to set a random password for a Login
or Password item. The default is 32-characters, and includes upper and
lowercase letters, numbers, and symbols (`!@.-_*`).
You can specify the password length (between 1 and 64 characters) and the
character types to use:
```shell theme={null}
--generate-password='letters,digits,symbols,32'
```
#### Set additional fields with assignment statements
You can use assignment statements as command arguments to set built-in and
custom fields.
```
[.][[]]=
```
Command arguments get logged in your command history, and
can be visible to other processes on your machine. If you’re assigning
sensitive values, use a JSON template instead.
For example, to create a text field named "host" within a section named
"Database Credentials", with the value set to 33.166.240.221:
```shell theme={null}
DatabaseCredentials.host[text]=33.166.240.221
```
The section name is optional unless multiple sections contain fields with
the same name.
Use a backslash to escape periods, equal signs, or backslashes in section
or field names. Don’t use backslashes to escape the value.
You can omit spaces in the section or field name, or refer to the field by
its JSON short name (`name` or `n`).
#### Create an item using a json template
Use an item JSON template to assign sensitive values to an item. If you
combine a template with assignment statements, assignment statements
take precedence.
1. Save the appropriate item category template to a file:
```shell theme={null}
op item template get --out-file login.json "Login"
```
2. Edit the template.
3. Create a new item using the `-—template` flag to specify the path to the edited template:
```shell theme={null}
op item create --template=login.json
```
4. After 1Password CLI creates the item, delete the edited template.
You can also create an item from standard input using an item JSON template.
Pass the `-` character as the first argument, followed by any assignment
statements.
```shell theme={null}
op item template get Login | op item create --vault personal -
```
You can’t use both piping and the `--template` flag in the same command, to
avoid collisions.
### Examples
Create a Login item with a random password and website set using flags
and custom and built-in fields set with assignment statements, including
a one-time password field and a file attachment:
```shell theme={null}
op item create --category=login --title='My Example Item' --vault='Test' \
--url https://www.acme.com/login \
--generate-password=20,letters,digits \
username=jane@acme.com \
'Test Section 1.Test Field3[otp]=otpauth://totp/:?secret=&issuer=' \
'FileName[file]=/path/to/your/file'
```
Create an item by duplicating an existing item from another vault and modifying
it with assignment statements:
```shell theme={null}
op item get "My Item" --format json | op item create --vault prod - \
username="My Username" password="My Password"
```
Duplicate all items in a vault in one account to a vault in another account:
```shell theme={null}
op item list --vault test-vault --format json --account agilebits | \
op item get --format json --account agilebits - | \
op item create --account work -
```
## item delete
Delete or archive items you no longer need.
```
op item delete [{ | | | - }] [flags]
```
### Flags
```
--archive Move the item to the Archive.
--vault string Look for the item in this vault.
```
Deleted items remain available for 30 days in Recently Deleted. You can restore or permanently delete items from Recently Deleted in the 1Password apps.
Use the `--archive` option to move an item to the Archive instead.
Specify an item to delete or archive by its name, ID, or sharing link.
#### Specify items on standard input
The command treats each line of information on standard input (stdin) as
an object specifier. Run `op help` to learn more about how to specify
objects.
The input can also be a list or array of JSON objects. The command will
get an item for any object that has an ID. This is useful for
passing information from one `op` command to another.
### Examples
Delete an item:
```
op item delete "Defunct Login"
```
Move an item to the Archive:
```
op item delete "Defunct Login" --archive
```
## item edit
Edit an item's details.
```
op item edit { | | } [ ... ] [flags]
```
### Flags
```
--dry-run Perform a dry run of the command and output a preview
of the resulting item.
--favorite Whether this item is a favorite item. Options: true, false.
--generate-password[=recipe] Give the item a randomly generated password.
--reveal Don't conceal sensitive fields.
--tags tags Set the tags to the specified (comma-separated)
values. An empty value will remove all tags.
--template string Specify the filepath to read an item template from.
--title title Set the item's title.
--url URL Set the website where 1Password suggests and fills a Login, Password, or API Credential item.
--vault vault Edit the item in this vault.
```
Specify the item by its name, ID, or sharing link. Use flags to update the
title, tags, or generate a new random password.
You can use assignment statements as command arguments to update built-in
or custom fields. For sensitive values, use a template instead.
#### Edit an item using assignment statements
Caution: Command arguments can be visible to other processes on your machine.
```shell theme={null}
[.][[]]=
```
To create a new field or section, specify a field or section name that doesn’t
already exist on the item.
To edit an existing field, specify the current section and field name, then make
changes to the fieldType or value. If you don’t specify a fieldType or value,
it will stay the same.
To delete a custom field, specify `[delete]` in place of the fieldType. If a
section no longer has any fields, the section will also be deleted. You can't
delete built-in fields, but you can set them to empty strings.
Learn more about assignment statements: `op item create –-help`.
[Learn more about available fields and fieldTypes.](/cli/item-fields)
#### Edit an item using a template
JSON item templates do not support passkeys. If you use a JSON template to update an item that contains a passkey, the passkey will be overwritten. To fix this, you can [restore a previous version of the item](https://support.1password.com/item-history/).
You can use a JSON template to edit an item, alone or in combination with
command arguments. Field assignment statements overwrite values in the
template.
1. Get the item you want to edit in JSON format and save it to a file:
```
op item get oldLogin --format=json > updatedLogin.json
```
2. Edit the file.
3. Use the `--template` flag to specify the path to the edited file and edit
the item:
op item edit oldLogin --template=updatedLogin.json
4. Delete the file.
You can also edit an item using piped input:
```shell theme={null}
cat updatedLogin.json | op item edit oldLogin
```
To avoid collisions, you can't combine piped input and the `--template`
flag in the same command.
### Examples
Add a 32-character random password that includes upper- and lower-case letters,
numbers, and symbols to an item:
```shell theme={null}
op item edit 'My Example Item' --generate-password='letters,digits,symbols,32'
```
Edit a custom field's value without changing the fieldType:
```
op item edit 'My Example Item' 'field1=new value'
```
Edit a custom field's fieldType without changing the value:
```
op item edit 'My Example Item' 'field1[password]'
```
Edit a custom field's type and value:
```
op item edit 'My Example Item' 'field1[monthyear]=2021/09'
```
Add a new custom field to an item:
```
op item edit 'My Example Item' 'section2.field5[phone]=1-234-567-8910'
```
Remove an existing custom field:
```
op item edit 'My Example Item' 'section2.field5[delete]'
```
Set the built-in username field to an empty value:
```
op item edit 'My Example Item' 'username='
```
Edit an item using a template alongside command arguments and assignment
statements:
```shell theme={null}
op item edit oldLogin --vault Private 'username=Lucky' --template=updatedLogin.json
```
## item get
Get details about an item. Specify the item by its name, ID, or sharing link.
```
op item get [{ | | | - }] [flags]
```
### Flags
```
--fields strings Return data from specific fields. Use `label=` to get the field by name or `type=` to filter fields by type. Specify multiple in a comma-separated list.
--include-archive Include items in the Archive. Can also be set using
OP_INCLUDE_ARCHIVE environment variable.
--otp Output the primary one-time password for this item.
--reveal Don't conceal sensitive fields.
--share-link Get a shareable link for the item.
--vault vault Look for the item in this vault.
```
If you have multiple items with the same name, or if you’re concerned about
API rate limits, specify the item by its ID or limit the scope of the search
with the `--vault` flag.
[Learn more about IDs and caching.](/cli/reference)
To retrieve the contents of a specific field, use `op read` instead.
When using service accounts, you must specify a vault with the `--vault` flag
or through piped input.
#### Specify items on standard input
`op item get` treats each line of information on standard input (stdin) as an
object specifier.
You can also input a list or array of JSON objects, and the command will get an
item for any object that has an ID key. This is useful for passing information
from one command to another.
#### Items in the archive
Items in the Archive are ignored by default. To get details for an
item in the Archive, specify the item by ID or use the
`--include-archive` option.
### Examples
Get details for all items with a specified tag:
```
op item list --tags documentation --format json | op item get -
```
Get a CSV list of the username, and password for all logins in a vault:
```
op item list --categories Login --vault Staging --format json | op item get - --fields label=username,label=password
```
Get a JSON object of an item's username and password fields:
```
op item get Netflix --fields label=username,label=password --format json
```
Get a list of fields by type:
```
op item get Netflix --fields type=concealed
```
Get an item's one-time password:
```
op item get Google --otp
```
Retrieve a shareable link for the item referenced by ID:
```
op item get kiramv6tpjijkuci7fig4lndta --vault "Ops Secrets" --share-link
```
## item list
List items.
```
op item list [flags]
```
### Flags
```
--categories categories Only list items in these categories (comma-separated).
--favorite Only list favorite items.
--include-archive Include items in the Archive. Can also be set using
OP_INCLUDE_ARCHIVE environment variable.
--long Output a more detailed item list.
--tags tags Only list items with these tags (comma-separated).
--vault vault Only list items in this vault.
```
Returns a list of all items the account has read access to by default. Use flags to filter results.
Excludes items in the Archive by default.
Categories are:
* API Credential
* Bank Account
* Credit Card
* Database
* Document
* Driver License
* Email Account
* Identity
* Login
* Membership
* Outdoor License
* Passport
* Password
* Reward Program
* Secure Note
* Server
* Social Security Number
* Software License
* Wireless Router
### Examples
Get details for all items with a specified tag:
```
op item list --tags documentation --format=json | op item get -
```
Get a CSV list of the username, and password for all logins in a vault:
```
op item list --categories Login --vault Staging --format=json | op item get - --fields username,password
```
Selecting a tag `` will also return items with tags sub-nested to ``. For example: ``.
## item move
Move an item between vaults.
Moving an item creates a copy of the item in the destination vault and
deletes the item from the current vault. As a result, the item gets a new ID.
```
op item move [{ | | | - }] [flags]
```
### Flags
```
--current-vault string Vault where the item is currently saved.
--destination-vault string The vault you want to move the item to.
--reveal Don't conceal sensitive fields.
```
To restore or permanently delete the original item, find the item in Recently Deleted
in your 1Password app or on 1Password.com.
Moving an item between vaults may change who has access to the item.
### Examples
Move an item from the Private vault to the Shared vault:
```
op item move "My Example Item" --current-vault Private --destination-vault Shared
```
## item share
Share an item.
```
op item share { | } [flags]
```
### Flags
```
--emails strings Email addresses to share with.
--expires-in duration Expire link after the duration specified in (s)econds,
(m)inutes, (h)ours, (d)ays, and/or (w)eeks. (default 7d)
--vault string Look for the item in this vault.
--view-once Expire link after a single view.
```
You can securely share copies of passwords and other items you've saved in 1Password with anyone, even if they don't use 1Password.
When you share an item, you'll get a unique link that you can send to others.
Copy the URL, then send the link to the person or people you want to share the item copy with, like in an email or text message. Anyone with the link can view the item copy unless you specify addresses with the emails flag.
If you edit an item, your changes won't be shared until you share the item
again. Note that file attachments and Document items cannot be shared.
## item template
### Subcommands
* [item template get](#item-template-get): Get an item template
* [item template list](#item-template-list): Get a list of templates
## item template get
Return a template for an item type.
```
op item template get [{ | - }] [flags]
```
### Flags
```
--file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600)
-f, --force Do not prompt for confirmation.
-o, --out-file string Write the template to a file instead of stdout.
```
You can create a new item with a template.
Run `op item create --help` for more information.
Categories are:
* API Credential
* Bank Account
* Credit Card
* Database
* Document
* Driver License
* Email Account
* Identity
* Login
* Membership
* Outdoor License
* Passport
* Password
* Reward Program
* Secure Note
* Server
* Social Security Number
* Software License
* Wireless Router
## item template list
Lists available item type templates.
```
op item template list [flags]
```
Use `op item template get ` to get a template.
# plugin
Source: https://www.1password.dev/cli/reference/management-commands/plugin
Manage your shell plugin configurations.
You can use shell plugins to securely authenticate third-party CLIs with
1Password, rather than storing your CLI credentials in plaintext.
After you configure a plugin, 1Password CLI will prompt you to authenticate the
third-party CLI with your fingerprint or other system authentication option.
[Learn more about shell plugins.](/cli/shell-plugins)
### Subcommands
* [plugin clear](#plugin-clear): Clear shell plugin configuration
* [plugin init](#plugin-init): Configure a shell plugin
* [plugin inspect](#plugin-inspect): Inspect your existing shell plugin configurations
* [plugin list](#plugin-list): List all available shell plugins
* [plugin run](#plugin-run): Provision credentials from 1Password and run this command
## plugin clear
Clear an existing shell plugin configuration.
```shell theme={null}
op plugin clear [flags]
```
### Flags
```
--all Clear all configurations for this plugin that apply to this directory
and/or terminal session, including the global default.
-f, --force Apply immediately without asking for confirmation.
```
You can clear one configuration at a time, in this order of precedence:
* Terminal session default
* Directory default, from the current directory to `$HOME`
* Global default
For example, if you're in the directory `$HOME/projects/awesomeProject`
and you have a terminal session default, directory defaults for `$HOME`
and `$HOME/projects/awesomeProject`, and a global default credential
configured, you would need to run `op plugin clear aws` four times to
clear all of your defaults.
To clear your global default credentials, terminal session default, and
the defaults for your current directory at the same time, run `op plugin
clear aws --all`.
## plugin init
Choose a shell plugin to install and configure your default credentials. Bash,
Zsh, and fish shells are supported.
```shell theme={null}
op plugin init [ ] [flags]
```
Shell plugins require the [1Password desktop app integration](/cli/shell-plugins/).
To see all available plugins, run `op plugin list`.
#### Configure your default credentials
1Password CLI prompts you to select or import the credentials you want to
use with the third-party CLI, then returns a command to source your
`plugins.sh` file and make the plugin alias usable.
To use the plugin beyond the current terminal session, make sure
to add the source command to your RC file or shell profile (e.g.
`~/.bashrc`, `~/.zshrc`, `~/.config/fish/config.fish`). For example:
```shell theme={null}
echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc
```
#### Configuration options
You can choose whether 1Password CLI remembers your configuration. With
any option, your credentials never leave your 1Password account.
* "Prompt me for each new terminal session" only configures the credentials for
the current terminal session. Once you exit the terminal, your default
is removed.
* "Use automatically when in this directory or subdirectories" makes your
credentials the default in the current directory and all its
subdirectories, as long as no other directory-specific defaults are set
in them. A terminal-session default takes precedence over a
directory-specific one.
* "Use as global default on my system" sets the credentials as the default
in all terminal sessions and directories. A directory-specific default
takes precedence over a global one.
## plugin inspect
Inspect your existing shell plugin configurations.
```shell theme={null}
op plugin inspect [ ] [flags]
```
You can run `op plugin inspect` to select a plugin from the list of
all available plugins, or `op plugin inspect ` to inspect
a specific plugin.
1Password CLI returns a list of the credentials you've configured
to use with the plugin and their default scopes, as well as configured
alias details.
## plugin list
Lists all available shell plugins, their usage, name, and required fields.
```shell theme={null}
op plugin list [flags]
```
To get started with a shell plugin, run `op plugin init `.
## plugin run
Provision credentials from 1Password and run this command.
```shell theme={null}
op plugin run ... [flags]
```
`op plugin run` passes your credentials saved in 1Password to the
underlying CLI and runs the provided command. If you haven't configured
your default credentials, 1Password CLI will prompt you to select an
item that contains your credentials.
After this, you will be automagically authenticated with this CLI, and your selection will be recorded for future calls to this plugin in the current terminal session.
To configure a default credential, see `op plugin init --help`.
# service-account
Source: https://www.1password.dev/cli/reference/management-commands/service-account
Manage service accounts.
### Subcommands
* [service-account create](#service-account-create): Create a service account
* [service-account ratelimit](#service-account-ratelimit): Retrieve rate limit usage for a service account
## service-account create
Create a service account to gain programmatic access to your secrets using 1Password CLI.
```shell theme={null}
op service-account create [flags]
```
### Flags
```
--can-create-vaults Allow the service account to create new vaults.
--expires-in duration Set how long the service account is valid for in (s)econds,
(m)inutes, (h)ours, (d)ays, or (w)eeks.
--raw Only return the service account token.
--vault stringArray Give access to this vault with a set of permissions. Has
syntax :[,]
```
You can specify the vaults the service account can access,
as well as the permissions it will have for each vault
using the `--vault` flag. The syntax looks like this:
```shell theme={null}
--vault :,
```
The permissions can be one of the following:
* `read_items`
* `write_items` (requires `read_items`)
* `share_items` (requires `read_items`)
If no permissions are specified, it will default to `read_items`.
You can set an expiry to a service account using the `--expires-in` flag.
1Password CLI only returns the service account token once.
Save the token in 1Password immediately to avoid losing it.
Treat this token like a password, and don't store it in plaintext.
You can't grant a service account access to your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault.
### Examples
Create a new service account:
```shell theme={null}
op service-account create my-service-account --vault Dev:read_items --vault Test:read_items,write_items
```
Create a service account with an expiry:
```shell theme={null}
op service-account create my-service-account --expires-in=24h
```
Create a service account that can create new vaults:
```shell theme={null}
op service-account create my-service-account --can-create-vaults
```
## service-account ratelimit
Retrieve hourly and daily rate limit usage for a service account.
```shell theme={null}
op service-account ratelimit [{ | }] [flags]
```
# user
Source: https://www.1password.dev/cli/reference/management-commands/user
### Subcommands
* [user confirm](#user-confirm): Confirm a user
* [user delete](#user-delete): Remove a user and all their data from the account
* [user edit](#user-edit): Edit a user's name or Travel Mode status
* [user get](#user-get): Get details about a user
* [user list](#user-list): List users
* [user provision](#user-provision): Provision a user in the authenticated account
* [user reactivate](#user-reactivate): Reactivate a suspended user
* [user recovery](#user-recovery): Manage user recovery in your 1Password account
* [user suspend](#user-suspend): Suspend a user
## user confirm
Specify the user by their e-mail address, name, or ID.
```shell theme={null}
op user confirm [{ | | | - }] [flags]
```
### Flags
```
--all Confirm all unconfirmed users.
```
Specify the user by their e-mail address, name, or ID.
### Examples
Confirm a user by specifying their name:
```shell theme={null}
op user confirm "Wendy Appleseed"
```
Confirm a user by specifying their email:
```shell theme={null}
op user confirm "wendy.appleseed@example.com"
```
## user delete
Remove a user and all their data from the account.
```shell theme={null}
op user delete [{ | | | - }] [flags]
```
Specify the user by their e-mail address, name, or ID.
## user edit
Change a user's name or Travel Mode status.
```shell theme={null}
op user edit [{ | | | - }] [flags]
```
### Flags
```
--name string Set the user's name.
--travel-mode on|off Turn Travel Mode on or off for the user. (default off)
```
Specify the user by their e-mail address, name, or ID.
## user get
Get details about a user.
```shell theme={null}
op user get [{ | | | --me | - }] [flags]
```
### Flags
```
--fingerprint Get the user's public key fingerprint.
--me Get the authenticated user's details.
--public-key Get the user's public key.
```
Specify the user by their e-mail address, name, or ID.
#### Use standard input to specify objects
If you enter a hyphen (`-`) instead of a single object for this command,
the tool will read object specifiers from standard input (stdin).
Separate each specifier with a new line. For more information about how
to specify objects, run `op help`.
You can also pass the command a list or array of JSON objects. The tool
will get an item for any object that has an ID, ignoring line
breaks. This is useful for passing information from one `op` command
to another.
### Examples
Look up a user by name:
```shell theme={null}
op user get "Wendy Appleseed"
```
Look up a user by e-mail:
```shell theme={null}
op user get wendy.appleseed@example.com
```
Get details for all users:
```shell theme={null}
op user list --format=json | op user get -
```
Get the public key for all users in a group:
```shell theme={null}
op user list --group "Frontend Developers" --format=json | op user get - --publickey
```
Get details for all users who have access to a vault:
```shell theme={null}
op user list --vault Staging --format=json | op user get -
```
## user list
List users.
```shell theme={null}
op user list [flags]
```
### Flags
```
--group group List users who belong to a group.
--vault vault List users who have direct access to vault.
```
Returns all users in an account by default. Use flags to filter results.
When you use the `--group` option, the output includes the user's role
in the group.
### Examples
Get details for all users:
```shell theme={null}
op user list --format=json | op user get -
```
Get the public key for all users in a group:
```shell theme={null}
op user list --group "Frontend Developers" --format=json | op user get - --publickey
```
Get details for all users who have access to a vault:
```shell theme={null}
op user list --vault Staging --format=json | op user get -
```
## user provision
Provision a user in the authenticated account.
```shell theme={null}
op user provision [flags]
```
### Flags
```
--email string Provide the user's email address.
--language string Provide the user's account language. (default "en")
--name string Provide the user's name.
```
Provisioned users will receive an invitation email to join the 1Password
account.
Once a user accepts an invitation, an admin must confirm them on
1Password.com or using the `op user confirm` command.
Invited users will not be considered for billing until they accept their invitation.
### Examples
Invite a user by specifying their e-mail address and name:
```shell theme={null}
op user provision --name "Wendy Appleseed" --email "wendy.appleseed@example.com"
```
## user reactivate
Reactivate a suspended user.
```shell theme={null}
op user reactivate [{ | | | - }] [flags]
```
A user may be specified by their e-mail address, name, or ID.
## user recovery
### Subcommands
* [user recovery begin](#user-recovery-begin): Begin recovery for users in your 1Password account
## user recovery begin
Begin recovery for users in your 1Password account:
```shell theme={null}
op user recovery begin [ { | | } ] [flags]
```
### Examples
Begin recovery for multiple users by UUID:
```shell theme={null}
op user recovery begin ZMAE4RTRONHN7LGELNYYO373KM WHPOFIMMYFFITBVTOTZUR3R324
```
## user suspend
Suspend a user.
```shell theme={null}
op user suspend [{ | | | - }] [flags]
```
### Flags
```
--deauthorize-devices-after duration Deauthorize the user's devices after a time
(rounded down to seconds).
```
Specify the user by their e-mail address, name, or ID.
A suspended user will immediately be logged out of all devices and
will not be able to log in or access any data.
Users in a suspended state are not considered in billing.
You can reactivate a suspended user with the `op user reactivate`
command.
# vault
Source: https://www.1password.dev/cli/reference/management-commands/vault
Manage permissions and perform CRUD operations on your 1Password vaults.
### Subcommands
* [vault create](#vault-create): Create a new vault
* [vault delete](#vault-delete): Remove a vault
* [vault edit](#vault-edit): Edit a vault's name, description, icon, or Travel Mode status
* [vault get](#vault-get): Get details about a vault
* [vault group](#vault-group): Manage group vault access
* [vault list](#vault-list): List all vaults in the account
* [vault user](#vault-user): Manage user vault access
## vault create
Create a new vault
```
op vault create [flags]
```
### Flags
```
--allow-admins-to-manage true|false Set whether administrators can manage the vault.
If not provided, the default policy for the account applies.
--description description Set the vault's description.
--icon string Set the vault icon.
```
Valid icon keywords are:
airplane, application, art-supplies, bankers-box, brown-briefcase, brown-gate, buildings, cabin, castle, circle-of-dots, coffee, color-wheel, curtained-window, document, doughnut, fence, galaxy, gears, globe, green-backpack, green-gem, handshake, heart-with-monitor, house, id-card, jet, large-ship, luggage, plant, porthole, puzzle, rainbow, record, round-door, sandals, scales, screwdriver, shop, tall-window, treasure-chest, vault-door, vehicle, wallet, wrench
## vault delete
Remove a vault. Specify the vault to delete by name or ID.
```
op vault delete [{ | | - }] [flags]
```
A vault may be specified by name or ID.
## vault edit
Edit a vault's name, description, icon, or Travel Mode status. Specify the vault by name or ID.
```
op vault edit [{ | | - }] [flags]
```
### Flags
```
--description description Change the vault's description.
--icon icon Change the vault's icon.
--name name Change the vault's name.
--travel-mode on|off Turn Travel Mode on or off for the vault. Only vaults
with Travel Mode enabled are accessible while a user has Travel Mode turned on. (default off)
```
A vault may be specified by name or ID.
Valid icon keywords are:
airplane, application, art-supplies, bankers-box, brown-briefcase, brown-gate, buildings, cabin, castle, circle-of-dots, coffee, color-wheel, curtained-window, document, doughnut, fence, galaxy, gears, globe, green-backpack, green-gem, handshake, heart-with-monitor, house, id-card, jet, large-ship, luggage, plant, porthole, puzzle, rainbow, record, round-door, sandals, scales, screwdriver, shop, tall-window, treasure-chest, vault-door, vehicle, wallet, wrench
## vault get
Get details about a vault. Specify the vault by name or ID.
```
op vault get [{ | | - }] [flags]
```
A vault may be specified by name or ID.
#### Use standard input to specify objects
If you enter a hyphen (`-`) instead of a single object for this command,
the tool will read object specifiers from standard input (stdin).
Separate each specifier with a new line. For more information about how
to specify objects, run `op help`.
You can also pass the command a list or array of JSON objects. The tool
will get an item for any object that has an ID, ignoring line
breaks. This is useful for passing information from one `op` command
to another.
### Examples
Get details for all vaults:
```
op vault list --format=json | op vault get -
```
Get details for the vaults that a group has access to:
```
op vault list --group security --format=json | op vault get -
```
## vault group
### Subcommands
* [vault group grant](#vault-group-grant): Grant a group permissions to a vault
* [vault group list](#vault-group-list): List all the groups that have access to the given vault
* [vault group revoke](#vault-group-revoke): Revoke a portion or the entire access of a group to a vault
## vault group grant
Grant a group permissions in a vault.
```
op vault group grant [flags]
```
### Flags
```
--group group The group to receive access.
--no-input input Do not prompt for input on interactive terminal.
--permissions permissions The permissions to grant to the group.
--vault vault The vault to grant group permissions to.
```
Permissions are specified in a comma separated list such as:
```
view_items,view_and_copy_passwords,edit_items
```
1Password Teams includes three permissions:
```
allow_viewing, allow_editing, allow_managing
```
1Password Business includes the permissions above as well as more
granular options:
allow\_viewing
```
view_items, view_and_copy_passwords, view_item_history
```
allow\_editing
```
create_items, edit_items, archive_items, delete_items, import_items,
export_items, copy_and_share_items, print_items
```
allow\_managing
```
manage_vault
```
When granting or revoking permissions, some permissions require
dependent permissions to be granted or revoked alongside them.
[Learn more about managing vault permissions.](/cli/vault-permissions/)
### Examples
Grant a group certain permissions in a vault with a business account:
```
op vault group grant --vault VAULT --group GROUP \
--permissions view_items,create_items,allow_viewing
```
```
op vault group grant --vault VAULT --group GROUP \
--permissions allow_viewing,export_items
```
Grant a group certain permissions in a vault with a team account:
```
op vault group grant --vault VAULT --group GROUP \
--permissions allow_viewing,allow_editing
```
## vault group list
List all the groups that have access to the given vault.
```
op vault group list [{ | - }] [flags]
```
## vault group revoke
Revoke a group's permissions in a vault, in part or in full.
```
op vault group revoke [flags]
```
### Flags
```
--group group The group to revoke access from.
--no-input input Do not prompt for input on interactive terminal.
--permissions permissions The permissions to revoke from the group.
--vault vault The vault to revoke access to.
```
Not specifying any permissions revokes the group's access to the vault.
Removing all existing permissions also revokes the group’s access to
the vault.
Permissions are specified in a comma separated list such as:
```
view_items,view_and_copy_passwords,edit_items
```
1Password Teams includes three permissions:
```
allow_viewing, allow_editing, allow_managing
```
1Password Business includes the permissions above as well as more
granular options:
allow\_viewing
```
view_items, view_and_copy_passwords, view_item_history
```
allow\_editing
```
create_items, edit_items, archive_items, delete_items, import_items,
export_items, copy_and_share_items, print_items
```
allow\_managing
```
manage_vault
```
When granting or revoking permissions, some permissions require
dependent permissions to be granted or revoked alongside them.
[Learn more about managing vault permissions.](/cli/vault-permissions/)
### Examples
Remove a group from a vault:
```
op vault group revoke --vault VAULT --group GROUP
```
Revoke certain permissions from a group in a vault with a business account:
```
op vault group revoke --vault VAULT --group GROUP \
--permissions view_items,create_items,allow_editing
```
Revoke certain permissions from a group in a vault with a team account:
```
op vault group revoke --vault VAULT --group GROUP \
--permissions allow_viewing,allow_editing
```
## vault list
List vaults.
```
op vault list [flags]
```
### Flags
```
--group string List vaults a group has access to.
--permission permissions List only vaults that the specified user/group has this permission for.
--user string List vaults that a given user has access to.
```
By default, returns all vaults the current user has read access to.
### Examples
Get details for all vaults:
```
op vault list --format=json | op vault get -
```
Get details for vaults that a group has access to:
```
op vault list --group Security --format=json | op vault get -
```
Get details for vaults that a user has access to:
```
op vault list --user wendy_appleseed@1password.com --format=json | op vault get -
```
Only list vaults for which the user/group has a specific set of permissions:
```
op vault list --user wendy_appleseed@1password.com --permission manage_vault
```
## vault user
### Subcommands
* [vault user grant](#vault-user-grant): Grant a user access to a vault
* [vault user list](#vault-user-list): List all users with access to the vault and their permissions
* [vault user revoke](#vault-user-revoke): Revoke a portion or the entire access of a user to a vault
## vault user grant
Grant a user permissions in a vault.
```
op vault user grant [flags]
```
### Flags
```
--no-input input Do not prompt for input on interactive terminal.
--permissions permissions The permissions to grant to the user.
--user user The user to receive access.
--vault vault The vault to grant access to.
```
Permissions are specified in a comma separated list such as:
```
view_items,view_and_copy_passwords,edit_items
```
1Password Teams and 1Password Families include three permissions:
```
allow_viewing, allow_editing, allow_managing
```
1Password Business includes the permissions above as well as more
granular options:
allow\_viewing
```
view_items, view_and_copy_passwords, view_item_history
```
allow\_editing
```
create_items, edit_items, archive_items, delete_items, import_items,
export_items, copy_and_share_items, print_items
```
allow\_managing
```
manage_vault
```
When granting or revoking permissions, some permissions require
dependent permissions to be granted or revoked alongside them.
[Learn more about managing vault permissions.](/cli/vault-permissions/)
### Examples
Grant a user certain permissions in a vault with a business account:
```
op vault user grant --vault VAULT --user USER \
--permissions view_items,create_items,allow_viewing
```
```
op vault user grant --vault VAULT --user USER \
--permissions allow_viewing,export_items
```
Grant a user certain permissions in a vault with a team account:
```
op vault user grant --vault VAULT --user USER \
--permissions allow_viewing,allow_editing
```
## vault user list
List all users with access to the vault and their permissions.
```
op vault user list [flags]
```
## vault user revoke
Revoke a user's permissions in a vault, in part or in full.
```
op vault user revoke [flags]
```
### Flags
```
--no-input input Do not prompt for input on interactive terminal.
--permissions permissions The permissions to revoke from the user.
--user user The user to revoke access from.
--vault vault The vault to revoke access to.
```
Not specifying any permissions revokes the user's access to the vault.
Removing all existing permissions also revokes the user’s access to
the vault.
Permissions are specified in a comma separated list such as:
```
view_items,view_and_copy_passwords,edit_items
```
1Password Teams and 1Password Families include three permissions:
```
allow_viewing, allow_editing, allow_managing
```
1Password Business includes the permissions above as well as more
granular options:
allow\_viewing
```
view_items, view_and_copy_passwords, view_item_history
```
allow\_editing
```
create_items, edit_items, archive_items, delete_items, import_items,
export_items, copy_and_share_items, print_items
```
allow\_managing
```
manage_vault
```
When granting or revoking permissions, some permissions require
dependent permissions to be granted or revoked alongside them.
[Learn more about managing vault permissions.](/cli/vault-permissions/)
### Examples
Remove a user from a vault:
```
op vault user revoke --vault VAULT --user USER
```
Revoke certain permissions from a user in a vault with a business account:
```
op vault user revoke --vault VAULT --user USER \
--permissions view_items,create_items,allow_editing
```
Revoke certain permissions from a user in a vault with a team account:
```
op vault user revoke --vault VAULT --user USER \
--permissions allow_viewing,allow_editing
```
# Update to the latest version of 1Password CLI
Source: https://www.1password.dev/cli/reference/update
To make sure you're up to date with the latest features and security improvements, always use the latest version of 1Password CLI.
To check what version you currently have installed, use `op --version`.
## Download the latest version
There are two ways you can download the latest version for your platform and architecture:
* Visit our [release page](https://app-updates.agilebits.com/product_history/CLI2) and download the latest version of 1Password CLI.
* Use `op update` to download the latest version from the command line. Set the `--directory` flag to choose where to download the installer (defaults to `~/Downloads`) and confirm the download.
You can use `op update` without signing in.
After downloading the appropriate installer, follow the [installation instructions](/cli/get-started/#step-1-install-1password-cli) to finish the update.
## Update with a package manager
If you installed 1Password CLI with a package manager, use the following commands to update your installation.
```shell title="Brew" theme={null}
brew upgrade --cask 1password-cli
```
# Release notes
Source: https://www.1password.dev/cli/release-notes
# Example scripts
Source: https://www.1password.dev/cli/scripts
The 1Password Solutions team manages [a repository of example 1Password CLI scripts](https://github.com/1Password/solutions) that you can use as inspiration for your own projects.
You'll need to install [jq](https://stedolan.github.io/jq/), a command-line JSON processor, for the example scripts to work correctly.
You can find demo scripts to help you:
* [Migrate from another password solution](https://github.com/1Password/solutions/tree/main/1password/migration)
* [Provision new users from a CSV](https://github.com/1Password/solutions/tree/main/1password/scripted-provisioning)
* [Audit or manage existing users](https://github.com/1Password/solutions/tree/main/1password/user-management)
* [Manage your vaults and groups](https://github.com/1Password/solutions/tree/main/1password/account-management)
* [Create, update, and share items](https://github.com/1Password/solutions/tree/main/1password/item-management)
## Learn more
* [Get started with secret references](/cli/secret-references/)
* [Load secrets into scripts](/cli/secrets-scripts/)
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Load secrets into config files](/cli/secrets-config-files/)
# Secret reference syntax
Source: https://www.1password.dev/cli/secret-reference-syntax
Secret reference URIs point to where a secret is saved in your 1Password account using the names (or [unique identifiers](/cli/reference/#unique-identifiers-ids)) of the vault, item, section, and field where the information is stored.
```shell theme={null}
op:////[section-name/]
```
Secret references remove the risk of exposing plaintext secrets in your code and reflect changes you make in your 1Password account, so when you run a script you get the latest value.
You can use secret references with:
Load secrets into environment variables, configuration files, and scripts.
Programmatically access your secrets with Go, JavaScript, and Python.
Use secret references to secure your secrets management workflows.
Create, preview, and read secret references in your code.
Securely access your secrets in Kubernetes, CircleCI, GitHub Actions, Jenkins, Terraform, Pulumi, Postman, and more.
## Get secret references
### With the 1Password desktop app
To see the option to copy secret references in the 1Password desktop app, first turn on the [integration with 1Password CLI](/cli/app-integration). Then:
1. Open the item where the secret you want to reference is stored.
2. Select next to the field that contains the secret you want to reference, then select Copy Secret Reference.
### With 1Password for VS Code
You can use 1Password for VS Code to [insert secret references](/vscode/#get-values) from 1Password as you edit your code. First, [install the extension](/vscode/). Then:
1. Open the **[Command Palette ](https://code.visualstudio.com/api/ux-guidelines/command-palette)**.
2. Enter `1Password: Get from 1Password`.
3. Enter the item name or ID.
4. Select the field to use.
### With 1Password CLI
To get a secret reference with 1Password CLI, run [`op item get`](/cli/reference/management-commands/item/#item-get) with the `--format json` flag and include the `--fields` flag to specify a field label. Then use [jq ](https://jqlang.github.io/jq/) to retrieve the secret reference from the JSON output. For example:
```shell theme={null}
op item get GitHub --format json --fields username | jq .reference
#code-result
"op://development/GitHub/username"
```
To get secret references for every field on an item, use [`op item get`](/cli/reference/management-commands/item/#item-get) with the `--format json` flag without specifying a field.
```shell theme={null}
op item get GitHub --format json
```
Each field object will include a `reference` key that contains its secret reference. For the example `GitHub` item, the output looks like this:
```json highlight={8,17,29,40} theme={null}
"fields": [
{
"id": "username",
"type": "STRING",
"purpose": "USERNAME",
"label": "username",
"value": "wendy_appleseed@agilebits.com",
"reference": "op://development/GitHub/username"
},
{
"id": "password",
"type": "CONCEALED",
"purpose": "PASSWORD",
"label": "password",
"value": "GADbhK6MjNZrRftGMqto",
"entropy": 115.5291519165039,
"reference": "op://development/GitHub/password",
"password_details": {
"entropy": 115,
"generated": true,
"strength": "FANTASTIC"
}
},
{
"id": "notesPlain",
"type": "STRING",
"purpose": "NOTES",
"label": "notesPlain",
"reference": "op://development/GitHub/notesPlain"
},
{
"id": "5ni6bw735myujqe4elwbzuf2ee",
"section": {
"id": "hv46kvrohfj75q6g45km2uultq",
"label": "credentials"
},
"type": "CONCEALED",
"label": "personal_token",
"value": "ghp_WzgPAEutsFRZH9uxWYtw",
"reference": "op://development/GitHub/credentials/personal_token"
}
]
}
```
## Syntax rules
### Supported characters
Secret references are case-insensitive and support the following characters:
* alphanumeric characters (`a-z`, `A-Z`, `0-9`)
* `-`, `_`, `.` and the whitespace character
If a secret reference includes a whitespace, enclose the secret reference in quotation marks. For example:
```shell theme={null}
op read "op://development/aws/Access Keys/access_key_id"
```
Any part of a secret reference that includes an unsupported character must be referred to by its [unique identifier (ID)](/cli/reference/#unique-identifiers-ids) instead of its name.
To get an ID, run [`op item get`](/cli/reference/management-commands/item#item-get) with the output set to JSON. For example, to get the ID for a custom text field named `test/`:
```
op item get PagerDuty --fields label=test/ --format json
#code-result
{
"id": "hu4vwo3bjkawq2uw2fkn5pkjzu",
"section": {
"id": "add more"
},
"type": "STRING",
"label": "text/",
"value": "t",
"reference": "op://Management/PagerDuty/add more/hu4vwo3bjkawq2uw2fkn5pkjzu"
}
```
### File attachments
To reference a file attachment, use the file name in place of a field name:
```shell theme={null}
op://vault-name/item-name/[section-name/]file-name
```
### Externally-set variables
If you use different sets of secrets in different environments, you can include variables within secret references and then set the variable to switch between secrets.
For example, the `APP_ENV` variable in the example below can be set to `dev` to load development credentials or `prod` to load production credentials, assuming the credentials are stored in 1Password vaults named `dev` and `prod`.
```shell app.env theme={null}
MYSQL_DATABASE = "op://$APP_ENV/mysql/database"
MYSQL_USERNAME = "op://$APP_ENV/mysql/username"
MYSQL_PASSWORD = "op://$APP_ENV/mysql/password"
```
Learn how to use variables to switch between sets of secrets in [environment files](/cli/secrets-environment-variables#optional-differentiate-between-environments) and [config files](/cli/secrets-config-files#step-3-differentiate-between-environments).
### Field and file metadata attributes
You can use secret references with query parameters to get more information about an item.
#### Attribute parameter
To get information about item fields and file attachments, use the
`attribute` (or `attr`) query parameter.
```html Fields theme={null}
op:///[/]/?attribute=
```
```html File attachments theme={null}
op:///[/]/?attribute=
```
Field attributes:
| Attribute | Definition |
| --------- | ------------------------------------------------------------------------------- |
| `type` | The field's type |
| `value` | The field's content |
| `id` | The field's unique identifier |
| `purpose` | The designation of a built-in field (can be "username", "password", or "notes") |
| `otp` | Use with one-time password fields to generate a one-time password code |
File attachment attributes:
| Attribute | Definition |
| --------- | --------------------------------------- |
| `type` | The field's type |
| `content` | The file attachment's content |
| `size` | The size of the file attachment |
| `id` | The file attachment's unique identifier |
| `name` | The name of the file attachment |
For example, to retrieve an item's one-time password code:
```shell theme={null}
op read "op://development/GitHub/Security/one-time password?attribute=otp"
#code-result
359836
```
To retrieve a field's type:
```shell theme={null}
op read "op://Personal/aws/access credentials/username?attribute=type"
#code-result
string
```
To retrieve the name of a file attachment:
```shell theme={null}
op read "op://app-infra/ssh/key.pem?attribute=name"
#code-result
key.pem
```
#### SSH format parameter
To get an SSH private key in the OpenSSH format, include the `ssh-format` query parameter with the value `openssh` on a secret reference for the SSH key's `private key` field.
```shell theme={null}
op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh"
#code-result
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD3rRrf8J
ruD0CxZTYfpbTYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ5B/GnxX6t9jMwQ
G7QE7r5daJLkMKTZhNZhWfvzK2y+AAAAkLgQAivYu/+12/YrZhK5keIAZf4ZgsZsZ2JI2q
qbx23PqgO93oGy1iCxXe3kngQL4cM6lwOZPsZPKCinkN6KxEr6RnXqFRHJbMpOiGeZhTuD
rjeo77HqFdxDqDeckB77XCKL0Ew28H5JlM/WO31XR3Z4VBAgTe+BQLjrFV8WU5UX38hpBJ
PMJyRsK72ZUDDaGQ==
-----END OPENSSH PRIVATE KEY-----
```
## Secret reference examples
### A field inside a section
To create a secret reference that refers to the PagerDuty email field, which is within the Admin section, use:
```shell theme={null}
op://Management/PagerDuty/Admin/email
```
* `Management` refers to the vault where the item is saved
* `PagerDuty` refers to the item
* `Admin` refers to the section where the field is a part of
* `email` refers to the field where the secret you want to reference is located
### A field without a section
To create a secret reference for the Stripe publishable-key field, which is not part of a section, use:
```shell theme={null}
op://dev/Stripe/publishable-key
```
* `dev` refers to the vault where the item is saved
* `Stripe` refers to the item
* `publishable-key` refers to the field where the secret you want to reference is located
## Learn more
* [Use secret references with 1Password CLI](/cli/secret-references/)
* [Get started with 1Password SDKs](/sdks/)
* [Load secrets into config files](/cli/secrets-config-files/)
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Template syntax](/cli/secrets-template-syntax/)
# Use secret references with 1Password CLI
Source: https://www.1password.dev/cli/secret-references
**New beta feature**
You can now [pass secrets as environment variables](/cli/secrets-environment-variables) to applications or scripts from [1Password Environments](/environments). This allows you to more easily access project secrets from 1Password without the need to create secret references.
With 1Password CLI, you can use [secret references](/cli/secret-reference-syntax) to securely load information saved in 1Password into environment variables, configuration files, and scripts without exposing any secrets in plaintext.
A secret reference URI includes the names (or [unique identifiers](/cli/reference/#unique-identifiers-ids)) of the vault, item, section, and field where a secret is stored in your 1Password account:
```shell theme={null}
op:////[section-name/]
```
To replace secret references with the secrets they refer to at runtime, use [`op read`](#with-op-read), [`op run`](#with-op-run), or [`op inject`](#with-op-inject).
We recommend using [1Password Service Accounts](/service-accounts/) to follow the [principle of least privilege](/cli/best-practices/). Service accounts support restricting 1Password CLI to specific vaults, so that processes in your authorized terminal session can only access items required for a given purpose.
## Requirements
Before you can use secret references to securely load your secrets with 1Password CLI, you'll need to:
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. [Install 1Password CLI.](/cli/get-started/#step-1-install-1password-cli)
3. Save the secrets you want to reference in your 1Password account.
## Step 1: Get secret references
You can get secret references in several ways:
* [With the 1Password desktop app](/cli/secret-reference-syntax/#with-the-1password-desktop-app): Copy secret references from the app.
* [With 1Password for VS Code](/vscode/#get-values): Insert secret references from 1Password as you edit code.
* [With 1Password CLI](/cli/secret-reference-syntax/#with-1password-cli): Get secret references for one or multiple fields with `op item get`.
* [With the secret reference syntax](/cli/secret-reference-syntax/#syntax-rules): Write secret references manually.
## Step 2: Replace plaintext secrets with secret references
After you create secret references, use them in place of plaintext secrets in your code.
The example below shows a GitHub environment file with a secret reference pointing to where the GitHub Personal Access Token is stored in 1Password rather than a plaintext token.
## Step 3: Resolve secret references
There are three ways you can replace secret references with the actual secrets they reference at runtime:
* [Use `op read` to write secrets to `stdout` or to a file.](#with-op-read)
* [Use `op run` to pass secrets as environment variables to a process.](#with-op-run)
* [Use `op inject` to inject secrets into configuration files or scripts.](#with-op-inject)
### With `op read`
You can use [`op read`](/cli/reference/commands/read/) with a secret reference to print the secret to `stdout`.
```shell theme={null}
op read op://development/GitHub/credentials/personal_token
#code-result
ghp_WzgPAEutsFRZH9uxWYtw
```
To write the secret to a file instead of `stdout`, include the `--out-file` flag (or `-o`) with the path to the new file. For example, to create a file `token.txt` that contains the GitHub personal access token:
```shell theme={null}
op read --out-file token.txt op://development/GitHub/credentials/personal_token
```
```shell token.txt theme={null}
ghp_WzgPAEutsFRZH9uxWYtw
```
You can also use `op read` with secret references to [load secrets into scripts](/cli/secrets-scripts/). For example, to use secret references in place of your Docker username and password with the `docker login` command:
```shell myscript.sh theme={null}
#!/bin/bash
docker login -u "$(op read op://prod/docker/username)" -p "$(op read op://prod/docker/password)"
```
#### Query parameters
You can use secret references with [query parameters](/cli/secret-reference-syntax/#field-and-file-metadata-attributes) to get more information about an item.
To get information about item fields or file attachments, include the `attribute` (or `attr`) query parameter with the attribute you want to get.
```shell theme={null}
op:///[/]/?attribute=
```
You can query the following attributes for fields:
`type`, `value`, `title`, `id`, `purpose`, `otp`
And the following attributes for file attachments:
`content`, `size`, `id`, `name`, `type`.
For example, to retrieve a one-time password from the one-time password field on a GitHub item:
```shell theme={null}
op read "op://development/GitHub/Security/one-time password?attribute=otp"
#code-result
359836
```
To get an SSH key's private key in the OpenSSH format, include the `ssh-format` query parameter with the value `openssh` on a secret reference for the SSH key's `private key` field.
```shell theme={null}
op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh"
#code-result
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD3rRrf8J
ruD0CxZTYfpbTYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ5B/GnxX6t9jMwQ
G7QE7r5daJLkMKTZhNZhWfvzK2y+AAAAkLgQAivYu/+12/YrZhK5keIAZf4ZgsZsZ2JI2q
qbx23PqgO93oGy1iCxXe3kngQL4cM6lwOZPsZPKCinkN6KxEr6RnXqFRHJbMpOiGeZhTuD
rjeo77HqFdxDqDeckB77XCKL0Ew28H5JlM/WO31XR3Z4VBAgTe+BQLjrFV8WU5UX38hpBJ
PMJyRsK72ZUDDaGQ==
-----END OPENSSH PRIVATE KEY-----
```
**Next step**
Learn more about [securely loading secrets into scripts](/cli/secrets-scripts/).
### With `op run`
You can set environment variables to secret references, then use [`op run`](/cli/reference/commands/run/) to pass secrets to an application or script at runtime.
`op run` scans environment variables for secret references, loads the corresponding values from 1Password, then runs the provided command in a subprocess with the secrets made available as environment variables for the duration of the subprocess.
When you reference a variable like `$MY_VAR` in the **same command** where you call `op run`, your shell expands `$MY_VAR` before `op run` can substitute the secret reference. To make sure `op run` substitutes the secret before the variable expands, you can either:
* **Export the variable** as a secret reference before calling `op run`, or
* Set the variable in the same command as `op run`, then **run the command to expand the variable in a subshell**. For example:
```shell theme={null}
MY_VAR=op://vault/item/field op run --no-masking -- sh -c 'echo "$MY_VAR"'
```
#### Pass the secrets to an application or script
To pass secrets to your script or application at runtime, wrap the command with `op run`.
For example, here's a Node.js app that needs credentials to connect to a database:
```shell theme={null}
$ node app.js
[INFO] Launching Node.js app...
[ERROR] Missing credentials DB_USER and DB_PASSWORD
[INFO] Exiting with code 1
```
You can set the `DB_USER` and `DB_PASSWORD` environment variables to secret references:
```shell theme={null}
export DB_USER="op://app-dev/db/user"
export DB_PASSWORD="op://app-dev/db/password"
```
```shell theme={null}
set -x DB_USER="op://app-dev/db/user"
set -x DB_PASSWORD="op://app-dev/db/password"
```
```powershell theme={null}
$Env:DB_USER = "DB_USER=op://app-dev/db/user"
$Env:DB_PASSWORD = "DB_PASSWORD=op://app-dev/db/password"
```
Then use `op run` to pass the secrets to the `node app.js` command:
```shell theme={null}
op run -- node app.js
[INFO] Launching Node.js app...
[DEBUG] ✔ Connected to db as user 'mydbuser' with password ''
```
#### Use with environment files
You can also use `op run` with environment files. To do this, use secret references instead of plaintext secrets in your environment file:
```html node.env theme={null}
DB_USER="op://app-dev/db/user"
DB_PASSWORD="op://app-dev/db/password"
```
Then use `op run` with the `--env-file` flag:
```shell theme={null}
op run --env-file="./node.env" -- node app.js
```
#### Print a secret with or without masking
If a subprocess used with `op run` prints a secret to `stdout`, the secret will be concealed by default. You can include the `--no-masking` flag to print the value.
To export an example environment variable `DB_PASSWORD` to a secret reference:
```shell theme={null}
export DB_PASSWORD=op://app-prod/db/password
```
Use `op run` with the `printenv` command to print the concealed secret:
```shell theme={null}
op run -- printenv DB_PASSWORD
#code-result
```
Include the `--no-masking` flag to print the actual secret:
```shell theme={null}
op run --no-masking -- printenv DB_PASSWORD
#code-result
fX6nWkhANeyGE27SQGhYQ
```
To export an example environment variable `DB_PASSWORD` to a secret reference:
```shell theme={null}
set -x DB_PASSWORD=op://app-prod/db/password
```
Use `op run` with the `printenv` command to print the concealed secret:
```shell theme={null}
op run -- printenv DB_PASSWORD
#code-result
```
Include the `--no-masking` flag to print the actual secret:
```shell theme={null}
op run --no-masking -- printenv DB_PASSWORD
#code-result
fX6nWkhANeyGE27SQGhYQ
```
To export an example environment variable `DB_PASSWORD` to a secret reference:
```powershell theme={null}
$Env:DB_PASSWORD = "DB_PASSWORD=op://app-prod/db/password"
```
To print the concealed secret:
```powershell theme={null}
op run -- powershell -c '$env:DB_PASSWORD'
#code-result
```
Include the `--no-masking` flag to print the actual secret:
```powershell theme={null}
op run --no-masking -- powershell -c '$env:DB_PASSWORD'
#code-result
fX6nWkhANeyGE27SQGhYQ
```
**Next step**
Learn more about [loading secrets into the environment](/cli/secrets-environment-variables/) with `op run`, including how to use template variables to switch between different sets of secrets for different environments.
### With `op inject`
You can use [`op inject`](/cli/reference/commands/inject/) to replace secret references in a script or file with the secrets they reference.
By default, `op inject` accepts input on `stdin` and outputs on `stdout`. You can use the `--in-file` flag (or `-i`) to read the input from a file instead, and the `--out-file` flag (or `-o`) to specify where the ouput should be written.
To use `op inject` to resolve a secret in a simple command:
```shell theme={null}
echo "here is my GitHub token: op://development/GitHub/credentials/personal_token" | op inject
#code-result
here is my GitHub token: ghp_WzgPAEutsFRZH9uxWYtw
```
To write the output to a file `token.txt` in the current directory:
```shell theme={null}
echo "here is my GitHub token: op://development/GitHub/credentials/personal_token" >> token.txt | op inject --out-file token.txt
```
```shell token.txt theme={null}
here is my GitHub token: ghp_WzgPAEutsFRZH9uxWYtw
```
#### Use with configuration files
You can use `op inject` to pass in a configuration file templated with secret references and output a configuration file that contains resolved secrets. Configuration files that use secret references instead of plaintext secrets can be safely checked into Git.
```yaml config.yml.tpl theme={null}
database:
host: http://localhost
port: 5432
username: op://prod/mysql/username
password: op://prod/mysql/password
```
```shell theme={null}
op inject --in-file config.yml.tpl --out-file config.yml
```
**Next step**
Learn more about [loading secrets into configuration files](/cli/secrets-config-files/) with `op inject`, including how to use template variables to switch between different sets of secrets for different environments.
## Learn more
* [Secret reference syntax](/cli/secret-reference-syntax/)
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Load secrets into config files](/cli/secrets-config-files/)
* [Load secrets into scripts](/cli/secrets-scripts/)
* [Use service accounts with 1Password CLI](/service-accounts/use-with-1password-cli)
# Load secrets into config files
Source: https://www.1password.dev/cli/secrets-config-files
With 1Password CLI, you can use [secret references](/cli/secret-reference-syntax/) to automatically load secrets into configuration files from your 1Password account without putting any plaintext secrets in code. This allows you to check config files into source control and keep them in sync throughout developer workstations, CI, and production servers, which is otherwise manual and error-prone work.
We recommend using [1Password Service Accounts](/service-accounts/) to follow the [principle of least privilege](/cli/best-practices/). Service accounts support restricting 1Password CLI to specific vaults, so that processes in your authorized terminal session can only access items required for a given purpose.
## Requirements
Before you can use 1Password to secure your config files, you'll need to:
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. [Install 1Password CLI.](/cli/get-started/#step-1-install-1password-cli)
3. Store the secrets you want to provision in your 1Password account.
## Step 1: Get secret references
You can get secret references in several ways:
* [With the 1Password desktop app](/cli/secret-reference-syntax/#with-the-1password-desktop-app): Copy secret references from the app.
* [With 1Password for VSCode](/vscode/#get-values): Insert secret references from 1Password as you edit code.
* [With 1Password CLI](/cli/secret-reference-syntax/#with-1password-cli): Get secret references for one or multiple fields with `op item get`.
* Use the [secret reference syntax rules](/cli/secret-reference-syntax/#syntax-rules) to write secret references manually.
## Step 2: Use secret references in your config file
Replace the plaintext secrets in your config file with the appropriate secret references, following the [template syntax](/cli/secrets-template-syntax/).
For example, if you start with a config file that looks like this:
```yaml config.yml theme={null}
database:
host: http://localhost
port: 5432
username: mysql-user
password: piG1rX5P1QMF6J5k7u7sNb
```
And you saved the `username` and `password` secrets on the `mysql` item in the `prod` vault, you would end up with this templated config file:
```yaml config.yml.tpl theme={null}
database:
host: http://localhost
port: 5432
username: op://prod/mysql/username
password: op://prod/mysql/password
```
## Step 2: Inject the secrets
To load secrets from the config file and provision them at runtime, use `op inject` to inject the secrets directly into your production environment. For example:
```zsh theme={null}
op inject -i config.yml.tpl -o config.yml
```
In the output file, `config.yml`, you'll see the secret references replaced with the plaintext secrets they reference.
The config file template is stored together with the code in source control, so that every developer can see the structure of the file.
Make sure to delete the resolved config file when you no longer need it.
## Step 3: Differentiate between environments
We highly recommend you organize your 1Password items in the same way across all of your environments. For example: `app/dev/db/password` and `app/prod/db/password`.
If you do this, you can use variables in your template file to switch to a different set of secrets. You can have variables for your environment, stage, region, or anything else. For example:
```yaml config.yml.tpl theme={null}
database:
host: http://localhost
port: 5432
username: op://$APP_ENV/mysql/username
password: op://$APP_ENV/mysql/password
```
You can then set the `APP_ENV` variable when you inject into the template, using the [Template Syntax](/cli/secrets-template-syntax/):
```shell theme={null}
APP_ENV=prod op inject -i config.yml.tpl -o config.yml
```
1. Set `APP_ENV` to `prod`:
```powershell theme={null}
$Env:APP_ENV = "prod"
```
2. Inject the secrets:
```powershell theme={null}
op inject -i config.yml.tpl -o config.yml
```
This allows you to use the same template file, stored in source control next to your application, for all your deployments.
## Optional: Use `op inject` in production
Now that the application works with the right configuration locally, you can use 1Password CLI to provision secrets in production environments.
To do this, you'll first need to:
1. [Install 1Password CLI 2 in your production environment.](/cli/install-server/)
2. [Set up a Secrets Automation workflow](/connect/).
3. [Deploy 1Password Connect Server](/connect/get-started/#step-2-deploy-1password-connect-server) and make it accessible to your production environment.
To use 1Password CLI with a Connect server, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials in your production environment.
You can now move your secrets to config files and have them readily accessible with `op inject`.
The following commands can be used with a Connect server:
* `op run`
* `op inject`
* `op read`
* `op item get`
## Learn more
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Secret reference syntax](/cli/secret-reference-syntax/)
* [Template syntax](/cli/secrets-template-syntax/)
# Load secrets into the environment
Source: https://www.1password.dev/cli/secrets-environment-variables
With [`op run`](/cli/reference/commands/run/), you can provide your project secrets directly from 1Password to an application or script as environment variables at runtime. You can use `op run` with [1Password Environments](/environments), environment variables set to [secret references](/cli/secret-references), or a combination of both.
1Password CLI loads the specified secrets, then runs the provided command in a subprocess with the secrets made available as environment variables only for the duration of the process. This allows you to avoid hardcoding any plaintext secrets and quickly switch between different sets of secrets for different development contexts.
## Choose your configuration
1Password CLI provides multiple methods to load your project secrets:
* **[1Password Environments (beta)](/environments)** allow you to create Environments in 1Password that contain all your environment variables for a specific workflow. You can share Environments with your team and create separate Environments for each project, application, or development context (like staging or production).
* **[Secret references](/cli/secret-references)** are URIs that point to where a secret is stored in your 1Password account. A secret reference uses the names or unique identifiers of the vault, item, section, and field where the secret is stored in 1Password. You can set environment variables to secret references on the command line or use secret references in your `.env` files. Secret references require more manual setup than 1Password Environments to switch between different sets of environment variables for different contexts, or create shared team workflows.
* **Hybrid approach**: You can use `op run` to load variables from a 1Password Environment alongside secret references from `.env` files or exported environment variables.
Authenticate with a [1Password Service Account](/service-accounts/) to follow the [principle of least privilege](/cli/best-practices/). You can scope service account access to specific vaults and 1Password Environments so that processes in your authorized terminal session can only access secrets required for a given purpose.
You should assume that processes on your computer can access the environment of other processes run by the same user. Be aware of this when supplying secrets through environment variables.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. [Install the latest beta build of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2#beta), version `2.33.0-beta.02` or later.
Before you can load secrets into the environment, you'll need to:
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. [Install 1Password CLI.](/cli/get-started#step-1-install-1password-cli)
## Step 1: Store your project secrets in 1Password
To store your project secrets in a 1Password Environment, [follow the steps to create an Environment](/environments), then import a `.env` file or manually add your environment variables.
To use secret references, save your project secrets as items in a vault in your 1Password account.
Then follow the instructions to create secret references for each item using your preferred method:
* [With the 1Password desktop app](/cli/secret-reference-syntax#with-the-1password-desktop-app): Copy secret references from the app.
* [With 1Password for VSCode](/vscode#get-values): Insert secret references from 1Password as you edit code.
* [With 1Password CLI](/cli/secret-reference-syntax#with-1password-cli): Get secret references for one or multiple fields with `op item get`.
* Use the [secret reference syntax rules](/cli/secret-reference-syntax#syntax-rules) to write secret references manually.
## Step 2: Pass the secrets to the application
To pass your environment variables from 1Password to an application or script:
1. Open the 1Password app and navigate to **Developer** > **Environments**.
2. Select the Environment where your project secrets are stored, then select **Manage environment** > **Copy environment ID**.
3. Use `op run --` with the command for starting the application or script. 1Password will run the provided command in a subprocess with the secrets made available as environment variables for the duration of the process.
```shell theme={null}
op run --environment --
```
For example:
```shell theme={null}
op run --environment blgexucrwfr2dtsxe2q4uu7dp4 -- ./my-script.sh
```
Step 1: Map secret references to environment variables
To pass secrets to an application or script using `op run` and [secret references](/cli/secret-references), you must first map the secret references to the appropriate environment variables. To do this, you can set environment variables to secret references using an environment file or export them on the command line.
Environment (`.env`) files allow you to define multiple environment variables as secret references with `KEY=VALUE` statements separated by a newline.
To use an environment file with `op run`, add key-value pairs for each of your project secrets with the value set to a [secret reference](/cli/secret-references). For example:
```shell title="prod.env" theme={null}
AWS_ACCESS_KEY_ID="op://development/aws/Access Keys/access_key_id"
AWS_SECRET_ACCESS_KEY="op://development/aws/Access Keys/secret_access_key"
```
The `.env` file parsing engine follows the following rules:
* Environment variables are defined as `KEY=VALUE` statements separated by a newline.
* Variables can span multiple lines if they are enclosed in either `'` or `"`:
```
MY_VAR = "this is on the first line
and this is on the second line"
```
* Empty lines are skipped.
* Lines beginning with `#` are treated as comments. Comments can also be placed inline after `KEY=VALUE` statements.
* Empty values become empty strings. For example, `EMPTY=` will set the environment variable `EMPTY` to the empty string.
* If a value is surrounded by single or double quotes, these quotes do not end up in the evaluated value. So `KEY="VALUE"` and `KEY='VALUE'` both evaluate to `KEY` and `VALUE`.
* Occurrences of `$VAR_NAME` or `${VAR_NAME}` are replaced with their respective value from the environment.
* A variable defined in a .env file can be referred to later in the same file:
```
SOME_VAR = value
OTHER_VAR = ${SOME_VAR}
```
* Special characters can be escaped with `\`. For example, `MY_VAR = "\$SOME_VAR that is not actually replaced."` results in the following value for MY\_VAR: `$SOME_VAR that is not actually replaced.`.
* Inner quotes are maintained, so `JSON={"foo":"bar"}` evaluates to `JSON` and `{"foo":"bar"}`.
* Variables do not get replaced in values that are enclosed in single quotes. So `KEY='$SOME_VAR'` evaluates to `KEY` and `$SOME_VAR`.
* Template syntax can be used in the `VALUE` to inject secrets. The `KEY` can only contain template variables.
* Template parsing is performed after `.env` file parsing, so you cannot use the former to construct the latter.
* Leading and trailing whitespace of both `KEY` and `VALUE` segments are ignored, so `KEY = VALUE` is parsed the same as `KEY=VALUE`.
* Single and double quoted values maintain both leading and trailing whitespace, so `KEY=" some value "` evaluates to `KEY` and some value .
* These files should use UTF-8 character encoding.
### Optional: Differentiate between environments
If you need to pass secrets for multiple environments, we recommend using 1Password Environments instead of secret references. 1Password Environments allow you to more easily organize, share, and pass environment variables for multiple contexts.
If you have different sets of secrets for different environments, like staging and production, you can check a single environment file into source control and include a variable within the secret references to represent the context. You can then set the variable to the appropriate context when you pass the file to `op run`.
To use this approach, you must organize your project secrets in 1Password into different vaults for each environment, with each item's fields structured in the same way. For example: `dev/mysql/password` and `prod/mysql/password`.
Then, include an externally set variable (`$VARIABLE_NAME`) in place of the vault name for each secret reference in your environment file.
For example, in the following environment file, `$APP_ENV` is the externally set environment variable. It can be set to `dev` or `prod` to load secrets from either the `dev` vault or the `prod` vault in 1Password.
```shell title="app.env" theme={null}
MYSQL_DATABASE = "op://$APP_ENV/mysql/database"
MYSQL_USERNAME = "op://$APP_ENV/mysql/username"
MYSQL_PASSWORD = "op://$APP_ENV/mysql/password"
```
You can individually export environment variables as [secret references](/cli/secret-reference-syntax/) from the command line.
For example, to set the variable `GITHUB_TOKEN` to a secret reference URI that points to the `personal_token` field within a `credentials` section in a `GitHub` item:
```shell theme={null}
export GITHUB_TOKEN=op://development/GitHub/credentials/personal_token
```
```shell theme={null}
set -x GITHUB_TOKEN op://development/GitHub/credentials/personal_token
```
```powershell theme={null}
$Env:GITHUB_TOKEN = "op://development/GitHub/credentials/personal_token"
```
Step 2: Pass the resolved secret references to the application
To use an environment file with `op run`, specify the path to the environment file using the `--env-file` flag:
```shell theme={null}
op run --env-file="./prod.env" -- aws
```
If you structured your environment file to load secrets for multiple environments, make sure to also set the variable for the vault (in the example below, `APP_ENV`).
For example, to pass secrets from the `dev` vault to an application running in the development environment:
```shell theme={null}
APP_ENV=dev op run --env-file="./app.env" -- myapp deploy
```
1. Set the `$APP_ENV` variable:
```powershell theme={null}
$ENV:APP_ENV = "dev"
```
2. Run `op run` with the environment file:
```powershell theme={null}
op run --env-file="./app.env" -- myapp deploy
```
If you exported environment variables as secret references on the command line, use `op run --` with the command to start the application or script. 1Password will run the provided command in a subprocess with the secrets made available as environment variables for the duration of the process.
```shell theme={null}
op run --
```
For example:
```shell theme={null}
op run -- gh
```
**Expand variables in a subshell**
When you reference a variable like `$MY_VAR` in the same command where you call `op run`, your shell expands `$MY_VAR` before `op run` can substitute the secret reference. For example, a command like the following will pass the secret reference URI instead of the secret value from 1Password:
```shell theme={null}
MY_VAR=op://vault/item/field op run --no-masking -- echo "$MY_VAR"
```
To make sure `op run` substitutes the secret before the variable expands, run the command to expand the variable in a subshell:
```shell theme={null}
MY_VAR=op://vault/item/field op run --no-masking -- sh -c 'echo "$MY_VAR"'
#code-result open
skdjfs7dyrwhk4jhref
```
**Use both methods together**
You can load environment variables from an Environment in combination with secret references from a `.env` file or flag. For example:
```shell theme={null}
op run --environment --env-file="./extra-secrets.env" --
```
## Next step: Run in production
Now that the application works locally, choose how to load your secrets in production or CI/CD:
* **[1Password Service Account](/service-accounts/use-with-1password-cli)**: Automate access with a service account token. Service accounts support both secret references and 1Password Environments.
* **[1Password Connect Server](/connect/cli/)**: Best for self-hosting within your own infrastructure. Connect only supports secret references and does not currently support 1Password Environments.
## Learn more
* [Use 1Password Service Accounts with 1Password CLI](/service-accounts/use-with-1password-cli)
* [Use 1Password Connect Server with 1Password CLI](/connect/cli#continuous-integration-ci-environments)
* [Load secrets into config files](/cli/secrets-config-files/)
* [Secret reference syntax](/cli/secret-reference-syntax/)
* [Template syntax](/cli/secrets-template-syntax/)
# Load secrets into scripts
Source: https://www.1password.dev/cli/secrets-scripts
You can use 1Password CLI to load secrets into your scripts, so that the credentials in your scripts are always in sync with the information in your 1Password account and your secrets are never exposed in plaintext.
We recommend using [1Password Service Accounts](/service-accounts/) to follow the [principle of least privilege](/cli/best-practices/). Service accounts support restricting 1Password CLI to specific vaults, so that processes in your authorized terminal session can only access items required for a given purpose.
Service accounts are also useful if your personal account has SSO or MFA requirements.
You can use the following methods to load secrets into scripts, separately or in combination:
1. [Use `op run` to pass environment variables from a 1Password Environment](#use-op-run-to-pass-environment-variables-from-a-1password-environment-beta)
2. [Use `op run` to load secrets into the environment.](#use-op-run-to-pass-secrets-using-secret-references)
3. [Use `op read` to read secrets.](#use-op-read-to-read-secrets)
4. [Use `op inject` to load secrets into a config file.](#use-op-inject-to-load-secrets-into-a-config-file)
5. [Use `op plugin run` to load secrets using a shell plugin.](#use-op-plugin-run-to-load-secrets-using-a-shell-plugin)
## Requirements
Before you can use 1Password CLI to load secrets into your scripts, you'll need to:
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. [Install 1Password CLI.](/cli/get-started#step-1-install-1password-cli)
3. Store the secrets you need for your script in your 1Password account.
## Use `op run` to pass environment variables from a 1Password Environment (beta)
**Beta feature**
To use `op run` with 1Password Environments, you'll need to install the [latest beta build of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2#beta), version `2.33.0-beta.02` or later.
You can use [`op run`](/cli/reference/commands/run/) to [pass environment variables](/cli/secrets-environment-variables) stored in a [1Password Environment](/environments) to an application or script at runtime.
1Password CLI runs the application or script in a subprocess with the environment variables stored in your 1Password Environment provisioned for the duration of the process.
## Use `op run` to pass secrets using secret references
You can replace the plaintext secrets in your environment files with [secret reference URIs](/cli/secret-reference-syntax/) that reference where your project secrets are stored in your 1Password account, then use [`op run`](/cli/reference/commands/run/) to load the corresponding secrets from 1Password and pass them to your script as environment variables at runtime.
Learn more about [loading secrets into the environment](/cli/secrets-environment-variables/).
## Use `op read` to read secrets
You can use `op read` with secret references [directly in your script](#directly-in-your-script) or [with environment variables](#with-environment-variables).
### Directly in your script
With this method, secrets are only passed to the single command that includes the secret reference.
For example, to replace your Docker username and password with [secret references](/cli/secret-reference-syntax/) in a command to log in to Docker:
```shell title="yourscript.sh" theme={null}
#!/bin/bash
docker login -u "$(op read op://prod/docker/username)" -p "$(op read op://prod/docker/password)"
```
### With environment variables
You can also include a command to set environment variables to `op read` and [secret references](/cli/secret-reference-syntax/) in your script.
For example, if you supply an AWS command in your script with secrets using the `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment variables, your script might look like this:
```shell title="yourscript.sh" theme={null}
#!/bin/bash
export AWS_SECRET_ACCESS_KEY="$(op read op://prod/aws/secret-key)"
export AWS_ACCESS_KEY_ID="$(op read op://prod/aws/access-key-id)"
aws sts get-caller-identity
```
## Use `op inject` to load secrets into a config file
If your script uses a configuration file, you can template the config file with [secret references](/cli/secret-reference-syntax/), then use [`op inject`](/cli/reference/commands/inject/) to pass the config file with the resolved secrets to your script at runtime.
This allows you to check config files into source control and keep them in sync throughout developer workstations, CI, and production servers. And you can include template variables within the secret references to [load different sets of secrets for different environments](/cli/secrets-config-files#step-3-differentiate-between-environments).
[Learn how to load secrets into config files](/cli/secrets-config-files/).
## Use `op plugin run` to load secrets using a shell plugin
If your script runs interactively and each person using the script authenticates with their own personal token, you can minimize the configuration required in advance of using the script with a [1Password Shell Plugin](/cli/shell-plugins/). Shell plugins prompt each user to select their credentials when the script is executed.
Each person using the script will be prompted to configure when their credentials should be used to authenticate. To make sure the credentials they selected will also be used for future invocations of the script, they can configure their credentials as a global or directory default.
To use a shell plugin to authenticate an individual command, wrap the command in [`op plugin run`](/cli/reference/management-commands/plugin#plugin-run). For example, to use the AWS shell plugin to provide an AWS Access Key and Secret Key ID to the `sts get-caller-identity` command:
```shell title="yourscript.sh" theme={null}
#!/bin/bash
op plugin run -- aws sts get-caller-identity
```
To use a shell plugin throughout a script, you can include an alias for the tool's executable command at the beginning of the script. For example, in this script, the AWS shell plugin would be used to supply secrets for every `aws` command in the script.
```shell title="yourscript.sh" theme={null}
#!/bin/bash
alias aws="op plugin run -- aws"
aws sts get-caller-identity
```
If a shell plugin doesn't exist for the tool you're using, you can [build a new plugin](/cli/shell-plugins/contribute/).
## Learn more
* [Example CLI scripts](/cli/scripts/)
* [Get started with secret references](/cli/secret-references/)
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Load secrets into config files](/cli/secrets-config-files/)
* [Use 1Password Shell Plugins to securely authenticate third-party CLIs](/cli/shell-plugins/)
# Template syntax
Source: https://www.1password.dev/cli/secrets-template-syntax
You can create a templated config file that contains [secret references](/cli/secret-reference-syntax/), then [use op inject](/cli/secrets-config-files/) to receive a resolved config file that contains the actual secrets.
Here's an example of a template file with enclosed secret references in place of the plaintext secrets:
```yml config.yml.tpl theme={null}
database:
host: localhost
port: 5432
username: {{ op://prod/database/username }}
password: {{ op://prod/database/password }}
```
## Secret references
Secret references included in template files can be formatted as either [unenclosed secret references](#unenclosed-secret-references) or [enclosed secret references](#enclosed-secret-references).
### Unenclosed secret references
```shell theme={null}
op://test-app/database/password
```
An unenclosed secret reference is a string that:
* Begins with `op://` and is not preceded by any of the characters from: `alphanumeric`, `-`, `+` , `\`, `.`.
* Ends with either the end of the template, or the first encountered character outside the following set: `alphanumeric`, `-`, `?`, `_`, `.`.
Examples of good and bad unenclosed secret references:
```yml theme={null}
op://prod/docker-credentials/username
```
```yml theme={null}
op://d3v/stripe.keys/s3ct10n/public_key
```
```yml theme={null}
op://h?ack/1Password!/for"real
```
(contains special characters that are not supported by the syntax)
```yml theme={null}
op://{vault}/[item]/(section)/field
```
(contains special characters that are not supported by the syntax)
### Enclosed secret references
```shell theme={null}
{{ op://test-app/database/password }}
```
An enclosed secret reference is defined as any string that satisifies all of the following:
* Begins with two closed braces `{{`
* Ends with the two closed braces `}}`
* Contains a valid unenclosed secret reference between the two pairs of braces, possibly padded with spaces
Examples of good and bad enclosed secret references:
```yml theme={null}
{{op://prod/docker-credentials/username}}
```
```yml theme={null}
{{ op://d3v/stripe.keys/s3ct10n/public_key }}
```
```yml theme={null}
{{op://h?ack/1Password!/for"real}}
```
(the secret reference contains unsupported characters)
### Special characters
If you need to escape special characters in your template, you can use curly braces and double quotes:
```yml theme={null}
{{ "{{ test op://prod/docker-credentials/username }}" }}
will be resolved to
{{ test op://prod/docker-credentials/username }}
```
If the content contains double quotes, they must be escaped with `\`:
```yml theme={null}
{{ "{{ test \"test\" test }}" }}
will be resolved to
{{ test "test" test }}
```
## Variables
The template syntax also supports variable tags:
* `$var` (unenclosed variables)
* `${var}` (enclosed variables)
When resolving an unenclosed variable of the form `$FOO`, it is replaced with the value of the environment variable named `FOO`.
When resolving an enclosed variable of the form `${FOO}`, any whitespace at the beginning or end of `FOO` is discarded and the reference is replaced with the value of the environment variable named `FOO`.
Variable names are case-insensitive, cannot start with a number, and can only contain letters, numbers, and underscores.
Examples of good and bad unenclosed variables:
```yml theme={null}
$my_var
```
```yml theme={null}
$mY_2nd_vAr
```
```yml theme={null}
$2nd_var
```
(starts with a number)
```yml theme={null}
$var-?notvar!
```
(contains unsupported special characters)
Examples of good and bad enclosed variables:
```yml theme={null}
${my_var}
```
```yml theme={null}
${ mY_2nd_vAr }
```
```yml theme={null}
${my_var\}
```
(the closing brace is escaped)
### Default values
To set a default value for a template variable, use this syntax:
`${VAR_NAME:-}`
The default value will be used when the variable can't be found in the environment.
For example, `op://${VAULT:-dev}/docker/password` evaluates to `op://dev/docker/password` when the `VAULT` environment variable isn't set.
If `VAULT` is set to `prod` instead, it will evaluate to `op://prod/docker/password`.
## Learn more
* [Load secrets into config files](/cli/secrets-config-files/)
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Secret reference syntax](/cli/secret-reference-syntax/)
# Use 1Password Shell Plugins to securely authenticate any CLI
Source: https://www.1password.dev/cli/shell-plugins
With 1Password Shell Plugins, you can configure 1Password to securely authenticate third-party CLIs with your fingerprint, Apple Watch, or system authentication. Your CLI credentials are stored in your 1Password account, so you never have to manually enter your credentials or store them in plaintext.
You can [test shell plugins](/cli/shell-plugins/test/) or choose a shell plugin from the [list below](#get-started) to get started.
Shell plugins are compatible with the following shells:
* Bash
* Zsh
* fish
## Get started
## Your favorite tool not listed?
Find out how to [build your own plugin](/cli/shell-plugins/contribute/).
# Use 1Password to securely authenticate the Akamai CLI
Source: https://www.1password.dev/cli/shell-plugins/akamai
The Akamai CLI shell plugin allows you to use 1Password to securely authenticate [the Akamai CLI ](https://techdocs.akamai.com/developer/docs/about-clis) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Akamai CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Akamai CLI. ](https://techdocs.akamai.com/developer/docs/about-clis)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
## Get help
## Reference
1Password authenticates with Akamai by injecting a temporary config file with the credentials required by the plugin commands directly from your 1Password account.
If you saved your Akamai CLI credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | `.edgerc` field |
| -------------------- | --------------- |
| Client Secret | `client_secret` |
| Host | `host` |
| Access Token | `access_token` |
| Client Token | `Client_token` |
*Thanks to [@wongle](https://github.com/wongle) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/234)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate Argo CD CLI
Source: https://www.1password.dev/cli/shell-plugins/argo-cd
The Argo CD shell plugin allows you to use 1Password to securely authenticate [Argo CD CLI ](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Argo CD CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Argo CD CLI ](https://argo-cd.readthedocs.io/en/stable/cli_installation/).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| AuthToken | `ARGOCD_AUTH_TOKEN` |
| Address (optional) | `ARGOCD_SERVER` |
*Thanks to [@ssttehrani](https://github.com/ssttehrani) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/145)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the AWS CLI
Source: https://www.1password.dev/cli/shell-plugins/aws
The AWS shell plugin allows you to use 1Password to securely authenticate [the AWS CLI ](https://aws.amazon.com/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the AWS CLI with biometrics.
If you use `cdk`, you can also set up the [AWS CDK Toolkit shell plugin](/cli/shell-plugins/aws-cdk-toolkit/).
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the AWS CLI. ](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
After you install the AWS CLI, make sure you have an AWS config file at `~/.aws/config` on Mac or Linux, or `C:\Users\USERNAME\.aws\config` on Windows. If you don't have a config file:
1. Use [`aws configure` ](https://docs.aws.amazon.com/cli/latest/reference/configure/) to create one.
2. When prompted, skip entering your AWS access key pair to avoid writing your credentials on disk in the `.aws/credetials` file.
The following shells are supported:
* Bash
* Zsh
* fish
## Before you begin: Create and save an AWS access key
If you've already created an AWS access key, [skip to Step 1](#step-1-configure-your-default-credentials).
If you haven't created an access key yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password:
1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/).
2. [Follow the steps](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html?icmpid=docs_iam_console#Using_CreateAccessKey) to create an access key for the AWS CLI.
3. On the "Retrieve access keys" page, select **Show** to reveal the secret access key.
4. Select **Save item** when 1Password asks if you want to save an item for the AWS access key.
5. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**.
## Step 1: Configure your default credentials
**If you use AWS in multiple environments**
If you want to use the AWS shell plugin in multiple environments, like production and development, [learn how to set up your plugin for seamless context switching](/cli/shell-plugins/environments/).
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After you save your AWS credentials in 1Password, you can remove all local copies you currently have stored on disk.
Plaintext access keys are commonly stored in your AWS [shared credentials file ](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-file.html) (default location: `~/.aws/credentials`). If you remove your credentials from this file, make sure to configure shell plugins for any other tools that use the file to authenticate to AWS, like [Terraform](/cli/shell-plugins/terraform/).
## Optional: Assume multiple roles
You can use the AWS shell plugin to assume multiple roles in the same way you'd assume roles with the AWS CLI, by defining role profiles [in your AWS config file. ](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-role-prepare) For example:
```html ~/.aws/config theme={null}
[profile prod]
role_arn = arn:aws:iam::123456789012:role/prod
source_profile = wendyappleseed
```
Then include the `--profile` flag to call an AWS command using a role. For example:
```shell theme={null}
aws sts get-caller-identity --profile prod
```
If you want to always use the same profile, you can set the `AWS_PROFILE` environment variable. In that case, the `--profile` flag would only be needed to override the default set in the environment. For example:
```shell theme={null}
export AWS_PROFILE=prod
```
## Optional: Set up multi-factor authentication
If you use [multi-factor authentication ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) with AWS, you can configure the AWS shell plugin to provide your one-time password.
You can do this in two ways:
* [Add the ARN for your multi-factor authentication device to a profile in your AWS config file. ](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa)
* Add the one-time password code and ARN to the item in 1Password where your AWS credentials are stored. If you choose this option, your multi-factor authentication information will be treated as your `default` profile and used globally with every other profile.
Save your one-time password and ARN in 1Password
Step 1: Save your QR code
2. Open and unlock the 1Password app.
3. Select the item where your AWS credentials are saved, then select **Edit**.
4. Select **Add More** > **One-Time Password**.
5. [Follow the steps to enable a virtual multi-factor authentication device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) for your AWS account.
6. Select **Show secret key** in the AWS wizard, then copy the string of characters into the One-Time Password field on your item.
7. Select **Save**.
Your item will now show a one-time password that you can use to finish the AWS multi-factor authentication device set-up flow.
Your edited item must include the `one-time password` and `mfa serial` fields:
Step 2: Save the ARN for your multi-factor authentication device
1. Find the [ARN for your multi-factor authentication device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_checking-status.html) and copy it.
2. Open and unlock the 1Password app.
3. Select the item where you saved your AWS credentials then select **Edit**.
4. Select **Add More** > **Text**.
5. Paste the ARN as the value of the field.
6. Title the field `mfa serial`.
7. Select **Save**.
1Password CLI will detect your multi-factor authentication credentials if they're saved in fields titled `one-time password` and `mfa serial`. If your one-time password isn't detected, make sure your fields are titled correctly.
1Password CLI will then set the `AWS_SECRET_ACCESS_KEY`, `AWS_ACCESS_KEY_ID` and `AWS_SESSION_TOKEN` provisional environment variables to specify the temporary multi-factor authentication session values.
## Next steps
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the AWS CDK Toolkit
Source: https://www.1password.dev/cli/shell-plugins/aws-cdk-toolkit
The AWS CDK Toolkit shell plugin allows you to use 1Password to securely authenticate the [AWS CDK Toolkit ](https://docs.aws.amazon.com/cdk/v2/guide/cli.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the AWS CDK Toolkit with biometrics.
You can also set up the [AWS CLI shell plugin](/cli/shell-plugins/aws/).
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. [Install the AWS CDK Toolkit ](https://docs.aws.amazon.com/cdk/v2/guide/cli.html).
6. Make sure you have an AWS config file at `~/.aws/config` on Mac or Linux, or `C:\Users\USERNAME\.aws\config` on Windows. If you don't have a config file, use [`aws configure` ](https://docs.aws.amazon.com/cli/latest/reference/configure/) to create one. When prompted, skip entering your AWS access key pair to avoid writing your credentials on disk in the `.aws/credetials` file.
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate Axiom CLI
Source: https://www.1password.dev/cli/shell-plugins/axiom
The Axiom CLI shell plugin allows you to use 1Password to securely authenticate [Axiom CLI ](https://axiom.co/docs/reference/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Axiom CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.x.x or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Axiom CLI. ](https://axiom.co/docs/reference/cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `AXIOM_TOKEN` |
| Organization | `AXIOM_ORG_ID` |
| Deployment | `AXIOM_DEPLOYMENT` |
*Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/342)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate Binance CLI
Source: https://www.1password.dev/cli/shell-plugins/binance
The Binance shell plugin allows you to use 1Password to securely authenticate [Binance CLI ](https://github.com/binance/binance-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Binance CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Binance CLI. ](https://github.com/binance/binance-cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `BINANCE_API_KEY` |
| API Secret | `BINANCE_API_SECRET` |
*Thanks to [@bala-ceg](https://github.com/bala-ceg) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/391)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate the Cachix CLI
Source: https://www.1password.dev/cli/shell-plugins/cachix
The Cachix shell plugin allows you to use 1Password to securely authenticate [the Cachix CLI ](https://docs.cachix.org) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Cachix CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.11.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Cachix CLI. ](https://github.com/cachix/cachix#installation)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `CACHIX_AUTH_TOKEN` |
*Thanks to [@micnncim](https://github.com/micnncim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/97)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate Cargo CLI
Source: https://www.1password.dev/cli/shell-plugins/cargo
The Cargo CLI shell plugin allows you to use 1Password to securely authenticate [Cargo CLI ](https://crates.io/crates/cargo-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Cargo CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Cargo CLI. ](https://crates.io/crates/cargo-cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | ---------------------- |
| Token | `CARGO_REGISTRY_TOKEN` |
*Thanks to [@accraw](https://github.com/accraw) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/139)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the CircleCI CLI
Source: https://www.1password.dev/cli/shell-plugins/circleci
The CircleCI shell plugin allows you to use 1Password to securely authenticate [the CircleCI CLI ](https://circleci-public.github.io/circleci-cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the CircleCI CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the CircleCI CLI. ](https://circleci.com/docs/local-cli/#installation)
The following shells are supported:
* Bash
* Zsh
* fish
## Before you begin: Create and save a CircleCI personal API token
If you've already created a CircleCI personal API token, [skip to Step 1](#step-1-configure-your-default-credentials).
If you haven't created a personal API token yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password:
1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/).
2. [Follow the steps](https://circleci.com/docs/managing-api-tokens/#creating-a-personal-api-token) to create a CircleCI personal API token.
3. Select **Save item** when 1Password asks if you want to save an item for the CircleCI personal API token.
4. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**.
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `CIRCLECI_CLI_TOKEN` |
# Use 1Password to securely authenticate Civo CLI
Source: https://www.1password.dev/cli/shell-plugins/civo
The Civo CLI shell plugin allows you to use 1Password to securely authenticate [Civo CLI ](https://www.civo.com/docs/overview/civo-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Civo CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Civo CLI. ](https://www.civo.com/docs/overview/civo-cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `CIVO_API_KEY` |
| API Key ID | `CIVO_API_KEY_NAME` |
*Thanks to [@siddhikhapare](https://github.com/siddhikhapare) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/325)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to authenticate Claude Code with biometrics
Source: https://www.1password.dev/cli/shell-plugins/claude-code
The Claude Code shell plugin allows you to use your Anthropic API key through 1Password to securely authenticate the [`claude` CLI ](https://docs.anthropic.com/en/docs/agents-and-tools/claude-code/overview) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to store your API key in 1Password and source the `plugins.sh` file, then you'll be prompted to authenticate the `claude` CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.34.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Claude Code ](https://code.claude.com/docs/en/overview) in your terminal and [create an Anthropic API key. ](https://console.anthropic.com/settings/keys)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `ANTHROPIC_API_KEY` |
*Thanks to [@malob](https://github.com/malob) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/519)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
## Learn more
# Use 1Password to securely authenticate the Cloudflare Workers CLI
Source: https://www.1password.dev/cli/shell-plugins/cloudflare-workers
The Cloudflare Workers shell plugin allows you to use 1Password to securely authenticate [Wrangler ](https://developers.cloudflare.com/workers/wrangler/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Wrangler with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.12.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Wrangler. ](https://developers.cloudflare.com/workers/wrangler/install-and-update/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| --------------------- | ----------------------- |
| Account ID (Optional) | `CLOUDFLARE_ACCOUNT_ID` |
| Token | `CLOUDFLARE_API_TOKEN` |
*Thanks to [@shyim](https://github.com/shyim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/94)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Build your own shell plugins (beta)
Source: https://www.1password.dev/cli/shell-plugins/contribute
If you don't see your favorite command-line tool [listed in the 1Password Shell Plugin registry](/cli/shell-plugins/), you can write your own plugin.
1Password CLI allows you to build and test shell plugins locally, so you can add support for authenticating your favorite CLI using a credential you saved in 1Password.
If you want to make your plugin available to others, you can [create a pull request in the shell plugins GitHub repository](https://github.com/1Password/shell-plugins).
## Requirements
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
* Install [1Password CLI](/cli/get-started/) and turn on the [desktop app integration](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
* Install [Go 1.18 or later](https://go.dev/doc/install).
* Install [Git](https://git-scm.com/).
* Install [GNU Make](https://www.gnu.org/software/make/).
## Concepts
A 1Password Shell Plugin should describe the following:
* The **credential** offered by a platform
* The CLI or **executable** offered by a platform
* How the credential should be **provisioned** for the respective CLI to authenticate
* Which commands for the respective CLI **need authentication**
* How credentials stored on the local filesystem can be **imported** into 1Password
Shell plugins are written in Go and consist of a set of Go structs in a package that together make up the plugin for a certain platform, service, or product. Don't worry if you're not a Go expert – there are [lots of examples](https://github.com/1Password/shell-plugins/tree/main/plugins) you can learn from to build your plugin!
## Step 1: Use the plugin template
First, clone or fork the [1Password Shell Plugins repository](https://github.com/1Password/shell-plugins) on GitHub. It contains the current plugin registry, as well as the SDK needed to contribute.
To get started with those, use the following Makefile command:
```shell theme={null}
make new-plugin
```
You'll be prompted to enter the following information:
* **Plugin name:** Lowercase identifier for the platform, e.g. `aws`, `github`, `digitalocean`, `azure`. This will also be used as the name of the Go package.
* **Plaform display name:** The display name of the platform, e.g `AWS`, `GitHub`, `DigitalOcean`, `Azure`.
* **Credential name:** The credentials the platform offers, e.g. `Personal Access Token`, `API Key`, `Auth Token`.
* **Executable name:** The command to invoke, e.g. `aws`, `gh`, `doctl`, `az`.
After filling in the form, you'll see a Go package created in the `plugins` directory, with separate files for the plugin, credential, and executable. For example:
```
plugins/
├── aws/
│ ├── plugin.go
│ ├── access_key.go
│ └── aws.go
├── digitalocean/
│ ├── plugin.go
│ ├── personal_access_token.go
│ └── doctl.go
├── github/
│ ├── plugin.go
│ ├── personal_access_token.go
│ └── gh.go
└── heroku/
├── plugin.go
├── api_key.go
└── heroku.go
```
To save you some time, the generated files will be stubbed out with information that's derived from the Makefile prompts on a best-effort basis.
It contains *TODO* comments in the code to steer you in the direction of what to change or validate for correctness.
## Step 2: Edit the plugin definition
The `plugin.go` file contains basic information about the plugin and the platform it represents, including which credential types and executables make up the plugin.
### Plugin Examples
* [AWS](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/plugin.go)
* [GitHub](https://github.com/1Password/shell-plugins/blob/main/plugins/github/plugin.go)
* [Heroku](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/plugin.go)
## Step 3: Edit the credential definition
The credential definition file describes the schema of the credential, how the credential should get provisioned to executables, and how the credential can be imported into 1Password.
### Credential Examples
* [AWS Access Key](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/access_key.go)
* [GitHub Personal Access Token](https://github.com/1Password/shell-plugins/blob/main/plugins/github/personal_access_token.go)
* [Heroku API Key](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/api_key.go)
### Credential information and schema
The first section of the credential definition is where you can add information about the credential:
* The **name** of the credential, as the platform calls it.
* The **documentation URL** provided by the platform that describes the credential. *(optional)*
* The **management URL** on the platform where the credential can be created and revoked. This is usually a URL to the dashboard, console, or authentication settings of the platform. *(optional)*
The next section is where you define the schema of the credential. This is segmented into fields. Many credentials consist of just a single secret field, but you can add more fields to add more details to the 1Password item that are related to authentication, even if the fields are not secret.
Examples of additional fields are: the host, username, account ID, and all other things that are needed to authenticate and make sense to include in the 1Password item for the credential type. All fields you declare here will also show up in the end user's 1Password item.
Here's what you can specify per **field**:
* The **field name**, titlecased. *(required)*
* A short **description** of the field. This supports markdown. *(required)*
* Whether the field is **optional**. Defaults to false.
* Whether the field is **secret**, and should be concealed in the 1Password GUI. Defaults to not secret. Note: The credential schema is expected to contain at least 1 secret field.
* What the actual credential **value is composed of**. The length, character set, and whether it contains a fixed prefix.
### Provisioner
The credential definition also specifies how the credential is usually provisioned to exectuables, in order for them to use the credential for authentication.
Provisioners are in essence hooks that get executed before the executable is run by 1Password CLI, and after the executable exits in case any cleanup is needed. In those hooks, provisioners can do all the setup required for the executable to authenticate, including setting environment variables, creating files, adding command-line arguments, or even generating temporary credentials. After the executable exits, there should be no trace of the credentials on the user's filesystem.
The SDK provides a few common provisioners out of the box, so in most cases you don't have to care about the provisioning internals.
We currently recommend using environment variables as your provisioning method.
Environment variables are the most ubiquitous way to provision secrets. They only live in memory, and almost every CLI allows you to authenticate with them.
Here's how you can use the environment variable provisioner provided by the SDK:
```go theme={null}
provision.EnvVars(map[string]sdk.FieldName{
"AWS_ACCESS_KEY_ID": fieldname.AccessKeyID,
"AWS_SECRET_ACCESS_KEY": fieldname.SecretAccessKey,
})
```
Specify the 1Password field name and the environment variable name it should be placed in.
To figure out what environment variable the underlying CLI reads, here are a few tips:
* Search the platform's CLI documentation website for a getting started guide, authentication guide, or CLI reference docs.
* Look at the CLI's help text or manpage.
* If the CLI or the underlying SDK it uses is open source, scan the source code to see if it accepts environment variables for authentication.
Some CLIs only support reading credentials from files on disk. In that case, you can use the file provisioner provided by the SDK. The file provisioner takes care of creating the file in a temporary directory and deleting it afterwards.
For security purposes, the file created by the file provisioner can only be read **once** by the executable. If that limitation does not work for your use case, you can file an [issue on GitHub](https://github.com/1Password/shell-plugins/issues).
Here are a few examples on how you can use the file provisioner to provision a temporary JSON file and pass the generated path to the executable:
```go Create a file provisioner and pass output path as --config-file theme={null}
provision.TempFile(configFile,
provision.Filename("config.json"),
provision.AddArgs("--config-file", "{{ .Path }}"),
)
```
```go Create a file provisioner and set output path as CONFIG_FILE_PATH theme={null}
provision.TempFile(configFile,
provision.Filename("config.json"),
provision.SetPathAsEnvVar("CONFIG_FILE_PATH"),
)
```
```go Create a file provisioner and pass output path as Java property theme={null}
provision.TempFile(configFile,
provision.Filename("config.json"),
provision.AddArgs(`-Dconfig.path="{{ .Path }}"`),
)
```
```go Code to generate JSON file contents theme={null}
func configFile(in sdk.ProvisionInput) ([]byte, error) {
config := Config{
Token: in.ItemFields[fieldname.Token]
}
contents, err := json.Marshal(config)
if err != nil {
return nil, err
}
return []byte(contents), nil
}
type Config struct {
Token string `json:"token"`
}
```
If the standard provisioners included in the SDK are not enough to authenticate the executable, you can also write your own provisioner. You can do so by implementing the [`sdk.Provisioner` interface](https://github.com/1Password/shell-plugins/blob/main/sdk/provisioner.go).
A good example of a custom provisioner is the [AWS STS provisioner](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/sts_provisioner.go) that generates temporary credentials based on a one-time password code loaded from 1Password.
### Importer
The credential definition also lets you specify importers. Importers are responsible for scanning the user's environment and file system for any occurrences of the needed credentials. 1Password CLI will run the importer and prompt the user to import their credentials one by one into 1Password.
It's very common for CLIs to write authentication data to disk, most commonly in a hidden config file in your home directory. This is not always documented by the CLI, so here are some tips to figure out if such a config file exists:
* Check the platform's documentation for mentions of config files.
* See if the CLI offers a `login`, `auth`, `configure`, or `setup` command that covers authentication. If it does, it's pretty likely there's a credential being stored in your home directory after completing such a flow.
* If the CLI is open source, check the source code to see if such a file exists.
* Look at your own home directory or `~/.config` directory to see if there are files related to the platform. Here's an example command to find local `aws` configuration files:
```shell theme={null}
find ~/.* -maxdepth 3 -path "*aws*"
```
The SDK provides helper functions to load files, parse files, and scan environment variables to make writing an importer for your credential type easier.
### Importer Examples
* [AWS Access Key](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/access_key.go) (`~/.aws/credentials`)
* [CircleCI Personal API Token](https://github.com/1Password/shell-plugins/blob/main/plugins/circleci/personal_api_token.go) (`~/.circleci/cli.yml`)
* [Heroku API Key](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/api_key.go) (`~/.netrc`)
If you already have a shell plugin configured for a tool, and you want to generate an example configuration tile to test an importer, reference the tool by its full path rather than by its name. This makes sure you invoke the the tool without the plugin.
## Step 4: Edit the executable definition
The last thing the plugin is responsible for is to define the CLI or executable that you'd like 1Password to handle authentication for. This is the final piece that glues everything together.
The executable definition describes the following:
* The **command** that should get executed by the 1Password CLI.
* The display **name** of the CLI, as the platform calls it.
* The **documentation URL** provided by the platform that describes the executable. *(optional)*
* When the executable **needs authentication**. For example, many CLIs don't require authentication when the `--help` or `--version` flags are present.
* The **credentials** that the executable uses.
### Executable Examples
* [AWS CLI](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/aws.go) (`aws`)
* [GitHub CLI](https://github.com/1Password/shell-plugins/blob/main/plugins/github/gh.go) (`gh`)
* [Heroku CLI](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/heroku.go) (`heroku`)
## Step 5: Build and test your plugin locally
To see if you've properly filled out the plugin, credential, and executable defintions, you can run the following Makefile command to validate the definitions:
```
make /validate
```
If that succeeds, it's now time to locally build and test your plugin! You can do so using the following command:
```
make /build
```
The build artifact will be placed in `~/.op/plugins/local`. It should show up in `op` if you run the following command:
```shell theme={null}
op plugin list
```
To see it in action, you can use the `op plugin init` command:
```shell theme={null}
op plugin init
```
## Submit a PR
While you're free to keep on using the plugin locally, we'd encourage you to submit a PR on the [main registry on GitHub](https://github.com/1Password/shell-plugins) so others can use it too!
Before doing so, be sure to read the [CONTRIBUTING.md](https://github.com/1Password/shell-plugins/blob/main/CONTRIBUTING.md) file on GitHub.
If you feel that the SDK does not serve your use case well, reach out to us by creating an [issue on GitHub](https://github.com/1Password/shell-plugins/issues) or by joining our [Developer Slack workspace](/joinslack) to tell us about your plugin proposal. We can advise you on the most suitable approach for your use case.
## Learn more
* [Shell plugins troubleshooting](/cli/shell-plugins/troubleshooting/)
* [Join our Developer Slack workspace](/joinslack)
# Use 1Password to securely authenticate Crowdin CLI
Source: https://www.1password.dev/cli/shell-plugins/crowdin
The Crowdin CLI shell plugin allows you to use 1Password to securely authenticate [Crowdin CLI ](https://crowdin.github.io/crowdin-cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Crowdin CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Crowdin CLI. ](https://crowdin.github.io/crowdin-cli/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | ------------------------ |
| Token | `CROWDIN_PERSONAL_TOKEN` |
| Project ID | `CROWDIN_PROJECT_ID` |
| Host Address | `CROWDIN_BASE_URL` |
*Thanks to [@JoeKarow](https://github.com/JoeKarow) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/359)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate Databricks CLI
Source: https://www.1password.dev/cli/shell-plugins/databricks
The Databricks shell plugin allows you to use 1Password to securely authenticate [Databricks CLI ](https://docs.databricks.com/dev-tools/cli/index.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Databricks CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Databricks CLI. ](https://docs.databricks.com/dev-tools/cli/index.html)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Host | `DATABRICKS_HOST` |
| Token | `DATABRICKS_TOKEN` |
*Thanks to [@bsamseth](https://github.com/bsamseth) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/143)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate Dogshell
Source: https://www.1password.dev/cli/shell-plugins/datadog
The Dogshell shell plugin allows you to use 1Password to securely authenticate [Dogshell ](https://docs.datadoghq.com/developers/guide/dogshell-quickly-use-datadog-s-api-from-terminal-shell/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Dogshell with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Dogshell. ](https://docs.datadoghq.com/developers/guide/dogshell-quickly-use-datadog-s-api-from-terminal-shell/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the DigitalOcean CLI
Source: https://www.1password.dev/cli/shell-plugins/digitalocean
The DigitalOcean shell plugin allows you to use 1Password to securely authenticate [doctl ](https://docs.digitalocean.com/reference/doctl/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate doctl with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [doctl. ](https://docs.digitalocean.com/reference/doctl/how-to/install/)
The following shells are supported:
* Bash
* Zsh
* fish
## Before you begin: Create and save a DigitalOcean personal access token
If you've already created a DigitalOcean personal access token, [skip to Step 1](#step-1-configure-your-default-credentials).
If you haven't created a personal access token yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password:
1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/).
2. [Follow the steps](https://docs.digitalocean.com/reference/api/create-personal-access-token/) to create a DigitalOcean personal access token.
3. Select **Save item** when 1Password asks if you want to save an item for the DigitalOcean personal access token.
4. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**.
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | --------------------------- |
| Token | `DIGITALOCEAN_ACCESS_TOKEN` |
# Use shell plugins to switch between multiple environments
Source: https://www.1password.dev/cli/shell-plugins/environments
You can use [1Password Shell Plugins](/cli/shell-plugins/) to seamlessly switch between different sets of credentials for different environments, so you don't have to spend time signing in or out between environments.
For example, you can set the Terraform shell plugin to use your development credentials in the working directory for your development environment and your production credentials in the working directory for your production environment. Then when you run a Terraform command in either directory, the Terraform plugin will automatically authenticate with the appropriate credentials.
## Step 1: Organize your directories by environment
Before you configure a shell plugin for context switching between environments, group the directories you want to use with the plugin by environment.
For example, if you wanted to use the Terraform shell plugin in both development and production environments, you would organize your directories like this:
```
projects/
├─ development/
│ ├─ dev-project-1
│ ├─ dev-project-2
├─ production/
│ ├─ prod-project-1
│ ├─ prod-project-2
```
## Step 2: Configure default credentials for each environment
After you organize your directories by environment, you can set default credentials for your shell plugin to use in each directory and all its subfolders.
1. Change directories to one of the environment-level folders you created. For example:
```shell theme={null}
cd projects/production
```
2. Sign in to the 1Password account where the credentials you want to use are stored:
```shell theme={null}
op signin
```
3. Choose a plugin to initialize, or run `op plugin init` to choose from a list of all available plugins. For example, to initialize the Terraform shell plugin:
```shell theme={null}
op plugin init terraform
```
4. Import or select the appropriate credentials for the environment.
5. Select **Use automatically when in this directory or subdirectories** as the default credential scope.
6. Repeat the process in other environment-level folders with their respective credentials.
This will make the credentials you configure in each environment-level folder the default for all subfolders within it, as long as no other directory-specific defaults are set in them.
## Step 3: Use the plugin in multiple environments
After you set default credentials in all your environment-level folders, you can use the shell plugin in the working directories for each environment without needing to sign in or out.
1. Enter the working directory for an environment. For example, to change directories into the development environment from the example above:
```shell theme={null}
cd ~/projects/development
```
2. Run a job in that environment. For example:
```shell theme={null}
terraform apply
```
3. Switch to a different environment. For example, to change to the production environment:
```shell theme={null}
cd ~/projects/production
```
4. Run a job in that environment:
```shell theme={null}
terraform apply
```
5. Exit the environment:
```shell theme={null}
op signout
```
The shell plugin will automatically authenticate with the appropriate credentials for each environment, without requiring any action on your part.
## Learn more
* [Get started with 1Password Shell Plugins](/cli/shell-plugins/)
* [Build your own shell plugins](/cli/shell-plugins/contribute/)
# Use 1Password to securely authenticate Fastly CLI
Source: https://www.1password.dev/cli/shell-plugins/fastly
The Fastly shell plugin allows you to use 1Password to securely authenticate [Fastly CLI ](https://developer.fastly.com/reference/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Fastly CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Fastly CLI. ](https://developer.fastly.com/learning/tools/cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `FASTLY_API_TOKEN` |
*Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/169)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate Flyctl
Source: https://www.1password.dev/cli/shell-plugins/flyctl
The Flyctl shell plugin allows you to use 1Password to securely authenticate [Flyctl ](https://fly.io/docs/hands-on/install-flyctl/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Flyctl with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Flyctl. ](https://fly.io/docs/hands-on/install-flyctl/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `FLY_ACCESS_TOKEN` |
*Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/141)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate FOSSA CLI
Source: https://www.1password.dev/cli/shell-plugins/fossa
The FOSSA shell plugin allows you to use 1Password to securely authenticate [FOSSA CLI ](https://github.com/fossas/fossa-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate FOSSA CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [FOSSA CLI. ](https://github.com/fossas/fossa-cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `FOSSA_API_KEY` |
# Use 1Password to securely authenticate the Gitea CLI
Source: https://www.1password.dev/cli/shell-plugins/gitea
The Gitea shell plugin allows you to use 1Password to securely authenticate [the Gitea CLI ](https://gitea.com/gitea/tea) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Gitea with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.16.1 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. [Install the Gitea CLI ](https://gitea.com/gitea/tea).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
```shell theme={null}
rm ~/.config/tea/config.yml
```
## Next steps
## Get help
## Reference
1Password authenticates with Gitea by injecting a temporary file with the credentials required by the plugin commands directly from your 1Password account.
If you saved your Gitea credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | YAML config field |
| -------------------- | ----------------- |
| Token | `token` |
| HostAddress | `name`, `url` |
| User | `user` |
# Use 1Password to securely authenticate the GitHub CLI
Source: https://www.1password.dev/cli/shell-plugins/github
The GitHub shell plugin allows you to use 1Password to securely authenticate [the GitHub CLI ](https://cli.github.com/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the GitHub CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the GitHub CLI ](https://github.com/cli/cli#installation).
The following shells are supported:
* Bash
* Zsh
* fish
## Before you begin: Create and save a GitHub personal access token
Before you can use 1Password to authenticate the GitHub CLI, you'll need to [create a GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). 1Password authenticates the GitHub CLI with your personal access token instead of a username and password.
If you've already created a personal access token, [skip to Step 1](#step-1-configure-your-default-credentials).
If you haven't created a personal access token yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password:
1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/).
2. [Follow the steps](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create a GitHub personal access token.
3. Select **Save item** when 1Password asks if you want to save an item for the GitHub personal access token.
4. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**.
## Step 1: Configure your default credentials
**If you use multiple GitHub accounts**
If you want to use the GitHub shell plugin with more than one GitHub account, like your personal and work accounts, [learn how to set up your plugin to use multiple accounts](/cli/shell-plugins/multiple-accounts/).
If you use a single GitHub account, select **Use as global default on my system**. This will set your personal access token as the default in all terminal sessions and directories.
If you use multiple GitHub accounts, [learn how to use directory-specific defaults for context switching](/cli/shell-plugins/multiple-accounts/).
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your GitHub credentials in 1Password, you can remove all local copies you previously had stored on disk.
```shell theme={null}
rm ~/.config/gh/hosts.yml
```
## Next steps
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the GitLab CLI
Source: https://www.1password.dev/cli/shell-plugins/gitlab
The GitLab shell plugin allows you to use 1Password to securely authenticate [the GitLab CLI ](https://docs.gitlab.com/ee/integration/glab/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the GitLab CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the GitLab CLI. ](https://gitlab.com/gitlab-org/cli/-/blob/main/README.md#installation)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Optional: If you use a self-hosted instance, set the host
If you use a self-hosted GitLab instance, you'll need to add your host URL to the GitLab item you configured in the previous step. Save the URL in a custom text field titled `Host` to make it available to the shell plugin.
To add the field using 1Password CLI:
To add the field using the 1Password desktop app:
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Navigate to the item you configured in the previous step and select **Edit**.
3. Select **Add More** > **Text** to add a custom text field.
4. Select the default field name, "text", and rename it to `Host`.
5. Enter your GitLab host as the field value. For example, `https://gitlab.yourdomain.com`
6. Select **Save**.
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the HashiCorp Vault CLI
Source: https://www.1password.dev/cli/shell-plugins/hashicorp-vault
The HashiCorp Vault shell plugin allows you to use 1Password to securely authenticate [the Vault CLI ](https://developer.hashicorp.com/vault/docs/commands) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Vault CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Vault CLI. ](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the Heroku CLI
Source: https://www.1password.dev/cli/shell-plugins/heroku
The Heroku shell plugin allows you to use 1Password to securely authenticate [the Heroku CLI ](https://devcenter.heroku.com/articles/heroku-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Heroku CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Heroku CLI. ](https://devcenter.heroku.com/articles/heroku-cli#install-the-heroku-cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `HEROKU_API_KEY` |
# Use 1Password to securely authenticate the Hetzner Cloud CLI
Source: https://www.1password.dev/cli/shell-plugins/hetzner-cloud
The Hetzner Cloud shell plugin allows you to use 1Password to securely authenticate [hcloud ](https://github.com/hetznercloud/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate hcloud with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.12.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [hcloud. ](https://github.com/hetznercloud/cli#installation)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field names | Environment variable |
| --------------------- | -------------------- |
| Token | `HCLOUD_TOKEN` |
*Thanks to [@shyim](https://github.com/shyim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/87)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate brew
Source: https://www.1password.dev/cli/shell-plugins/homebrew
The Homebrew shell plugin allows you to use 1Password to securely authenticate [the Homebrew package manager ](https://brew.sh/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate brew with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.11.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [brew. ](https://brew.sh/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | --------------------------- |
| Token | `HOMEBREW_GITHUB_API_TOKEN` |
*Thanks to [@markdorison](https://github.com/markdorison) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/110)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate HuggingFace CLI
Source: https://www.1password.dev/cli/shell-plugins/huggingface
The HuggingFace CLI shell plugin allows you to use 1Password to securely authenticate [HuggingFace CLI ](https://huggingface.co/docs/huggingface_hub/quick-start) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate HuggingFace CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install HuggingFace CLI. ](https://huggingface.co/docs/huggingface_hub/quick-start)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | ------------------------ |
| User Access Token | `HUGGING_FACE_HUB_TOKEN` |
| Endpoint (optional) | `HF_ENDPOINT` |
| API URL (optional) | `HF_INFERENCE_ENDPOINT` |
*Thanks to [@bala-ceg](https://github.com/bala-ceg) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/393)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate InfluxDB
Source: https://www.1password.dev/cli/shell-plugins/influxdb
The InfluxDB shell plugin allows you to use 1Password to securely authenticate [InfluxDB ](https://docs.influxdata.com/influxdb/cloud/reference/cli/influx/config/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate InfluxDB with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install InfluxDB. ](https://docs.influxdata.com/influxdb/cloud/reference/cli/influx/config/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Host | `INFLUX_HOST` |
| Organization | `INFLUX_ORG` |
| Access Token | `INFLUX_TOKEN` |
*Thanks to [@bala-ceg](https://github.com/bala-ceg) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/392)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate Kaggle CLI
Source: https://www.1password.dev/cli/shell-plugins/kaggle
The Kaggle CLI shell plugin allows you to use 1Password to securely authenticate [Kaggle CLI ](https://github.com/Kaggle/kaggle-api) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Kaggle CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Kaggle CLI. ](https://github.com/Kaggle/kaggle-api)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `KAGGLE_KEY` |
| Username | `KAGGLE_USERNAME` |
*Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/341)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate the Lacework CLI
Source: https://www.1password.dev/cli/shell-plugins/lacework
The Lacework shell plugin allows you to use 1Password to securely authenticate [the Lacework CLI ](https://docs.lacework.com/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Lacework CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.10.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Lacework CLI. ](https://docs.lacework.com/cli/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Account | `LW_ACCOUNT` |
| API Key ID | `LW_API_KEY` |
| API Secret | `LW_API_SECRET` |
*Thanks to [@colinbarr](https://github.com/colinbarr) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/95)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Laravel Forge CLI
Source: https://www.1password.dev/cli/shell-plugins/laravel-forge
The Laravel Forge shell plugin allows you to use 1Password to securely authenticate [the Laravel Forge CLI ](https://forge.laravel.com/docs/1.0/cli.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Laravel Forge CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Laravel Forge CLI ](https://forge.laravel.com/docs/1.0/cli.html#installation).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `FORGE_API_TOKEN` |
*Thanks to [@andresayej](https://github.com/andresayej) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/244)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Laravel Vapor CLI
Source: https://www.1password.dev/cli/shell-plugins/laravel-vapor
The Laravel Vapor shell plugin allows you to use 1Password to securely authenticate [the Laravel Vapor CLI ](https://docs.vapor.build/1.0/introduction.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Laravel Vapor CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Laravel Vapor CLI ](https://docs.vapor.build/1.0/introduction.html#installing-the-vapor-cli).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `VAPOR_API_TOKEN` |
*Thanks to [@andresayej](https://github.com/andresayej) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/245)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Linode CLI
Source: https://www.1password.dev/cli/shell-plugins/linode
The Linode shell plugin allows you to use 1Password to securely authenticate [the Linode CLI ](https://www.linode.com/docs/products/tools/cli/get-started/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Linode CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.10.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Linode CLI. ](https://www.linode.com/docs/products/tools/cli/get-started/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `LINODE_CLI_TOKEN` |
*Thanks to [@alexclst](https://github.com/alexclst) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/86)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate LocalStack
Source: https://www.1password.dev/cli/shell-plugins/localstack
The LocalStack shell plugin allows you to use 1Password to securely authenticate [LocalStack ](https://docs.localstack.cloud/getting-started/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate LocalStack with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install LocalStack. ](https://docs.localstack.cloud/getting-started/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `LOCALSTACK_API_KEY` |
# Use 1Password to securely authenticate MongoDB Atlas
Source: https://www.1password.dev/cli/shell-plugins/mongodb-atlas
The MongoDB Atlas shell plugin allows you to use 1Password to securely authenticate [the Atlas CLI ](https://www.mongodb.com/tools/atlas-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Atlas CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install the Atlas CLI ](https://www.mongodb.com/try/download/atlascli).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | ------------------------------- |
| Public key | `MONGODB_ATLAS_PUBLIC_API_KEY` |
| Private key | `MONGODB_ATLAS_PRIVATE_API_KEY` |
*Thanks to [@joqim](https://github.com/joqim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/198)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use shell plugins to authenticate with multiple accounts
Source: https://www.1password.dev/cli/shell-plugins/multiple-accounts
You can configure [1Password Shell Plugins](/cli/shell-plugins/) to authenticate with different accounts in different directories, so you don't have to spend time signing in or out between projects.
For example, you can set the GitHub shell plugin to authenticate with your work credentials in the directories for your work repositories and your personal credentials in the directories for your personal repositories.
## Step 1: Organize your directories by account
Before you configure your shell plugins to use multiple accounts, group the project directories on your computer by the accounts they use.
For example, if you have a personal and a work GitHub account, you might organize your personal and work GitHub repository folders like this:
```
github/
├─ personal/
│ ├─ personal-repo-1
│ ├─ personal-repo-2
│ ├─ personal-repo-3
├─ work/
│ ├─ work-repo-1
│ ├─ work-repo-2
```
## Step 2: Configure default credentials for each environment
After you organize your projects under account-level directories, you can set default credentials for your shell plugin to use in each directory and all its subfolders.
1. Change directories to one of the account-level folders you created. For example:
```shell theme={null}
cd projects/work
```
2. Sign in to the 1Password account where the credentials you want to use are stored:
```shell theme={null}
op signin
```
3. Choose a plugin to initialize, or run `op plugin init` to choose from a list of all available plugins. For example, to initialize the GitHub plugin:
```shell theme={null}
op plugin init gh
```
4. Import or select the appropriate credentials to use with the account.
5. Select **Use automatically when in this directory or subdirectories** as the default credential scope.
6. Repeat the process in other account-level folders with their respective credentials.
This will make the credentials you configure in each account-level folder the default for all subfolders within it, as long as no other directory-specific defaults are set in them.
After you set defaults in all your account-level folders, use the shell plugin as you normally would across all your projects. When you use the plugin in a folder within the personal or work directories, the plugin will automatically authenticate with the appropriate credentials.
## Learn more
* [Get started with 1Password Shell Plugins](/cli/shell-plugins/)
* [Build your own shell plugins](/cli/shell-plugins/contribute/)
# Use 1Password to securely authenticate the MySQL CLI
Source: https://www.1password.dev/cli/shell-plugins/mysql
The MySQL shell plugin allows you to use 1Password to securely authenticate [the MySQL CLI ](https://dev.mysql.com/doc/refman/en/mysql.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the MySQL CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the MySQL CLI. ](https://dev.mysql.com/doc/refman/en/installing.html)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
## Get help
## Reference
If you saved your MySQL credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below.
If your credentials are stored in a different field, you'll be prompted to select the field manually. Field names are case-insensitive. Field name tokens can be separated by whitespaces, underscores, dashes, or nothing.
| 1Password field name | Parameter |
| -------------------- | ---------- |
| Host (optional) | `host` |
| Port (optional) | `port` |
| User (optional) | `user` |
| Password | `password` |
| Database (optional) | `database` |
# Use 1Password to securely authenticate ngrok
Source: https://www.1password.dev/cli/shell-plugins/ngrok
The ngrok shell plugin allows you to use 1Password to securely authenticate [the ngrok CLI ](https://ngrok.com/docs/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate ngrok with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the ngrok CLI ](https://ngrok.com/docs/getting-started).
The following shells are supported:
* Bash
* Zsh
* Fish
## Step 1: Configure your default credentials
### Optional: Add an API key
The ngrok shell plugin sets up authentication for the following ngrok commands by default: `http`, `service`, `start`, `tcp`, `tls`, and `tunnel`.
To configure authentication for the `ngrok api` command, [add a custom field](https://support.1password.com/custom-fields/#add-a-custom-field) to your ngrok item titled `API Key` and save [your ngrok API key](https://dashboard.ngrok.com/api/keys) there.
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your ngrok credentials in 1Password, you can remove all local copies you previously had stored on disk.
To find your ngrok configuration file location, run:
```shell theme={null}
ngrok config check
```
To remove your credentials, run `rm` with the filepath for your configuration file. For example:
## Next steps
## Get help
## Reference
If you're using ngrok 3.2.1 or later, 1Password authenticates with ngrok by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you're using an earlier version of ngrok, 1Password authenticates by injecting a temporary file with the appropriate credentials.
If you saved your ngrok credentials in 1Password manually rather than using `op plugin init` to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | YAML config field | Environment variable |
| -------------------- | ----------------- | -------------------- |
| Auth Token | `authtoken` | `NGROK_AUTHTOKEN` |
| API Key | `api_key` | `NGROK_API_KEY` |
*Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/165)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Configure shell plugins using Nix
Source: https://www.1password.dev/cli/shell-plugins/nix
If you're using Nix to manage your shell configuration, you can configure 1Password Shell Plugins natively within your Nix configuration.
1. Add the 1Password Shell Plugins flake to your flake inputs:
```nix theme={null}
{
description = "My NixOS system flake";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
# import the 1Password Shell Plugins Flake
_1password-shell-plugins.url = "github:1Password/shell-plugins";
# the rest of your flake inputs here
};
outputs = inputs@{ nixpkgs, ... }: {
# the rest of your flake here
}
}
```
2. Somewhere in your flake output configuration, import and use the appropriate module:
```nix theme={null}
{
# import the NixOS module
imports = [ inputs._1password-shell-plugins.nixosModules.default ];
programs._1password-shell-plugins = {
# enable 1Password shell plugins for bash, zsh, and fish shell
enable = true;
# the specified packages as well as 1Password CLI will be
# automatically installed and configured to use shell plugins
plugins = with pkgs; [ gh awscli2 cachix ];
};
# this can also be `programs.bash` or `programs.fish`
programs.zsh = {
enable = true;
# the rest of your shell configuration here
};
}
```
```nix theme={null}
{
# import the home-manager module
imports = [ inputs._1password-shell-plugins.hmModules.default ];
programs._1password-shell-plugins = {
# enable 1Password shell plugins for bash, zsh, and fish shell
enable = true;
# the specified packages as well as 1Password CLI will be
# automatically installed and configured to use shell plugins
plugins = with pkgs; [ gh awscli2 cachix ];
};
# this can also be `programs.bash` or `programs.fish`
programs.zsh = {
enable = true;
# the rest of your shell configuration here
};
}
```
3. Apply the updated configuration:
`~/path/to/flake/directory/` should be the path
to the directory containing your `flake.nix` file, and `my-computer`
should be the name of the flake output to use as the system configuration.
```shell theme={null}
sudo nixos-rebuild switch --flake "~/path/to/flake/directory/.#my-computer"
```
`~/path/to/flake/directory/` should be the path
to the directory containing your `flake.nix` file, and `my-computer`
should be the name of the flake output to use as the system configuration.
```shell theme={null}
home-manager switch --flake "~/path/to/flake/directory/.#my-computer"
```
# Use 1Password to securely authenticate Oh Dear CLI
Source: https://www.1password.dev/cli/shell-plugins/oh-dear
The Oh Dear CLI shell plugin allows you to use 1Password to securely authenticate [Oh Dear CLI ](https://github.com/ohdearapp/ohdear-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Oh Dear CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.19.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. [Install Oh Dear CLI ](https://github.com/ohdearapp/ohdear-cli).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `OHDEAR_API_TOKEN` |
*Thanks to [@owenvoke](https://github.com/owenvoke) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/269)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Okta CLI
Source: https://www.1password.dev/cli/shell-plugins/okta
The Okta shell plugin allows you to use 1Password to securely authenticate [the Okta CLI ](https://cli.okta.com/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Okta CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Okta CLI. ](https://cli.okta.com/manual/#installation)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the OpenAI CLI
Source: https://www.1password.dev/cli/shell-plugins/openai
The OpenAI shell plugin allows you to use 1Password to securely authenticate [the OpenAI CLI ](https://pypi.org/project/openai/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the OpenAI CLI with biometrics.
You can also use 1Password Shell Plugins to authenticate [OpenAI Evals](/cli/shell-plugins/openai-evals).
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the OpenAI CLI. ](https://pypi.org/project/openai/)
The following shells are supported:
* Bash
* Zsh
* fish
## Before you begin: Create and save an OpenAI API key
If you've already created an OpenAI API key, [skip to Step 1](#step-1-configure-your-default-credentials).
If you haven't created an API key yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password:
1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/).
2. [Follow the steps](https://platform.openai.com/account/api-keys) to create an OpenAI API key.
3. Select **Save item** when 1Password asks if you want to save an item for the OpenAI API key.
4. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**.
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `OPENAI_API_KEY` |
*Thanks to [@jodyheavener](https://github.com/jodyheavener) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/152)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate OpenAI Evals
Source: https://www.1password.dev/cli/shell-plugins/openai-evals
The OpenAI Evals shell plugins allow you to use 1Password to securely authenticate [`oaieval` and `oaievalset` ](https://github.com/openai/evals/blob/main/docs/run-evals.md) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials for each CLI and source the `plugins.sh` file, then you'll be prompted to authenticate OpenAI Evals with biometrics.
You can also use 1Password Shell Plugins to authenticate [OpenAI](/cli/shell-plugins/openai).
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.19.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install OpenAI Evals. ](https://github.com/openai/evals/blob/main/docs/run-evals.md)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your oaieval credentials
## Step 2: Configure your oaievalset credentials
## Step 3: Source the plugins.sh file
## Step 4: Use the CLI
## Step 5: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `OPENAI_API_KEY` |
*Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/208)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate Pipedream CLI
Source: https://www.1password.dev/cli/shell-plugins/pipedream
The Pipedream CLI shell plugin allows you to use 1Password to securely authenticate [Pipedream CLI ](https://pipedream.com/docs/cli/install/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Pipedream CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Pipedream CLI. ](https://pipedream.com/docs/cli/install/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
## Get help
## Reference
1Password authenticates with Pipedream by injecting a temporary config file with the credentials required by the plugin commands directly from your 1Password account.
If you saved your Pipedream credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Config file field |
| -------------------- | ----------------- |
| API Key | api\_key |
| Org ID | org\_id |
*Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/338)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate the PostgreSQL CLI
Source: https://www.1password.dev/cli/shell-plugins/postgresql
The PostgreSQL shell plugin allows you to use 1Password to securely authenticate [psql ](https://www.postgresguide.com/utilities/psql/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate psql with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [psql. ](https://www.postgresql.org/docs/current/app-psql.html)
The following shells are supported:
* Bash
* Zsh
* fish
## Additional executables
You can also use the PostgreSQL shell plugin with:
* [`pg_dump` ](https://www.postgresql.org/docs/current/app-pgdump.html)
* [`pg_restore` ](https://www.postgresql.org/docs/current/app-pgrestore.html)
* [`pgcli` ](https://www.pgcli.com/)
Run `op plugin init ` with the executable you want to configure, then follow the steps to select your credentials.
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the Pulumi CLI
Source: https://www.1password.dev/cli/shell-plugins/pulumi
The Pulumi CLI shell plugin allows you to use 1Password to securely authenticate [the Pulumi CLI ](https://www.pulumi.com/docs/reference/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Pulumi CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Pulumi CLI. ](https://www.pulumi.com/docs/get-started/install/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | --------------------- |
| Token | `PULUMI_ACCESS_TOKEN` |
| Host (optional) | `PULUMI_BACKEND_URL` |
*Thanks to [@ringods](https://github.com/ringods) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/199)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the ReadMe CLI
Source: https://www.1password.dev/cli/shell-plugins/readme
The ReadMe shell plugin allows you to use 1Password to securely authenticate [the ReadMe CLI ](https://docs.readme.com/main/docs/rdme) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the ReadMe CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.12.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the ReadMe CLI. ](https://github.com/readmeio/rdme#setup)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field names | Environment variable |
| --------------------- | -------------------- |
| API Key | `RDME_API_KEY` |
| Username (Optional) | `RDME_EMAIL` |
| Website (Optional) | `RDME_PROJECT` |
*Thanks to [@kanadgupta](https://github.com/kanadgupta) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/106)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Scaleway CLI
Source: https://www.1password.dev/cli/shell-plugins/scaleway
The Scaleway shell plugin lets you use 1Password to authenticate the [Scaleway CLI (`scw`) ](https://www.scaleway.com/en/cli/) with your fingerprint, Apple Watch, or system authentication, instead of storing API keys in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Scaleway CLI with biometrics.
The plugin applies to the Scaleway CLI’s **default** configuration. It does not support separate [CLI profiles](https://github.com/scaleway/scaleway-cli/blob/master/docs/commands/config.md).
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.34.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install and configure the [Scaleway CLI ](https://www.scaleway.com/en/docs/developer-tools/scaleway-cli/quickstart/).
The following shells are supported:
* Bash
* Zsh
* fish
## Before you begin: Create a Scaleway API key
If you already have a Scaleway API key, [skip to step 1](#step-1-configure-your-default-credentials).
Otherwise, create an API key in the [Scaleway console ](https://console.scaleway.com/iam/api-keys) and save the **access key** and **secret key** in 1Password. See Scaleway’s guide to [creating API keys ](https://www.scaleway.com/en/docs/iam/how-to/create-api-keys/).
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
For example, after configuring the plugin, try:
```shell theme={null}
scw account project list
```
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field names | Environment variable |
| -------------------------- | ----------------------------- |
| Access key | `SCW_ACCESS_KEY` |
| Secret key | `SCW_SECRET_KEY` |
| Default region (optional) | `SCW_DEFAULT_REGION` |
| Default zone (optional) | `SCW_DEFAULT_ZONE` |
| Project ID (optional) | `SCW_DEFAULT_PROJECT_ID` |
| Organization ID (optional) | `SCW_DEFAULT_ORGANIZATION_ID` |
*Thanks to [@jksolbakken](https://github.com/jksolbakken) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/515)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# About 1Password Shell Plugins security
Source: https://www.1password.dev/cli/shell-plugins/security
## Authorization model
To get your consent when a 1Password CLI command or 1Password Shell Plugin is invoked, 1Password will present you with an approval dialog:
This dialog will show which application is requesting permission to use which 1Password account. After you approve the request, a *session* will be established between 1Password and the terminal window or tab the plugin was invoked from.
Any consecutive invocations of 1Password CLI within that terminal window can use your 1Password account without additional authorization until 1Password locks. This includes invocations of the same plugin, a different plugin and any other 1Password CLI commands. As always when working with secrets, it's worth being mindful of the processes, scripts, and plugins you run that can access those secrets.
A session is ended in any of the following scenarios:
* When 1Password is locked
* After 10 minutes of inactivity
* After 12 hours
* When `op signout` is run in the authorized terminal session
* When `op signout --all` is run in any terminal session
## Extendability & community contributions
1Password Shell Plugins is [extendable](/cli/shell-plugins/contribute/). Contributed plugins are curated and reviewed by 1Password before they are included and shipped in 1Password CLI.
1Password has only reviewed contributed plugins if they are included in 1Password CLI. We recommend you only run plugins included in 1Password CLI and plugins you've written yourself.
In practice, this means you should not download binaries and place them in `~/.op/plugins/local`.
## Learn more
* [Biometric security](/cli/app-integration/)
# Use 1Password to securely authenticate the Sentry CLI
Source: https://www.1password.dev/cli/shell-plugins/sentry
The Sentry shell plugin allows you to use 1Password to securely authenticate [the Sentry CLI ](https://docs.sentry.io/product/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Sentry CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Sentry CLI. ](https://docs.sentry.io/product/cli/installation/)
The following shells are supported:
* Bash
* Zsh
* fish
Get \$240 in Sentry credits when you [create a new Sentry account](https://sentry.io/signup/) using the promo code **1Password**.
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
# Use 1Password to securely authenticate the Snowflake CLI
Source: https://www.1password.dev/cli/shell-plugins/snowflake
The Snowflake shell plugin allows you to use 1Password to securely authenticate [SnowSQL ](https://docs.snowflake.com/en/user-guide/snowsql.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the SnowSQL with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [SnowSQL. ](https://docs.snowflake.com/en/user-guide/snowsql-install-config)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field names | Environment variable |
| --------------------- | -------------------- |
| Account | `SNOWSQL_ACCOUNT` |
| Username | `SNOWSQL_USER` |
| Password | `SNOWSQL_PWD` |
*Thanks to [@williamhpark](https://github.com/williamhpark) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/161)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Snyk CLI
Source: https://www.1password.dev/cli/shell-plugins/snyk
The Snyk shell plugin allows you to use 1Password to securely authenticate [the Snyk CLI ](https://docs.snyk.io/snyk-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Snyk CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Snyk CLI. ](https://docs.snyk.io/snyk-cli/install-the-snyk-cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `SNYK_TOKEN` |
# Use 1Password to securely authenticate the Sourcegraph CLI
Source: https://www.1password.dev/cli/shell-plugins/sourcegraph
The Sourcegraph shell plugin allows you to use 1Password to securely authenticate [the Sourcegraph CLI ](https://docs.sourcegraph.com/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Sourcegraph CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Sourcegraph CLI. ](https://docs.sourcegraph.com/cli/quickstart)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field names | Environment variable |
| --------------------- | -------------------- |
| Endpoint | `SRC_ENDPOINT` |
| Token | `SRC_ACCESS_TOKEN` |
*Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/146)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Stripe CLI
Source: https://www.1password.dev/cli/shell-plugins/stripe
The Stripe shell plugin allows you to use 1Password to securely authenticate [the Stripe CLI ](https://stripe.com/docs/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Stripe CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Stripe CLI. ](https://stripe.com/docs/stripe-cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `STRIPE_API_KEY` |
# Use 1Password to securely authenticate Terraform
Source: https://www.1password.dev/cli/shell-plugins/terraform
Beta
The Terraform shell plugin allows you to use 1Password to securely authenticate [Terraform CLI ](https://developer.hashicorp.com/terraform/cli) to supported providers with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
You can configure the Terraform plugin to authenticate with biometrics to any provider in the [1Password Shell Plugin ecosystem](/cli/shell-plugins#get-started), like AWS, ngrok, and Databricks.
The Terraform shell plugin is currently in beta. It can only be used with the latest [beta build](https://app-updates.agilebits.com/product_history/CLI2#beta) of 1Password CLI, version `2.19.0-beta.01` or later.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [the latest beta build of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2#beta) (`2.19.0-beta.01` or later).
4. [Integrate 1Password CLI with the 1Password app](/cli/app-integration#step-1-turn-on-the-app-integration).
5. Install [Terraform CLI ](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
If you have multiple 1Password accounts, run op signin to select the account you want to use before configuring the plugin. When you use the plugin, 1Password CLI will automatically switch to that account.
To get started with the Terraform shell plugin, run:
```shell theme={null}
op plugin init terraform
```
You'll be prompted to select the credential types you want to use with Terraform — you can choose as many as you want. Select the credential type for [a supported provider](/cli/shell-plugins#get-started), then you can either [import the credential](#import-a-new-item) into your 1Password account or [select an existing 1Password item](#select-an-existing-item) where the credential is saved.
When you've configured all the credentials you want to use with Terraform, select **Stop choosing credentials**.
Step 1.1: Import or select an item
#### Import a new item
If you haven't saved a credential in 1Password yet, select **Import into 1Password**. Enter a name for the new 1Password item and select the vault where you want to save it.
If 1Password detects the credential in your local development environment, you'll be prompted to import it automatically.
#### Select an existing item
If you've already saved a credential in 1Password, select **Search in 1Password**. Select the item from the list of suggested items. If you don't see the item you want, select **Expand search** to browse all items in your account.
Step 1.2: Set default credential scope
After you finish selecting your credentials, you'll be prompted to configure when to use them.
* **Prompt me for each new terminal session** will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the defaults will be removed.
* **Use automatically when in this directory or subdirectories** will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one.
* **Use as global default on my system** will set the credentials as the defaults in all terminal sessions and directories. A directory-specific default takes precedence over a global one.
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
```shell theme={null}
source ~/.config/op/plugins.sh
```
The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
The next time you use Terraform CLI with one of the providers you configured credentials for, you'll be prompted to authenticate with biometrics or system authentication.
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk, like in your [provider configurations ](https://developer.hashicorp.com/terraform/language/providers/configuration).
## Next steps
To inspect your current Terraform configuration:
```shell theme={null}
op plugin inspect terraform
```
1Password CLI will return a list of the credentials you've configured
to use with Terraform and their default scope, as well as a list of
aliases configured for Terraform CLI.
Clear your credentials
To reset the credentials used with Terraform CLI:
```shell theme={null}
op plugin clear terraform
```
You can clear one configuration at a time, in this order of precedence:
1. Terminal session default
2. Directory default, from the current directory to \$HOME
3. Global default
For example, if you're in the directory \$HOME/projects/awesomeProject and you have a terminal session default, directory defaults for \$HOME and \$HOME/projects/awesomeProject, and a global default credential configured, you would need to run op plugin clear terraform four times to clear all of your defaults.
To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run op plugin clear terraform --all.
## Reference
1Password authenticates to Terraform providers by provisioning the credentials required by the plugin commands directly from your 1Password account.
If you saved your provider credentials manually rather than using `op plugin` to import a new item, you might be prompted to rename your item's fields to match the item structure required by the credential schema.
# Test shell plugins
Source: https://www.1password.dev/cli/shell-plugins/test
You can test [1Password Shell Plugins](/cli/shell-plugins/) without making any changes to your current workflows.
To do this, you'll configure a shell plugin with default credentials that only last for the duration of your current terminal session, then source the shell plugin aliases script in your current terminal session instead of adding it to your shell profile. When you close your terminal window, your temporary shell plugin configuration will be cleared.
## Step 1: Temporarily configure a shell plugin
1. Sign in to the 1Password account where the credentials you want to use with the shell plugin are stored:
```shell theme={null}
op signin
```
2. Choose a plugin to test, or run `op plugin init` to choose from a list of all available plugins. For example, to test the AWS shell plugin:
```shell theme={null}
op plugin init aws
```
3. Import or select the credentials you want to test with the plugin.
4. When you're prompted to choose when the credentials will be used to authenticate, select **Prompt me for each new terminal session**. This will configure your credentials as a temporary default for the duration of your current terminal session.
5. Instead of adding the command to source the `plugins.sh` file to your shell profile, source the `plugins.sh` file in your current terminal session. This will create an alias for the CLI executable that lasts for the duration of your current terminal session. For example:
```shell theme={null}
source ~/.config/op/plugins.sh
```
The location of the `plugins.sh` file will vary depending on your [configuration directory](/cli/config-directories/).
## Step 2: Test the shell plugin
You can test the shell plugin for the duration of your current terminal session.
1. Sign out of 1Password CLI to make sure you'll be prompted to authenticate:
```shell theme={null}
op signout
```
2. Run a command with the CLI that requires authentication. For example, if you configured a shell plugin for AWS:
```shell theme={null}
aws s3 ls
```
When you're done testing, close the terminal window to clear your default credentials and remove the alias for the CLI executable.
To continue using a shell plugin, follow the installation guide for the [plugin of your choice](/cli/shell-plugins/).
# Use 1Password to securely authenticate Todoist CLI
Source: https://www.1password.dev/cli/shell-plugins/todoist
The Todoist CLI shell plugin allows you to use 1Password to securely authenticate [Todoist CLI ](https://github.com/sachaos/todoist) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Todoist CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Todoist CLI. ](https://github.com/sachaos/todoist)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
## Get help
## Reference
1Password authenticates with Todoist by injecting a temporary config file with the credentials required by the plugin commands directly from your 1Password account.
If you saved your Todoist credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Config file field |
| -------------------- | ----------------- |
| Token | token |
*Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/340)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate the Treasure Data CLI
Source: https://www.1password.dev/cli/shell-plugins/treasure-data
The Treasure Data shell plugin allows you to use 1Password to securely authenticate the [Treasure Data Toolbelt ](https://www.treasuredata.com/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Treasure Data with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.16.1 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Treasure Data Toolbelt ](https://toolbelt.treasuredata.com/).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `TD_API_KEY` |
# 1Password Shell Plugins troubleshooting
Source: https://www.1password.dev/cli/shell-plugins/troubleshooting
## Using shell plugins
### If you're using a non-interactive shell
1Password Shell Plugins are built to be used with interactive shells. An interactive shell is required for the shell plugin to prompt for authentication.
### If your script doesn't inherit shell plugin aliases
Scripts might not inherit your shell plugin aliases if they're run in a subshell where the `plugins.sh` file isn't sourced. When this happens, the CLI command in the script will output an error instead of running correctly.
For example, the following script runs a `doctl` command in a subshell, and as a result wouldn't inherit the `doctl` shell plugin alias:
```html yourscript.sh theme={null}
#!/usr/bin/env bash
doctl account get
```
To make the script run correctly, you can wrap the `doctl` command in [`op plugin run`](/cli/reference/management-commands/plugin/#plugin-run). For example:
```html yourscript.sh theme={null}
#!/usr/bin/env bash
op plugin run doctl account get
```
### If autocompletion stops working
If autocompletion stops working in Zsh after you configure a shell plugin, run the following command to configure completion for aliases:
```shell theme={null}
setopt completealiases
```
## Contributing shell plugins
### If your locally-built plugin stops working
If your locally-built plugin stops working, you might need to update your 1Password CLI version or rebuild your plugin with the latest shell plugins SDK.
#### Update your 1Password CLI installation
If you're using an outdated version of the CLI, you'll see this error message:
```shell theme={null}
1Password CLI is outdated, please run:
op update
to update 1Password CLI to the latest version and to be able to use
this Shell Plugin.
```
To update your 1Password CLI installation to the latest version:
```shell theme={null}
op update
```
Or [update 1Password CLI with a package manager](/cli/reference/update/#update-with-a-package-manager).
#### Rebuild your plugins with the latest shell plugins SDK
If the shell plugins SDK is outdated, you'll see this error message:
```shell theme={null}
1Password Shell Plugin is out of date. Remove the plugin at
'/Users//.op/plugins/local/aws' or rebuild it with the
latest Shell Plugin SDK to use it.
```
To update to the latest shell plugins SDK, you'll need to merge the `main` branch of the [shell plugins repository](https://github.com/1Password/shell-plugins/tree/main/) into the branch for your plugin. To do this:
1. Navigate to the directory where you cloned the shell plugins repo:
```shell theme={null}
cd
```
2. If you've made any local changes to your plugin branch, commit or stash them:
```shell theme={null}
git commit -am ""
```
3. Check out the `main` branch:
```shell theme={null}
git checkout main
```
4. Pull the `main` branch:
```shell theme={null}
git pull main
```
5. Check out your plugin branch:
```shell theme={null}
git checkout
```
6. Merge `main` into your branch:
```
git merge main
```
Then fix any merge conflicts and make any needed changes to the plugin code to conform to the latest version of the SDK.
When you're ready to rebuild your plugin:
```shell theme={null}
make /build
```
**Join our Developer Slack**
If you're still having trouble, join our [Developer Slack workspace](/joinslack) and we'll help you figure out a solution.
## Learn more
* [Uninstall shell plugins](/cli/shell-plugins/uninstall/)
* [Test shell plugins](/cli/shell-plugins/test/)
* [Use shell plugins to switch between multiple environments](/cli/shell-plugins/environments/)
* [Use shell plugins with multiple accounts](/cli/shell-plugins/multiple-accounts/)
# Use 1Password to securely authenticate the Tugboat CLI
Source: https://www.1password.dev/cli/shell-plugins/tugboat
The Tugboat shell plugin allows you to use 1Password to securely authenticate [the Tugboat CLI ](https://docs.tugboatqa.com/tugboat-cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Tugboat CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.10.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Tugboat CLI. ](https://docs.tugboatqa.com/tugboat-cli/install-the-cli/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Token | `TUGBOAT_API_TOKEN` |
*Thanks to [@markdorison](https://github.com/markdorison) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/85)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate the Twilio CLI
Source: https://www.1password.dev/cli/shell-plugins/twilio
The Twilio shell plugin allows you to use 1Password to securely authenticate [the Twilio CLI ](https://twilio.com/docs/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Twilio CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [the Twilio CLI. ](https://www.twilio.com/docs/twilio-cli/quickstart)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field names | Environment variables |
| --------------------- | --------------------- |
| Account SID | `TWILIO_ACCOUNT_SID` |
| API Key | `TWILIO_API_KEY` |
| API Secret | `TWILIO_API_SECRET` |
| Region (optional) | `TWILIO_REGION` |
# Uninstall shell plugins
Source: https://www.1password.dev/cli/shell-plugins/uninstall
[1Password Shell Plugins](/cli/shell-plugins/) are built so you can stop using them at any time.
* If you want to [reset a shell plugin configuration](#clear-your-default-credentials-for-a-plugin), you can clear your default credentials.
* If you want to [temporarily stop using a shell plugin](#temporarily-stop-using-a-shell-plugin), you can run `unalias ` or remove the alias for its executable from your `plugins.sh` file.
* If you want to [temporarily stop using all shell plugins](#temporarily-stop-using-all-shell-plugins), you can remove the command to source the `plugins.sh` file from your shell profile.
* And if you want to [completely uninstall shell plugins](#completely-stop-using-shell-plugins), you can do that too.
## Clear your default credentials for a plugin
If you want to remove your default credentials for a shell plugin:
```shell theme={null}
op plugin clear
```
Credentials will be removed in this order:
1. Terminal session default
2. Directory default, from the current directory to `$HOME`
3. Global default
To remove all the credentials you've configured for a shell plugin at the same time:
```shell theme={null}
op plugin clear --all
```
## Temporarily stop using a shell plugin
If you want to stop using a shell plugin for the current terminal session, run:
```
unalias
```
If you want to temporarily stop using a plugin for a longer period of time, you can remove its alias from your `plugins.sh` file. Then 1Password CLI will no longer handle authentication when you use the third-party CLI.
1. Open your [`plugins.sh` file](#if-you-cant-find-your-pluginssh-file) file.
2. Remove the alias for the plugin you want to stop using. For example, `alias aws="op plugin run -- aws"`.
3. Save the file.
4. Open a new terminal window or source your shell profile for the change to go into effect.
You can add the alias back to the file at any time to continue using the shell plugin with your current setup.
## Temporarily stop using all shell plugins
If you want to temporarily stop using shell plugins without losing your configurations, you can remove the command to source the `plugins.sh` file from your shell profile.
1. Open your shell profile.
2. Remove the line that looks like this. Your [`plugins.sh` file path](#if-you-cant-find-your-pluginssh-file) may vary.
```shell theme={null}
source ~/.config/op/plugins.sh
```
3. Open a new terminal session or source your shell profile for the change to go into effect.
1Password will no longer prompt you to authenticate for any third-party CLI.
## Completely stop using shell plugins
To completely stop using shell plugins and remove all information about your configurations:
1. [Clear the default credentials](#clear-your-default-credentials-for-a-plugin) for each of your plugins.
2. [Remove the command to source the `plugins.sh` file](#temporarily-stop-using-all-shell-plugins) from your shell profile.
3. Delete the [`plugins.sh` file](#if-you-cant-find-your-pluginssh-file) and the `plugins` folder within your `op` directory.
4. If you configured any directory-specific defaults, remove the `.op` folder from those directories.
## Get help
If you can't find your plugins.sh file
The file path for your `plugins.sh` file may vary depending on your [configuration directory](/cli/config-directories/). Common locations include:
* `~/.op/plugins.sh`
* `~/.config/op/plugins.sh`
* `~/op/plugins.sh`
# Use 1Password to securely authenticate Upstash CLI
Source: https://www.1password.dev/cli/shell-plugins/upstash
The Upstash CLI shell plugin allows you to use 1Password to securely authenticate [Upstash CLI ](https://github.com/upstash/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Upstash CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Upstash CLI. ](https://github.com/upstash/cli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| API Key | `UPSTASH_API_KEY` |
| Email | `UPSTASH_EMAIL` |
*Thanks to [@siddhikhapare](https://github.com/siddhikhapare) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/316)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate Vercel CLI
Source: https://www.1password.dev/cli/shell-plugins/vercel
The Vercel CLI shell plugin allows you to use 1Password to securely authenticate [Vercel CLI ](https://vercel.com/docs/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Vercel CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.19.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. [Install Vercel CLI ](https://vercel.com/docs/cli).
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
## Get help
## Reference
1Password authenticates with Vercel by injecting injecting the token as a command line argument.
If you saved your Vercel CLI credentials in 1Password manually rather than using `op plugin init` to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Command line argument | |
| -------------------- | --------------------- | -- |
| Token | `--token` | \` |
*Thanks to [@j178](https://github.com/j178) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/273)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate Vertica CLI
Source: https://www.1password.dev/cli/shell-plugins/vertica
The Vertica CLI shell plugin allows you to use 1Password to securely authenticate [Vertica CLI ](https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/Install/InstallingTheVsqlClient.htm) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Vertica CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Vertica CLI. ](https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/Install/InstallingTheVsqlClient.htm)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Username | `VSQL_USER` |
| Password | `VSQL_PASSWORD` |
| Host (optional) | `VSQL_HOST` |
| Port (optional) | `VSQL_PORT` |
| Database | `VSQL_DATABASE` |
*Thanks to [@parthiv11](https://github.com/parthiv11) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/327)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate Vultr CLI
Source: https://www.1password.dev/cli/shell-plugins/vultr
The Vultr CLI shell plugin allows you to use 1Password to securely authenticate [Vultr CLI ](https://github.com/vultr/vultr-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Vultr CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [Vultr CLI. ](https://github.com/vultr/vultr-cli#installation)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field names | Environment variable |
| --------------------- | -------------------- |
| API Key | `VULTR_API_KEY` |
*Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/159)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Use 1Password to securely authenticate YugabyteDB SQL Shell
Source: https://www.1password.dev/cli/shell-plugins/yugabytedb
The YugabyteDB SQL Shell shell plugin allows you to use 1Password to securely authenticate [YugabyteDB SQL Shell ](https://docs.yugabyte.com/preview/admin/ysqlsh/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate YugabyteDB SQL Shell with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install YugabyteDB SQL Shell. ](https://docs.yugabyte.com/preview/admin/ysqlsh/)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Host | `PGHOST` |
| Port | `PGPORT` |
| Username | `PGUSER` |
| Password | `PGPASSWORD` |
*Thanks to [@parthiv11](https://github.com/parthiv11) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/322)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate Zapier CLI
Source: https://www.1password.dev/cli/shell-plugins/zapier
The Zapier CLI shell plugin allows you to use 1Password to securely authenticate [Zapier CLI ](https://platform.zapier.com/cli_docs/docs) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Zapier CLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Connect 1Password CLI with the 1Password app](/cli/app-integration/).
5. [Install Zapier CLI. ](https://platform.zapier.com/cli_docs/docs)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Key | `ZAPIER_DEPLOY_KEY` |
*Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/337)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute).*
# Use 1Password to securely authenticate the Zendesk CLI
Source: https://www.1password.dev/cli/shell-plugins/zendesk
The Zendesk CLI shell plugin allows you to use 1Password to securely authenticate [ZCLI ](https://developer.zendesk.com/documentation/apps/getting-started/using-zcli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext.
Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate ZCLI with biometrics.
## Requirements
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux).
3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later.
If you've already installed 1Password CLI, learn how to update your installation.
4. [Integrate 1Password CLI with the 1Password app](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration).
5. Install [ZCLI. ](https://developer.zendesk.com/documentation/apps/getting-started/using-zcli/#installing-and-updating-zcli)
The following shells are supported:
* Bash
* Zsh
* fish
## Step 1: Configure your default credentials
## Step 2: Source the plugins.sh file
To make the plugin available, source your plugins.sh file. For example:
The file path for your op folder may vary depending on your configuration directory. op plugin init will output a source command with the correct file path.
If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:
## Step 3: Use the CLI
## Step 4: Remove imported credentials from disk
After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk.
1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account.
If you saved your credentials in 1Password manually rather than using op plugin to import a new item, make sure that your field names match the table below.
If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields.
| 1Password field name | Environment variable |
| -------------------- | -------------------- |
| Subdomain | `ZENDESK_SUBDOMAIN` |
| Email | `ZENDESK_EMAIL` |
| Token | `ZENDESK_API_TOKEN` |
*Thanks to [@williamhpark](https://github.com/williamhpark) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/207)! Learn how to [build your own shell plugins](/cli/shell-plugins/contribute/).*
# Sign in to your 1Password account manually
Source: https://www.1password.dev/cli/sign-in-manually
If you don't want to [use the 1Password app to sign in to 1Password CLI](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration), you can manually add and sign in to your accounts in the terminal.
**Known security risks**
If you sign in to 1Password CLI manually, any process running under the current user can, on some platforms, potentially access your 1Password account.
We recommend you [use the 1Password app to sign in to 1Password CLI](/cli/app-integration/) because it offers more robust security guarantees.
When you sign in manually in the terminal, 1Password CLI stores your session key encrypted on disk and the random wrapper key used in the environment of the current shell.
Sessions expire after 30 minutes of inactivity, after which you’ll need to sign in again and save a new token. If you want to immediately terminate your authenticated session, you can run `op signout`.
## Sign in manually
### Step 1: Add an account
To manually add a 1Password account to 1Password CLI, use [`op account add`](/cli/reference/management-commands/account/):
```shell theme={null}
op account add
```
1Password CLI will prompt you to enter your [sign-in address](https://support.1password.com/sign-in-troubleshooting#if-youre-asked-for-a-sign-in-address), email address, [Secret Key](https://support.1password.com/secret-key/), and 1Password account password.
For non-interactive shells in local environments, sign in with the [1Password desktop app integration](/cli/app-integration/) instead.
For non-interactive shells in remote environments, authenticate with a [service account](/service-accounts/) or a [Connect server](/connect/).
#### Set a custom account shorthand
1Password CLI uses account shorthands to refer to each of the accounts you add. The default shorthand is your [sign-in address](https://support.1password.com/sign-in-troubleshooting#if-youre-asked-for-a-sign-in-address) subdomain (for example, `my` for `my.1password.com`).
To set a custom shorthand, include the `--shorthand` flag when you add an account. For example, to add an account with the shorthand `personal`:
```shell theme={null}
op account add --shorthand personal
```
### Step 2: Sign in
If you added your accounts to 1Password CLI manually, you'll need to use the [manual sign-in command](/cli/reference/commands/signin/) to sign in.
This command also works with the [app integration](/cli/app-integration) turned on, so you can use it in scripts to provide compatibility for all users regardless of their sign-in method.
```shell theme={null}
eval "$(op signin)"
```
```powershell theme={null}
Invoke-Expression "$(op signin)"
```
After you sign in, 1Password CLI creates a session token and sets the `OP_SESSION` environment variable to it. Include the `--raw` flag to get a token you can export manually.
Session tokens expire after 30 minutes of inactivity, after which you’ll need to sign in again and save a new token.
To sign out, use the command [`op signout`](/cli/reference/commands/signout/).
### Optional: Switch between accounts with the `--account` flag
If you've added multiple accounts and are using an interactive terminal, 1Password CLI will prompt you to select the account you want to sign in to. Use the arrow keys to select an account, then press the Return key to sign in.
In most shells, you can bypass the prompt to select an account using the `--account` flag with your [account shorthand, sign-in address, or ID](#appendix-find-an-account-shorthand-or-id). This option isn't available in PowerShell. For example:
```shell theme={null}
eval "$(op signin --account personal)"
```
To always sign in to the same account, set the `OP_ACCOUNT` environment variable to your [account shorthand, sign-in address, or ID](#appendix-find-an-account-shorthand-or-id).
```shell theme={null}
export OP_ACCOUNT=my.1password.com
```
```shell theme={null}
set -x OP_ACCOUNT my.1password.com
```
```powershell theme={null}
$Env:OP_ACCOUNT = "my.1password.com"
```
You can sign in to multiple accounts at the same time, then use the `--account` flag to specify which account should execute each command. If you don't specify an account, 1Password CLI will default to the account you most recently signed in to.
For example, to sign in to accounts with the shorthands `personal` and `agilebits`:
```shell theme={null}
eval "$(op signin --account personal)" && eval "$(op signin --account agilebits)"
```
```powershell theme={null}
Invoke-Expression "$(op signin --account personal)"; Invoke-Expression "$(op signin --account agilebits)"
```
To run the command `op vault list` in the account with the shorthand `personal`:
```shell theme={null}
op vault list --account personal
```
Then to run the same command in the `agilebits` account:
```shell theme={null}
op vault list --account agilebits
```
You can also [specify a custom shorthand](#set-a-custom-account-shorthand) when you add an account.
## Troubleshooting
If you've already [turned on the 1Password app integration](/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration), you'll need to turn it off before you can add an account on the command line.
## Learn more
* [Integrate 1Password CLI with the 1Password desktop app](/cli/app-integration/)
* [About the security of the 1Password desktop app integration](/cli/app-integration-security/)
## Appendix: Find an account shorthand or ID
1Password CLI uses account shorthands to refer to each of the accounts you've added. To see all the accounts you've added, their shorthands, and account details, run `op account list`.
```shell theme={null}
op account list
#code-result
SHORTHAND URL EMAIL USER UUID
my https://my.1password.com wendy.c.appleseed@gmail.com A10S...
agilebits https://agilebits-inc.1password.com wendy_appleseed@agilebits.com ONJ9...
```
You can use the shorthand, sign-in address, or user ID to refer to a specific account in your commands.
# Unlock 1Password CLI with SSO
Source: https://www.1password.dev/cli/sign-in-sso
This feature is only available as part of [1Password Unlock with SSO](https://support.1password.com/sso/).
If your 1Password administrator has [set up 1Password Unlock with SSO](https://support.1password.com/sso/), you can sign in to 1Password CLI with your identity provider.
If the 1Password account you sign in to with SSO doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in.
## Requirements
Before you start, you'll need to:
1. [Join your team](https://support.1password.com/sso-get-started/#join-your-team), or [switch to unlock with SSO](https://support.1password.com/sso-get-started/#switch-to-unlock-with-sso).
2. Install the latest version of 1Password for [Mac](https://1password.com/downloads/mac), [Windows](https://1password.com/downloads/windows), or [Linux](https://1password.com/downloads/linux).
3. Sign in to 1Password for [Mac](https://support.1password.com/sso-sign-in/#in-the-apps/), [Windows](https://support.1password.com/sso-sign-in/#in-the-apps/), or [Linux](https://support.1password.com/sso-sign-in/#in-the-apps/) using SSO.
4. Install [the latest Password CLI build](/cli/get-started/).
## Step 1: Connect 1Password CLI with the 1Password app
To turn on the app integration and set up 1Password CLI to authenticate with your identity provider:
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
4. Select **Integrate with 1Password CLI**.
5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app.
4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
5. Select **Integrate with 1Password CLI**.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Security](onepassword://settings/security)**.
4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**.
5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
6. Select **Integrate with 1Password CLI**.
## Step 2: Sign in with SSO
Once the 1Password app integration is turned on, open the terminal and type [`op signin`](/cli/get-started/#step-3-enter-any-command-to-sign-in). Use the arrow keys to select your SSO-enabled account from the list of all accounts added to your 1Password app. 1Password CLI will prompt you to authenticate.
```shell theme={null}
op signin
```
```shell highlight={2} theme={null}
Select account [Use arrows to move, type to filter]
> ACME Corp (acme.1password.com)
AgileBits (agilebits.1password.com)
Add another account
```
After you sign in for the first time, 1Password CLI will automatically sign in to your most recently used account.
If you want to [sign in to a different account](/cli/use-multiple-accounts/), you can use the `--account` flag or an environment variable.
## Get help
If the 1Password account you sign in to with SSO doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in.
## Learn more
* [Set up 1Password Unlock with SSO](https://support.1password.com/sso/)
* [Get started with 1Password Unlock with SSO](https://support.1password.com/sso-get-started/)
* [Sign in to 1Password with SSO](https://support.1password.com/sso-sign-in/)
* [Link new apps and browsers to unlock with SSO](https://support.1password.com/sso-linked-apps-browsers/)
* [If you're having trouble unlocking 1Password with SSO](https://support.1password.com/sso-troubleshooting/)
# Unlock 1Password CLI with Microsoft
Source: https://www.1password.dev/cli/sign-in-sso-azure
This feature is only available as part of the [Unlock with Microsoft beta](https://support.1password.com/cs/sso-azure/).
If your 1Password administrator has [configured Unlock with SSO](https://support.1password.com/cs/sso-configure-azure/), you can sign in to 1Password CLI with Microsoft.
During the beta period, Unlock with SSO will be available only for Microsoft using the OpenID Connect (OIDC) protocol. Additional platforms, identity providers, and protocols will be available in the future.
If the 1Password account you sign in to with Microsoft doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in.
## Requirements
Before you start, you'll need to:
1. [Join your team](https://support.1password.com/cs/sso-get-started-azure/#join-your-team), or [switch to unlock with Microsoft](https://support.1password.com/cs/sso-get-started-azure/#switch-to-unlock-with-microsoft).
2. Install the nightly release of 1Password for [Mac](https://support.1password.com/betas/?mac), [Windows](https://support.1password.com/betas/?windows), or [Linux](https://support.1password.com/betas/?linux).
3. Sign in to 1Password for [Mac](https://support.1password.com/cs/sso-sign-in-azure/#in-the-apps/), [Windows](https://support.1password.com/cs/sso-sign-in-azure/#in-the-apps/), or [Linux](https://support.1password.com/cs/sso-sign-in-azure/#in-the-apps/) using Microsoft.
4. Install [the latest 1Password CLI beta build](https://app-updates.agilebits.com/product_history/CLI2#beta).
## Step 1: Connect 1Password CLI with the 1Password app
To turn on the app integration and set up 1Password CLI to authenticate with Microsoft:
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
4. Select **Integrate with 1Password CLI**.
5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app.
4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
5. Select **Integrate with 1Password CLI**.
1. Open and unlock the [1Password app](https://1password.com/downloads/).
2. Select your account or collection at the top of the sidebar.
3. Navigate to **Settings** > **[Security](onepassword://settings/security)**.
4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**.
5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**.
6. Select **Integrate with 1Password CLI**.
## Step 2: Sign in with Microsoft
Once the 1Password app integration is turned on, open the terminal and type [`op signin`](/cli/get-started/#step-3-enter-any-command-to-sign-in). Use the arrow keys to select your Microsoft-enabled account from the list of all accounts added to your 1Password app. 1Password CLI will prompt you to authenticate.
```shell theme={null}
op signin
```
```shell highlight={2} theme={null}
Select account [Use arrows to move, type to filter]
> ACME Corp (acme.1password.com)
AgileBits (agilebits.1password.com)
Add another account
```
After you sign in for the first time, 1Password CLI will automatically sign in to your most recently used account.
If you want to [sign in to a different account](/cli/use-multiple-accounts/), you can use the `--account` flag or an environment variable.
## Get help
If the 1Password account you sign in to with Microsoft doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in.
## Learn more
* [About Unlock with Microsoft](https://support.1password.com/cs/sso-azure/)
* [Configure Unlock 1Password with Microsoft](https://support.1password.com/cs/sso-configure-azure/)
* [Get started with Unlock 1Password with Microsoft](https://support.1password.com/sso-get-started/)
* [Sign in to 1Password with Microsoft](https://support.1password.com/cs/sso-sign-in-azure/)
* [Link new apps and browsers to unlock with Microsoft](https://support.1password.com/sso-linked-apps-browsers/)
* [If you're having trouble unlocking 1Password with SSO](https://support.1password.com/sso-troubleshooting/)
# Manage SSH keys
Source: https://www.1password.dev/cli/ssh-keys
## Requirements
Before you can use 1Password CLI to manage your SSH keys, you'll need to:
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* [Install 1Password CLI](/cli/get-started#step-1-install-1password-cli) (`2.20.0` or later).
## Generate an SSH key
You can use [`op item create`](/cli/reference/management-commands/item#item-create) with the `ssh` item category to generate a new SSH key. To import an existing SSH key, [use the 1Password desktop app](/ssh/manage-keys/#import-an-ssh-key).
```shell theme={null}
op item create --category ssh --title "My SSH Key"
```
1Password CLI generates an SSH key and saves it as a new item in your built-in Personal, Private, or Employee vault, then prints the key to stdout with the private key redacted. The item includes the key type, private key, public key, and its fingerprint.
By default, 1Password CLI creates an Ed25519 key. To create an RSA key instead, use the `--ssh-generate-key` flag to specify `RSA`. Include the number of bits to specify a custom size: 2048, 3072 or 4096 (default).
For example, to generate a 2048-bit RSA key:
```shell theme={null}
op item create --category ssh --title "RSA SSH Key" --ssh-generate-key RSA,2048
```
## Get a private key
To get an SSH key's private key, use [`op read`](/cli/reference/commands/read/) with a [secret reference](/cli/secret-reference-syntax/) for the item's `private key` field. Include the `ssh-format` query parameter with `openssh` to get the private key in the OpenSSH format.
```shell theme={null}
op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh"
#code-result
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD3rRrf8J
ruD0CxZTYfpbTYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ5B/GnxX6t9jMwQ
G7QE7r5daJLkMKTZhNZhWfvzK2y+AAAAkLgQAivYu/+12/YrZhK5keIAZf4ZgsZsZ2JI2q
qbx23PqgO93oGy1iCxXe3kngQL4cM6lwOZPsZPKCinkN6KxEr6RnXqFRHJbMpOiGeZhTuD
rjeo77HqFdxDqDeckB77XCKL0Ew28H5JlM/WO31XR3Z4VBAgTe+BQLjrFV8WU5UX38hpBJ
PMJyRsK72ZUDDaGQ==
-----END OPENSSH PRIVATE KEY-----
```
## Learn more
* [Supported SSH key types](/ssh/manage-keys#supported-ssh-key-types)
* [Use 1Password for SSH & Git](/ssh/)
* [Manage your SSH keys in the 1Password app](/ssh/manage-keys/)
* [Sign your Git commits with SSH](/ssh/git-commit-signing/)
# Uninstall 1Password CLI
Source: https://www.1password.dev/cli/uninstall
Make sure you have access to your Secret Key and account password before removing 1Password account information from your device.
## Step 1: Remove your 1Password account information
Your 1Password CLI configuration file contains account details for accounts you've signed in to on the command line using your account password and Secret Key. It does not contain information for accounts you've signed in to using the 1Password desktop app integration.
Your config file can be found in one of the following locations: `~/.op/config`, `~/.config/op/config`, or `~/.config/.op/config`.
To remove all account information from your config file:
```shell theme={null}
op account forget --all
```
## Step 2: Uninstall 1Password CLI
To uninstall 1Password CLI with homebrew:
```shell theme={null}
brew uninstall 1password-cli
```
To manually uninstall 1Password CLI, run:
```shell theme={null}
rm /usr/local/bin/op
```
To uninstall 1Password CLI with Scoop:
```powershell theme={null}
scoop uninstall 1password-cli
```
To uninstall 1Password CLI with winget:
```powershell theme={null}
winget uninstall 1password-cli
```
To uninstall 1Password CLI on a Windows PC:
1. Open Powershell **as an administrator**.
2. Run the following command:
```shell theme={null}
Remove-Item -Recurse -Force "C:\Program Files\1Password CLI"
```
To uninstall 1Password CLI on Linux, run:
```shell theme={null}
rm /usr/local/bin/op
```
The 1Password CLI directory and all of its contents will be deleted.
# Upgrade to 1Password CLI 2
Source: https://www.1password.dev/cli/upgrade
*Learn how to [upgrade to 1Password CLI 2](#step-1-choose-an-upgrade-strategy) from an earlier version, and [update your scripts](#step-2-update-your-scripts) to the new command syntax.*
**1Password CLI 1 is deprecated**
1Password CLI 1 is deprecated as of **October 1, 2024**. Upgrade to 1Password CLI 2 to avoid disruptions with scripts or integrations that use version 1.
### About 1Password CLI 2
We released version 2 of the 1Password CLI in March 2022. Since then, more than 96% of users have adopted the latest version.
1Password CLI 2 includes a number of changes to the schema to make the tool easier to use as well as new features to help you provision secrets.
#### New schema
1Password CLI 2 introduces a noun-verb command structure that groups commands by topic rather than by operation. You can find all available topics with `op --help`, and see the commands avaialble for each topic with `op --help`. Topics include:
* [vault](/cli/reference/management-commands/vault/)
* [item](/cli/reference/management-commands/item/)
* [document](/cli/reference/management-commands/document/)
* [user](/cli/reference/management-commands/user/)
* [group](/cli/reference/management-commands/group/)
* [account](/cli/reference/management-commands/account/)
* [connect](/cli/reference/management-commands/connect/)
* [events-api](/cli/reference/management-commands/events-api/)
Other schema changes include:
* The default output is now a human-friendly, tabular schema. Learn how to change the default output to JSON.
* The JSON output schema now contains more useful information.
* Improved stdin processing allows you to chain more commands together.
* The new schema uses flags instead of positional arguments.
#### Secrets provisioning
To help you provision secrets locally, 1Password CLI 2 allows you to load secrets directly from 1Password in environment variables and configuration files. With secrets provisioning, you can replace your plaintext secrets with references to the secrets stored in 1Password and load them at runtime in your scripts, applications, and other workflows.
#### Integrate 1Password CLI with the 1Password desktop app
You can sign in to 1Password CLI 2 with the accounts you've added to the 1Password desktop app, then authenticate your accounts on the command line with biometrics.
#### Shell plugins
To simplify and secure your workflow, 1Password CLI 2 introduces shell plugins that allow you to securely authenticate third-party command-line tools using biometrics.
#### Package manager installation
1Password CLI 2 supports easier installation with package managers including Apt, Yum, Alpine, and tar.
You can [find all changes in the changelog](https://releases.1password.com/developers/cli/).
To share feedback with us, [visit the support community forum](https://1password.community/categories/cli-beta).
## Step 1: Choose an upgrade strategy
There are multiple ways to upgrade to 1Password CLI 2. You can upgrade immediately or gradually, depending on your workflow and toolchain.
### Upgrade immediately
The quickest way to upgrade to 1Password CLI 2 is to overwrite your existing installation. This is a good option if you have a small team who can upgrade their local installations simultaneously.
1. Use `which op` (or `(Get-Command op).Path` on Windows) to get the directory of the current installation.
2. [Download 1Password CLI 2](https://app-updates.agilebits.com/product_history/CLI2) and move `op` to the same directory, overwriting the existing copy.
3. To verify the installation, check the version number:
```shell theme={null}
op --version
```
4. [Update your scripts to use the 1Password CLI 2 syntax.](#step-2-update-your-scripts)
Make sure everyone on your team upgrades to 1Password CLI 2. After you update your scripts, they won't work with earlier versions of 1Password CLI.
### Upgrade gradually
If you're not ready to upgrade immediately, you can use Docker to upgrade individual projects or use both versions of 1Password CLI side-by-side. We will continue to support version 1 for one year after version 2 is released.
#### Use Docker to upgrade individual projects
If you want to upgrade project by project, you can Dockerize your workflow so that each team member uses the version of 1Password CLI in a Docker image for a specific project. This is a good option for large teams, because it doesn't require each team member to update a local installation.
1. [Use the 1Password CLI Docker image](https://hub.docker.com/r/1password/op) or use your own image and [add the CLI](/cli/get-started/). Your Dockerfile should look like this:
```
FROM 1password/op:2
COPY ./your-script.sh /your-script.sh
CMD ["/your-script.sh"]
```
2. After upgrading to 1Password CLI 2, [update your scripts](#step-2-update-your-scripts) to use the new command syntax.
This approach also sets you up to move your scripts to headless environments
such as CI/CD pipelines.
#### Use both versions of 1Password CLI
If your scripts depend on the local installation on each team member's machine, and you still want to migrate gradually, this is your best option.
Each team member should do the following:
1. Rename the earlier version of 1Password CLI `op1`.
2. Find and replace all occurences of `op` with `op1`.
3. Install [1Password CLI 2](https://app-updates.agilebits.com/product_history/CLI2) inside your `$PATH`.
For macOS 1Password CLI 2 has to be moved *exactly* to `/usr/local/bin/op`.
For Linux, it is recommended to be moved to `/usr/local/bin/op`.
4. [Update your scripts](#step-2-update-your-scripts) one-by-one to use the new `op`. You can continue to use your current scripts with the earlier version of 1Password CLI installed as `op1`.
5. When you've updated all your scripts and are ready to upgrade, uninstall the earlier version of 1Password CLI.
6. Find and replace all occurrences of `op1` in your scripts to `op`.
## Step 2: Update your scripts
If you've been using an earlier version of 1Password CLI in scripts, you'll need to update your scripts to the new syntax.
After you install 1Password CLI 2, use the following table to update your scripts. It shows all the updated commands and associated changes to arguments or flags.
| Old command | CLI 2 command | Notes |
| --------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [create vault](/cli/v1/reference/#create-vault) | [vault create](/cli/reference/management-commands/vault/#vault-create) | |
| [get vault](/cli/v1/reference/#get-vault) | [vault get](/cli/reference/management-commands/vault/#vault-get) | |
| [edit vault](/cli/v1/reference/#edit-vault) | [vault edit](/cli/reference/management-commands/vault/#vault-edit) | `--travel-mode=on/off` flag introduced |
| [delete vault](/cli/v1/reference/#delete-vault) | [vault delete](/cli/reference/management-commands/vault/#vault-delete) | allows piped input when the `-` argument is provided |
| [list vaults](/cli/v1/reference/#list-vaults) | [vault list](/cli/reference/management-commands/vault/#vault-list) |
by default, lists vaults you have read access to
to see all the vaults you can manage, include `--permission manage`
|
| [list users --vault](/cli/v1/reference/#list-users) | [vault user list](/cli/reference/management-commands/vault/#vault-user-list) | |
| [add group](/cli/v1/reference/#add-group) | [vault group grant](/cli/reference/management-commands/vault/#vault-group-grant) |
`--permission` flag must be used to specify the permissions to grant
granting allow\_viewing, allow\_editing and allow\_managing is equivalent to granting all permissions
`group` and `vault` arguments changed to `--group` and `--vault` flags
|
| [remove group](/cli/v1/reference/#remove-group) | [vault group revoke](/cli/reference/management-commands/vault/#vault-group-revoke) |
`--permission` flag must be used to specify the permissions to revoke
revoking allow\_viewing, allow\_editing, and allow\_managing is equivalent to revoking all permissions
`group` and `vault` arguments changed to `--group` and `--vault` flags
the password can be piped in if email, address, and secret key are provided via flag
|
| [signin](/cli/v1/reference/#signin) --list | [account list](/cli/reference/management-commands/account/#account-list) | account list will format its output based on output format selection (JSON vs human readable) |
| [forget account](/cli/v1/reference/#forget) | [account forget](/cli/reference/management-commands/account/#account-forget) | new `-—all` flag for forgetting all accounts |
| [get account](/cli/v1/reference/#get-account) | [account get](/cli/reference/management-commands/account/#account-get) | |
| [confirm user](/cli/v1/reference/#confirm) | [user confirm](/cli/reference/management-commands/user/#user-confirm) | allows piped input when the `-` argument is provided |
| [create user](/cli/v1/reference/#create-user) | [user provision](/cli/reference/management-commands/user/#user-provision) | `email` and `name` arguments changed to `--email` and `--name` flags |
| [delete user](/cli/v1/reference/#delete-user) | [user delete](/cli/reference/management-commands/user/#user-delete) | allows piped input when the `-` argument is provided |
| [edit user](/cli/v1/reference/#edit-user) | [user edit](/cli/reference/management-commands/user#user-edit) | allows piped input when the `-` argument is provided |
| [reactivate user](/cli/v1/reference/#reactivate) | [user reactivate](/cli/reference/management-commands/user/#user-reactivate) | allows piped input when the `-` argument is provided |
| [suspend user](/cli/v1/reference/#suspend) | [user suspend](/cli/reference/management-commands/user/#user-suspend) | `--deauthorize-devices-after` flag accepts any duration unit, not just seconds |
| [list users](/cli/v1/reference/#list-users) | [user list](/cli/reference/management-commands/user#user-list) | |
| [get user](/cli/v1/reference/#get-user) | [user get](/cli/reference/management-commands/user/#user-get) |
added `-—me` flag to get the currently authenticated user
`—publickey` changed to `—public-key`
|
| [create connect server](/cli/v1/reference/#create-connect-server) | [connect server create](/cli/reference/management-commands/connect/#connect-server-create) | add `—-server` flag instead of using an argument for specifying the related server |
| [delete connect server](/cli/v1/reference/#delete-connect-server) | [connect server delete](/cli/reference/management-commands/connect/#connect-server-delete) | allows piped input when the `-` argument is provided |
| [edit connect server](/cli/v1/reference/#edit-connect-server) | [connect server edit](/cli/reference/management-commands/connect/#connect-server-edit) | |
| [list connect servers](/cli/v1/reference/#list-connect-servers) | [connect server list](/cli/reference/management-commands/connect/#connect-server-list) | |
| - | [connect server get](/cli/reference/management-commands/connect/#connect-server-get) | |
| [create connect token](/cli/v1/reference/#create-connect-token) | [connect token create](/cli/reference/management-commands/connect/#connect-token-create) | |
| [delete connect token](/cli/v1/reference/#delete-connect-token) | [connect token delete](/cli/reference/management-commands/connect/#connect-token-delete) | |
| [edit connect token](/cli/v1/reference/#edit-connect-token) | [connect token edit](/cli/reference/management-commands/connect/#connect-token-edit) | argument name changed from `jti` to `token` |
| [list connect tokens](/cli/v1/reference/#list-connect-tokens) | [connect token list](/cli/reference/management-commands/connect/#connect-token-list) | ConnectVault.ACL is now displayed in lowercase\_with\_underscores |
| [add connect server](/cli/v1/reference/#add-connect-server) | [connect vault grant](/cli/reference/management-commands/connect/#connect-vault-grant) | `server` and `vault` arguments changed to `--server` and `--vault` flags |
| [remove connect server](/cli/v1/reference/#remove-connect-server) | [connect vault revoke](/cli/reference/management-commands/connect/#connect-vault-revoke) | `server` and `vault` arguments changed to `--server` and `--vault` flags |
| [manage connect add group](/cli/v1/reference/#manage-connect-add) | [connect group grant](/cli/reference/management-commands/connect/#connect-group-grant) | `server` and `group` arguments changed to `--server` and `--group` flags |
| [manage connect remove group](/cli/v1/reference/#manage-connect-remove) | [connect group revoke](/cli/reference/management-commands/connect/#connect-group-revoke) | `server` and `group` arguments changed to `--server` and `--group` flags |
| [create item](/cli/v1/reference/#create-item) | [item create](/cli/reference/management-commands/item/#item-create) |
`--template` flag to specify item template file replaces encode item as an argument
`category` argument changed to `--category` flag
Template JSON format has changed. [Learn more about the new format.](#appendix-json)
|
| [delete item](/cli/v1/reference/#delete-item) | [item delete](/cli/reference/management-commands/item/#item-delete) | allows piped input when the `-` argument is provided |
| [edit item](/cli/v1/reference/#edit-item) | [item edit](/cli/reference/management-commands/item/#item-edit) | new `--tags`, `--title`, `--url` flags |
| [get item](/cli/v1/reference/#get-item) | [item get](/cli/reference/management-commands/item/#item-get) | |
| [list items](/cli/v1/reference/#list-items) | [item list](/cli/reference/management-commands/item/#item-list) | |
| [list templates](/cli/v1/reference/#list-templates) | [item template list](/cli/reference/management-commands/item/#item-template-list) | |
| [get template](/cli/v1/reference/#get-template) | [item template get](/cli/reference/management-commands/item/#item-template-get) | |
| [create group](/cli/v1/reference/#create-group) | [group create](/cli/reference/management-commands/group/#group-create) | |
| [delete group](/cli/v1/reference/#delete-group) | [group delete](/cli/reference/management-commands/group/#group-delete) | allows piped input when the `-` argument is provided |
| [edit group](/cli/v1/reference/#edit-group) | [group edit](/cli/reference/management-commands/group/#group-edit) | allows piped input when the `-` argument is provided |
| [list groups](/cli/v1/reference/#list-groups) | [group list](/cli/reference/management-commands/group/#group-list) | |
| [get group](/cli/v1/reference/#get-group) | [group get](/cli/reference/management-commands/group/#group-get) | |
| [add user](/cli/v1/reference/#add-user) \ \ | [group user grant](/cli/reference/management-commands/group/#group-user-grant) | `user` and `group` arguments changed to `--user` and `--group` flags |
| [remove user](/cli/v1/reference/#remove-user) \ \ | [group user revoke](/cli/reference/management-commands/group/#group-user-revoke) | `user` and `group` args changed to `--user` and `--group` flags |
| [op list users --group \](/cli/v1/reference/#list-users) | [group user list](/cli/reference/management-commands/group/#group-user-list) | op list users `--group GROUP` still works |
| [delete trash](/cli/v1/reference/#delete-trash) | - | deprecated |
| [create document](/cli/v1/reference/#create-document) | [document create](/cli/reference/management-commands/document/#document-create) | `--filename` flag changed to `--file-name` flag |
| [edit document](/cli/v1/reference/#edit-document) | [document edit](/cli/reference/management-commands/document/#document-edit) | `--filename` flag changed to `--file-name` flag |
| [list documents](/cli/v1/reference/#list-documents) | [document list](/cli/reference/management-commands/document/#document-list) | |
| [get document](/cli/v1/reference/#get-document) | [document get](/cli/reference/management-commands/document/#document-get) | |
| [delete document](/cli/v1/reference/#delete-document) | [document delete](/cli/reference/management-commands/document/#document-delete) | |
| [create integration events-api](/cli/v1/reference/#create-integration-events-api) | [events-api create](/cli/reference/management-commands/events-api/#events-api-create) | |
| [list events](/cli/v1/reference/#list-events) | - | Use [1Password Events API](/events-api/) instead. |
| [encode](/cli/v1/reference/#encode) | - | deprecated, use `create item --template=file.json` instead |
| [get totp](/cli/v1/reference/#get-totp) | [item get --otp](/cli/reference/management-commands/item/#item-get) | |
## Appendix: Change default output to JSON
The default output format for 1Password CLI 2 is a human-readable, tabular schema. You can change the default to machine-readable JSON in two ways:
* For a single command, include the `--format json` flag with your command. For example, `op item get --format json`.
* To always default to JSON, set the `$OP_FORMAT` environment variable to `json`.
Appendix: Item JSON template
You can expect to see several formatting improvements and field name changes in 1Password CLI 2 [item JSON templates](/cli/item-template-json/).
This is how 1Password CLI 1 template fields correspond to 1Password CLI 2:
**Item**
| 1Password CLI 1 | 1Password CLI 2 | Notes |
| --------------- | --------------- | ----------------------------------- |
| `uuid` | | |
| `templateUuid` | `category` | |
| `details` | - | replaced by `sections` and `fields` |
**Section**
| 1Password CLI 1 | 1Password CLI 2 | Notes |
| --------------- | --------------- | ---------------- |
| `name` | `id` | |
| `title` | `label` | |
| `fields` | - | moved separately |
**Field**
| 1Password CLI 1 | 1Password CLI 2 |
| --------------- | --------------- |
| `n` | `id` |
| `k` | `type` |
| `t` | `label` |
| `v` | `value` |
| - | `section` |
## Get help
If you need help upgrading to 1Password CLI 2, [contact 1Password Support](mailto:integrations@1password.com) or join our [Developer Slack workspace](/joinslack) and ask a question in the `#cli` channel.
## Learn more
* [Get started with 1Password CLI 2](/cli/get-started/)
* [1Password CLI 2 release notes](https://releases.1password.com/developers/cli/)
# Use cases
Source: https://www.1password.dev/cli/use-cases
1Password CLI allows you to securely provision secrets in development environments, use scripts to manage items and provision team members at scale, and authenticate with biometrics in the terminal.
Eliminate plaintext secrets in code
With 1Password CLI, you can store secrets securely in your 1Password vaults then use [secret references](/cli/secret-references/) to load them into [environment variables](/cli/secrets-environment-variables/), [configuration files](/cli/secrets-config-files/), and [scripts](/cli/secrets-scripts/) without putting any plaintext secrets in code.
Secret references are dynamic – if you update your credentials in 1Password, the changes will be reflected in your scripts without needing to update the script directly. You can also [use variables within secret references](/cli/secret-reference-syntax#externally-set-variables) to pass different sets of secrets for different environments using the same file.
For example, you can use a secret reference in place of your plaintext GitHub Personal Access Token in a `github.env` file:
Then use [`op run`](/cli/reference/commands/run/) to pass the file with the token provisioned from 1Password to your application or script when you need it. The script will run with the token provisioned, without the token ever appearing in plaintext.
Learn more
* [Get started with secret references](/cli/secret-references/)
* [Load secrets into the environment](/cli/secrets-environment-variables/)
* [Load secrets into config files](/cli/secrets-config-files/)
* [Load secrets into scripts](/cli/secrets-scripts/)
Automate administrative tasks
With 1Password CLI, IT administrators can set up scripts to automate common tasks, like [provisioning users](/cli/provision-users/), [managing permissions](/cli/grant-revoke-vault-permissions/), [managing items](/cli/reference/management-commands/item/), and generating custom reports.
For example, this script will loop through each vault the person who runs the script has access to and provide:
* the vault name
* the number of items in the vault
* the last time the vault's contents were updated
* the users and groups that have access to the vault along with their permissions
```bash vault_details.sh theme={null}
#!/usr/bin/env bash
for vault in $(op vault list --format=json | jq --raw-output '.[] .id')
do
echo ""
echo "Vault Details"
op vault get $vault --format=json | jq -r '.|{name, items, updated_at}'
sleep 1
echo ""
echo "Users"
op vault user list $vault
sleep 1
echo ""
echo "Groups"
op vault group list $vault
sleep 1
echo ""
echo "End of Vault Details"
sleep 2
clear
echo ""
echo ""
done
```
Learn more
See our [repository of example 1Password CLI scripts](https://github.com/1Password/solutions) for inspiration for your own projects. You'll find scripts that can help you:
* [Provision new users from a CSV](https://github.com/1Password/solutions/tree/main/1password/scripted-provisioning/)
* [Audit or manage existing users](https://github.com/1Password/solutions/tree/main/1password/user-management/)
* [Manage your vaults and groups](https://github.com/1Password/solutions/tree/main/1password/account-management/)
* [Create, update, and share items](https://github.com/1Password/solutions/tree/main/1password/item-management/)
To learn more about how to accomplish these tasks with 1Password CLI, see the following guides:
* [Create items](/cli/item-create/)
* [Add and remove team members](/cli/provision-users/)
* [Grant and revoke vault permissions](/cli/grant-revoke-vault-permissions/)
## Sign in to any CLI with your fingerprint
With our [shell plugin ecosystem](/cli/shell-plugins/), you can use 1Password to securely authenticate all your command-line tools. Store your CLI access credentials in your 1Password vaults then sign in to your CLIs with your fingerprint instead of entering your credentials manually or storing them in an unencrypted format on your computer.
Shell plugins unlock the ability to securely share credentials between team members. Store a token in a shared 1Password vault, and all people with access to the vault will be able to sign in with them. And you can use shell plugins across [multiple environments](/cli/shell-plugins/environments/), so you don't have to spend time signing in and out between projects.
For example, the [ngrok shell plugin](/cli/shell-plugins/ngrok/) can securely tunnel the local app to the internet for a web development project running on your computer. The ngrok authtoken is not stored anywhere on the computer. When the ngrok CLI is run, the shell plugin provisions the authtoken as an environment variable for the ngrok binary to consume, and when the process exits, the environment variable is cleared.
Learn more
Get started with one of our most popular shell plugins:
Or choose a plugin from [our library of more than 40 command-line tools](/cli/shell-plugins/) to get started with. If the tool you want to use isn't supported yet, you can [build your own plugin](/cli/shell-plugins/contribute/).
You can also:
* [Test shell plugins](/cli/shell-plugins/test/)
* [Use shell plugins to switch between environments](/cli/shell-plugins/environments/)
* [Use shell plugins with multiple accounts](/cli/shell-plugins/multiple-accounts/)
# Use multiple 1Password accounts with 1Password CLI
Source: https://www.1password.dev/cli/use-multiple-accounts
When you [use the 1Password desktop app integration to sign in to 1Password CLI](/cli/app-integration/), you can access any 1Password account you've added to the app on the command line.
By default, all 1Password CLI commands are executed with the account you most recently signed in to, unless an account is specified with the [`--account` flag](#specify-an-account-per-command-with-the-account-flag).
## Choose an account to sign in to with `op signin`
To choose an account to sign in to, run [`op signin`](/cli/reference/commands/signin/) and select the account you want to sign in to from the list of accounts added to your 1Password app.
```shell highlight={2} theme={null}
op signin
#code-result
Select account [Use arrows to move, type to filter]
> ACME Corp (acme.1password.com)
AgileBits (agilebits.1password.com)
Add another account
```
If you don't see the account you want to use, you may need to [add it to the 1Password app](https://support.1password.com/add-account/).
## Specify an account per command with the `--account` flag
You can execute a command with a specific account by including the `--account` flag along with the account's [sign-in address (with or without https://) or ID](#find-an-account-sign-in-address-or-id).
For example, to get a list of all vaults in an account with the sign-in address `my.1password.com`:
```shell theme={null}
op vault ls --account my.1password.com
```
You can use the `--account` flag to specify different accounts in scripts. For example:
```shell theme={null}
PASSWORD_1="$(op read --account agilebits-inc.1password.com op://my-vault/some-item/password)"
PASSWORD_2="$(op read --account acme.1password.com op://other-vault/other-item/password)"
```
## Set an account with the `OP_ACCOUNT` environment variable
If you only want to sign in to a specific account, set the `OP_ACCOUNT` environment variable to the account's [sign-in address or ID](#find-an-account-sign-in-address-or-id). You can also use this to specify an account in scripts.
```shell theme={null}
export OP_ACCOUNT=my.1password.com
```
```shell theme={null}
set -x OP_ACCOUNT my.1password.com
```
```powershell theme={null}
$Env:OP_ACCOUNT = "my.1password.com"
```
## Find an account sign-in address or ID
To find details about all the accounts you've added to the 1Password app, run `op account list`.
```shell theme={null}
op account list
#code-result
$ op account list
URL EMAIL USER ID
my.1password.com wendy.c.appleseed@gmail.com JDFU...
agilebits-inc.1password.com wendy_appleseed@agilebits.com ASDU...
```
You can use the sign-in address listed under `URL` or the unique identifier listed under `USER ID` to refer to the account.
## Learn more
* [Use the 1Password desktop app to sign in to 1Password CLI](/cli/app-integration/)
# User states
Source: https://www.1password.dev/cli/user-states
When you fetch information about users with [`op user list`](/cli/reference/management-commands/user#user-list) or [`op user get`](/cli/reference/management-commands/user#user-get), 1Password CLI returns each person's current account state.
| User state | Description |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ACTIVE` | The user is active. |
| `RECOVERY_STARTED` | [Account recovery](/cli/recover-users) has been started for the user. |
| `RECOVERY_ACCEPTED` | The user has created their new account password and is waiting to be [confirmed again by an administrator](https://support.1password.com/recovery/#complete-recovery). |
| `SUSPENDED` | The user is suspended. |
| `TRANSFER_STARTED` | The user has been provisioned, but hasn't set up their account. |
| `TRANSFER_SUSPENDED` | The user was provisioned and didn't set up their account before they were deprovisioned. |
# About vault permissions
Source: https://www.1password.dev/cli/vault-permissions
When using scripts to [grant or revoke vault permissions](/cli/grant-revoke-vault-permissions/), you must include any dependent permissions in the command.
The vault permissions available to you depend on your 1Password account type.
1Password Business includes the following permissions:
* **view\_items**: view items in a vault.
* **create\_items**: create items in a vault.
* **edit\_items**: edit items in a vault.
* **archive\_items**: archive items in a vault.
* **delete\_items**: delete items in a vault.
* **view\_and\_copy\_passwords**: view concealed passwords and copy them to the clipboard.
* **view\_item\_history**: view and restore previous versions of items in the vault.
* **import\_items**: move or copy items into the vault.
* **export\_items**: save items in the vault to an unencrypted file that other apps can read.
* **copy\_and\_share\_items**: copy items between vaults, or share them outside of 1Password.
* **print\_items**: print the contents of items in the vault
* **manage\_vault**: allows a team member to grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults.
1Password Business also includes the broader permissions available in 1Password Teams:
* **allow\_viewing**: view items in a vault, view concealed passwords and copy them to the clipboard.
* Includes the granular permissions: `view_items`, `view_and_copy_passwords`, `view_item_history`.
* **allow\_editing**: create, edit, move, print, copy, archive, and delete items in the vault.
* Includes the granular permissions: `create_items`, `edit_items`, `archive_items`, `delete_items`, `import_items`, `export_items`, `copy_and_share_items`, `print_items`.
* **allow\_managing**: grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults.
* Includes the granular permission: `manage_vault`.
The vault permission `move_items` is automatically added when the permissions below are all added:
```
view_items, edit_items, archive_items, view_and_copy_passwords,
view_item_history, copy_and_share_items
```
In order to move an item, a user must have access to both the vault where an item is located and the destination vault.
**Permission dependencies**
In 1Password Business, all vault permissions have a hierarchical relationship in which narrower permissions require broader permissions to be granted alongside them. Permission dependencies are cumulative, so if a narrower permission is several levels down, it requires all of the broader permissions above it.
For example, to grant the narrower permission `delete_items` you must also grant the permissions `edit_items`, `view_and_copy_passwords`, and `view_items`.
Similarly, to revoke a broader permission like `view_items`, any narrower dependent permissions that have already been granted must be revoked alongside it.
| permission | requirements |
| ------------------------- | ------------------------------------------------------------ |
| `create_items` | `view_items` |
| `view_and_copy_passwords` | `view_items` |
| `edit_items` | `view_and_copy_passwords` , `view_items` |
| `archive_items` | `edit_items`, `view_and_copy_passwords`, `view_items` |
| `delete_items` | `edit_items`, `view_and_copy_passwords`, `view_items` |
| `view_item_history` | `view_and_copy_passwords`, `view_items` |
| `import_items` | `create_items`, `view_items` |
| `export_items` | `view_item_history`, `view_and_copy_passwords`, `view_items` |
| `copy_and_share_items` | `view_item_history`, `view_and_copy_passwords`, `view_items` |
| `print_items` | `view_item_history`, `view_and_copy_passwords`, `view_items` |
1Password Teams includes three permissions:
* **allow\_viewing**: view items in a vault, view concealed passwords and copy them to the clipboard.
* Includes the granular permissions: `view_items`, `view_and_copy_passwords`, `view_item_history`.
* **allow\_editing**: create, edit, move, print, copy, archive, and delete items in the vault.
* Includes the granular permissions: `create_items`, `edit_items`, `archive_items`, `delete_items`, `import_items`, `export_items`, `copy_and_share_items`, `print_items`.
* **allow\_managing**: grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults.
* Includes the granular permission: `manage_vault`.
**Permission dependencies**
| permission | requirements |
| ---------------- | --------------- |
| `allow_editing` | `allow_viewing` |
| `allow_managing` | |
To grant the permission `allow_editing`, you must also grant the broader permission `allow_viewing`. Similarly, to revoke `allow_viewing`, you must also revoke `allow_editing`.
1Password Families includes three permissions:
* **allow\_viewing**: view items in a vault, view concealed passwords and copy them to the clipboard.
* Includes the granular permissions: `view_items`, `view_and_copy_passwords`, `view_item_history`.
* **allow\_editing**: create, edit, move, print, copy, archive, and delete items in the vault.
* Includes the granular permissions: `create_items`, `edit_items`, `archive_items`, `delete_items`, `import_items`, `export_items`, `copy_and_share_items`, `print_items`.
* **allow\_managing**: grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults.
* Includes the granular permission: `manage_vault`.
**Permission dependencies**
| permission | requirements |
| ---------------- | --------------- |
| `allow_editing` | `allow_viewing` |
| `allow_managing` | |
To grant the permission `allow_editing`, you must also grant the broader permission `allow_viewing`. Similarly, to revoke `allow_viewing`, you must also revoke `allow_editing`.
## Learn more
* [Grant and revoke vault permissions](/cli/grant-revoke-vault-permissions/)
* [Work with vaults](/cli/reference/management-commands/vault/)
# Verify the authenticity of 1Password CLI
Source: https://www.1password.dev/cli/verify
To confirm the authenticity of 1Password CLI, the tool and all its updates are digitally signed and offered exclusively by 1Password. Always get updates directly from 1Password, and always [check to make sure that you have the latest version](/cli/reference/update/).
### ZIP file
To confirm that the contents of the 1Password CLI ZIP file are authentic, unzip the file, then run the following command in the unzipped folder:
```shell theme={null}
gpg --keyserver keyserver.ubuntu.com --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg --verify op.sig op
```
### Package file
To confirm the 1Password CLI installer file is authentic, you can verify the digital signature before installation.
1. Open the 1Password CLI installer. If you see "This package will run a program to determine if the software can be installed", select **Continue**. This will not begin the installation.
2. Select the lock icon in the top right corner of the installer window. If you don't see the lock icon, the package is unsigned, and you shouldn't install it.
3. Select **Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)**. If you see a different developer ID, or the certificate doesn't have a green checkmark indicating that it's valid, don't install the package.
4. Select the triangle next to Details and scroll down.
5. Make sure that the SHA-256 fingerprint in the installer matches one of the following fingerprints. If they match, the signature is verified. Select **OK** and continue installation.
| Hash | Fingerprint |
| ------- | ----------------------------------------------------------------------------------------------- |
| SHA‑256 | CA B5 78 06 1B 02 09 FB 70 93 4D A3 44 EF 6F EB CD 32 79 B1 C0 74 C5 4B 0D 7D 55 57 43 B9 D8 9F |
| SHA‑256 | 14 1D D8 7B 2B 23 12 11 F1 44 08 49 79 80 07 DF 62 1D E6 EB 3D AB 98 5B C9 64 EE 97 04 C4 A1 C1 |
The installer automatically verifies the files in the package. If any file has an issue, installation stops without changes to your system, and you'll see a message that the installer encountered an error.
To confirm the 1Password CLI installer for Windows is authentic, verify that the signing certificate for `op.exe` was issued to AgileBits by Microsoft Corporation, and that the [Extended Key Usage (EKU)](https://learn.microsoft.com/en-us/azure/trusted-signing/concept-trusted-signing-cert-management#subscriber-identity-validation-eku) is correct.
1. Open PowerShell as an Administrator.
2. Verify that the certificate was issued to AgileBits:
```powershell theme={null}
Get-AuthenticodeSignature -FilePath .\op.exe | Select-Object -ExpandProperty SignerCertificate | Select-Object Subject
#code-result open
Subject
-------
CN=Agilebits, O=Agilebits, L=Toronto, S=Ontario, C=CA
```
3. Verify the certificate was issued by Microsoft Corporation:
```powershell theme={null}
Get-AuthenticodeSignature -FilePath .\op.exe | Select-Object -ExpandProperty SignerCertificate | Select-Object Issuer
#code-result open
Issuer
------
CN=Microsoft ID Verified CS AOC CA 02, O=Microsoft Corporation, C=US
```
4. Verify the EKU matches 1Password's EKU of `1.3.6.1.4.1.311.97.661420558.769123285.207353056.500447802`:
```powershell theme={null}
Get-AuthenticodeSignature -FilePath .\op.exe | Select-Object -ExpandProperty SignerCertificate | Select-Object -ExpandProperty EnhancedKeyUsageList
#code-result open
FriendlyName ObjectId
------------ --------
1.3.6.1.4.1.311.97.1.0
Code Signing 1.3.6.1.5.5.7.3.3
1.3.6.1.4.1.311.97.661420558.769123285.207353056.500447802
```
# 1Password Connect
Source: https://www.1password.dev/connect
1Password Connect Servers allow you to securely access your 1Password items and vaults in your company's apps and cloud infrastructure using a private REST API.
Because Connect servers cache your data in your infrastructure, they allow unlimited re-requests after the server fetches your secrets.
The only request quotas that apply to Connect servers are the internal rate limits 1Password employs to keep our services stable and available. These only apply when a Connect server fetches secrets for the first time, like when the Connect server starts.
You can integrate a Connect server into your infrastructure and communicate with it over HTTP using one of the Connect SDK libraries (such as [Go](https://github.com/1Password/connect-sdk-go), [Python](https://github.com/1Password/connect-sdk-python), or [JavaScript](https://github.com/1Password/connect-sdk-js)) or using a custom integration.
**Not sure if Connect servers are for you?**
See the [Secrets Automation comparison table](/secrets-automation/#comparison).
## Use cases
You can use 1Password Connect to accomplish a variety of tasks:
Deploy a Connect server in your infrastructure, giving you complete control. Self-hosting also reduces latency and has security benefits, as only your services can interact with Connect.
You can also deploy redundant Connect servers to further increase availability.
Use a Connect server to automatically access your secrets in continuous integration environments.
You can use a Connect server to use 1Password items in your CI/CD pipeline for testing and deploying code. Doing so maintains security and avoids using sensitive information with a personal account.
Use a Connect server to provision an account with a secret stored in 1Password.
If a web service needs access to a database (and the credentials for the database are in 1Password), you can use a Connect server to provision an account with the needed secret and allow the web service to access the secret during test runs.
Use a Connect server to make sure infrastructure secrets aren't tied to a personal user account.
Use a Connect server to automate scripts to manage secrets.
Using a Connect server helps you implement the principle of least privilege and avoid the limitations of personal accounts (for example, SSO and MFA requirements).
Use a Connect server to securely share and manage infrastructure secrets to streamline development workflows.
Use a Connect server to access and sync 1Password secrets in a Kubernetes environment.
## Get started
Learn how to get started and how to create, manage, and integrate with Connect servers.
# Ansible
Source: https://www.1password.dev/connect/ansible
The [1Password Connect Ansible collection ](https://github.com/1Password/ansible-onepasswordconnect-collection) contains modules that allow you to interact with your 1Password Connect deployment from [Ansible ](https://docs.ansible.com/ansible/latest/getting_started/basic_concepts.html) playbooks. The modules communicate with the [Connect API](/connect/api-reference/) to support managing 1Password vaults and items through create, read, update, and delete operations.
## Requirements
You must complete the following requirements before you can use the 1Password Connect Ansible collection:
* [Create and deploy a Connect server.](/connect/get-started/#step-1)
* Install [Ansible ](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) version 7.x or later.
* Install [Ansible Core ](https://docs.ansible.com/core.html) version 2.14 or later.
* Install [Python ](https://www.python.org/downloads/) version 3.8 or later.
## Get started
Use the following instructions to get started with the 1Password Ansible collection:
1. [Install the 1Password collection.](#step-1-install-the-collection)
2. [Use the 1Password collection in an Ansible playbook.](#step-2-use-the-collection-in-an-ansible-task)
3. Explore the [example playbooks](#examples).
### Step 1: Install the collection
Install the `onepassword.connect` collection from [Ansible Galaxy. ](https://galaxy.ansible.com/onepassword/connect)
```shell theme={null}
ansible-galaxy collection install onepassword.connect
```
The 1Password Ansible collection is also available for the [Red Hat Ansible Automation Platform. ](https://www.redhat.com/en/technologies/management/ansible)
### Step 2: Use the collection in an Ansible task
Use the `onepassword.connect` collection in an Ansible task:
1. Add `onepassword.connect` to the task `collections`.
```yaml playbook.yaml highlight={2} theme={null}
collections:
- onepassword.connect # Specify the 1Password collection
```
2. Provide the [Connect server access token](/connect/concepts#connect-server-access-token) using the `token` variable in the Ansible task or the `OP_CONNECT_TOKEN` environment variable. You must set this value in each Ansible task.
It's [best practice](#sensitive-data) to use a local variable to provide the Connect server access token because it's [more secure. ](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_environment.html#working-with-language-specific-version-managers) The following example sets the `connect_token` variable to the Connect token value, then references it for the `token` field.
```yaml playbook.yaml highlight={2,7} theme={null}
vars:
connect_token: "" # Set the Connect server access token
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}"
```
3. Provide the Connect server hostname, IP address, or URL through the `hostname` variable in the Ansible task or the `OP_CONNECT_HOST` environment variable. You must set this value in each Ansible task.
```yaml playbook.yaml highlight={2} theme={null}
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
```
## Examples
Explore the following examples to learn how to perform specific tasks:
* [Create an item.](#create-an-item)
* [Update an item.](#update-an-item)
* [Find an item by name.](#find-an-item-by-name)
* [Get the value of a field.](#get-the-value-of-a-field)
### Create an item
The following example uses the [`generic_item` module](#generic_item) to create a 1Password item. It also creates the `Random Code` value with a custom `generator_recipe`.
```yaml playbook.yaml theme={null}
- name: Create 1Password Secret
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}" # Pass the Connect server access token variable
vault_id: "" # Set the 1Password vault ID
title: Club Membership
state: present
fields:
- label: Codeword
value: "hunter2"
section: "Personal Info"
field_type: concealed
- label: Random Code
generate_value: on_create # Generate the value on creation
generator_recipe:
length: 16
include_symbols: no
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item # Note: register is Ansible syntax
```
### Update an item
The following example uses the [`generic_item` module](#generic_item) to update a 1Password item. It also sets the `generate_value` setting to `always`, which means 1Password generates a new value for the field each time you run the playbook.
The update operation completely replaces the item matching the `title` or `uuid` field. You will lose any properties that you don't provide in the task definition.
To avoid losing data, store the items created by Ansible in a vault that's scoped in a way that only the Connect server can access it.
```yaml playbook.yaml theme={null}
- name: Update a 1Password Secret
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
OP_VAULT_ID: "" # Set the 1Password vault ID
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}" # Pass the Connect server access token variable
title: Club Membership
# uuid: 1ff75fa9fexample -- or use an Item ID to locate an item instead
state: present
fields:
- label: Codeword
field_type: concealed
- label: Dashboard Password
generate_value: always # Generate a new value every time the playbook runs
generator_recipe: # Provide a custom password recipe
length: 16
include_symbols: no
no_log: true # Turn off logs to avoid logging sensitive data
```
### Find an item by name
The following example uses the [`item_info` module](#item_info) to find a 1Password item by name.
```yaml playbook.yaml theme={null}
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- name: Find the item with the label "Staging Database" in the vault "Staging Env"
item_info:
token: "{{ connect_token }}"
item: Staging Database
vault: Staging Env
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
```
### Get the value of a field
The following example uses the [`field_info` module](#field_info) to get the value of a specific field in a 1Password item.
```yaml playbook.yaml theme={null}
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- name: Find a field labeled "username" in an item named "MySQL Database" in a specific vault
field_info:
token: "{{ connect_token }}" # Pass the Connect token variable
item: MySQL Database
field: username
vault: # Set the 1Password vault ID
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
- name: Print the field definition
ansible.builtin.debug:
msg: "{{ op_item.field }}"
```
## Reference
Refer to the following sections to learn about the available [variables](#variables) and [modules](#modules).
### Variables
All [modules](#modules) support the following variable definitions. You can either explicitly define the value on the Ansible task or let Ansible fall back to an environment variable to use the same value across all tasks.
| Module variable | Environment variable | Description |
| --------------- | -------------------- | ---------------------------------------------------------------------------------------------------- |
| `hostname` | `OP_CONNECT_HOST` | Specifies the hostname, IP address, or URL where your Connect server is deployed. |
| `token` | `OP_CONNECT_TOKEN` | Specifies the string value of your Connect server access token. |
| `vault_id` | `OP_VAULT_ID` | (Optional) The UUID of a 1Password vault. It must be a vault the Connect server token has access to. |
Module variables take precedence over environment variables. If you plan to use an environment variable, make sure the corresponding module variable is absent.
### Modules
The 1Password Ansible collection has the following modules:
* [`generic_item` module](#generic_item)
* [`item_info` module](#item_info)
* [`field_info` module](#field_info)
#### `generic_item`
You can use the `generic_item` module to create, update, and delete 1Password items.
**State is important**
The `generic_item` module follows [Ansible's `present`/`absent` state pattern. ](https://docs.ansible.com/ansible/2.8/user_guide/playbooks_best_practices.html#always-mention-the-state)
Behavior when the state is `present` (`state: present`):
* If the module can't find a matching item by its `uuid` or `title`, it creates a new item with the defined values.
* If the module finds a matching item on the server, it completely replaces the old item with a new item defined by the playbook values.
Behavior when the state is `absent` (`state: absent`):
* If the module can't find the item by its `uuid` or `title`, no action is taken.
* If the module finds an item matching the `uuid` or `title`, it deletes the item. Otherwise, no action is taken.
When you use the `generic_item` module to create or update a 1Password item, you can have 1Password generate a field's value. You can specify one of three settings for `generate_value`:
| `generate_value` setting | Effect |
| ------------------------ | ---------------------------------------------------------------------------------------------------- |
| `never` **(Default)** | Don't generate the field value. Use the `value` parameter instead. |
| `on_create` | Generate the value when creating the field. |
| `always` | Generate a new value for the field every time the playbook is run. Overwrites the `value` parameter. |
The following example generates a value (with a custom recipe) for the `Random Code` field by using the `on_create` setting and supplying a custom `generator_recipe`.
```yaml playbook.yaml highlight={20-24} theme={null}
- name: Create 1Password Secret
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}" # Pass the Connect token variable
vault_id: "" # Set the 1Password vault ID (optional)
title: Club Membership
state: present
fields:
- label: Codeword
value: "hunter2"
section: "Personal Info"
field_type: concealed
- label: Random Code
generate_value: on_create # Generate the field value on creation
generator_recipe: # Provide a custom password recipe
length: 16
include_digits: no
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
```
#### `item_info`
Use the `item_info` module to search for or get information about a 1Password item (such as the fields or metadata).
When you search for an item, 1Password first searches for the `uuid` (if it's provided), then searches for the `title`. When searching for an item by its `title`, the module uses a case-sensitive, exact-match query.
#### `field_info`
Use the `onepassword.connect.field_info` module to get the value of an item field.
The `field_info` module first finds the item by title or UUID, then searches for the requested field by name. If you provide a `section`, the module only searches within that item section. If you don't provide a section, the field name must be unique within the item.
The search method compares field names using the [`unicodedata.normalize` ](https://docs.python.org/3/library/unicodedata.html#unicodedata.normalize) function and the `NKFD` form.
## Best practices
Consider the following best practices when using the 1Password Ansible collection.
* [Turn off task logging.](#turn-off-task-logging)
* [Avoid using environment variables for sensitive information.](#sensitive-data)
### Turn off task logging
It's best practice to turn off task logging for any tasks that interact with 1Password Connect. Ansible might print sensitive information if `no_log` is unset or set to `false`.
To turn off logging, set `no_log` to `true`:
```yaml playbook.yaml highlight={9} theme={null}
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- name: Find the item with the label "Staging Database" in the vault "Staging Env"
item_info:
token: "{{ connect_token }}" # Pass the Connect token variable
item: Staging Database
vault: Staging Env
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
```
Avoid using environment variables for sensitive information
It's best practice to use a local variable to set sensitive information, such as the Connect server access token, because [Ansible environment variables ](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_environment.html) are normally passed in plain text.
# Use Connect with Ansible
Source: https://www.1password.dev/connect/ansible-collection
The [1Password Connect Ansible collection ](https://github.com/1Password/ansible-onepasswordconnect-collection) contains modules that allow you to interact with your 1Password Connect deployment from [Ansible ](https://docs.ansible.com/ansible/latest/getting_started/basic_concepts.html) playbooks. The modules communicate with the [Connect API](/connect/api-reference/) to support managing 1Password vaults and items through create, read, update, and delete operations.
## Requirements
You must complete the following requirements before you can use the 1Password Connect Ansible collection:
* [Create and deploy a Connect server.](/connect/get-started/#step-1)
* Install [Ansible ](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html) version 7.x or later.
* Install [Ansible Core ](https://docs.ansible.com/core.html) version 2.14 or later.
* Install [Python ](https://www.python.org/downloads/) version 3.8 or later.
## Get started
Use the following instructions to get started with the 1Password Ansible collection:
1. [Install the 1Password collection.](#step-1-install-the-collection)
2. [Use the 1Password collection in an Ansible playbook.](#step-2-use-the-collection-in-an-ansible-task)
3. Explore the [example playbooks](#examples).
### Step 1: Install the collection
Install the `onepassword.connect` collection from [Ansible Galaxy. ](https://galaxy.ansible.com/onepassword/connect)
```shell theme={null}
ansible-galaxy collection install onepassword.connect
```
The 1Password Ansible collection is also available for the [Red Hat Ansible Automation Platform. ](https://www.redhat.com/en/technologies/management/ansible)
### Step 2: Use the collection in an Ansible task
Use the `onepassword.connect` collection in an Ansible task:
1. Add `onepassword.connect` to the task `collections`.
```yaml playbook.yaml highlight={2} theme={null}
collections:
- onepassword.connect # Specify the 1Password collection
```
2. Provide the [Connect server access token](/connect/concepts#connect-server-access-token) using the `token` variable in the Ansible task or the `OP_CONNECT_TOKEN` environment variable. You must set this value in each Ansible task.
It's [best practice](#sensitive-data) to use a local variable to provide the Connect server access token because it's [more secure. ](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_environment.html#working-with-language-specific-version-managers) The following example sets the `connect_token` variable to the Connect token value, then references it for the `token` field.
```yaml playbook.yaml highlight={2,7} theme={null}
vars:
connect_token: "" # Set the Connect server access token
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}"
```
3. Provide the Connect server hostname, IP address, or URL through the `hostname` variable in the Ansible task or the `OP_CONNECT_HOST` environment variable. You must set this value in each Ansible task.
```yaml playbook.yaml highlight={2} theme={null}
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
```
## Examples
Explore the following examples to learn how to perform specific tasks:
* [Create an item.](#create-an-item)
* [Update an item.](#update-an-item)
* [Find an item by name.](#find-an-item-by-name)
* [Get the value of a field.](#get-the-value-of-a-field)
### Create an item
The following example uses the [`generic_item` module](#generic_item) to create a 1Password item. It also creates the `Random Code` value with a custom `generator_recipe`.
```yaml playbook.yaml theme={null}
- name: Create 1Password Secret
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}" # Pass the Connect server access token variable
vault_id: "" # Set the 1Password vault ID
title: Club Membership
state: present
fields:
- label: Codeword
value: "hunter2"
section: "Personal Info"
field_type: concealed
- label: Random Code
generate_value: on_create # Generate the value on creation
generator_recipe:
length: 16
include_symbols: no
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item # Note: register is Ansible syntax
```
### Update an item
The following example uses the [`generic_item` module](#generic_item) to update a 1Password item. It also sets the `generate_value` setting to `always`, which means 1Password generates a new value for the field each time you run the playbook.
The update operation completely replaces the item matching the `title` or `uuid` field. You will lose any properties that you don't provide in the task definition.
To avoid losing data, store the items created by Ansible in a vault that's scoped in a way that only the Connect server can access it.
```yaml playbook.yaml theme={null}
- name: Update a 1Password Secret
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
OP_VAULT_ID: "" # Set the 1Password vault ID
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}" # Pass the Connect server access token variable
title: Club Membership
# uuid: 1ff75fa9fexample -- or use an Item ID to locate an item instead
state: present
fields:
- label: Codeword
field_type: concealed
- label: Dashboard Password
generate_value: always # Generate a new value every time the playbook runs
generator_recipe: # Provide a custom password recipe
length: 16
include_symbols: no
no_log: true # Turn off logs to avoid logging sensitive data
```
### Find an item by name
The following example uses the [`item_info` module](#item_info) to find a 1Password item by name.
```yaml playbook.yaml theme={null}
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- name: Find the item with the label "Staging Database" in the vault "Staging Env"
item_info:
token: "{{ connect_token }}"
item: Staging Database
vault: Staging Env
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
```
### Get the value of a field
The following example uses the [`field_info` module](#field_info) to get the value of a specific field in a 1Password item.
```yaml playbook.yaml theme={null}
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- name: Find a field labeled "username" in an item named "MySQL Database" in a specific vault
field_info:
token: "{{ connect_token }}" # Pass the Connect token variable
item: MySQL Database
field: username
vault: # Set the 1Password vault ID
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
- name: Print the field definition
ansible.builtin.debug:
msg: "{{ op_item.field }}"
```
## Reference
Refer to the following sections to learn about the available [variables](#variables) and [modules](#modules).
### Variables
All [modules](#modules) support the following variable definitions. You can either explicitly define the value on the Ansible task or let Ansible fall back to an environment variable to use the same value across all tasks.
| Module variable | Environment variable | Description |
| --------------- | -------------------- | ---------------------------------------------------------------------------------------------------- |
| `hostname` | `OP_CONNECT_HOST` | Specifies the hostname, IP address, or URL where your Connect server is deployed. |
| `token` | `OP_CONNECT_TOKEN` | Specifies the string value of your Connect server access token. |
| `vault_id` | `OP_VAULT_ID` | (Optional) The UUID of a 1Password vault. It must be a vault the Connect server token has access to. |
Module variables take precedence over environment variables. If you plan to use an environment variable, make sure the corresponding module variable is absent.
### Modules
The 1Password Ansible collection has the following modules:
* [`generic_item` module](#generic_item)
* [`item_info` module](#item_info)
* [`field_info` module](#field_info)
#### `generic_item`
You can use the `generic_item` module to create, update, and delete 1Password items.
**State is important**
The `generic_item` module follows [Ansible's `present`/`absent` state pattern. ](https://docs.ansible.com/ansible/2.8/user_guide/playbooks_best_practices.html#always-mention-the-state)
Behavior when the state is `present` (`state: present`):
* If the module can't find a matching item by its `uuid` or `title`, it creates a new item with the defined values.
* If the module finds a matching item on the server, it completely replaces the old item with a new item defined by the playbook values.
Behavior when the state is `absent` (`state: absent`):
* If the module can't find the item by its `uuid` or `title`, no action is taken.
* If the module finds an item matching the `uuid` or `title`, it deletes the item. Otherwise, no action is taken.
When you use the `generic_item` module to create or update a 1Password item, you can have 1Password generate a field's value. You can specify one of three settings for `generate_value`:
| `generate_value` setting | Effect |
| ------------------------ | ---------------------------------------------------------------------------------------------------- |
| `never` **(Default)** | Don't generate the field value. Use the `value` parameter instead. |
| `on_create` | Generate the value when creating the field. |
| `always` | Generate a new value for the field every time the playbook is run. Overwrites the `value` parameter. |
The following example generates a value (with a custom recipe) for the `Random Code` field by using the `on_create` setting and supplying a custom `generator_recipe`.
```yaml playbook.yaml highlight={20-24} theme={null}
- name: Create 1Password Secret
hosts: localhost
vars:
connect_token: "" # Set the Connect server access token
environment:
OP_CONNECT_HOST: # Set the Connect server hostname
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- onepassword.connect.generic_item:
token: "{{ connect_token }}" # Pass the Connect token variable
vault_id: "" # Set the 1Password vault ID (optional)
title: Club Membership
state: present
fields:
- label: Codeword
value: "hunter2"
section: "Personal Info"
field_type: concealed
- label: Random Code
generate_value: on_create # Generate the field value on creation
generator_recipe: # Provide a custom password recipe
length: 16
include_digits: no
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
```
#### `item_info`
Use the `item_info` module to search for or get information about a 1Password item (such as the fields or metadata).
When you search for an item, 1Password first searches for the `uuid` (if it's provided), then searches for the `title`. When searching for an item by its `title`, the module uses a case-sensitive, exact-match query.
#### `field_info`
Use the `onepassword.connect.field_info` module to get the value of an item field.
The `field_info` module first finds the item by title or UUID, then searches for the requested field by name. If you provide a `section`, the module only searches within that item section. If you don't provide a section, the field name must be unique within the item.
The search method compares field names using the [`unicodedata.normalize` ](https://docs.python.org/3/library/unicodedata.html#unicodedata.normalize) function and the `NKFD` form.
## Best practices
Consider the following best practices when using the 1Password Ansible collection.
* [Turn off task logging.](#turn-off-task-logging)
* [Avoid using environment variables for sensitive information.](#sensitive-data)
### Turn off task logging
It's best practice to turn off task logging for any tasks that interact with 1Password Connect. Ansible might print sensitive information if `no_log` is unset or set to `false`.
To turn off logging, set `no_log` to `true`:
```yaml playbook.yaml highlight={9} theme={null}
collections:
- onepassword.connect # Specify the 1Password collection
tasks:
- name: Find the item with the label "Staging Database" in the vault "Staging Env"
item_info:
token: "{{ connect_token }}" # Pass the Connect token variable
item: Staging Database
vault: Staging Env
no_log: true # Turn off logs to avoid logging sensitive data
register: op_item
```
Avoid using environment variables for sensitive information
It's best practice to use a local variable to set sensitive information, such as the Connect server access token, because [Ansible environment variables ](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_environment.html) are normally passed in plain text.
# 1Password Connect Server API reference
Source: https://www.1password.dev/connect/api-reference
If you're new to 1Password Secrets Automation and 1Password Connect Server, [learn how to get started with a Secrets Automation workflow](/connect/get-started/).
You can use the Connect API to work with the vaults and items in your account, and to list API activity on a Connect server:
* [List vaults](#list-vaults)
* [Get vault details](#get-vault-details)
* [List items](#list-items)
* [Add an item](#add-an-item)
* [Get item details](#get-item-details)
* [Replace an item](#replace-an-item)
* [Delete an item](#delete-an-item)
* [Update a subset of item attributes](#update-a-subset-of-item-attributes)
* [List files](#list-files)
* [Get file details](#get-file-details)
* [Get file content](#get-file-content)
* [List API activity](#list-api-activity)
To view the API in another tool, download the [1Password Connect API specification file (1.8.1)](https://i.1password.com/media/1password-connect/1password-connect-api_1.8.1.yaml).
## Requirements
Before you can use the 1Password Connect Server API, you'll need to:
* [Sign up for 1Password.](https://1password.com/pricing/password-manager)
* [Set up a Secrets Automation workflow.](/connect/get-started/#step-1).
* [Deploy 1Password Connect](/connect/get-started/#step-2-deploy-1password-connect-server) in your infrastructure.
## Request headers
Each request to the API has to be authenticated with an [access token](/connect/manage-connect/#manage-access-tokens). Provide it and specify the content type:
```
Authorization: Bearer
Content-type: application/json
```
## List vaults
```
GET /v1/vaults
```
### Path parameters
No path parameters
### Query parameters
Parameter
Type
Description
filter
string
Filter the vault collection using SCIM-style filters. Vaults can only be filtered by name. Optional.
For example: name eq "Demo Vault"
### Responses
200
Returns an array of vault names and IDs
401
Invalid or missing token
## Get vault details
```
GET /v1/vaults/{vaultUUID}
```
### Path parameters
Parameter
Type
Description
vaultUUID
string
The UUID of the vault to retrieve items from.
### Query parameters
No query parameters.
### Responses
## List items
```
GET /v1/vaults/{vaultUUID}/items
```
### Path parameters
Parameter
Type
Description
vaultUUID
string
The UUID of the vault to get the details of.
### Query parameters
Parameter
Type
Description
filter
string
Filter the item collection using SCIM-style filters . Items can only be filtered by title or tag. Optional.
For example: title eq "Example Item" or tag eq "banking"
### Responses
200
Returns an array of Item objects that don't include sections and fields
### Query parameters
No query parameters.
### Responses
204
Successfully deleted an item
401
Invalid or missing token
403
Unauthorized access
404
Item not found
## Update a subset of item attributes
```
PATCH /v1/vaults/{vaultUUID}/items/{itemUUID}
```
Applies an `add`, `remove`, or `replace` operation on an item or the fields of an item. Uses the [RFC6902 JSON Patch](https://tools.ietf.org/html/rfc6902) document standard.
Parameter
Type
Description
op
string
The kind of operation to perform. One of:
add
remove
replace
path
string
An RFC6901 JSON Pointer to the item, an item attribute, an item field by field ID, or an item field attribute. For example: "/fields/vy09gd8EXAMPLE/label"
value
any
The new value to apply at the path.
### Path parameters
Parameter
Type
Description
vaultUUID
string
The UUID of the vault the item is in.
itemUUID
string
The UUID of the item to update.
### Query parameters
No query parameters.
### Responses
## List files
```
GET /v1/vaults/{vaultUUID}/items/{itemUUID}/files
```
### Path parameters
Parameter
Type
Description
vaultUUID
string
The UUID of the vault to get the details of.
itemUUID
string
The UUID of the item to retrieve.
### Query parameters
Parameter
Type
Description
inline\_content
boolean
Whether to return the Base-64 encoded file content. The file size must be less than OP\_MAX\_INLINE\_FILE\_SIZE\_KB, or 100 kilobytes if the file size isn't defined. Optional.
## Get File details
```
GET /v1/vaults/{vaultUUID}/items/{itemUUID}/files/{fileUUID}
```
### Path parameters
Parameter
Type
Description
vaultUUID
string
The UUID of the vault to retrieve the item from.
itemUUID
string
The UUID of the item to retrieve the file from.
fileUUID
string
The UUID of the file to retrieve.
### Query parameters
Parameter
Type
Description
inline\_content
boolean
Whether to return the Base-64 encoded file content. The file size must be less than OP\_MAX\_INLINE\_FILE\_SIZE\_KB, or 100 kilobytes if the file size isn't defined. Optional.
## Get file content
```
GET /v1/vaults/{vaultUUID}/items/{itemUUID}/files/{fileUUID}/content
```
### Path parameters
Parameter
Type
Description
vaultUUID
string
The UUID of the vault to retrieve the item from.
itemUUID
string
The UUID of the item to retrieve the file from.
fileUUID
string
The UUID of the file to retrieve.
### Query parameters
No query parameters.
### Responses
200
Returns the content of the file
401
Invalid or missing token
403
Unauthorized access
404
File not found
## List API activity
```
GET /v1/activity
```
Retrieve a list of API Requests that have been made.
### Query parameters
Parameter
Type
Description
limit
integer
How many API Events should be retrieved in a single request. Optional.
offset
integer
How far into the collection of API Events should the response start. Optional.
## Server Heartbeat
```
GET /heartbeat
```
Simple "ping" endpoint to check whether server is active.
### Query parameters
No query parameters.
### Responses
200
Returns a `text/plain` response with a single "."
## Server Health
```
GET /health
```
Query the state of the server and its service dependencies.
### Query parameters
No query parameters.
### Responses
Use purpose for the username, password, and notes fields. Possible values:
"USERNAME"
"PASSWORD"
"NOTES"
Use type for all other fields. Possible values are:
"STRING"
"EMAIL"
"CONCEALED"
"URL"
"OTP" (format: otpauth://)
"DATE" (format: YYYY-MM-DD)
"MONTH\_YEAR" (format: YYYYMM or YYYY/MM)
"MENU"
value
string
The value to save for the field.
You can specify a generate field instead of value to create a password or other random information for the value.
generate
boolean
Generate a password and save in the value for the field. By default, the password is a 32-characters long, made up of letters, numbers, and symbols. To customize the password, include a recipe field.
The Base64-encoded contents of the file, if inline\_files is set to true.
section
object
An object containing the UUID of a section in the item.
#### Item: GeneratorRecipe object
The recipe is used in conjunction with the "generate" property to set the character set used to generate a new secure value.
```json theme={null}
{
"length": 55,
"characterSets": [
"LETTERS",
"DIGITS"
]
}
```
Name
Type
Description
length
integer
The length of the password to generate. Optional.
characterSets
array
An array containing of the kinds of characters to include. Optional. Possible values:
"LETTERS"
"DIGITS"
"SYMBOLS"
excludeCharacters
string
A list of all characters that should be excluded from generated passwords. Optional.
Extra information about the dependency's status. Optional.
# Create a new Item
Source: https://www.1password.dev/connect/api-reference/create-vault-item
/openapi/connect_server_api.yaml post /vaults/{vaultUuid}/items
# Delete an Item
Source: https://www.1password.dev/connect/api-reference/delete-vault-item
/openapi/connect_server_api.yaml delete /vaults/{vaultUuid}/items/{itemUuid}
# Get the content of a File
Source: https://www.1password.dev/connect/api-reference/download-item-file-by-id
/openapi/connect_server_api.yaml get /vaults/{vaultUuid}/items/{itemUuid}/files/{fileUuid}/content
# Retrieve a list of API Requests that have been made.
Source: https://www.1password.dev/connect/api-reference/get-api-activity
/openapi/connect_server_api.yaml get /activity
# Ping the server for liveness
Source: https://www.1password.dev/connect/api-reference/get-heartbeat
/openapi/connect_server_api.yaml get /heartbeat
# Get the details of a File
Source: https://www.1password.dev/connect/api-reference/get-item-file-by-id
/openapi/connect_server_api.yaml get /vaults/{vaultUuid}/items/{itemUuid}/files/{fileUuid}
# Get all the files inside an Item
Source: https://www.1password.dev/connect/api-reference/get-item-files
/openapi/connect_server_api.yaml get /vaults/{vaultUuid}/items/{itemUuid}/files
# Query server for exposed Prometheus metrics
Source: https://www.1password.dev/connect/api-reference/get-prometheus-metrics
/openapi/connect_server_api.yaml get /metrics
See Prometheus documentation for a complete data model.
# Get state of the server and its dependencies.
Source: https://www.1password.dev/connect/api-reference/get-server-health
/openapi/connect_server_api.yaml get /health
# Get Vault details and metadata
Source: https://www.1password.dev/connect/api-reference/get-vault-by-id
/openapi/connect_server_api.yaml get /vaults/{vaultUuid}
# Get the details of an Item
Source: https://www.1password.dev/connect/api-reference/get-vault-item-by-id
/openapi/connect_server_api.yaml get /vaults/{vaultUuid}/items/{itemUuid}
# Get all items for inside a Vault
Source: https://www.1password.dev/connect/api-reference/get-vault-items
/openapi/connect_server_api.yaml get /vaults/{vaultUuid}/items
# Get all Vaults
Source: https://www.1password.dev/connect/api-reference/get-vaults
/openapi/connect_server_api.yaml get /vaults
# Update a subset of Item attributes
Source: https://www.1password.dev/connect/api-reference/patch-vault-item
/openapi/connect_server_api.yaml patch /vaults/{vaultUuid}/items/{itemUuid}
Applies a modified [RFC6902 JSON Patch](https://tools.ietf.org/html/rfc6902) document to an Item or ItemField. This endpoint only supports `add`, `remove` and `replace` operations.
When modifying a specific ItemField, the ItemField's ID in the `path` attribute of the operation object: `/fields/{fieldId}`
# Update an Item
Source: https://www.1password.dev/connect/api-reference/update-vault-item
/openapi/connect_server_api.yaml put /vaults/{vaultUuid}/items/{itemUuid}
# AWS ECS Fargate
Source: https://www.1password.dev/connect/aws
# Deploy 1Password Connect Server on AWS ECS Fargate with CloudFormation
Source: https://www.1password.dev/connect/aws-ecs-fargate
1Password Connect works with [AWS Fargate ](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html). AWS Fargate lets you leverage Amazon Elastic Container Service (ECS) to run containers without the need to manage clusters.
## Requirements
Before you can use 1Password CLI with your Connect server, you must:
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* [Create a 1Password Connect server](/connect/get-started/#step-1) in your infrastructure.
* Sign up with [AWS Fargate ](https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html).
## Example
You can use 1Password's [example CloudFormation template (`connect-server.yaml`) ](https://github.com/1Password/connect/blob/main/examples/aws-ecs-fargate/connect-server.yaml) as a starting place for deploying Connect on AWS Fargate.
The example [CloudFormation template ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html#cfn-concepts-templates) creates the necessary networking resources, ECS resources, rules, groups, and policies. See [Resources](#resources) for more details.
The result is a publicly accessible hostname that routes requests to a 1Password Connect Server deployment running in AWS Fargate.
You can also use this example CloudFormation file to deploy into an existing [AWS virtual private cloud (VPC) ](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html) or an existing [Amazon Elastic Container (AWS ECS) ](https://docs.aws.amazon.com/ecs/) cluster. You can modify it using a text editor or using Amazon's [CloudFormation Designer ](https://console.aws.amazon.com/cloudformation/designer) tool.
### Resources
The example CloudFormation template creates the following network resources:
* A virtual private cloud (VPC)
* Two public subnets
* An [Internet gateway ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-internetgateway.html)
* An [Application Load Balancer (ALB) ](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html)
The example CloudFormation template creates the following ECS resources:
* An [ECS cluster ](https://docs.aws.amazon.com/AmazonECS/latest/userguide/clusters-concepts.html)
* Two [task definitions ](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-tasks-services.html)
* A `1password/connect-api` container
* A `1password/connect-sync` container
## Get started
To use the example `connect-server.yaml` file to deploy a Connect server on AWS Fargate (using CloudFormation):
1. [Start the **AWS Create Stack** wizard. ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html#cfn-using-console-initiating-stack-creation)
2. Select the example [`connect-server.yaml` file ](https://github.com/1Password/connect/blob/main/examples/aws-ecs-fargate/connect-server.yaml) as the stack template. See [Selecting a stack template ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-console-create-stack-template.html).
3. Provide a Base64 URL encoded version of your Connect server's `1password-credentials.json` file.
When importing this CloudFormation template, it prompts you to provide a Base64 URL encoded version of the `1password-credentials.json`. You can generate this encoded value with the following shell command:
```shell theme={null}
cat 1password-credentials.json | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n'
```
# CI/CD integrations
Source: https://www.1password.dev/connect/ci-cd
# Use 1Password CLI with a Connect server
Source: https://www.1password.dev/connect/cli
You can use 1Password CLI with a [Connect server](/connect/) to provision secrets and retrieve items on the command line.
## Requirements
Before you can use 1Password CLI with a Connect server, you must:
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* [Deploy 1Password Connect](/connect/get-started/#step-2-deploy-1password-connect-server).
* Make a Connect server accessible to your production environment.
* [Install 1Password CLI in your production environment.](/cli/install-server/)
* Set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to a Connect server's credentials in your production environment.
## Get started
After you complete the requirement steps, you can use the following 1Password CLI commands with a Connect server:
* [`op run`](/cli/reference/commands/run/)
* [`op inject`](/cli/reference/commands/inject/)
* [`op read`](/cli/reference/commands/read/)
* [`op item get --format json`](/cli/reference/management-commands/item/#item-get)
Vist the command documentation for more information.
## Continuous integration (CI) environments
You can also use 1Password CLI with a Connect server in a continuous integration (CI) pipeline. 1Password CLI allows you to use [secret references](/cli/secret-references/) in place of plaintext secrets in code. You can configure a CI environment to pass different sets of secrets for different environments.
Secret references work well within infrastructure as code tools and CI configurations because you can define them alongside other configurations.
### GitLab CI example
The following code block shows an example GitLab CI configuration file that implements a MySQL service. See [GitLabs `.gitlab-ci.yml` documentation ](https://docs.gitlab.com/ee/ci/yaml/).
```yaml .gitlab-ci.yml theme={null}
services:
- mysql
variables:
# Configure mysql service (https://hub.docker.com/_/mysql/)
MYSQL_DATABASE: op://prod/mysql/database
MYSQL_USERNAME: op://prod/mysql/username
MYSQL_PASSWORD: op://prod/mysql/password
connect:
image: mysql
script:
- echo "SELECT 'OK';" | op run -- mysql --user="$MYSQL_USERNAME" --password="$MYSQL_PASSWORD" --host=mysql "$MYSQL_DATABASE"
```
To authenticate 1Password CLI in the CI pipeline, add the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to a CI configuration file. The presence of these environment variables tells 1Password CLI to use the Connect server to fetch secrets.
The following code block expands the GitLab CI example to include the Connect environment variables.
```yaml .gitlab-ci.yml theme={null}
services:
- mysql
variables:
# Configure mysql service (https://hub.docker.com/_/mysql/)
MYSQL_DATABASE: op://prod/mysql/database
MYSQL_USERNAME: op://prod/mysql/username
MYSQL_PASSWORD: op://prod/mysql/password
# Configure 1Password CLI to use Connect
OP_CONNECT_HOST: :8080
OP_CONNECT_TOKEN: token
connect:
image: mysql
script:
- echo "SELECT 'OK';" | mysql --user="$MYSQL_USERNAME" --password="$MYSQL_PASSWORD" --host=mysql "$MYSQL_DATABASE"
```
## Learn more
### [Replace plaintext secrets with secret references](/cli/secret-references/)
Learn how to create and use secret references to avoid putting plaintext secrets in code.
### [Load secrets into the environment](/cli/secrets-environment-variables/)
Learn how to source secrets from the environment into your applications.
### [Load secrets into config files](/cli/secrets-config-files/)
Learn how to load secrets automatically into config files without putting any plaintext secrets in code.
# Connect concepts
Source: https://www.1password.dev/connect/concepts
Learn about the concepts involved with 1Password Connect.
## Connect servers
A Connect server is a tool you can deploy in your network that allows you to manage and sync 1Password items from within your infrastructure.
## Credentials
There are two important pieces of information for authenticating Connect servers:
* The `1password-credentials.json` file
* The Connect server access token
### `1password-credentials.json`
When you create a Connect server, a credentials file named `1password-credentials.json` is generated uniquely for that Connect server. It contains all the information you need to [deploy the Connect server](/connect/get-started/#step-2-deploy-1password-connect-server).
### Connect server access token
A Connect server access token is an authentication string that allows the Connect server to authenticate with 1Password services, such as the [Connect REST API](/connect/api-reference/).
When you create a Connect server, you select the vaults that it can access. Connect servers can only access the vaults you explicitly allow them to access through a Connect server token.
Each Connect server can have one or more access tokens, which allows for more fine-tuned [access control](/connect/security/#access-control). Connect server access tokens can only access information in the vaults you grant them access to. This allows you more granular control over the vaults a Connect server deployment can access. For example, you can grant a Connect token access to a specific subset of the vaults the Connect server has access to.
Learn more about [how to manage access tokens](/connect/manage-connect#manage-access-tokens).
Learn more about [1Password Connect server security](/connect/security/).
## Connect containers
Each Connect server deployment consists of two Docker containers running in the same network:
* The [Connect sync container](#connect-sync-container)
* The [Connect API container](#connect-api-container)
Both containers require a shared volume to store an encrypted copy of your data. Learn more about [configuring your Connect server](/connect/server-configuration/).
### Connect sync container
The Connect sync container keeps information on the Connect server in sync with 1Password.com. View it on Docker Hub: [`1password/connect-sync`](https://hub.docker.com/r/1password/connect-sync).
### Connect API container
The Connect API container serves [Connect REST API](/connect/api-reference/). View it on Docker Hub: [`1password/connect-api`](https://hub.docker.com/r/1password/connect-api).
## Environment variables
Connect servers have a collection of environment variables you can use to provide information about the Connect server to integrations, such as [1Password CLI](/connect/cli/) or [CI/CD pipeline tools](/ci-cd/). These environment variables are distinct from the [configuration environment variables](/connect/server-configuration/#environment-variables).
| Environment variable | Description | Example |
| -------------------- | --------------------------------------------------------------------------------- | ----------------------- |
| `OP_CONNECT_HOST` | Specifies the hostname, IP address, or URL where your Connect server is deployed. | `http://localhost:8080` |
| `OP_CONNECT_TOKEN` | Specifies the string value of your Connect server token. | N/A |
# Get started with a 1Password Connect server
Source: https://www.1password.dev/connect/get-started
1Password Connect servers are a type of [Secrets Automation workflow](/secrets-automation/) that allows you to securely access your 1Password items and vaults in your company's apps and cloud infrastructure.
## Requirements
Before you can create a 1Password Secrets Automation workflow as a Connect server, make sure you complete the prerequisite tasks. The tasks vary depending on how you plan to deploy.
* [Sign up for a 1Password account](https://1password.com/pricing/password-manager).
* [Create a vault](https://support.1password.com/create-share-vaults/) for the Connect server to access. Connect servers can't access your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault, or your default [Shared](https://support.1password.com/1password-glossary/#shared-vault) vault.
* Make sure you belong to [a group with permission to manage Secrets Automation](/connect/manage-connect/).
* Make sure you have a deployment environment for Docker. You can use a cloud service provider or your local machine.
* [Sign up for a 1Password account](https://1password.com/pricing/password-manager).
* [Create a vault](https://support.1password.com/create-share-vaults/) for the Connect server to access. Connect servers can't access your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault, or your default [Shared](https://support.1password.com/1password-glossary/#shared-vault) vault.
* Make sure you belong to [a group with permission to manage Secrets Automation](/connect/manage-connect/).
* Make sure you have a deployment environment for Kubernetes with [kubectl ](https://kubernetes.io/docs/tasks/tools/install-kubectl/), and [Helm ](https://helm.sh/) installed. You can use a cloud service provider or your local machine.
## Deployment
Use the following instructions to deploy a 1Password Connect Server.
Step 1: Create a Secrets Automation workflow
You can create a Connect server Secrets Automation workflow through the 1Password.com dashboard or 1Password CLI. Following these instructions creates:
* A `1password-credentials.json` file. It contains the credentials necessary to deploy 1Password Connect Server.
* An access token. Use this in your applications or services to authenticate with the [Connect REST API](/connect/api-reference/). You can [issue additional tokens later](/connect/manage-connect/#create-a-token).
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Open the [Secrets Automation workflow creation wizard](https://start.1password.com/developer-tools/infrastructure-secrets/connect). Or, navigate to **Developer** > **Directory**, select **Other** under Infrastructure Secrets Management, then select **Create a Connect server**.
3. Follow the onscreen instructions to create a Secrets Automation environment, set up your first access token, and deploy a Connect server. Make sure to save your credentials file and token in 1Password.
You can find your new Secrets Automation workflow under "Connect servers" on the [**Developer**](https://start.1password.com/developer-tools/active) page.
You can use the [1Password CLI](https://1password.com/downloads/command-line) [`op connect` command](/cli/reference/management-commands/connect/) to set up a Secrets Automation workflow with a Connect server.
1. Make sure you have the latest version of [1Password CLI](/cli/get-started/) on your machine.
2. Switch to the directory where you want to create the `1password-credentials.json`.
Creating a Connect server automatically generates the `1password-credentials.json` file in the current directory. This file contains the credentials you'll need to deploy the Connect server. If a `1password-credentials.json` file already exists in the current directory, 1Password CLI will ask if you want to overwrite it.
3. Create a Connect server and grant it access to a shared vault using the [`op connect server create` command](/cli/reference/management-commands/connect/#connect-server-create).
```shell theme={null}
op connect server create --vaults
```
Omit the `--vaults` flag to create a Connect server without granting it access to a vault. You can grant the Connect server access to shared vaults later using the [`op connect vault grant` command](/cli/reference/management-commands/connect/#connect-vault-grant).
If the Connect server or vault name contains one or more spaces, enclose the name in quotation marks (for example, `“My Server Name”`). You don't need to enclose strings in quotation marks if they don't contain spaces (for example, `myServerName`).
```
op connect server create "My Server Name" --vault "My Vault Name"
```
4. Create a token for the Connect server using the [`op connect token create` command](/cli/reference/management-commands/connect/#connect-token).
```shell theme={null}
op connect token create --server --vault
```
Looking up a Connect server by its ID is more efficient than using the Connect server's name. See [Unique identifiers (IDs)](/cli/reference/#unique-identifiers-ids).
You can find the ID of a Connect server by running [`op connect server list`](/cli/reference/management-commands/connect/#connect-server-list).
If successful, 1Password CLI returns a token string that you can use in your applications or services to authenticate with the [Connect server REST API](/connect/api-reference/). You can [issue additional tokens later.](/connect/manage-connect/#create-a-token)
5. Save the token in 1Password so you don't lose it.
You can have multiple tokens for the same Connect server but each Connect server has its own distinct set of tokens. See the [`op connect token` command reference](/cli/reference/management-commands/connect/#connect-token).
Export your Connect server access token as an environment variable. Doing so might prove useful if you decide to configure another tool like the [Kubernetes Injector](/k8s/injector/), [Kubernetes Operator](/k8s/operator/), or other integrations. However, keep in mind that the recommended way to use the Connect server token with Kubernetes is as a Kubernetes Secret.
```shell theme={null}
export OP_CONNECT_TOKEN=
```
Step 2: Deploy a 1Password Connect Server
To deploy a Connect server using a Docker Compose file, you'll need to start two Docker images:
* [1password/connect-api ](https://hub.docker.com/r/1password/connect-api) serves the Connect server REST API.
* [1password/connect-sync ](https://hub.docker.com/r/1password/connect-sync) keeps the information available on the Connect server in sync with 1Password.com.
If you aren't familiar with Docker or Docker Compose, refer to the [Docker Compose documentation ](https://docs.docker.com/compose/) for more information.
1. Make sure you have [Docker ](https://docs.docker.com/engine/install/) and [Docker Compose ](https://docs.docker.com/compose/install/) on your machine.
2. Create a Docker Compose file to deploy the 1Password Connect Server containers in the directory where you saved your `1password-credentials.json` file. You can also use the example [`docker-compose.yaml` file](https://i.1password.com/media/1password-connect/docker-compose.yaml).
If the credentials file is in the other directory, update the `volumes` section to point to the correct credentials file location.
You can set any of the [Connect server environment variables](/connect/server-configuration/) in the `docker-compose.yaml` file by adding an environment attribute to each container. Doing so lets you specify things like the `1password-credentials.json` file location, the log level, and the HTTP port. Refer to the [Docker environment attribute documentation ](https://docs.docker.com/compose/environment-variables/set-environment-variables/) for more information.
3. Make sure Docker is running. You can [check if the Docker daemon is running ](https://docs.docker.com/config/daemon/troubleshoot/#check-whether-docker-is-running) with the `docker info` command in a terminal application.
4. Start the Docker containers with Docker Compose. Run the following command in the directory with the `docker-compose.yaml` file.
```shell theme={null}
docker compose up
```
You can run the containers in the background using the `-detach` flag or the `-d` flag. Refer to the [`docker compose up` reference ](https://docs.docker.com/engine/reference/commandline/compose_up/) for more information.
By default, you can access the Connect REST API through port `8080` on the local host. Refer to the [1Password Connect server API reference](/connect/api-reference/) for more information.
#### Test the Connect server REST API
You can make sure the [Connect server REST API](/connect/api-reference/) is accessible using a [`curl` ](https://curl.se/docs/manpage.html) command, one of the 1Password Connect server API endpoints, and the token you created.
1. Export the Connect server access token as an environment variable. This is the same token you created in [Step 1](#step-1). Alternatively, you can replace `$OP_API_TOKEN` with the token string in the `curl` request.
If you forgot your token, you can create another one with the [`op connect token create` command](/cli/reference/management-commands/connect/#connect-token-create).
```shell theme={null}
export OP_API_TOKEN=""
```
2. Use the following example [`curl` ](https://curl.se/docs/manpage.html) command to list the vaults connected to the Connect server.
```shell theme={null}
curl \
-H "Accept: application/json" \
-H "Authorization: Bearer $OP_API_TOKEN" \
http://localhost:8080/v1/vaults
```
To stop the Docker containers, run `docker compose down`.
You can deploy a Connect server with Kubernetes. The easiest way to do this is with the [1Password Connect and Operator Helm chart](/k8s/helm/).
Before you start, you must have a Kubernetes cluster deployed. If you don't already have a cluster, you can create one locally using [minikube ](https://minikube.sigs.k8s.io/docs/start/) or use the [Play with Kubernetes ](https://labs.play-with-k8s.com/) playground.
1. Make sure you have [Docker ](https://docs.docker.com/engine/install/) installed and running on your machine.
2. Install the latest [Helm ](https://helm.sh) release.
3. Add the 1Password Helm chart repository.
The following command adds the [1Password Helm chart repository](/k8s/helm/) to your local instance of Helm. This allows you to download and install all the charts from 1Password's GitHub repository.
```shell theme={null}
helm repo add 1password https://1password.github.io/connect-helm-charts/
```
4. Install the 1Password Connect server using Helm.
The following command deploys the 1Password Connect server using the `1password-credentials.json` file.
You can find the `1password-credentials.json` file in the directory where you created the Connect server.
```shell theme={null}
helm install connect 1password/connect --set-file connect.credentials=1password-credentials.json
```
#### Other ways to deploy
Here are some ways you can deploy a Connect server on a Kubernetes cluster:
##### Deploy without Helm
You can deploy a Connect server on a Kubernetes cluster without using Helm charts. See the [sample Kubernetes deployment ](https://github.com/1Password/connect/tree/main/examples/kubernetes) on 1Password's GitHub that uses [cert-manager](https://cert-manager.io/) to provision a TLS (transport layer security) certificate for an external domain.
Deploy alongside the Kubernetes Operator
The 1Password Connect Kubernetes Operator integrates [Kubernetes Secrets ](https://kubernetes.io/docs/concepts/configuration/secret/) with 1Password. It also auto-restarts deployments when 1Password items are updated. [Learn more about the Kubernetes Operator](/k8s/operator/).
### Step 3: Set up applications and services to get information from 1Password
Applications and services get information from 1Password through REST API requests to a Connect server. The requests are authenticated with an access token. [Create a new token](/connect/manage-connect/#create-a-token) for each application or service you use.
#### Languages
#### Plugins
If your language or platform isn't listed, you can [build your own client using the 1Password Connect Server REST API](/connect/api-reference/).
You can also [use 1Password CLI](/connect/cli/) with your Connect server to provision secrets and retrieve item information on the command line.
## Get help
To change the vaults a token has access to, [issue a new token](/connect/manage-connect/#create-a-token).
To get help and share feedback, join the discussion with the [1Password Support Community](https://1password.community/categories/secrets-automation/).
# Hashicorp Vault backend
Source: https://www.1password.dev/connect/hashicorp
# Kubernetes integrations
Source: https://www.1password.dev/connect/k8s
# Manage Connect servers
Source: https://www.1password.dev/connect/manage-connect
As of Feb 27, 2025, all 1Password customers have unlimited access to Connect.
A Connect server is a type of [Secrets Automation workflow](/secrets-automation/) that allows you to securely access your 1Password items and vaults in your company's apps and cloud infrastructure using a private REST API provided by 1Password Connect Server.
You can use 1Password.com or the [Connect REST API](/connect/api-reference/) to:
## Manage permissions
With 1Password Business or 1Password Teams, you can manage Connect server permissions with [groups](#manage-global-permissions), or more granularly, with [environments](#manage-environment-permissions). This allows for enforcement of security best practices. [Learn more about Connect security.](/connect/security/)
You can also manage group access using [automated provisioning](https://support.1password.com/scim/).
### Manage global permissions
Groups allow you to specify one or more users who can access Connect servers.
To assign groups (such as Owners and Administrators) to manage Connect servers:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/active) in the sidebar.
3. Select [**Permissions**](https://start.1password.com/developer-tools/permissions) at the top of the page, then select [**Secrets Automation**](https://start.1password.com/developer-tools/permissions/C).
4. In the Managers section, select **Manage**, then choose the groups you want to manage Connect servers.
5. Select **Update Groups**.
### Manage environment permissions
Environments allow you to override global permissions (with groups) for a specific Connect server environment.
To assign groups (such as Owners and Administrators) to manage a specific Connect server:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/) in the sidebar.
3. Select [**Permissions**](https://start.1password.com/developer-tools/permissions) at the top of the page, then select [**Secrets Automation**](https://start.1password.com/developer-tools/permissions/C).
4. In the Environments section, select **Manage**.
5. In the Permissions section, select **Manage**, then choose the groups you want to manage Connect servers in the environment.
6. Select **Update Groups**.
## Manage access tokens
You can use [Connect server access tokens](/connect/concepts#connect-server-access-token) to authenticate with your Connect server in your applications and services.
* [Create an access token.](#create-a-token)
* [Set an access token expiration.](#set-a-token-expiration)
* [Revoke an access token.](#revoke-a-token)
* [Rename an access token.](#rename-a-token)
### Create a token
To create a Connect server access token:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/active) in the sidebar.
3. Select **Connect servers** at the top of the page, then choose the Secrets Automation environment where you want to create an access token.
4. Select **New Token**.
5. Follow the onscreen instructions to issue the token.
You can't edit the vaults a token can access after you create it. If you want to change the vaults a token can access, you must revoke the token and create a new one.
Connect server access tokens support up to 100 vaults each. If you grant a Connect token access to more than 100 vaults, the server may reject requests.
### Set a token expiration
When you create a Connect server access token, you can set the token's expiration time to 30, 90, or 180 days. When the expiration time elapses, 1Password revokes the token.
To create a token with an expiration date:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/active) in the sidebar.
3. Select **Connect servers** at the top of the page, then choose the Secrets Automation environment where you want to create an access token.
4. Select **New Token**.
5. Set the "Expires After" to **30 days**, **90 days**, or **180 days**.
6. Follow the onscreen instructions.
### Revoke a token
To revoke a Connect server access token:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/active) in the sidebar.
3. Select **Connect servers** at the top of the page, then choose the Secrets Automation environment where you want to manage access tokens.
4. Select next to the token you want to revoke, then select **Revoke**.
### Rename a token
To rename a Connect server access token:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/active/) in the sidebar.
3. Select **Connect servers** at the top of the page, then choose the Secrets Automation environment where you want to manage access tokens.
4. Select next to the token you want to rename, then select **Rename** and enter a new name.
## Grant or revoke access to vaults
To grant or revoke access to vaults:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/active) in the sidebar.
3. Select **Connect servers** at the top of the page, then choose the Secrets Automation environment where you want to grant or revoke access to vaults.
4. In the Vaults section, select **Manage** and choose the vaults you want to add or remove.
5. Select **Update Vaults**.
You can't grant Connect servers access to your built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault, or your default [Shared](https://support.1password.com/1password-glossary/#shared-vault) vault.
## Monitor item usage
Connect servers send [reports about item usage](https://support.1password.com/reports/#create-a-usage-report-for-a-team-member-service-account-or-vault) to the 1Password server every time an item is accessed so you can monitor item usage.
Item usage information might take a few hours to sync with 1Password.com.
To view item usage for a Connect server:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Developer**](https://start.1password.com/developer-tools/active) in the sidebar.
3. Select **Connect servers** at the top of the page, then choose the Secrets Automation environment (Connect server) you want to monitor.
4. Under Version, select **More Actions** > **View Item Usage Report**.
For more information, visit [Create reports in 1Password Business](https://support.1password.com/reports/).
### About Connect server item usage
Items accessed through a Connect server update specific fields in the following manner:
* The **Action** field in the report always shows Display.
* The **Used by** field always includes the name of the Connect server (not the Connect server access token).
Connect servers only report item usage when they have a working connection to the 1Password server. If a Connect server can't reach the 1Password server (for example, when it updates or restarts), it might lose item usage information from that time period.
Item usage reporting continues when the Connect server has a working connection to the 1Password server again.
# Pulumi
Source: https://www.1password.dev/connect/pulumi
# Go
Source: https://www.1password.dev/connect/sdks/languages/golang
# Node.js
Source: https://www.1password.dev/connect/sdks/languages/javascript
# Python
Source: https://www.1password.dev/connect/sdks/languages/python
# About 1Password Connect Server security
Source: https://www.1password.dev/connect/security
You can deploy one or more 1Password Connect servers in your infrastructure to act as a bridge between your applications and the 1Password service. Connect servers allow you to securely share information from 1Password with your applications, tools, and pipelines through the [Connect REST API](/connect/api-reference/). Review the sections on the page to learn more about Connect server security. For information about 1Password security practices, visit the [1Password Security homepage](https://1password.com/security).
## Access control
When you [create a Connect server](/connect/get-started/), you select the vaults it can access. Connect servers can only access the vaults you explicitly allow them to access through a [Connect server access token](#connect-server-access-tokens).
### Authorization
Only authorized clients can get information from a Connect server.
When a client application, service, or API requests information from a Connect server, the HTTP request must have an `Authorization` header containing an authorization token. Otherwise, the Connect server rejects the request.
Authorization tokens are only valid for the Connect server they're created for. They're signed by the key for the 1Password account the Connect server uses, using the [ES256 signing algorithm ](https://datatracker.ietf.org/doc/html/rfc7518).
### Usage reports
[Usage reports](https://support.1password.com/reports/#create-a-usage-report-for-a-team-member-service-account-or-vault) can be created for users or vaults.
Usage reports for team members include information on the number of vaults, groups, and items a team member can access, an overview of vaults where a team member has accessed items, when those items were last accessed, and the action performed. Usage reports for vaults include a list of items showing when they were last accessed, the action performed, and the team member who performed the action. These reports can be helpful when offboarding team members.
## Connect server access tokens
A Connect server access token is an authentication string that allows the Connect server to authenticate with 1Password.
Each Connect server can have one or more Connect server access tokens, which allows for more fine tuned [access control](#access-control). Connect server tokens can only access information in the vaults you granted them access to. This allows you more granular control over the vaults a Connect server deployment can access. For example, you can grant a Connect server token access to a specific subset of the vaults the Connect server has access to.
### Token rotation
You can't change or update Connect server access tokens. If a Connect server token becomes compromised, you must create a new token.
To rotate a Connect server access token:
1. [Create a new Connect server access token.](/connect/manage-connect#create-a-token)
2. Update all references to the old Connect token.
3. [Revoke access to the old Connect token.](/connect/manage-connect/#revoke-a-token)
## Security model
The Connect server security model has the following guarantees:
* A Connect server access token can only read items from vaults you've explicitly given it `READ` access to.
* A Connect server access token can only update, delete, and create items for vaults it has you've given it `WRITE` access to.
* You can only give a Connect token access to vaults that you have access to.
* A Connect server access token associated with a deleted account can't authenticate.
* You can't use a Connect server access token to create another Connect server access token.
## Credentials file
Creating a Connect server generates a credentials file named `1password-credentials.json`. This file has the following components:
| Component | Description |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `verifier` | Connect servers use the `verifier` as part of an additional authentication of the bearer token. |
| `encCredentials` | The `encCredentials` contains the encrypted credentials necessary for the associated service account. |
| `uniqueKey` | The `uniqueKey` identifies the Connect server between its two running processes: the client-facing service and the synchronization service. |
| `version` | The `version` indicates the Connect server version number. |
| `deviceUuid` | The `deviceUuid` contains the UUID of the device. |
## Responsible disclosure
1Password requests you practice responsible disclosure if you discover a vulnerability. If you find a vulnerability in 1Password, [submit a report on HackerOne. ](https://hackerone.com/1password)
# Configure your Connect server
Source: https://www.1password.dev/connect/server-configuration
This article documents Connect server [environment variables](#environment-variables) and special configuration options, such as [TLS](#tls) and [manual bus configuration](#manual-bus-configuration).
1Password Connect Server consists of two containers running in the same network:
* The Connect API container ([`1password/connect-api` ](https://hub.docker.com/r/1password/connect-api))
* The Connect sync container ([`1password/connect-sync` ](https://hub.docker.com/r/1password/connect-sync))
Both containers require a shared volume to store an encrypted copy of your data.
## Requirements
Before you can configure your 1Password Connect Server, you must:
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* [Setup a Connect server](/connect/get-started/).
## Environment variables
The following table lists the available environment variables, their description, and the containers that support them. Most of the environment variables apply to the Connect API and Connect sync containers, but some only apply to the Connect API container.
| **Environment variable** | **Description** | **Container support** |
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
| `OP_SESSION` | The path to the `1password-credentials.json` file. You can also set the value to the [Base64-encoded content of the `1password-credentials.json` file](/connect/aws-ecs-fargate/#get-started).
**Acceptable values**: A full file path to the `1password-credentials.json` file. **Default value**: `~/.op/1password-credentials.json` | • Connect API • Connect sync |
| `OP_HTTP_PORT` | The port for the HTTP server.
**Acceptable values**: Any available port number. **Default value**: `8080` | • Connect API • Connect sync |
| `OP_LOG_LEVEL` | The logging level of the container.
**Acceptable values**: `info`, `error`, `debug` **Default value**: `info` | • Connect API • Connect sync |
| `XDG_DATA_HOME` | The path in which to create the `.op/data/` directory. See [Data volume](#data-volume).
**Acceptable values**: A valid file path. **Default value**: `/home/opuser/.op/data` | • Connect API • Connect sync |
| `OP_BUS_PORT` | The port for listening to incoming bus connections from other containers. See [Manual bus configuration](#manual-bus-configuration) for more details.
**Acceptable values**: Any available port number. **Default value**: A random free port | • Connect API • Connect sync |
| `OP_BUS_PEERS` | A comma-separated list of `[hostname]:[bus port]` pairs of other containers to connect to. See [Manual bus configuration](#manual-bus-configuration) for more details.
**Acceptable values**: A comma-separated list of `[hostname]:[bus port]` pairs. **Default value**: No default because this variable is optional. | • Connect API • Connect sync |
| `OP_HTTPS_PORT` | The port for the HTTP server when using [TLS](#tls).
**Acceptable values**: Any available port number. **Default value**: `8443` | • Connect API |
| `OP_SYNC_TIMEOUT` | The time (in seconds) to wait for the initial sync to complete.
**Acceptable values**: A time duration (for example, `1h`, `30m`, `20s`). **Default value**: `10s` (10 seconds) | • Connect API |
| `OP_TLS_KEY_FILE` | The path to the private key file. Only use this environment variable if you plan to [use TLS with your own certificate](#tls-custom).
**Acceptable values**: A valid file path. **Default value**: No default because this variable is optional. | • Connect API |
| `OP_TLS_CERT_FILE` | The path to the certificate file. This should be the full certificate chain. Only use this environment variable if you plan to [use TLS with your own certificate](#tls-custom).
**Acceptable values**: A valid file path. **Default value**: No default because this variable is optional. | • Connect API |
| `OP_TLS_USE_LETSENCRYPT` | Only use this environment variable if you want to [use TLS with a Lets Encrypt certificate](#tls-lets-encrypt).
**Acceptable values**: Any value (for example, `1`, `true`, or `yes`). **Default value**: No default because this variable is optional. | • Connect API |
| `OP_TLS_DOMAIN` | The (sub-)domain for which to request a certificate. The DNS records for this domain must point to the Connect server. See [TLS](#tls).
**Acceptable values**: Any domain (or subdomain) name. **Default value**: No default because this variable is optional. | • Connect API |
### Data volume
The default location of the shared volume is `/home/opuser/.op/data`. If you set the `XDG_DATA_HOME` environment variable to a path other than `/home/opuser/`, make sure you mount your data volume at the same path.
### TLS
By default, 1Password Connect Server is configured for use within a trusted network. If you plan to use Connect outside a trusted network, consider configuring [Transport Layer Security (TLS) ](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/). You can configure TLS for the connection between your application and Connect by [providing your own certificate](#tls-custom) or letting Connect request a certificate [using Let's Encrypt](#tls-lets-encrypt).
Connect listens on the port defined by the `OP_HTTPS_PORT` environment variable (default `8443`) when you use TLS.
Use your own certificate
Connect can use a PEM-encoded private key and certificate by setting the following two environment variables for the Connect API container:
1. Set `OP_TLS_KEY_FILE` to the path to the private key file.
2. Set `OP_TLS_CERT_FILE` to the path to the certificate file. This should be the full certificate chain.
Use Let's Encrypt
Connect can also request a certificate from the [Let's Encrypt ](https://letsencrypt.org/) Certificate Authority (CA). For this, you must set two environment variables for the Connect API container:
1. Set `OP_TLS_USE_LETSENCRYPT` to any value.
2. Set `OP_TLS_DOMAIN` to the (sub-)domain for which to request a certificate. The DNS records for this domain must point to the Connect server.
As long as Connect is running, its HTTPS listener must be reachable on a public IP at port `443` (either by setting `OP_HTTPS_PORT=443` or by forwarding traffic at port `443` to the Connect server's `OP_HTTPS_PORT` value). This makes sure the Connect server can refresh its Let's Encrypt certificate.
### Manual bus configuration
Manual bus configuration only works with Connect server [version 1.5.0 ](https://github.com/1Password/connect/blob/main/CHANGELOG.md#v150) and later.
By default, the two containers (Connect API and Connect sync) automatically discover and connect to the shared bus. This discovery mechanism requires the `NET_BROADCAST` capability, which you can't always grant to containers. However, it’s possible to manually configure the shared bus.
To manually configure the shared bus:
1. Assign a static port for the bus by setting the `OP_BUS_PORT` environment variable to a free port for both containers.
2. Set the `OP_BUS_PEERS` environment variable for the Connect API container to `[hostname]:[bus port]`, where `hostname` is the name of the Connect sync container and `bus port` the value of `OP_BUS_PORT` for the Connect sync container.
3. Set the `OP_BUS_PEERS` environment variable for the Connect sync container to `[hostname]:[bus port]`, where `hostname` is the name of the application container and `bus port` is the value of `OP_BUS_PORT` for the Connect API container.
The following examples show the configuration values necessary for the Connect API container and the Connect sync container.
The following example sets environment variables for a Connect API container called `op-connect-api`.
```txt theme={null}
OP_BUS_PORT=11223
OP_BUS_PEERS=op-connect-api:11223
```
The following example sets environment variables for a Connect sync container called `op-connect-sync`.
```txt theme={null}
OP_BUS_PORT=11223
OP_BUS_PEERS=op-connect-sync:11223
```
## Examples
The [1Password Connect repository ](https://github.com/1Password/connect) has example Connect server configurations using Kubernetes, Docker Compose, and AWS Fargate.
* [Example Kubernetes deployment ](https://github.com/1Password/connect/tree/main/examples/kubernetes)
* [Example Docker Compose deployment ](https://github.com/1Password/connect/tree/main/examples/docker/compose)
* [Example AWS Fargate deployment ](https://github.com/1Password/connect/tree/main/examples/aws-ecs-fargate)
# Terraform
Source: https://www.1password.dev/connect/terraform
# Environments (beta)
Source: https://www.1password.dev/environments
Beta
1Password Environments allow you to organize and manage your project's environment variables, separately from the rest of the items in your 1Password vaults. You can create an Environment for each project or development stage, then securely access your variables directly from 1Password when you need them. With Environments, you can:
* Make your Environment's variables available via [locally mounted `.env` files](/environments/local-env-file), without writing your credentials to disk.
* Validate your locally mounted `.env` file setup in supported agents and IDEs with [the 1Password agent hook](/environments/agent-hook-validate).
* Programmatically [read your environment variables](/environments/read-environment-variables) from 1Password in your terminal or in your Go, JavaScript, or Python integrations.
* Securely sync your environment variables to [AWS Secrets Manager](/environments/aws-secrets-manager).
* [Share Environments with your team members](#share-an-environment) for easier collaboration and onboarding.
You can import your project variables to Environments from your existing `.env` files, or by manually adding key-value pairs for each variable.
When sharing an Environment with others and reading its contents outside of 1Password, review the Environment's values carefully before using them in any program or workflow. What you store in 1Password is exactly what we provide when you read your Environment.
## Requirements
Before you can use Environments, you'll need to:
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac), [Windows](https://1password.com/downloads/windows), or [Linux](https://1password.com/downloads/linux). This feature is not available in 1Password for iOS or Android.
* Have [1Password Developer turned on](#turn-on-1password-developer).
### Turn on 1Password Developer
1. Open and unlock the 1Password desktop app.
2. Select your account or collection at the top of the sidebar, then select **Settings** > [**Developer**](onepassword://settings/developers).
3. Turn on **Show 1Password Developer experience**.
## Create an Environment
1. In the 1Password desktop app, go to **Developer** > **View Environments**.
2. Select **New environment**.
3. Enter a name for the new environment, then select **Save**. If you have multiple 1Password accounts, you can select which account to save the environment to.
## Add variables to an Environment
After you create an Environment, you can add your project secrets as variables. 1Password Environment variables map to conventional [environment variables ](https://en.wikipedia.org/wiki/Environment_variable). Each variable is a key-value pair that includes a name (for example, `DB_HOST`, `DB_USER`, or `API_KEY`) and a value that holds the corresponding secret.
To add variables to an Environment, open and unlock the 1Password desktop app, navigate to **Developer** > **View Environments**, then select the Environment you want to update.
You can add variables in two ways:
* If you have an existing `.env` file for your project, select **Import .env file**. 1Password will automatically import your environment variables.
* To manually add environment variables, select **New variable**. Enter the environment variable name in the **Name** field and its secret in the **Value** field. Repeat this process for each environment variable you want to add.
Values are hidden by default, which means they'll be masked in the output of CLI and SDK operations. To change this, select the verticle ellipsis next to the variable, then select **Show value by default**.
You can add, edit, or remove variables from your Environment at any time. To update your variables, open the Environment and select **Edit**.
## Use your Environments in your workflows
In the 1Password desktop app, each Environment has a tab called Destinations where you can configure your Environment to use in your workflows. The following destinations are available:
* [**Local `.env` file**](/environments/local-env-file): Create a locally mounted `.env` file to make your environment variables available during local development without writing plaintext secrets to disk.
* [**Agent hook**](/environments/agent-hook-validate): Use 1Password's hook to validate your locally mounted `.env` files with supported IDEs and agents like Cursor and GitHub Copilot.
* [**Programmatically read Environments**](/environments/read-environment-variables): Read environments then pass environment variables to applications and scripts using 1Password CLI or 1Password SDKs.
* [**AWS Secrets Manager**](/environments/aws-secrets-manager): Sync secrets from 1Password to AWS Secrets Manager.
## Manage your Environments
1Password Environments return values exactly as they are entered. Format your values as you would in a standard `.env` file. For example:
* If a value contains a space, enclose the value in quotation marks: `"bar baz"`
* If a value contains special characters, escape them with a `\`: `\$100`
Values are hidden by default, but you can toggle the visibility on or off in the **Actions** column. You can also delete variables from this column. Select **Edit** within the environment to add, edit, or delete variables at a later time.
### Rename or remove an Environment
If you want to rename or remove an Environment:
1. In the 1Password desktop app, go to **Developer** > **View Environments**.
2. Select the Environment you want to manage, then select **Manage Environment**.
3. Choose **Rename environment** or **Delete environment**.
Deleted Environments cannot be restored and any associated integrations will stop working. 1Password will prompt you to confirm whether or not you want to delete your Environment before proceeding.
### Share an Environment
If you're using a shared account, such as for a team or business, you can share Environments with your team members. Each Environment remains independent, allowing you to work across multiple environments in different accounts while keeping environment variables separate. Access must be granted for each Environment.
To share an Environment:
1. In the 1Password desktop app, go to **Developer** > **View Environments**.
2. Select the Environment you want to share, then select **Manage environment** > **Manage access**.
3. Select **Add People**, then search for and select the team member you want to add to the Environment. Select **Next**.
4. Select **View & Edit**, and choose whether the person can view, edit, or manage the Environment.
To remove a team member from an Environment, return to the "Manage access" screen and select **Remove from environment** next to the person's name.
## Learn more
* [Access secrets from 1Password through local `.env` files](/environments/local-env-file)
* [Use 1Password's agent hook to validate local .env files from 1Password Environments](/environments/agent-hook-validate)
* [Sync secrets between 1Password and AWS Secrets Manager (beta)](/environments/aws-secrets-manager)
* [Programmatically read Environments with 1Password CLI or 1Password SDKs](/environments/read-environment-variables)
# Use 1Password's agent hook to validate local .env files from 1Password Environments
Source: https://www.1password.dev/environments/agent-hook-validate
You can use the [1Password local `.env` file validation hook ](https://github.com/1Password/agent-hooks/blob/main/hooks/1password-validate-mounted-env-files/README.md) with supported IDEs and agents to validate that [locally mounted `.env` files](/environments/local-env-file/) from 1Password Environments are properly set up before the agent executes shell commands. If any required `.env` files are missing or invalid, the hook prevents the agent from executing and the agent provides instructions for how to fix the issue.
The hook currently supports Claude Code, Cursor, GitHub Copilot, and Windsurf.
## Requirements
* [1Password subscription](https://1password.com/pricing/password-manager)
* 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux)
* [`sqlite3` ](https://sqlite.org/index.html) installed and available in your PATH
* [Claude Code ](https://code.claude.com/docs/en/overview), [Cursor ](https://cursor.com/home), [GitHub Copilot ](https://github.com/features/copilot), or [Windsurf ](https://windsurf.com/)
**Windows not supported**
Local `.env` files for 1Password Environments are currently only supported on Mac and Linux. If you're on Windows, the hook will skip the validation checks.
## Step 1: Set up your Environments
To use the hook, you'll first need to:
1. [Create one or more Environments](/environments) in 1Password to store your project secrets.
2. [Configure locally mounted `.env` files](/environments/local-env-file) for them.
## Step 2: Install the hook in your project
To install the 1Password hook for Claude Code, you'll need to:
1. Clone the [1Password Agent Hooks repository. ](https://github.com/1Password/agent-hooks)
2. Follow the instructions to [run the install script. ](https://github.com/1Password/agent-hooks/blob/main/README.md#initial-setup)
The 1Password hook is available as a plugin in the Cursor marketplace. To install it:
1. Open the [Cursor marketplace ](https://cursor.com/marketplace/1password).
2. Either select **Sign In To Add** (or **Add** if you're already signed in), or copy `/add-plugin 1password` from the marketplace page and run it in Cursor Agent window to install the 1Password plugin.
After you install the plugin, restart Cursor and tell the Cursor Agent to perform a task that requires running a shell command. If your `.env` files are properly configured, the command will proceed. Otherwise the Agent will guide you through fixing the issue.
To confirm the hook worked as expected, open Cursor, then navigate to **Settings** > **Hooks** > **Execution Log**.
You can also install the hook from the [1Password Agent Hooks repository ](https://github.com/1Password/agent-hooks/).
To install the 1Password hook for GitHub Copilot, you'll need to:
1. Clone the [1Password Agent Hooks repository. ](https://github.com/1Password/agent-hooks)
2. Follow the instructions to [run the install script. ](https://github.com/1Password/agent-hooks/blob/main/README.md#initial-setup)
To install the 1Password hook for Windsurf, you'll need to:
1. Clone the [1Password Agent Hooks repository. ](https://github.com/1Password/agent-hooks)
2. Follow the instructions to [run the install script. ](https://github.com/1Password/agent-hooks/blob/main/README.md#initial-setup)
## Step 3: Choose how you want the hook to validate your `.env` files
### Default mode
By default, the hook will check the 1Password desktop app to find `.env` files related to your project based on the file path destinations you configured in 1Password Environments.
### Configured mode
Alternatively, you can create a `.1password/environments.toml` file at the root of your project that specifies which locally mounted `.env` files to validate. The hook only validates the specified files.
To do this, the hook parses the TOML file to extract mount paths from the `mount_paths` array field. Mount paths can be relative to the project root or absolute. For example:
```toml .1password/environments.toml theme={null}
mount_paths = ["application.env", "billing.env"]
```
The `mount_paths` field must be explicitly defined in the TOML file. If the file exists but doesn't contain a `mount_paths` field, the hook will log a warning and fall back to default mode.
If no `.env` files are specified in the TOML file, all commands will be allowed to run.
## How it works
1Password hooks are custom scripts that run before or after specific stages of the agent loop. Each hook runs as a spawned process that communicates with the agent over standard input and output using JSON in both directions. Hooks can observe, block, or modify the agent's behavior as it runs.
The 1Password local `.env` file validation hook is designed to be used with the event that runs before command execution in your agent. When configured, the hook prevents the agent from proceeding when required environment files are not available. For example, in Cursor the hook works with the [`beforeShellExecution` event ](https://cursor.com/docs/agent/hooks#hook-events), while in GitHub Copilot it works with the [`preToolUse` event ](https://docs.github.com/en/copilot/tutorials/copilot-cli-hooks#5-enforce-policies-with-pretooluse).
When the agent tries to run a command, the hook first checks for a `.1password/environments.toml` file in the current project directory. If a TOML file exists and contains the required `mount_paths` field, the agent validates only the specified `.env` files. If no TOML file exists, the agent queries the 1Password desktop app for all `.env` files mounted in the project directory. The hook then confirms that each `.env` file discovered for the project is enabled, the mount file exists, and the file is a valid FIFO (named pipe).
If all required `.env` files are enabled and configured correctly, the command execution is allowed to proceed. If one or more required `.env` files are missing, disabled, or invalid, the hook prevents the agent from proceeding and the agent provides an error message with steps to fix the issue.
The hook uses a "fail open" approach in default mode. If it can't access the 1Password database, the hook logs a warning and allows subsequent commands to proceed. This makes sure development can proceed if the 1Password app is not installed or the database is unavailable. Similarly, if a TOML file exists but no `.env` files are specified, the command is allowed to proceed.
### Configuration examples
#### Single .env file
```toml .1password/environments.toml theme={null}
mount_paths = [".env"]
```
Only `.env` is validated. Other environment files are ignored.
#### Multiple `.env` files
```toml .1password/environments.toml theme={null}
mount_paths = [".env", "billing.env", "database.env"]
```
Only the three declared `.env` files are validated.
#### No validation
```toml .1password/environments.toml theme={null}
mount_paths = []
```
No `.env` files are validated. All commands are allowed.
#### Default mode
No `.1password/environments.toml` file exists or the `mount_paths` field has been improperly defined. The hook discovers and validates all mounts configured in 1Password that are within the project directory.
## Troubleshooting
The hook logs information to `/tmp/1password-hooks.log` for troubleshooting. Check this file if you encounter issues.
Log entries include timestamps and detailed information about:
* Database queries and results
* Mount validation checks
* Permission decisions
* Error conditions
Learn more about [troubleshooting agent hooks](https://github.com/1Password/agent-hooks/tree/main/hooks/1password-validate-mounted-env-files#debugging).
## Learn more
* [Access secrets from 1Password through local `.env` files](/environments/local-env-file)
* [1Password Agent Hooks repository ](https://github.com/1Password/agent-hooks/)
* [Cursor Hooks ](https://cursor.com/docs/agent/hooks)
* [GitHub Copilot hooks ](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/use-hooks)
# Sync secrets from 1Password to AWS Secrets Manager (beta)
Source: https://www.1password.dev/environments/aws-secrets-manager
Beta
Use the 1Password AWS Secrets Manager integration to centralize secrets management and simplify your workflow. [Create an environment with variables in 1Password](/environments/), then securely sync those secrets to AWS Secrets Manager.
**Share your feedback**
To share your thoughts about the integration with us, submit your feedback using our [feedback form](https://forms.gle/3NUc7g3ywL4moksD7).
## Requirements
Before you can use the 1Password AWS Secrets Manager integration, you'll need to:
1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
2. [Install the 1Password desktop app.](https://1password.com/downloads)
3. [Turn on 1Password Developer and create an environment](/environments#turn-on-1password-developer) to use with AWS Secrets Manager.
4. Have an AWS account with the ability to create IAM resources.
## Set up the AWS Secrets Manager integration
### Step 1: Navigate to the AWS configuration page in 1Password
1. In the 1Password desktop app, select **Developer** in the sidebar, then select **View Environments**.
2. Find the name of the environment you created for AWS Secrets Manager and select **View environment**.
3. Go to the **Destinations** tab, then select **Configure destination** for AWS Secrets Manager.
This opens the AWS Secrets Manager configuration page, where you can set up the integration to sync the environment from 1Password to AWS Secrets Manager.
### Step 2: Register the 1Password Secrets Sync SAML provider
Authentication to your AWS account happens through SAML. You'll need to register the 1Password Secrets Sync SAML provider within your AWS account.
#### 2.1: Download the SAML metadata from 1Password
On the AWS Secrets Manager configuration page in 1Password, select **Download SAML metadata**. This will download a `saml-metadata.xml` file to your Downloads folder.
#### 2.2 Add the SAML provider in AWS
1. [Sign in to the AWS Management Console ](https://console.aws.amazon.com/) and navigate to the [Identity and Access Management (IAM) console. ](https://console.aws.amazon.com/iam/)
2. From the navigation pane, select **Identity providers**, then select **Add provider**.
3. Configure the following provider details:
* **Provider type**: Select **SAML** as the provider type, if it's not already selected.
* **Provider name**: Enter the name you want to use for the identity provider. For example: `1PasswordSecretsSync`.
* **Metadata document**: Select **Choose file**, then select the **`saml-metadata.xml`** file you saved to your Downloads folder in the previous step.
4. Scroll to the bottom of the page and select **Add provider**. You should see a message that says the provider was added.
#### 2.3 Add the SAML provider ARN to the 1Password configuration page
1. In the [identity providers area of the IAM console ](https://console.aws.amazon.com/iam/home#/identity_providers), search the list for the provider you added.
2. Select the provider name to open its details.
3. Copy the **ARN** from the **Summary** section.
4. In the 1Password app, paste the ARN you copied from AWS into the **SAML provider ARN** field.
### Step 3: Create an IAM policy for managing secrets
1. From the navigation pane of the [AWS IAM console ](https://console.aws.amazon.com/iam/), select **Policies**, then select **Create policy**.
2. Select **JSON** as the policy editor.
3. Copy the following permission statement and paste it into the policy editor window, replacing any default content already in the editor:
```json theme={null}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:DescribeSecret",
"secretsmanager:RestoreSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:TagResource",
"secretsmanager:UpdateSecret"
],
"Resource": "*"
}
]
}
```
4. Select **Next**.
5. On the "Review and create" page, enter a name for the policy in the **Policy name** field. For example: `1PasswordSecretsSync`.
You can optionally add a description in the **Description** field.
6. Scroll to the bottom of the page and select **Create policy**. You should see a message that says the policy was created.
### Step 4: Create an IAM role for the sync integration
#### 4.1: Create the IAM role in AWS
1. From the navigation pane of the [AWS IAM console ](https://console.aws.amazon.com/iam/), select **Roles**, then select **Create role**.
2. From the list of trusted entity types, select **SAML 2.0 federation**.
3. Select the **SAML 2.0–based provider** menu, then select the SAML provider you created in [step 2](#2-2-add-the-saml-provider-in-aws).
4. Under **Access to be allowed**, select **Add programmatic access only** and configure the following fields:
* **Attribute**: Select **SAML:sub** from the menu.
* **Value**: Go back to the 1Password configuration page and select **Copy SAML subject**. Then paste the SAML subject in the **Value** field.
5. Scroll to the bottom of the page and select **Next**.
6. Select the checkbox next to the policy you just created, then scroll to the bottom of the page and select **Next**. Only select the checkbox and not the name of the policy itself.
7. On the "Name, review, create" page, enter a name for the IAM role in the **Role name** field.
You can optionally add a description in the **Description** field.
8. Scroll to the bottom of the page and select **Create role**. You should see a message that says the policy was created.
#### 4.2 Add the IAM role ARN to the 1Password configuration page
1. In the [Roles area of the IAM console ](https://console.aws.amazon.com/iam/home#/roles), search the list for the role you added.
2. Select the role name to open its details.
3. Copy the **ARN** from the **Summary** section.
4. In the 1Password app, paste the ARN you just copied from AWS into the **IAM role ARN** field.
### Step 5: Configure the target region and secret name in 1Password
1. In the 1Password app, find the **Target region** field in the configuration page. Enter the AWS Secrets Manager region where you want to sync your Environment. For example: **`us-east-1`** or **`eu-central-1`**.
If you're not sure what region your account uses, [go to the AWS console ](https://console.aws.amazon.com/) and check which region is displayed in the URL. For example: `https://us-east-1.console.aws.amazon.com/console/home/`.
2. 1Password automatically populates the **Target secret name** field with the name of your environment.
You can edit this field if you want to change the name of the secret, or you can edit the name of the secret in AWS later. AWS Secrets Manager does not allow duplicate names, so make sure it’s unique.
3. (Optional) If you use a custom KMS key with AWS Secrets Manager, you can enter [the key's ID or ARN ](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html) in the **KMS key ID** field. AWS will then encrypt your secrets with this key.
If you set a value for this field, make sure the IAM role has the [required KMS permissions. ](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html)
### Step 6: Create the AWS Secrets Manager integration in 1Password
1. Review the configuration details in 1Password.
2. When you've finished, select **Create integration** in the 1Password app.
### Step 7: Test the connection and enable the integration in 1Password
You should now see a Destination card for AWS Secrets Manager. Select **Test connection** on the card to test the connection to AWS.
This creates and immediately deletes a placeholder value in AWS Secrets Manager, to ensure the correct permissions have been granted for the sync integration.
If everything is set up correctly and the test is successful, select the toggle to enable the integration and start syncing to AWS Secrets Manager.
### Step 8: Sync your secrets from 1Password to AWS
After you enable the AWS Secrets Manager integration, any variables saved in your Environment will be synced to AWS Secrets Manager.
With the secrets synced to AWS Secrets Manager, you can use one of the [methods provided by AWS ](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html) to load the secrets into your application or workload on AWS.
## How the integration works
The secrets sync integration runs on 1Password's [Confidential Computing platform ](https://blog.1password.com/confidential-computing/), leveraging [AWS Nitro Enclaves ](https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html), to ensure a reliable, always-on sync to AWS Secrets Manager.
This allows you to set up the integration once per environment, only requiring AWS credentials to create the IAM resources. After the integration is set up, you can invite team members to edit the environment in 1Password without needing to provide AWS credentials to each person.
Learn more about some [limitations of the integration](#limitations).
## Manage the integration
### Update your environment secrets
If you need to add, update, or remove any environment variables, [make the changes in your 1Password Environment](/environments#manage-an-environment), then save your changes to trigger another sync from 1Password to AWS Secrets Manager.
### Stop using the integration
You can disable the AWS Secrets Manager integration to temporarily stop syncing your environment secrets from 1Password to AWS, or delete the integration to remove it.
In the 1Password desktop app, navigate to the environment you're using with AWS Secrets Manager and select the **Destinations** tab. Toggle the switch on the AWS Secrets Manager card to **Disabled** to stop syncing your environment. Or select the vertical ellipses > **Delete destination** to remove the integration.
## Troubleshooting
| Error | Troubleshooting steps |
| --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| The IAM role doesn't have the necessary permissions to manage secrets in AWS Secrets Manager. | Check the policy attached to your IAM role in AWS and make sure the role's IAM policy is [configured correctly](#step-3-create-an-iam-policy-for-managing-secrets). |
| The sync integration failed to assume the IAM role. | Make sure that the [SAML provider is registered correctly](#step-2-register-the-1password-secrets-sync-saml-provider) and that the [IAM role](#step-4-create-an-iam-role-for-the-sync-integration) has the right [trust policy attached](#step-3-create-an-iam-policy-for-managing-secrets). |
| There's an outage or internal error within the AWS platform. | [Check the AWS Health Dashboard ](https://docs.aws.amazon.com/health/latest/ug/aws-health-account-views.html) for any events affecting AWS services in your account and try again later. [Contact 1Password support](mailto:support@1password.com) if the problem persists. |
| The KMS key is invalid or can’t be used. | [Verify the KMS key exists in AWS ](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html) and that it has an IAM policy that allows it to be used with [AWS Secrets Manager. ](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html) |
| The AWS Secrets Manager quota has been reached. | Try again later or remove resources to stay within the [AWS Secrets Manager quotas. ](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html) |
| The environment exceeds the maximum size allowed in AWS Secrets Manager (64 KB). | [Create additional environments](/environments#create-an-environment) so you can split the large environment into multiple smaller environments. Then set up a separate integration for each one so all your secrets are synced. |
| The SAML subject isn't set correctly in the IAM role's trust policy. | [Update the IAM role’s trust policy ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html) to set the correct SAML subject as the `saml:sub` condition. |
| A secret with the configured name already exists in AWS Secrets Manager. | [Set a different target secret name](#step-5-configure-the-target-region-and-secret-name-in-1password) on the configuration page in 1Password, or [delete the secret ](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_delete-secret.html) in AWS Secrets Manager that uses the same name. |
If you encounter problems that you can't resolve with these steps, try [deleting the integration](#stop-using-the-integration) and setting it up again. Or [contact 1Password support](mailto:support@1password.com) for more help.
## Limitations
There are some limitations to consider if you use the beta integration.
* The integration supports unidirectional (one-way) syncing from 1Password to AWS Secrets Manager. Changes made to environment secrets in AWS Secrets Manager won't be synced to 1Password.
* If you have environment secrets in AWS Secrets Manager that require auto-rotation, you should continue to manage them there. This will prevent environment secrets becoming out of sync between AWS and 1Password.
* It's best practice to maintain one definitive copy of a secret in 1Password, either as a 1Password item or as a variable in a 1Password environment. Keeping multiple copies of the same secret could lead to different versions becoming out of sync.
* There's a 64KB size limit for environments synced to AWS Secrets Manager. An example of where you might run into this limit is if you're defining environment variables for a monolithic application. In this scenario, you could split variables out into separate environments, each with it's own sync integration.
## Learn more
* [1Password Environments](/environments)
* [Access secrets from 1Password through local `.env` files](/environments/local-env-file)
* [Get started with 1Password Developer ](https://support.1password.com/developer/)
# Access secrets from 1Password through local .env files (beta)
Source: https://www.1password.dev/environments/local-env-file
Beta
Locally mounted `.env` files allow secure access to the secrets you've stored in [1Password Environments](/environments) from your device, without needing to keep them in a plaintext `.env` file on your local device. By creating a local `.env` file [destination](/environments#destinations), your secrets become both safe and simple to access.
This feature is currently in beta and is only supported in 1Password for Mac and Linux at this time.
## Mount your `.env` file
To configure a local `.env` file destination, you'll need to use the 1Password desktop app to create a new [Environment](/environments#create-an-environment) or navigate to an existing one to configure the destination for. Within your Environment:
1. Select the **Destinations** tab, then select **Configure destination** for a "Local `.env` file".
2. Select **Choose file path** and choose the path on your device where you want to create your local `.env` file.
3. Select **Mount .env file**.
You can disable a local `.env` file to remove it from your device. In the Destinations tab of your environment, toggle the **Enabled** option on or off as needed. You can have up to ten enabled local `.env` files per device.
If you have an existing `.env` file tracked by Git at the path you want to mount a new `.env` file at, you'll first need to delete the existing file and commit the change. After this is done you can safely mount your new `.env` file at the desired path.
If you don’t delete and commit the existing file, Git operations may fail and indicate that the mounted `.env` file generated by 1Password is being tracked. In practice, the file can’t actually be committed and its contents will never enter the staging area, so your secrets remain safe. However, commands like `git status` may still show it as a change until you’ve committed the removal of the original file.
## Verify with your terminal
To confirm that you can access your environment variables on your device, you can read your secrets using the `cat` shell command.
1. From your terminal, navigate to the directory where your `.env` file is saved. Run the following command, replacing `.env` with the name you've given your file:
```shell theme={null}
cat .env
```
2. Select **Authorize** in the authorization prompt that pops up.
Upon approval, your Environment's contents will be returned. Your terminal only reads your environment variables one time, and doesn't write them to disk. Authorization lasts until 1Password locks so you won't have to re-approve additional read requests while 1Password remains unlocked.
### Dotenv library compatibility
You can use your language's supported `.env` libraries to load secrets into your projects and work with your environment variables.
Use of local `.env` files with 1Password Environments is compatible with the following libraries:
| Language / Tool | Library | Compatible |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------- |
| C# | [`DotNetEnv` ](https://github.com/tonerdo/dotnet-env) | Yes |
| Docker Compose | [Built-in support for `.env` files ](https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/) | Yes |
| Go | [`godotenv` ](https://github.com/joho/godotenv) | Yes |
| Java | [`dotenv-java` ](https://github.com/cdimascio/dotenv-java) | Yes |
| JavaScript / Node.js | [`dotenv` ](https://github.com/motdotla/dotenv) | Yes |
| PHP | [`phpdotenv` ](https://github.com/vlucas/phpdotenv) | Yes |
| Python | [`python-dotenv` ](https://github.com/theskumar/python-dotenv) | Yes, as of `v1.1.2` |
| Ruby | [`dotenv` ](https://github.com/bkeepers/dotenv) | Yes |
| Rust | [`dotenvy` (main) ](https://github.com/allan2/dotenvy) | Yes |
| Rust | [`dotenvy` (v0.15.7) ](https://github.com/allan2/dotenvy/tree/v0.15.7) | Yes, but requires that you pass in the `.env` filename, path, or contents directly. |
## How it works
1Password makes your environment variables available as a `.env` file without actually storing the plaintext contents on your device. Instead, the file contents are passed directly to the reader process on demand through a UNIX-named pipe. 1Password mounts the `.env` file at the path you've specified on your device and automatically remounts it whenever 1Password restarts. This means that as long as 1Password is running, even if locked, the file is there and 1Password is ready to respond when you need to access your secrets.
When your application tries to read the file, you'll receive an authorization prompt asking for approval to populate the `.env` file. The file will lock again [when 1Password locks](https://support.1password.com/auto-lock/). There's no distinction made between different processes reading the file. Once the file is unlocked, every process can read it until you lock 1Password or disable the `.env` file in 1Password.
Although 1Password creates this file on your device, locally mounted `.env` files aren't tracked by Git and therefore your secrets aren't exposed by your version control system. The contents of these files are never stored on disk and are only available at the moment you access them, provided you've authenticated. Once read, the information is no longer available until you access it again.
## Limitations
* Local `.env` file destinations are only supported in 1Password for Mac and Linux at this time.
* Local `.env` file destinations aren't designed for concurrent access. If multiple processes try to read your local `.env` file at the same time, you may encounter delays or unexpected behaviors. For example, if you have the file open in an IDE while another application attempts to read it, this may result in conflicts. The first process to access the file will succeed in reading the secrets, while others may fail to read the contents. If you have the `.env` file open in an IDE or another application that is actively accessing it, you may need to close that session to allow other applications or terminal instances to read the file without interference.
* When you're offline, you'll only be able to access the most recent contents synced to your device or local changes you've made. When you're back online, your Environment will update to reflect the latest changes you've saved in 1Password.
* Some toolchains that aggressively watch `.env` files, such as Vite, can trigger a full dev server restart whenever a filesystem change event is detected and may not be compatible with local file mounts from 1Password Environments. Because FIFO mounts can emit filesystem events during open, close, or read operations, even when the underlying secret values haven't changed, these tools may incorrectly interpret this activity as a `.env` modification. This can cause an infinite restart loop.
If your project does not rely on reloading or reacting to changes in `.env` files during development, configure your tool to avoid watching the mounted `.env` file for changes.
For example, in Vite, add the following to your `vite.config.ts`. This prevents unnecessary dev server restarts while preserving normal HMR behavior for source files.
```typescript theme={null}
import { defineConfig } from 'vite'
export default defineConfig({
server: {
watch: {
ignored: ['**/.env'], // Replace with the name of your mounted env file
},
},
})
```
## Learn more
* [1Password Environments (beta)](/environments)
* [Use 1Password's agent hook to validate local .env files from 1Password Environments](/environments/agent-hook-validate)
* [Sync secrets between 1Password and AWS Secrets Manager (beta)](/environments/aws-secrets-manager)
* [Get started with 1Password Developer](https://support.1password.com/developer)
# Programmatically read 1Password Environments
Source: https://www.1password.dev/environments/read-environment-variables
Learn how to get secrets stored in 1Password Environments using 1Password SDKs and CLI.
Beta
You can programmatically retrieve environment variables from [1Password Environments](/environments) using [1Password SDKs](#sdks) or [1Password CLI](#cli). Both tools support local authentication with the 1Password desktop app or automated authentication with service accounts scoped to specific Environments.
## Choose your configuration
### Tool options
* **1Password CLI**: Best for quick testing, shell scripts, CI/CD pipelines, Infrastructure as Code, build tools and task runners.
* **1Password SDKs**: Best for native integrations with Go, Python, or JavaScript applications.
### Authentication options
* **Local authentication with the 1Password desktop app**: Authenticate in the same way you unlock your [1Password desktop app](https://1password.com/downloads/), like with biometrics or your 1Password account password. Requires minimal setup with no token management. Enables human-in-the-loop approval for sensitive workflows.
* **1Password Service Accounts**: Authenticate using a [service account token](/service-accounts/) scoped to the Environments you want to fetch. Best for shared building, automated access, and headless server authentication. Enables you to follow the [principle of least privilege ](https://csrc.nist.gov/glossary/term/least_privilege) in your project.
### Decision guide
Use the table below to find the best tool and authentication method for your specific use case.
| Use case | Recommended tool | Authentication method | Why this approach |
| ----------------------------------------------------- | --------------------------- | ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Local development** on your machine | [CLI](#cli) or [SDK](#sdks) | Desktop app | Uses existing 1Password account credentials, making it seamless for individual developers working locally. No token management. |
| **Quick testing** and exploration | [CLI](#cli) | Desktop app | Fastest way to test. Uses existing 1Password account credentials with minimal setup required. |
| **Desktop applications** | [SDK](#sdks) | Desktop app | Better integration with application code. Desktop app authentication allows end users to authenticate with their own 1Password accounts. |
| **Shell scripts** and automation tasks | [CLI](#cli) | Desktop app or service account | 1Password CLI is designed for shell scripting. Use 1Password desktop app for personal scripts, service accounts for shared/automated scripts. |
| **CI/CD pipelines** (GitHub Actions, GitLab CI, etc.) | [CLI](#cli) | Service account | Service accounts provide non-interactive authentication perfect for automated workflows. 1Password CLI is lightweight and easy to integrate into pipeline scripts. |
| **Application runtime** (production services) | [SDK](#sdks) | Service account | 1Password SDKs offer native language integration with better error handling and type safety. Service accounts enable secure, automated access without user interaction. |
| **Server-side applications** | [SDK](#sdks) | Service account | 1Password SDKs offer robust error handling and connection pooling. Service accounts enable headless server authentication. |
| **Docker containers and Kubernetes** | [SDK](#sdks) or [CLI](#cli) | Service account | Service accounts work well in containerized environments. Choose 1Password SDKs for application containers, 1Password CLI for init containers or sidecars. |
| **Infrastructure as Code** (Terraform, Pulumi, etc.) | [CLI](#cli) | Service account | 1Password CLI can be easily invoked from IaC tools. Service accounts enable automated infrastructure provisioning. |
| **Build tools and task runners** | [CLI](#cli) | Desktop app or service account | 1Password CLI integrates easily with build tools like Make, Gradle, or npm scripts. Use 1Password desktop app for developer builds. Service accounts support shared building. |
Get an Environment's ID
To fetch environment variables from a 1Password Environment, you'll need its unique identifier (ID). You can get an Environment's ID in the [1Password desktop app](https://1password.com/downloads/):
1. Open and unlock the 1Password desktop app, then navigate to **Developer** > **View Environments**.
2. Select **View environment** next to the Environment you want to fetch.
3. Select **Manage environment** > **Copy environment ID**.
Read Environments with 1Password SDKs
### Before you get started
To use this feature, you'll need to install the beta version of the Go, JS, or Python SDK:
Then [follow the steps](/sdks#get-started) to set up your project to authenticate with your 1Password desktop app or a service account token.
### Get environment variables
With [1Password SDKs](/sdks), you can retrieve environment variables from your 1Password Environments using the `get_variables()` function with the [Environment's ID](#get-an-environments-id).
The function returns a `GetVariablesResponse` object that contains a list of the environment variables stored in the Environment.
Each environment variable in the response contains the environment variable's name (for example, `DB_HOST`), value, and whether the value is hidden by default.
By default, 1Password Environment variables have **"Hide value by default"** turned on. To change this, open an Environment, select the verticle ellipsis next to the variable, then select **Show value by default**.
#### Examples
Before running the following example:
* Set `OP_SERVICE_ACCOUNT_TOKEN` to the token for a service account that has access to the Environment you want to fetch.
* Set `OP_ENVIRONMENT_ID` to the ID for your 1Password Environment.
Before running the following example:
* Replace `OP_ACCOUNT_NAME` in the code below with your 1Password account name as it appears at the top left sidebar in the 1Password desktop app.
* Set `OP_ENVIRONMENT_ID` to the ID for your 1Password Environment.
Read Environments with 1Password CLI
With [1Password CLI](/cli), you can retrieve environment variables from your 1Password Environments with `op environment read` and pass them to an application or script using `op run --environment`.
### Before you get started
Before you get started, install the [latest beta build of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2#beta), version `2.33.0-beta.02` or later. Then choose your authentication method:
* **Local authentication with the 1Password desktop app**: Authenticate in the same way you unlock your [1Password desktop app](https://1password.com/downloads/), like with biometrics or your 1Password account password. To set up local authentication, [turn on the 1Password CLI desktop app integration](/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration).
* **Service account**: Authenticate using a service account token that can only access the Environments you want to fetch. To authenticate using a service account token, [create a new service account](https://start.1password.com/developer-tools/infrastructure-secrets/serviceaccount/) with read access to the appropriate Environments. Then export your service account token:
### Get environment variables
To read environment variables from a 1Password Environment, use `op environment read` with the [Environment's ID](#get-an-environments-id). 1Password CLI will return a list of environment variables for the Environment formatted as key-value pairs.
```shell theme={null}
op environment read
```
#### Examples
To get the environment variables for a local development Environment with the ID `blgexucrwfr2dtsxe2q4uu7dp4`:
```shell theme={null}
op environment read blgexucrwfr2dtsxe2q4uu7dp4
#code-result
DB_HOST=localhost
DB_USER=admin
API_KEY=sk-abc123
```
After you fetch the Environment, you can pipe the results to other tools. For example:
```shell theme={null}
op environment read blgexucrwfr2dtsxe2q4uu7dp4 | grep DB_
```
### Pass environment variables to an application or script
To pass environment variables from a 1Password Environment to an application or script, use [`op run`](/cli/reference/commands/run) with the `--environment` flag and the [Environment's ID](#get-an-environments-id), then pass the results to the application or script. 1Password CLI runs the application or script as a subprocess with your secrets loaded into the environment for the duration of the process.
```shell theme={null}
op run --environment --
```
By default, 1Password Environment variables have **"Hide value by default"** turned on. Hidden variables are automatically concealed in stdout and stderr output. To change this, open an Environment, select the verticle ellipsis next to the variable, then select **Show value by default**. Or use the `--no-masking` flag with `op run`.
#### Use with environment variables from multiple sources
You can also use `op run` with multiple environments, or in combination with `.env` files or shell environment variables. When the same environment variable exists in multiple sources, 1Password CLI gives them the following precedence:
1. 1Password Environments (highest priority)
2. Environment files
3. Shell environment variables (lowest priorities)
If the same variable exists in multiple 1Password Environments, the last Environment specified takes precedence.
#### Examples
To run the `printenv` command with the environment variables from a 1Password Environment loaded into the environment:
```shell theme={null}
op run --environment blgexucrwfr2dtsxe2q4uu7dp4 -- printenv
#code-result
DB_HOST=localhost
DB_USER=admin
API_KEY=sk-abc123
```
To run a script provisioned with the environment variables from an Environment:
```shell theme={null}
op run --environment blgexucrwfr2dtsxe2q4uu7dp4 -- ./my-script.sh
```
## Learn more
* [Access secrets from 1Password through local .env files](/environments/local-env-file)
* [Use 1Password's agent hook to validate local .env files from 1Password Environments](/environments/agent-hook-validate)
* [Sync secrets from 1Password to AWS Secrets Manager](/environments/aws-secrets-manager)
# 1Password Events API
Source: https://www.1password.dev/events-api
The 1Password Events API allows you to retrieve information about activity in your 1Password Business account and send it to your security information and event management (SIEM) system. With the Events API, you can keep track of:
* Actions team members take in the account, such as changes to vaults, groups, users, and more.
* How and when items in shared vaults are used, like when an item is viewed, copied, or edited.
* Attempts to sign in to the 1Password account, including when and where a user signed in to the account, and detailed information about failed sign in attempts.
## Quick start
To create an Events Reporting integration to connect your 1Password Business account with your SIEM, [start here](/events-api/get-started).
After you set up the integration in your 1Password account, read more [about the 1Password Events API](/events-api/introduction) and look at some [example scripts](/events-api/generic-scripts).
## Reference documentation
* Read the full [1Password Events API reference](/events-api/reference/).
* Learn about [audit events](/events-api/audit-events/).
* Learn about [item usage actions](/events-api/item-usage-actions).
* Track [version changes](/events-api/changelog/).
# Audit events
Source: https://www.1password.dev/events-api/audit-events
You can use the [1Password Events API](/events-api/reference/) to return audit events from the [audit log](https://support.1password.com/activity-log/) of your 1Password Business account and send them to your security information and event management (SIEM) system. Audit event data includes actions performed by team members in a 1Password account, such as changes made to the account, vaults, groups, users, and more.
## Read an event object
When you use the 1Password Events API to fetch audit events from your 1Password Business account, the API will return a JSON array of [audit event objects](/events-api/reference#post-api-v2-auditevents). Event objects can include the following properties:
* **`uuid`**: The unique identifier for the event.
* **`timestamp`**: When the action was performed.
* **`actor_uuid`**: The unique identifier for the team member who performed the action.
* **`actor_details`**: The details of the team member who performed the action (including their UUID, name, and email address).
* **`action`**: The type of action that was performed.
* **`object_type`**: The type of object that the action was performed on.
* **`object_uuid`**: The unique identifier for the object the action was performed on.
* **`object_details`**: The details of the team member who is the object of the action (including their UUID, name, and email address). This property is only returned for events where the object of the action is a team member.
* **`aux_id`**: The identifier that relates to additional information about the activity.
* **`aux_uuid`**: The unique identifier that relates to additional information about the activity.
* **`aux_details`**: The details of the team member who relates to the additional information about the activity (including their UUID, name, and email address). This property is only returned for events where the additional information about an activity relates to a team member.
* **`aux_info`**: Additional information about the activity.
* **`session`**: The information about the session, including the date and time the client signed in and started the session, the unique identifier of the device that signed into the session, and the IP address used.
* **`location`**: The geolocation information of the client based on their IP address at the time the event was performed.
To understand the activity an audit event object is describing, look at the `action`, `actor`, and `object` fields, as well as any `aux` fields that may be included. For example:
```json Example audit event object theme={null}
{
"uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
"timestamp": "2023-03-15T16:33:50-03:00",
"actor_uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V",
"actor_details": {
"uuid:": "4HCGRGYCTRQFBMGVEGTABYDU2V",
"name": "Jeff Shiner",
"email": "jeff_shiner@agilebits.com"
},
"action": "join",
"object_type": "gm",
"object_uuid": "pf8soyakgngrphytsyjed4ae3u",
"aux_id": 9277034,
"aux_uuid": "K6VFYDCJKHGGDI7QFAXX65LCDY",
"aux_details": {
"uuid": "K6VFYDCJKHGGDI7QFAXX65LCDY",
"name": "Wendy Appleseed",
"email": "wendy_appleseed@agilebits.com"
},
"aux_info": "A",
"session": {
"uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM",
"login_time": "2023-03-15T16:33:50-03:00",
"device_uuid": "lc5fqgbrcm4plajd8mwncv2b3u",
"ip": "192.0.2.254"
},
"location": {
"country": "Canada",
"region": "Ontario",
"city": "Toronto",
"latitude": 43.5991,
"longitude": -79.4988
}
}
```
This example event shows that `Jeff Shiner` is the actor who performed the `"join" action` on a `[group membership](#group-membership)` (Jeff added someone to a group). And `Wendy Appleseed` is the team member who joined (was added to) the `Administrator group` as a `[group manager](#group-membership)`.
To get more information about an object, such as the name of a group, you can check the description of the event in the [audit log](https://support.1password.com/activity-log/), or use the `object UUID` to [retrieve information about an object with 1Password CLI](/cli/reference#unique-identifiers-ids).
Use the audit event tables below to learn more about what the different actions and objects mean and what output is returned for each type of event. A complete list of actions and objects can be found in the [appendix](#appendix).
## Audit events
### Accounts
Actions related to updating and confirming accounts.
Event
Description
Action
Object Type
Aux Info
Activate Account
The account was activated.
activate
account
Update Account
Account attributes, such as the name, were changed.
update
account
Delete Account
The account was deleted.
delete
account
Update Account Domain
The account domain was changed.
update
account
domain
Change Account Type
The account type was changed.
convert
account
old account type, new account type
I: Individual account
F: Family account
B: Business account
Enable Duo
Duo was enabled for the account.
enblduo
account
Update Duo Configuration
The Duo configuration for the account was updated.
updatduo
account
Disable Duo
Duo was disabled for the account.
disblduo
account
### Delegate sessions
Actions related to delegating sessions.
Event
Description
Action
Object type
Aux info
Delegate Session
A new delegated session was added.
dlgsess
dlgdsess
session UUID
### Devices
Actions related to authorizing and removing devices.
Event
Description
Action
Object Type
Aux Info
Add Device
A device was added to the account.
create
device
user ID, user UUID, user name, user email
Update Device
A device was updated.
update
device
user ID, user UUID, user name, user email
Delete Device
A device was deleted.
delete
device
user ID, user UUID, user name, user email
Delete Old Devices
Old devices were deleted.
deolddev
user
Delete All Devices
All devices were deleted.
dealldev
user
Reauthorize Device
A device was reauthorized after being deauthorized
reauth
device
user ID, user UUID, user name, user email
### Email changes
Actions related to beginning and completing email changes for team members.
Event
Description
Action
Object Type
Aux Info
Begin Email Change
An email change was requested by a user.
begin
ec
Complete Email Change
A user's email was changed.
complete
ec
Propose Email Change
An email change was proposed by an admin.
propose
ec
### Family accounts
Actions related to linking and unlinking family accounts.
Event
Description
Action
Object Type
Aux Info
Add Family Member Account
A team member linked their free family account.
rdmchild
famchild
Remove Family Member Account
A team member unlinked their free family account.
detchild
famchild
### Files
Actions related to creating documents.
Event
Description
Action
Object Type
Aux Info
Add File
A file was uploaded to the account.
create
file
### Firewall rules
Actions related to firewall settings.
Event
Description
Action
Object type
Aux info
Update Firewall Rules
A firewall rule was added or updated.
updatfw
account
### Groups
Actions related to creating, updating, and removing groups.
Event
Description
Action
Object Type
Aux Info
Create Group
A group was created.
create
group
group name
Available for events that occurred after June 11, 2025.
Delete Group
A group was deleted.
delete
group
group name
Update Group
A group was updated.
update
group
group name
Purge Deleted Group
A group was marked to be purged.
purge
group
Update Group Keyset
A group keyset was replaced.
changeks
group
### Group membership
Actions related to updating team members' group membership.
Event
Description
Action
Object Type
Aux Info
Join Group
A user joined a group.
join
gm
user ID, user UUID, user name, user email, user role
R: Group member
A: Group manager
Leave Group
A user left a group.
leave
gm
user ID, user UUID, user name, user email
Change Group Membership Role
A user's group membership role was changed.
role
gm
user ID, user UUID, user name, user email, user role
R: Group member
A: Group manager
### Group vault access
Actions related to modifying groups' access to vaults.
Event
Description
Action
Object Type
Aux Info
Grant Group Vault Access
A group was granted access to a vault.
grant
gva
group ID, group UUID, Access Control List
Revoke Group Vault Access
A group's access to a vault was revoked.
revoke
gva
group ID, group UUID
Update Group Vault Access
A group's vault access was updated.
update
gva
group ID, group UUID, Access Control List
### Invites
Actions related to inviting team members and guests.
Event
Description
Action
ObjectType
AuxInfo
Create Invite
An invite was created.
create
invite
The email address the invite was sent to.
Update Invite
An invite was updated.
update
invite
The email address the invite was sent to.
### Items
Actions related to creating, editing, archiving, and deleting items.
Event
Description
Action
ObjectType
AuxInfo
Patch Vault Items
Vault items were added or updated.
patch
items
Vault Content Version, number of items added or updated.
Delete Trashed Vault Items
Vault items in the trash were deleted.
delete
items
Vault Content Version, number of items deleted.
Purge Deleted Vault Items
Deleted vault items were marked to be purged.
purge
items
Number of items that were marked to be purged.
Purge Vault Item History
Archived vault items were marked to be purged.
purge
itemhist
item ID, item UUID
### Item sharing
Actions related to [sharing items](https://support.1password.com/share-items/).
Event
Description
Action
Object Type
Aux Info
Share Item
An item was shared externally.
share
item
vault ID, vault UUID, shared item UUID
Delete Item Share
A shared item link was deleted.
delshare
item
vault ID, vault UUID, shared item UUID
Update Item Share Settings
The account's item sharing settings were updated.
uisas
account
### Managed companies
Actions related to a managed service provider (MSP) creating, launching into, and unlinking managed companies.
Event
Description
Action
Object Type
Aux Info
Add Managed Company
A managed company was added to an MSP account.
create
mngdacc
Launch Into Managed Company
An MSP technician launched into a managed company.
launchi
mngdacc
The ID and UUID of the launched session.
Unlink Managed Company
A managed company was unlinked from an MSP account.
unlink
mngdacc
### Multi-factor authentication
Actions related to enabling, updating, and removing multi-factor authentication.
Event
Description
Action
Object Type
Aux Info
Enable Multi-Factor Authentication
Multi-factor authentication was enabled.
enblmfa
user
multi-factor authentication ID, multi-factor authentication type
Update Multi-Factor Authentication
Multi-factor authentication was updated.
updatmfa
user
multi-factor authentication ID, multi-factor authentication type
Disable Multi-Factor Authentication
Multi-factor authentication was disabled.
disblmfa
user
multi-factor authentication ID, multi-factor authentication type
Disable Multi-Factor Authentication For All Users
Multi-factor authentication was disabled for everyone in the account.
disblmfa
account
Disable Multi-Factor Authentication Type For All Users
Multi-factor authentication of a certain type was disabled for everyone in the account.
disblmfa
account
multi-factor authentication type
### Packages
Actions related to team members sending a copy of an item within 1Password.
Event
Description
Action
Object Type
Aux Info
Send Package
A user sent an item to another user.
sendpkg
user
package UUID
### Provisioning
Actions related to provisioning new team members.
Event
Description
Action
Object Type
Aux Info
Send Provisioning Email
A provisioning email was sent.
sendts
user
Resend Provisioning Email
A provisioning email was resent.
resendts
user
Resend All Provisioning Emails
All provisioning emails were resent.
prsndall
invite
### Reports
Actions related to viewing and exporting reports.
Event
Description
Action
ObjectType
AuxInfo
Export Report
A user exported a report.
export
report
report UUID, report type
View Report
A user viewed a report.
view
report
report UUID, report type
### Service accounts
Actions related to adding service accounts.
Event
Description
Action
Object Type
Aux Info
Create Integration
A service account was created.
create
sa
The type of service account.
Set Expiration Integration
An expiration time was set for a user-managed service account.
expire
sa
The type of service account.
### Service account tokens
Actions related to registering, updating, and revoking access tokens for service accounts.
Event
Description
Action
Object Type
Aux Info
Create Token
A service account token was registered.
create
satoken
token name
Rename Token
A service account token name was updated.
trename
satoken
token name
Verify Token
A service account token signature was registered.
tverify
satoken
token name
Revoke Token
A service account token was revoked.
trevoke
satoken
token name
### Sign-in tokens
Actions related to creating, ratcheting, and signing in with sign-in tokens for Unlock with SSO.
Event
Description
Action
Object Type
Aux Info
Sign In With Sign-In Token
A sign-in token was used to log in.
ssotknv
ssotkn
### Slack app
Actions related to connecting or removing a Slack app.
Event
Description
Action
Object Type
Aux Info
Enable Slack App
A Slack app was connected to the account.
create
slackapp
Disable Slack App
A Slack app was removed from the account.
delete
slackapp
Update Slack App
A connected Slack app was updated.
update
slackapp
### SSO settings
Actions related to setting up [Unlock with SSO](https://support.1password.com/sso-get-started/).
Event
Description
Action
Object Type
Aux Info
Enable SSO
Unlock with SSO was enabled.
enblsso
sso
Disable SSO
Unlock with SSO was disabled.
disblsso
sso
Change SSO Authentication Policy
The SSO authentication policy was changed.
chngpsso
sso
Change SSO Grace Period Authentication Count
The SSO grace period authentication count was changed.
chngasso
sso
Change SSO Grace Period Duration
The SSO grace period duration was changed.
chngdsso
sso
Add an SSO Group.
An SSO group was added.
addgsso
sso
group UUID
Delete an SSO Group.
An SSO group was deleted.
delgsso
sso
group UUID
### Stripe cards
Actions related to creating, updating, and removing Stripe cards.
Event
Description
Action
Object Type
Aux Info
Add Card
A new Stripe card was created.
create
card
card ID, card UID
Update Card
A Stripe card was updated.
update
card
card ID, card UID
Delete Card
A Stripe card was deleted.
delete
card
card ID, card UID
### Stripe payment methods
Actions related to adding Stripe payment methods.
Event
Description
Action
Object Type
Aux Info
Add Payment Method
A new Stripe payment method was created.
create
pm
payment method ID, payment method UUID
Delete Payment Method
A Stripe payment method was deleted.
delete
pm
payment method ID, payment method UUID
### Stripe subscriptions
Actions related to creating, updating, and canceling Stripe subscriptions.
Event
Description
Action
Object Type
Aux Info
Create Subscription
A new Stripe subscription was created.
create
sub
subscription ID, subscription UUID
Update Subscription
A Stripe subscription was updated.
update
sub
subscription ID, subscription UUID
Cancel Subscription
A Stripe subscription was canceled.
cancel
sub
subscription ID, subscription UUID
### Templates
Actions related to adding, updating, hiding, and deleting templates.
Event
Description
Action
Object Type
Aux Info
Add Template
A template was added.
create
template
template name
Update Template
A template was updated.
update
template
template name
Hide Template
A template was hidden.
hide
template
template name
Unhide Template
A template was shown (after being hidden).
unhide
template
template name
Delete Template
A template was deleted.
delete
template
template name
### Unknown
Unknown events.
Event
Description
Action
ObjectType
AuxInfo
Unknown Events
An unknown action occurred.
unknown
unknown
### Users
Actions related to changes to team members' accounts attributes.
Event
Description
Action
Object Type
Aux Info
Upgrade User
A guest was promoted to a family or team member.
upguest
user
Change User State From
A user's state was changed.
verify, join, activate, reactive, suspend, delete, or beginr
user
Begin User Recovery
A user recovery was initiated.
beginr
user
Complete User Recovery
A user recovery was completed.
completr
user
Cancel User Recovery
A user recovery was canceled.
cancelr
user
Mark User Away For Travel
A user was marked as away for travel.
trvlaway
user
Mark User Back From Travel
A user was marked as back from travel.
trvlback
user
Change User Keyset
A user's keyset changed.
changeks
user
Change 1Password Account Password
A user changed their 1Password account password.
changemp
user
Change Secret Key
A user changed their Secret Key.
changesk
user
Change Name
A user changed their name.
changenm
user
Change Language
A user changed their preferred language.
changela
user
Enroll Trusted Device
A user set up a trusted device to unlock with SSO.
tdvcsso
user
device UUID
Set up Single Sign-On Authentication
A user set up their 1Password account to unlock with SSO.
sdvcsso
user
### User migration
Actions related to migrating users.
Event
Description
Action
Object Type
Aux Info
Migrating User Created
A user migration was started.
create
miguser
user email
Migrating User Complete
A user migration was marked complete.
musercom
miguser
Migrating User Declined
A user migration was marked declined.
muserdec
miguser
### User vault access
Actions related to changes to team members' access to vaults.
Event
Description
Action
Object Type
Aux Info
Grant User Vault Access
A user was granted access to a vault.
grant
uva
user ID, user UUID, user name, user email, Access Control List
Revoke User Vault Access
A user's access to a vault was revoked.
revoke
uva
user ID, user UUID, user name, user email
Update User Vault Access
A user's vault access was updated.
update
uva
user ID, user UUID, user name, user email, Access Control List
User WebAuthn credentials (passkeys)
Actions relating to creating and deleting [passkeys](https://support.1password.com/save-use-passkeys/) used to sign in to 1Password.
Event
Description
Action
Object Type
Aux Info
Create User Webauthn Credential
A passkey was created to sign in to 1Password.
create
cred
Delete User Webauthn Credential
A passkey used to sign in to 1Password was deleted.
delete
cred
### Vaults
Actions related to creating, updating, and removing vaults.
Event
Description
Action
Object Type
Aux Info
Add Vault
A vault was added.
create
vault
Delete Vault
A vault was deleted.
delete
vault
Mark Vault To Be Purged
A vault was marked for purging.
purge
vault
Update Client Access
The client access value for a vault was updated.
update
vault
The new client access value.
Update Attributes
A vault name or description was changed.
updatea
vault
Export Vault
A vault was exported.
export
vault
### Verified domain
Actions related to verifying domains.
Event
Description
Action
ObjectType
AuxInfo
Add Verified Domain
A domain was verified.
vrfydmn
account
domain
Update Verified Domain
A verified domain was updated.
uvrfydmn
account
domain
Delete Verified Domain
A verified domain was removed.
dvrfydmn
account
domain
## Appendix
### Action values
Possible values for `action` include:
API output
Action
activate
Activate
addgsso
Add an SSO group
begin
Begin
beginr
Begin recovery
cancel
Cancel
cancelr
Cancel recovery
changeks
Change keyset
changela
Change language
changemp
Change 1Password account password
changenm
Change name
changesk
Change Secret Key
chngasso
Change SSO grace period authentication count
chngdsso
Change SSO authentication policy
chngpsso
Change SSO grace period duration
complete
Complete
completr
Complete recovery
convert
Convert
create
Create
dealldev
Deauthorize all devices
delete
Delete
delgsso
Delete an SSO Group
delshare
Delete shared item link
deolddev
Deauthorize old devices
detchild
Remove family member account
disblduo
Disable Duo
disblmfa
Disable multi-factor authentication
disblsso
Disable SSO
dlgsess
Delegate a new session
dvrfydmn
Delete verified domain
enblduo
Enable Duo
enablmfa
Enable multi-factor authentication
enblsso
Enable SSO
expire
Expire
export
Export
grant
Grant
hide
Hide
join
Join
launchi
Launch into managed company
leave
Leave
musercom
Complete migrating user
API output
Action
muserdec
Decline migrating user
patch
Modify or update
propose
Propose
provsn
Provision
prsndall
Resend all provisioning emails
purge
Permanently delete
rdmchild
Add family member account
reactive
Reactivate
reauth
Reauthorize
resendts
Resend provisioning email
revoke
Revoke
role
Update group membership role
sdvcsso
Set up SSO authentication
sendpkg
Send an item to another user
sendts
Send provisioning email
share
Share an item externally
ssotkn
Create sign-in token
ssotknr
Ratchet sign-in token
ssotknv
Sign in with sign-in token
suspend
Suspend
tdvcsso
Enroll trusted device
trename
Rename token
trevoke
Revoke token
trvlaway
Set as away for travel
trvlback
Set as back from travel
tverify
Verify token signature
uisas
Update item sharing administrator settings
unhide
Unhide
unknown
Unknown
unlink
Unlink managed company
updatduo
Update Duo
update
Update
updatea
Update attributes
updatfw
Update firewall rules
updatmfa
Update multi-factor authentication
upguest
Update guest
uvrfydmn
Update verified domain
view
View
verify
Verify
vrfydmn
Add verified domain
### Object values
Possible values for `objectType` include:
API output
Object
account
1Password account
card
Stripe card
cred
Credentials
device
Device
dlgdsess
Delegated session
ec
Email change
famchild
Linked family account
file
File
gm
Group membership
group
Group
gva
Group vault access
invite
Invite
item
Item
itemhist
Item history
items
Items
mngdacc
Managed account
miguser
Migrating user
API output
Object
mngdacc
Managed account
miguser
Migrating user
plan
Plan
pm
Stripe payment method
report
Report
sa
Service account
satoken
Service account token
slackapp
Slack app
sso
SSO
ssotkn
SSO token
sub
Stripe subscription
template
Template
user
User
uva
User vault access
vault
Vault
vaultkey
Vault key
# Authorization
Source: https://www.1password.dev/events-api/authorization
Every call to the 1Password Events API must be authorized with a valid [JWT-encoded ](https://datatracker.ietf.org/doc/html/rfc7519) bearer token in the HTTP [request header](/events-api/request-headers/). The token authenticates the client and authorizes it to access specific resources (events), without exposing 1Password account credentials.
## Pass bearer tokens in your API requests
Bearer tokens are passed to the Events API through the `Authorization` header in your request.
### Step 1: Get a bearer token
You'll get a bearer token when you [set up a new Events Reporting integration](/events-api/get-started#step-1-set-up-an-events-reporting-integration), or when you [issue a new token](#issue-a-bearer-token) in an existing integration.
When you generate the token, you'll choose which events the token is scoped to, then save the token in 1Password.
After you set up the integration, you can also [issue or revoke tokens](#manage-bearer-tokens) at any time.
### Step 2: Create an API request
When you make a call to the Events API, you must include the `Authorization` [request header](/events-api/request-headers/) with your bearer token.
The following example uses [curl ](https://curl.se/) on the command line to make a GET request to the [`introspect` endpoint](/events-api/reference#get-%2Fapi%2Fv2%2Fauth%2Fintrospect). API calls to this endpoint allow you to check that your bearer token is valid and confirm which events it's authorized to access.
1. In your terminal, format your curl request using the following structure:
```shell theme={null}
curl --request GET \
--url /api/v2/auth/introspect \
--header 'Authorization: Bearer '
```
2. Replace the `{''}` placeholder in the endpoint with the [events URL for your 1Password account](/events-api/servers/).
3. Replace `{''}` in the `Authorization` header with the token for your Events Reporting integration.
* Option 1: Copy the credential field from the bearer token you saved in 1Password, then paste it in the authorization header. For example:
```shell theme={null}
--header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjNyaTN0NDR0anZvZmNmbWc0Z2tsNWk2b2FpIiwidHlwIjoiSldUIn0...'
```
The `...` at the end of the bearer token here indicates it's been truncated for the example. You'll need to include the full credential string for your token.
* Option 2: [Use an environment variable to load your API token](/events-api/generic-scripts#usage) to avoid revealing your bearer token in plaintext. You'll need to use double quotes for the authorization header to allow for variable expansion. For example:
```shell theme={null}
--header "Authorization: Bearer ${EVENTS_API_TOKEN}"
```
### Step 3: Send the API request
Send the API request from the terminal. For example:
```shell theme={null}
curl --request GET \
--url https://events.1password.com/api/v2/auth/introspect \
--header "Authorization: Bearer ${EVENTS_API_TOKEN}"
```
If you've installed [jq ](https://jqlang.github.io/jq/), you can add `| jq` at the end of your request to pretty-print the JSON response.
If your token is authenticated, the API will return a [`200` response](/events-api/reference#responses) that includes the events (features) scoped to your token. For example:
```json theme={null}
{
"uuid": "OK41XEGLRTH4YKO5YRTCPNX3IU",
"issued_at": "2025-10-17T16:32:50-03:00",
"features": [
"auditevents",
"itemusages",
"signinattempts"
],
"account_uuid": "M4E2SWNZAZFTRGQGDNS2E5A4MU"
}
```
If you get a `401 Unauthorized` error, make sure your bearer token is in the `Authorization` header and is formatted correctly.
Learn more about [status codes in the Events API](/events-api/status-codes/).
## Manage bearer tokens
After you set up your Events Reporting integration, you can [issue](#issue-a-bearer-token) additional bearer tokens, [revoke](#revoke-a-bearer-token) tokens, and [verify the scope](#verify-the-scope-of-a-bearer-token) of existing tokens.
### Issue a bearer token
To issue a new bearer token for an existing integration:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com and select **[Integrations](https://start.1password.com/integrations/active)** in the sidebar.
2. Choose the Events Reporting integration where you want to issue a token and select **Add a token**.
3. Set up a new bearer token:
* **Token Name**: Enter a name for the token.
* **Expires After**: (Optional) Choose when the token will expire: 30 days, 90 days, or 180 days. The default setting is Never.
* **Events to Report**: Choose which events the token can access. The default setting includes all events: sign-in attempts, item usages, and audit events.
4. Select **Issue Token**.
5. On the "Save your token" page, select **Save in 1Password**. Choose the vault where you want to save your token, then select **Save**. Your bearer token will be saved as an API Credential item in 1Password.
If you set a bearer token to expire, you can also edit the item you saved in 1Password if you want to add the token's expiry date.
### Revoke a bearer token
Your SIEM will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.
To revoke a bearer token:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com and select **[Integrations](https://start.1password.com/integrations/active)** in the sidebar.
2. Choose the Events Reporting integration where you want to revoke a token.
3. Select the gear button next to the token you want to revoke, then select **Revoke**.
### Verify the scope of a bearer token
To verify a bearer token's scope, check the integration details on 1Password.com:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com and select **[Integrations](https://start.1password.com/integrations/active)** in the sidebar.
2. Choose the Events Reporting integration where you want to verify the scope of a token.
3. Locate your bearer token in the Tokens section and check which events it can access. You will also see when or if the token is set to expire.
Alternatively, you can make a [GET request to the introspection endpoint](/events-api/reference#get-%2Fapi%2Fv2%2Fauth%2Fintrospect) to verify which events are scoped to the token.
# About the Events API beta
Source: https://www.1password.dev/events-api/beta/about-v3-beta
The 1Password Events API v3 (version 3) beta is a REST-style HTTP API that follows the [OpenAPI 3.0 ](https://spec.openapis.org/oas/latest.html) specification. All requests are made over HTTPS and return JSON responses.
The beta introduces a [new v3 versioned endpoint](/events-api/beta/reference/get-v3-audit-events):
* `GET /api/v3/auditevents`
This endpoint returns audit events for actions performed by team members in a 1Password account. Each event describes:
* Who performed the action (the actor).
* What was affected (one or more target entities).
* Where and how the action occurred (context about the account, location, client, device, and session).
The beta API can be used alongside the existing Events API. The v1 and v2 endpoints for audit events, item usages, and sign-in attempts remain available.
## Request methods
The beta API currently supports a single HTTP method (GET) to retrieve audit events and uses query parameters for pagination and time filters.
The `/api/v3/auditevents` beta endpoint uses GET with query parameters for pagination and time filters.
The v1 and v2 API endpoints continue to use POST requests with a cursor object in the request body.
## Servers and URLs
The v3 beta endpoint is currently hosted on the same Events API servers as the production API. Your base URL depends on the [region](https://support.1password.com/regions/) where your 1Password account is hosted:
| If your account is hosted on: | Your base URL is: |
| ----------------------------- | ---------------------------------- |
| `1password.com` | `https://events.1password.com` |
| `ent.1password.com` | `https://events.ent.1password.com` |
| `1password.ca` | `https://events.1password.ca` |
| `1password.eu` | `https://events.1password.eu` |
To call the beta endpoint, append the v3 path to your base URL:
```text theme={null}
$BASE_URL/api/v3/auditevents
```
All requests must be made over HTTPS.
It's possible these servers could change during the beta or when the v3 endpoint moves to production. You can use the [Events API beta roadmap and changelog](/events-api/beta/roadmap) to track changes.
## Endpoints
The v3 beta API uses the following endpoint:
* [`GET /api/v3/auditevents`](/events-api/beta/reference/get-v3-audit-events): Retrieve audit events for actions performed by team members within a 1Password account.
Item usage and sign-in attempt events remain available through the existing v1 and v2 endpoints.
## Authorization
All calls to the v3 beta endpoint must be authorized with a valid [JWT-encoded ](https://datatracker.ietf.org/doc/html/rfc7519) bearer token in the [`Authorization` header](#request-headers). The token must be scoped to include audit events.
## Request headers
Requests to the beta endpoint require the `Authorization` header:
```shell theme={null}
Authorization: Bearer $EVENTS_API_TOKEN.
```
If your bearer token is missing, malformed, or invalid, the API will return a `401 Unauthorized` response.
## Pagination
The beta API uses cursor-based pagination passed in the query string.
### Query parameters
The v3 `auditevents` endpoint accepts the following optional query parameters:
* `page_size`: The maximum number of events to return in a single response.
* `start_time`: The earliest timestamp to include in the result set (inclusive).
* `end_time`: The latest timestamp to include in the result set (inclusive).
* `next_page_token`: An opaque token that identifies the next page of results to retrieve.
Data collection for the `/api/v3/auditevents` beta endpoint started December 1, 2025. To access event data prior to that date, you'll need to use the [`/api/v2/auditevents` production endpoint](/events-api/reference#post-%2Fapi%2Fv2%2Fauditevents).
### Response metadata
Every `200` successful response includes a `meta` object with pagination metadata:
* `next_page_token`: A token you can pass to the next request to retrieve the next page of results.
* `has_more`: A boolean value that indicates whether additional pages are available (`true` or `false`).
When `has_more` is `true`, you can continue making requests with `next_page_token` until there are no more events, indicated by `"has_more": false`.
### Pagination workflow
The following example shows a typical pagination workflow:
1. Initial request: Make A GET call to `/api/v3/auditevents` with any combination of `page_size`, `start_time`, and `end_time` parameters you need. Note that data collection for this endpoint started December 1, 2025.
2. Check the response: Process the `audit_events` and check the `has_more` and `next_page_token` metadata.
3. Subsequent requests: If `has_more` is `true`, call the endpoint again. For example:
```shell theme={null}
curl --request GET \
--url "https://events.1password.com/api/v3/auditevents?next_page_token=eyJQYWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLCJTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQ0MCwiVGllQnJlYWtlciI6IkpaUjdaNDNMN1ZGVDVLVE0zRURBRURSRlBRIn0" \
--header "Authorization: Bearer $EVENTS_API_TOKEN"
```
Repeat until `has_more` is `false` and you’ve retrieved all events for the requested interval.
Make sure not to use the `start_time` and `end_time` query parameters with the `next_page_token` query parameter. Doing so will result in a `400` bad request error.
## Rate limits
Requests to the beta endpoint are rate limited to:
* 600 requests per minute
* 30,000 requests per hour
The API uses standard HTTP headers to communicate your current rate limit window and remaining quota. Responses from `GET /api/v3/auditevents` may include the following headers:
* `RateLimit-Limit`: The total number of requests allowed for the current time window.
* `RateLimit-Remaining`: How many requests you can still make in the current window.
* `RateLimit-Reset`: The Unix timestamp (in seconds) that indicates when the current rate limit window will reset.
If you exceed the allowed rate, the API returns a `429 Too Many Requests` response. The `429` response includes the following header:
`Retry-After`: Indicates how many seconds to wait before making another request.
When you receive `429 Too Many Requests`, you should:
1. Stop sending additional requests to the endpoint.
2. Wait for the number of seconds specified in the `Retry-After` header.
3. Resume requests, ideally with backoff and retry logic in your client.
# Get started with the 1Password Events API
Source: https://www.1password.dev/events-api/beta/get-started
Beta
This content is for testing the v3 audit events beta endpoint. See how to [get started with the production version (v2)](/events-api/get-started/) if you don't want to use the beta.
You can use the 1Password Events beta API to retrieve audit events from your 1Password Business account and send them to your security information and event management (SIEM) system.
The beta API introduces a [new audit events endpoint](/events-api/beta/reference/get-v3-audit-events) (`/api/v3/auditevents`) that uses the HTTP GET method and cursor-based pagination with query parameters. This beta endpoint returns structured audit event data beginning December 1, 2025. The data includes information about the actor, the affected entities, and contextual information about the account, where the session originated, and more for each event.
[Learn more about the Events API v3 beta.](/events-api/beta/about-v3-beta)
## Requirements
Before you get started with the beta API, you’ll need to have:
* [A 1Password Business account.](https://1password.com/pricing/password-manager)
* An [owner](https://support.1password.com/groups/#owners) or [administrator](https://support.1password.com/groups/#administrators) role in your 1Password account.
* A [JWT bearer token (Events API token)](/events-api/authorization#manage-bearer-tokens) that’s authorized to access audit events for your account.
If you already use the Events API with other endpoint versions, you can reuse the same Events Reporting integration and bearer token with the v3 beta endpoint. Make sure your bearer token is scoped for audit events.
## Step 1: Set up an Events Reporting integration
If you haven’t set up Events Reporting yet, [create a new integration](/events-api/get-started#step-1-set-up-an-events-reporting-integration) in your 1Password Business account and issue a bearer token. Save the token in 1Password, then load it into your environment when making API calls.
If you already have Events Reporting set up for your 1Password account, review the integration details to confirm:
* The integration is active.
* Your bearer token is active and scoped to access audit events.
## Step 2: Find your Events API base URL
The `/api/v3/auditevents` beta endpoint currently uses the same Events API servers as the v2 production endpoint.
Choose the base URL that matches the [region](https://support.1password.com/regions/) where your 1Password account is hosted:
| If your account is hosted on: | Your base URL is: |
| ----------------------------- | ---------------------------------- |
| `1password.com` | `https://events.1password.com` |
| `ent.1password.com` | `https://events.ent.1password.com` |
| `1password.ca` | `https://events.1password.ca` |
| `1password.eu` | `https://events.1password.eu` |
You’ll use this base URL together with the v3 `auditevents` path. For example:
```text theme={null}
https://events.1password.com/api/v3/auditevents
```
## Step 3: Send a test request with curl
You can send a test request with [curl ](https://curl.se/) on the command line to confirm your integration is working.
The v3 beta endpoint uses a different HTTP method for requests:
* v3 beta endpoint: `GET /api/v3/auditevents`
* v2 production endpoint: `POST /api/v2/auditevents`
### 3.1: Create a curl request
In your terminal, format your request using the following structure:
```shell theme={null}
curl --request GET \
--url "$BASE_URL/api/v3/auditevents?page_size={events_per_page}&start_time={start_time}&end_time={end_time}" \
--header "Authorization: Bearer $EVENTS_API_TOKEN"
```
Replace the placeholders with your own values:
* `$BASE_URL`: The Events API base URL for your 1Password account. For example: `https://1password.com`.
* `$EVENTS_API_TOKEN`: The bearer token for your Events Reporting integration.
* `{events_per_page}`: (Optional) The maximum number of events to return in a single response. Use a value from `1` to `1000`. If you don’t include the `page_size` parameter, a default of `100` will be used.
* `{start_time}`: (Optional) The date and time for when you want to start retrieving events, in [RFC 3339 format ](https://datatracker.ietf.org/doc/html/rfc3339). For example: `2026-01-01T00:00:00Z`.
* `{end_time}`: (Optional) The date and time for when you want to stop retrieving events, in [RFC 3339 format ](https://datatracker.ietf.org/doc/html/rfc3339). For example: `2026-01-12T23:59:59Z`.
If you omit the `start_time` and `end_time` parameters, the endpoint will return a page of events using the service-defined default time range.
Data collection for the `/api/v3/auditevents` beta endpoint started December 1, 2025. To access event data prior to that date, you'll need to make a [`POST` request to the `/api/v2/auditevents` production endpoint](/events-api/reference#post-%2Fapi%2Fv2%2Fauditevents).
### 3.2: Send a curl request
The following example sends a GET request to the [`/api/v3/auditevents` endpoint](/events-api/beta/reference/get-v3-audit-events), using the curl command structure from the example above. Adjust the query parameters as needed.
```json theme={null}
curl --request GET \
--url "$BASE_URL/api/v3/auditevents?page_size=1&start_time=2026-01-01T00:00:00Z&end_time=2026-01-12T23:59:59Z" \
--header "Authorization: Bearer $EVENTS_API_TOKEN"
#code-result
{
"data": {
"audit_events": [
{
"action": "vault.vault-item.update",
"actor": {
"email": "wendy_appleseed@agilebits.com",
"name": "Wendy Appleseed",
"type": "user",
"uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V"
},
"category": "vault",
"context": {
"account": {
"name": "AgileBits",
"uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM"
},
"client": {
"name": "1Password Extension",
"version": "81118003"
},
"device": {
"model": "142.0.7444.23",
"uuid": "katnz37usfc5i67fqekylwmcde"
},
"location": {
"city": "Toronto",
"country": "Canada",
"ip_address": "192.0.2.254",
"latitude": 43.5991,
"longitude": -79.4988,
"region": "Ontario"
},
"origin": "Admin Console",
"os": {
"name": "MacOSX",
"version": "10.15"
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Safari/605.1.15"
},
"session": {
"login_time": "2025-11-13T18:52:10.706588504Z",
"uuid": "X6TARAEE2NGKFLMK5POQBZ4U2Q"
}
},
"targets": [
{
"payload": {
"type": "P",
"uuid": "lc5fqgbrcm4plajd8mwncv2b3u"
},
"type": "vault"
}
],
"timestamp": "2026-01-01T19:01:20.110679321Z",
"uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM"
}
]
},
"meta": {
"has_more": true,
"next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0"
}
}
```
For better readabilty, you can also provide the query parameters on separate lines using `--data-urlencode` flags.
```shell theme={null}
curl --request GET \
--url "$BASE_URL/api/v3/auditevents" \
--header "Authorization: Bearer $EVENTS_API_TOKEN" \
--data-urlencode "page_size=1" \
--data-urlencode "start_time=2026-01-01T00:00:00Z" \
--data-urlencode "end_time=2026-01-12T23:59:59Z"
```
### 3.3: Review the response
Review the response to confirm that the `audit_events` array contains the expected event data. If the response body is empty, try adjusting your `start_time` and `end_time` parameters.
If there are more events available than can be returned in a single response, the beta endpoint returns a meta object that includes:
* `next_page_token`: An opaque token you can pass in the next request to retrieve the next page of results.
* `has_more`: A boolean value that indicates whether more pages are available (`true` or `false`).
For example, the response to the curl request above includes the following meta object:
```json theme={null}
"meta": {
"next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0",
"has_more": true
}
```
To request the next page of results, use the `next_page_token` value as a query parameter. For example:
```shell theme={null}
curl --request GET \
--url "$BASE_URL/api/v3/auditevents?next_page_token=eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0" \
--header "Authorization: Bearer $EVENTS_API_TOKEN"
```
You can continue calling the endpoint with each `next_page_token` value that gets returned until `has_more` is `false`.
Make sure not to include the `start_time` or `end_time` parameters in requests that use a `next_page_token`. Doing so will result in a `400` bad request error.
To view HTTP status codes and rate limit in the responses, you can use the `--include` flag in your request. For example:
```shell theme={null}
curl --include --request GET...
```
## Step 4: Test the beta endpoint
After you’ve confirmed your Events API integration is working, you can test the beta `/api/v3/auditevents` endpoint with your SIEM.
The v3 beta endpoint is stable for testing, but it's possible changes could be made during the beta that will break integrations.
We don't recommend the beta for production use, but we do encourage beta testers to use v3 beta endpoint alongside the v2 production version and provide feedback. You can also use the [Events API beta roadmap and changelog](/events-api/beta/roadmap) to track changes.
# GET v3 audit events
Source: https://www.1password.dev/events-api/beta/reference/get-v3-audit-events
Beta
This API reference documents the latest version of the [1Password Events API beta specifications (3.0.0)](https://i.1password.com/media/1password-events-reporting/1password-events-api_3.0.0.yaml). Learn more [about the beta API](/events-api/beta/about-v3-beta).
Retrieve v3 (version 3) audit events for actions performed by team members within a 1Password account.
Method
Endpoint URL
GET
\/api/v3/auditevents
You can use this endpoint to determine who performed an action and when, like when a team member edits an item's password or invites another team member to a shared vault.
## Make a request
### Request header
To make a request to the `/api/v3/auditevents` endpoint, you'll need to use the `Authorization` header with a [bearer token](/events-api/authorization/) scoped to access audit events.
```
Authorization: Bearer YOUR_BEARER_TOKEN
```
### Query parameters
You can optionally use any of the following query parameters in your request:
* `page_size`: Specify the number of events records to return per page, between 1 and 1000.
* `start_time`: The date and time from which to start retrieving events.
* `end_time`: The date and time to stop retrieving events.
* `next_page_token`: Add a cursor token from a previous response to go to the next page of results.
See the [query parameters schema](#query-parameters-schema) for more details.
### Example requests
Example request with page size and start and end time parameters:
```shell theme={null}
curl --request GET \
--url https://events.1password.com/api/v3/auditevents?page_size=50&start_time=2026-01-01T00:00:00Z&end_time=2026-01-13T17:30:00Z \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN'
```
Example request that includes a token to return the next page of events:
```shell theme={null}
curl --request GET \
--url "https://events.1password.com/api/v3/auditevents?next_page_token=aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK" \
--header "Authorization: Bearer YOUR_BEARER_TOKEN"
```
## Receive a response
A successful response will include a subset of events matching your query parameters (if any exist), along with pagination metadata that indicates if there are more results (`true` or `false`). If true, the response will include a token you can use to request subsequent pages of events.
If the response is successful but there aren't any events for the parameters you requested, the `audit_events` array will be empty (`[]`).
### HTTP status code
Every request returns an [HTTP status code](/events-api/status-codes) that indicates if the response was successful or there was a problem.
### Response headers
The response may also include one or more of the following `RateLimit` response headers, as defined by the [IETF standards ](https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#name-header-specifications):
* `Content-Type: application/json`
* `RateLimit-Limit`
* `Ratelimit-Remaining`
* `RateLimit-Reset`
* `Retry-After` (only in responses with a `429 Too Many Requests` error)
You can use the `--include` flag in your request to view the HTTP status code and your remaining rate limit in the response. For example:
```shell theme={null}
curl --include --request GET...
```
### Example responses
A successful `200` response returns an array of [`AuditEventsResponse` objects](#auditeventsresponse-object) with the following high-level structure:
```json theme={null}
{
"data": {
"audit_events": [
{
"uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
"timestamp": "2025-01-01T00:00:00Z",
"context": { /* Context object */ },
"actor": { /* Actor object */ },
"category": "vault",
"action": "vault.vault-item.update",
"targets": [ /* Entity objects */ ]
}
]
},
"meta": {
"next_page_token": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK",
"has_more": true
}
}
```
Below is an example of a successful response that shows one event (a user edited an item in a shared vault). It includes response headers and metadata with a token to fetch the next page of results.
```json theme={null}
HTTP/2 200
content-type: application/json
ratelimit-limit: 600
ratelimit-remaining: 599
ratelimit-reset: 1767735927
date: Tue, 13 Jan 2026 17:30:52 GMT
{
"data": {
"audit_events": [
{
"action": "vault.vault-item.update",
"actor": {
"email": "wendy_appleseed@agilebits.com",
"name": "Wendy Appleseed",
"type": "user",
"uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V"
},
"category": "vault",
"context": {
"account": {
"name": "AgileBits",
"uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM"
},
"client": {
"name": "1Password Extension",
"version": "81118003"
},
"device": {
"model": "142.0.7444.23",
"uuid": "katnz37usfc5i67fqekylwmcde"
},
"location": {
"city": "Toronto",
"country": "Canada",
"ip_address": "192.0.2.254",
"latitude": 43.5991,
"longitude": -79.4988,
"region": "Ontario"
},
"origin": "Admin Console",
"os": {
"name": "MacOSX",
"version": "15.7.1"
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Safari/605.1.15"
},
"session": {
"login_time": "2025-11-13T18:52:10.706588504Z",
"uuid": "X6TARAEE2NGKFLMK5POQBZ4U2Q"
}
},
"targets": [
{
"payload": {
"type": "P",
"uuid": "lc5fqgbrcm4plajd8mwncv2b3u"
},
"type": "vault"
}
],
"timestamp": "2026-01-01T19:01:20.110679321Z",
"uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM"
}
]
},
"meta": {
"has_more": true,
"next_page_token": "eyLMNWdlU2l6ZSI6NSwiU3RhcnRUaW1lIjoiMjAyNS0xMC0wMVQwMDowMDowMFoiLCJFbmRUaW1lIjoiMjAyNi0wMS0wNlQyMTozMzo0Ny44NDA2MjA3NFoiLOPTZWFyY2hBZnRlciI6MTc2MzA2MjYxMjQRSTwiVGllQnJlYWtlciI6IkpaUjdaUVWMN1ZGVDVLVE0zRXYZRURSRlBRIn0"
}
}
```
Example response headers when the rate limit of 600 requests per minute has been exceeded:
```json theme={null}
HTTP/1.1 429 Too Many Requests
content-type: application/json
ratelimit-limit: 600
ratelimit-remaining: 0
ratelimit-reset: 1768325512
retry-after: 60
date: Tue, 13 Jan 2026 17:30:52 GMT
```
## Request schemas
Query parameters
Name
Type
Required
Description
page\_size
integer
No
Maximum number of events records to return per page, from 1 to 1000. If the `page_size` parameter isn't include, the default of 100 will be used.
next\_page\_token
string
No
Opaque cursor token identifying the next page of results to retrieve. Do not use the `start_time` or `end_time` parameters with the `next_page_token`. Doing so will result in a `400` bad request error.
start\_time
string (date-time)
No
The earliest timestamp (inclusive) from which to retrieve events. Invalid if next\_page\_token is specified. Uses the RFC 3339 standard .
end\_time
string (date-time)
No
The latest timestamp (inclusive) for which to retrieve events. Invalid if next\_page\_token is specified. Uses the RFC 3339 standard .
## Response schemas
### Rate limit headers
Header
Type
Required
Description
RateLimit-Limit
integer
No
The request quota for the associated client in the current time window.
RateLimit-Remaining
integer
No
The remaining request quota for the associated client.
RateLimit-Reset
integer
No
Unix timestamp that indicates the number of seconds until the request quota is reset for the associated client.
Retry-After
integer
No
Number of seconds until the request quota is reset for the associated client. Only included in responses with the `429 Too Many Requests` rate limit error.
### AuditEventsResponse object
Field
Type
Required
Description
data
object
Yes
Container for the audit event data.
data.audit\_events
array
Yes
Array of [AuditEvent objects](#auditeventsresponse-auditevent-object).
meta
object
Yes
Pagination metadata for the response that can be used in subsequent requests.
meta.next\_page\_token
string
No
Opaque token used to retrieve the next page of results. Should be included in subsequent requests until has\_more is false.
meta.has\_more
boolean
Yes
Indicates if additional pages of results are available for retrieval (true) or not (false).
A [Context object](#auditeventsresponse-context-object) containing information about how the event was initiated.
actor
object
Yes
An [Actor object](#auditeventsresponse-actor-object) describing who initiated the event.
category
string
Yes
High-level category of the event (for example, report).
action
string
Yes
Specific action taken (for example, report.view).
targets
array
Yes
Array of [Entity objects](#auditeventsresponse-entity-object) that describe what was affected.
#### AuditEventsResponse: Account object
Field
Type
Required
Description
uuid
string
Yes
UUID of the account.
name
string
Yes
Name of the account.
state
string
Yes
State of the account (for example, A).
type
string
Yes
Type of the account (for example, B).
domain
string
Yes
Domain associated with the account (for example, 1password.com).
#### AuditEventsResponse: Actor object
Field
Type
Required
Description
type
string
Yes
The type of actor (for example, user).
uuid
string
Yes
UUID of the actor.
name
string
No
Display name of the actor, if available.
email
string
No
Email address of the actor, if available.
linked\_account
object
No
An [Account object](#auditeventsresponse-account-object) describing a related account, if any.
#### AuditEventsResponse: Client object
Field
Type
Required
Description
name
string
Yes
Name of the client that was used.
version
string
Yes
Version of the client that was used.
#### AuditEventsResponse: Context object
Field
Type
Required
Description
account
object
Yes
A [ContextAccount object](#auditeventsresponse-contextaccount-object) describing the account associated with the event.
origin
string
Yes
The application or interface where the event occurred (for example, password\_manager).
session
object
No
A [Session object](#auditeventsresponse-session-object) describing the session in which the event occurred.
location
object
Yes
A [Location object](#auditeventsresponse-location-object) describing where the event originated.
device
object
No
A [Device object](#auditeventsresponse-device-object) describing the device used to initiate the event.
client
object
No
A [Client object](#auditeventsresponse-client-object) describing the 1Password client used (app or integration).
os
object
No
An [OS object](#auditeventsresponse-os-object) describing the operating system.
#### AuditEventsResponse: ContextAccount object
Field
Type
Required
Description
uuid
string
Yes
UUID of the account.
name
string
Yes
Name of the account.
#### AuditEventsResponse: Device object
Field
Type
Required
Description
uuid
string
Yes
UUID of the device.
model
string
Yes
Model of the device.
#### AuditEventsResponse: Entity object
Field
Type
Required
Description
type
string
Yes
Type of entity affected by a given event. An entity may contain a number of additional properties specific to its type. For example: report, user, or other resource types.
payload
object
Yes
Additional properties describing the entity.
#### AuditEventsResponse: Location object
Field
Type
Required
Description
ip\_address
string
Yes
IP address from which the event originated.
country
string
No
Country associated with the IP address.
region
string
No
Region associated with the IP address.
city
string
No
City associated with the IP address.
latitude
number
No
Latitude of the location.
longitude
number
No
Longitude of the location.
#### AuditEventsResponse: OS object
Field
Type
Required
Description
name
string
Yes
Name of the operating system that was used.
version
string
Yes
Version of the operating system that was used.
userAgent
string
No
Information about the operating system, such as software identification and environment details.
#### AuditEventsResponse: Session object
Field
Type
Required
Description
uuid
string
Yes
UUID of the session.
login\_time
string (date-time)
Yes
Time when the session was created.
### ErrorResponse object
Field
Type
Required
Description
Error
object
No
An [Error object](#errorresponse-error-object) containing the error message.
#### ErrorResponse: Error object
Field
Type
Required
Description
Message
string
No
An error message.
# Events API beta roadmap and changelog
Source: https://www.1password.dev/events-api/beta/roadmap
**Beta features are not guaranteed**
The purpose of this roadmap is to provide beta testers with information about new or improved features that are available for testing. Beta features and improvements may be added, changed, or removed at any time and are not intended to be used in production. You can use the [beta changelog](#beta-changelog) to track changes.
You can use the beta roadmap to track the phased rollout of new and improved features planned for the Events API. This page will be updated periodically to indicate when:
* A new or improved feature is ready for public beta testing
* A beta feature moves into production
* A planned feature is added, changed, or removed from the roadmap
## Planned features
| Feature area | Plan | Phase/Status | Additional information |
| ----------------------------------------- | ------------------------------------------------------------------------------ | ------------ | ----------------------------------------------------------------------------------------------------------------- |
| Audit events | Create new v3 endpoint for audit events, based on updated audit logging model. | Public beta | Beta endpoint available for testing: [`GET /api/v3/auditevents`](/events-api/beta/reference/get-v3-audit-events). |
| Audit log | Rename Activity Log to Audit Log and update to use new audit logging model. | Public beta | Learn more about the [beta audit log](https://support.1password.com/audit-log/). |
| Item usages | Add item usage events to the beta. | Coming soon | |
| Sign-in attempts | Add sign-in attempt events to the beta. | Coming soon | |
| 1Password SaaS Manager (formerly Trelica) | Add SaaS Manager events to Events API and audit log. | Coming soon | |
| 1Password Device Trust (Kolide) | Add Device Trust events to Events API and audit log. | Coming soon | |
## Beta changelog
This section includes information about additive and breaking changes made to the v3 Events API throughout the beta, starting from the public beta release.
Public release of the Events API v3 beta.
* **Specification file**: [1Password Events API specifications (3.0.0)](https://i.1password.com/media/1password-events-reporting/1password-events-api_3.0.0.yaml)
* **Summary**: We've launched the v3 beta of the 1Password Events API. The beta introduces a new audit logging model that provides a more comprehensive view of the actions being performed in a 1Password account.
* **Details**: Key features include:
* A new [v3 audit events beta endpoint](/events-api/beta/reference/get-v3-audit-events): `/api/v3/auditevents`. This endpoint can return structured audit event data starting from December 1, 2025. Audit event data includes information about who performed an action, what was affected, and context about where and how the action occurred.
* A new `GET` HTTP method for audit events.
* Cursor-based pagination with query parameters for `page_size`, `start_time`, `end_time`, and `next_page`.
* A new [beta audit log](https://support.1password.com/audit-log/) to monitor events that happen on your team from your 1Password.com account.
# 1Password Events API changelog
Source: https://www.1password.dev/events-api/changelog
This changelog tracks notable changes to the 1Password Events API and provides information about when changes were made and what changed.
## Summary of changes
| Version | Date | Type | Description | Details |
| ------- | -------------- | --------------- | ----------------------------------------------------------------------------------------------------------------- | ------------------------------- |
| 1.4.1 | September 2025 | Improvement | Added an account UUID property to the introspect response object. | [View details](#september-2025) |
| 1.4.0 | November 2024 | New feature | Added V2 endpoints for sign-in attempts and item usage with external user and MSP support. (*Breaking change* \*) | [View details](#november-2024) |
| 1.3.0 | September 2024 | New feature | Added V2 audit events endpoint with external user and MSP support. (*Breaking change* \*) | [View details](#september-2024) |
| 1.2.0 | November 2023 | New feature | Added passkey credential support to audit events. | [View details](#november-2023) |
| 1.2.0 | August 2023 | Improvement | Enhanced user details in audit event responses. | [View details](#august-2023) |
| 1.2.0 | November 2022 | New feature | Added audit events endpoint and reporting capabilities. | [View details](#november-2022) |
| 1.2.0 | March 2022 | Improvement | Added geolocation info and SSO actions. | [View details](#march-2022) |
| 1.1.0 | September 2021 | Improvement | Added internal server error handling. | [View details](#september-2021) |
| 1.1.0 | August 2021 | New feature | Added V2 introspection endpoint. (*Breaking change* \*) | [View details](#august-2021) |
| 1.0.0 | July 2021 | Initial release | Initial public release of the 1Password Events API. | [View details](#july-2021) |
\* Breaking changes are backwards-incompatible changes that require an upgrade to use. When breaking changes are released, we'll continue to support previous versions of the API and you can choose when to upgrade your API version.
Added a new `account_UUID` property to the introspect endpoint (/api/v2/auth/introspect).
You can now confirm the account a bearer token was issued from. This is particularly relevant to managed service providers (MSPs) that manage multiple accounts.
Added new V2 endpoints with external user and MSP functionality:
* POST /api/v2/signinattempts
* POST /api/v2/itemusages
Changes include:
* New SignInAttemptV2 schema:
* Added `account_uuid` field
* Added `federated` sign-in type
* Uses enhanced UserV2 schema
* New ItemUsageV2 schema:
* Added `account_uuid` field
* Uses enhanced UserV2 schema
* New SignInAttemptUserTypes enum for user type classification
### Breaking changes
V2 endpoints introduce new required fields and response structures. If upgrading from V1:
* Response schemas include new required fields
* User objects now include type classification
* New enums added for MSP functionality
### Migration impact
V1 endpoints continue to be supported. Migration to V2 endpoints is only required if you're an MSP provider and you need to access MSP-related event data for your account or the accounts of your managed companies.
New integrations can use V2 endpoints regardless of MSP needs.
Added new V2 audit events endpoint with MSP support:
* POST /api/v2/auditevents
Changes include:
* New AuditEventV2 schema:
* Added `actor_type` field
* Added `actor_account_uuid` field
* Added `account_uuid` field
* Added AuditEventActorTypes enum
* Added new actions:
* `expire`
* `launchi`
* `unlink`
* Added `mngdacc` object type for managed accounts
* Added "cred" object type for passkey authentication
* Fixed latitude field name in Location schema
Enhanced AuditEvent schema with detailed user information:
* Added `actor_details`
* Added `object_details`
* Added `aux_details`
* Added audit events endpoint (/api/v1/auditevents)
* Added new schemas:
* AuditEvent
* AuditEventItems
* AuditEventActions
* AuditEventObjectTypes
* Session
* Added Location object to sign-in attempts and item usage events:
* `country`
* `region`
* `city`
* `longitude`
* `latitude`
* Added new item usage actions:
* `select-sso-provider`
* `enter-item-edit-mode`
* Added 500 Internal Server Error response to all endpoints
Added V2 introspection endpoint:
* New introspection endpoint (/api/v2/auth/introspect)
* V1 endpoint marked as deprecated
* Added IntrospectionV2 schema with consistent naming
Initial [public release of the 1Password Events API](https://blog.1password.com/introducing-events-api/), including:
* Introspection endpoint
* JWT authentication
* Item usage endpoint
* Sign-in attempts endpoint
* Cursor-based pagination
# Endpoints
Source: https://www.1password.dev/events-api/endpoints
## Endpoint structure
Each API endpoint starts with a [base URL](/events-api/servers/), followed by the resource or operation path:
```text theme={null}
base_url/path
```
Replace the `base_url` placeholder with the appropriate base URL for your 1Password account and use the `path` of the operation or resource you want to access: [`introspect`](/events-api/reference#get-%2Fapi%2Fv2%2Fauth%2Fintrospect), [`auditevents`](/events-api/reference#post-%2Fapi%2Fv2%2Fauditevents), [`itemusages`](/events-api/reference#post-%2Fapi%2Fv2%2Fitemusages), or [`signinattempts`](/events-api/reference#post-%2Fapi%2Fv2%2Fsigninattempts).
For example, if your 1Password account is hosted on `ent.1password.com` and you want to retrieve a list of audit events, you would use the following URL to make a call to the `auditevents` endpoint:
```http Structure of an API endpoint theme={null}
https://events.ent.1password.com/api/v2/auditevents
```
## Endpoint versions
The Events API supports both V1 and V2 endpoints for audit events, item usages, and sign-in attempts. The V2 endpoints in this reference provide additional information about users and accounts for managed service providers (MSPs). V1 endpoints remain fully supported for existing integrations that don't require the additional MSP account and user type information.
Choose the appropriate version based on your needs:
* Use V2 endpoints if you need MSP-related event data or if you're just starting with the Events API.
* Use V1 endpoints if you have existing integrations and you don't require the additional MSP data.
See the [API changelog](/events-api/changelog/) to learn more about the changes in the V2 endpoints and previous versions of the API.
# 1Password Events API generic scripts
Source: https://www.1password.dev/events-api/generic-scripts
If you're new to Events Reporting, [learn how to get started with 1Password Events API](/events-api/get-started/).
To help you get started with the 1Password Events API we've put together a [repository of example scripts](https://github.com/1Password/events-api-generic) across several languages, including [JavaScript](https://github.com/1Password/events-api-generic/blob/main/eventsapi.js), [Python](https://github.com/1Password/events-api-generic/blob/main/eventsapi.py), [Ruby](https://github.com/1Password/events-api-generic/blob/main/eventsapi.rb), [Go](https://github.com/1Password/events-api-generic/blob/main/eventsapi.go), and [PHP](https://github.com/1Password/events-api-generic/blob/main/eventsapi.php). The scripts will print up to 20 sign-in attempts and item usage events from the last 24 hours.
## Requirements
Before implementing any of the examples, or your own scripts, you'll need to generate a bearer token and store it in your 1Password account.
To get a bearer token, you can:
* [Set up a new Events Reporting integration.](/events-api/get-started#step-1-set-up-an-events-reporting-integration)
* [Issue a new token](/events-api/authorization#issue-a-bearer-token) in an existing integration.
* [Generate a token with 1Password CLI.](/cli/reference/management-commands/events-api/#events-api-create)
## Usage
All scripts use the `EVENTS_API_TOKEN` environment variable to load your API token.
We recommend setting `EVENTS_API_TOKEN` to a [secret reference](/cli/secret-reference-syntax/) that points to where your bearer token is saved in 1Password, to avoid revealing the token in plaintext. Then you can use [`op run`](/cli/reference/commands/run/) with [1Password CLI](/cli/) to securely provision the token at runtime.
[Learn more about securely loading secrets from the environment.](/cli/secrets-environment-variables/)
For example, to set the `EVENTS_API_TOKEN` environment variable with an environment file, then use [`op run`](/cli/reference/commands/run/) to run the PHP `eventsapi.php` script with the variable provisioned:
```shell events.env theme={null}
EVENTS_API_TOKEN="op://Vault/Item/token"
```
```
op run --env-file="./events.env" -- php eventsapi.php
```
To export the `EVENTS_API_TOKEN` environment variable, then use [`op run`](/cli/reference/commands/run/) to run the Go `eventsapi.go` script with the variable provisioned:
```shell theme={null}
EVENTS_API_TOKEN="op://Vault/Item/token" op run -- go run eventsapi.go
```
1. Export the necessary environment variables:
```powershell theme={null}
$Env:EVENTS_API_TOKEN = "op://Vault/Item/token"
```
2. Run op run -- with your command for starting the app:
```powershell theme={null}
op run -- go run eventsapi.go
```
## Learn more
* [Get started with the 1Password Events API](/events-api/get-started/)
* [Issue or revoke bearer tokens for the Events API](/events-api/authorization#manage-bearer-tokens)
* [About 1Password Events Reporting security](https://support.1password.com/events-reporting-security/)
# Get started with the 1Password Events API
Source: https://www.1password.dev/events-api/get-started
You can use the 1Password Events API to set up an integration between your 1Password Business account and your security information and event management (SIEM) system.
## Requirements
Before you get started, you'll need to [sign up for a 1Password Business account](https://1password.com/pricing/password-manager).
If you already have a business account, you'll need to be an [owner](https://support.1password.com/1password-glossary/#owner) or [administrator](https://support.1password.com/1password-glossary/#administrator) to set up an Events Reporting integration.
## Step 1: Set up an Events Reporting integration
You can set up an Events Reporting integration in your 1Password Business account:
1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com.
2. Select [**Integrations**](https://start.1password.com/integrations/directory) in the sidebar. If you've set up other integrations in your account, you'll also need to select **Directory** on the Integrations page.
3. In the Events Reporting section, choose your SIEM from the list. If your SIEM isn't listed, select **Other**.
4. Enter a name for the integration, then select **Add Integration**.
5. Set up a bearer token:
* **Token Name**: Enter a name for the token.
* **Expires After**: (Optional) Choose when the token will expire: 30 days, 90 days, or 180 days. The default setting is Never.
* **Events to Report**: Choose which events the token can access. The default scope includes all events: sign-in attempts, item usages, and audit events.
6. Select **Issue Token**.
7. On the "Save your token" page, select **Save in 1Password**. Choose the vault where you want to save your token, then select **Save**. Your bearer token will be saved as an API Credential item in 1Password.
8. Select **View Integration Details**.
You can issue or revoke bearer tokens for your Events Reporting integration at any time. Learn more about [how to manage bearer tokens](/events-api/authorization#manage-bearer-tokens).
## Step 2: Test the integration
Before you connect your 1Password account with your SIEM, you can send a test request to the Events API using [curl ](https://curl.se/) on the command line. Specify the [endpoint](/events-api/endpoints/) along with any required [request headers](/events-api/request-headers/) and data.
### 1. Create a curl request
In your terminal, format your curl request using the following structure:
```shell theme={null}
curl --request \
--url / \
--header 'Authorization: Bearer ' \
--header 'Content-Type: application/json' \
--data '{
"limit": ,
"start_time": "",
"end_time": ""
}'
```
The `Content-Type` header and the `--data` flag with [pagination](/events-api/pagination/) content are only used in `POST` requests to the Events API.
Replace the highlighted content with your preferred values:
`{''}` The [HTTP request method](/events-api/request-methods/) you want to use for your request. For example: `POST`.
`{''}` The [base URL](/events-api/servers/) of the server used for events in your 1Password account. For example: `https://events.1password.com`.
`{''}` The path of the [endpoint](/events-api/endpoints/) you want to use. For example: `/api/v2/signinattempts`.
`{''}`: The bearer token you generated in [step 1](#step-1-set-up-an-events-reporting-integration). You can use one of the following options:
* Option 1: Copy the credential field from the bearer token you saved in 1Password, then paste it in the authorization header. For example:
```shell theme={null}
--header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6IjNyaTN0NDR0anZvZmNmbWc0Z2tsNWk2b2FpIiwidHlwIjoiSldUIn0...'
```
The `...` at the end of the bearer token here indicates it's been truncated for the example. You'll need to include the full credential string for your token.
* Option 2: [Use an environment variable to load your API token](/events-api/generic-scripts#usage) to avoid revealing your bearer token in plaintext. You'll need to use double quotes for the authorization header to allow for variable expansion. For example:
```shell theme={null}
--header "Authorization: Bearer ${EVENTS_API_TOKEN}"
```
`{''}` The optional [pagination limit](/events-api/pagination/) for the maximum number of event records you want returned per page. (POST requests only.) Choose a value from `1` to `1000`.
`{''}` The optional [RFC 3339-formatted ](https://datatracker.ietf.org/doc/html/rfc3339) date and time (UTC) for when you want to start and stop retrieving events. (POST requests only.) For example: `2025-10-31T09:00:00Z`.
The pagination limit, start time, and end time data is all optional. If you don't want to include them in your POST request, use an empty request body for the `--data` flag:
```shell theme={null}
--data '{}'
```
### 2. Send a curl request
Send your formatted curl request from the terminal.
The following example sends a POST request to the [`signinattempts` endpoint](/events-api/reference#post-%2Fapi%2Fv2%2Fsigninattempts), using the curl command structure from the example above.
```json theme={null}
curl --request POST \
--url https://events.1password.com/api/v2/signinattempts \
--header 'Authorization: Bearer eyJhbGciOiJFUzI1NiIsImtpZCI6Imt6aXJ4NHQ0Mm1laDVwbmFhcm4yYjZucXN1IiwidHlwIjoiSldUIn0...' \
--header 'Content-Type: application/json' \
--data '{
"limit": 1,
"start_time": "2025-10-31T09:00:00Z",
"end_time": "2025-10-31T17:00:00Z"
}'
#code-result
{
"cursor": "ZX8DAQETRWxhc3RpY3NlYXJjaEN1cnNvcgH_gAABBQEFTGltaXQBBAABCVN0YXJ0VGltZQH_ggABB0VuZFRpbWUB_4IAAQtTZWFyY2hBZnRlcgEEAAEKVGllQnJlYWtlcgEMAAAACv-BBQEC_4QAAABL_4ABAgEPAQAAAA7gjFYQAAAAAP7UAQ8BAAAADuCSBYgAAAAA_tQB-gM0JEhDqgEaQlRYUFUzM1ZOTkJLVERST0lGRUVUQkZQNlUA",
"has_more": true,
"items": [
{
"uuid": "BTXPU33VNNBKTDROIFEETBFP6U",
"session_uuid": "DU72R2RHZRHUTOYHMG44EDG4UI",
"timestamp": "2025-10-31T13:45:49.203617068Z",
"country": "CA",
"category": "success",
"type": "credentials_ok",
"details": null,
"client": {
"app_name": "1Password for Mac",
"app_version": "81118011",
"platform_name": "Wendy’s MacBook Pro",
"platform_version": "MacBookPro18,2",
"os_name": "MacOSX",
"os_version": "15.7.1",
"ip_address": "192.0.2.254"
},
"location": {
"country": "CA",
"region": "Ontario",
"city": "Toronto",
"latitude": 43.5991,
"longitude": -79.4988
},
"target_user": {
"uuid": "ETWZJTQCSRFPVOX74KERGHPBTU",
"name": "Wendy Appleseed",
"email": "wendy_appleseed@agilebits.com",
"type": "user"
},
"account_uuid": "4XHKKHXODJANPD6ZTBAXK4IM7E"
}
]
}
```
### 3. Review the response
Review the response that was returned to check that the request was successful.
The example request above shows a successful `200` response, with JSON objects detailing the sign-in attempt event(s) and a cursor for continued calling of the API. See the [response schema for the `signinattempts` endpoint](/events-api/reference#responses-3) for more information.
If the request was successful but your 1Password account didn't contain any events within the parameters of your request, the response will still return an object with a [cursor string](/events-api/pagination#cursor). For example:
```json theme={null}
{
"cursor": "ZX8DAQETRWxhc3RpY3NlYXJjaEN1cnNvcgH_gAABBQEFTGltaXQBBAABCVN0YXJ0VGltZQH_ggABB0VuZFRpbWUB_4IAAQtTZWFyY2hBZnRlcgEEAAEKVGllQnJlYWtlcgEMAAAACv-BBQEC_4QAAAAn_4ABAgEPAQAAAA7gfNhwAAAAAP__AQ8BAAAADuB84vwAAAAA__8A",
"has_more": false,
"items": []
}
```
If you made a call to a different endpoint, check the [Events API reference](/events-api/reference/) for the appropriate response object schema.
If you see an error, learn more about [HTTP status codes and recommended actions for error messages](/events-api/status-codes).
## Step 3: Connect your 1Password account to your SIEM
### Use a pre-built connector
Many SIEMs already support connecting with 1Password. To use a pre-built connector, [check if your SIEM is in the list of supported applications or services](https://support.1password.com/events-reporting/#step-2-connect-your-1password-account-to-your-siem). If it is, you can follow the provided link for documentation on how to connect your 1Password account.
If your SIEM isn't listed, you can also check the documentation for that service for any information they might have about connecting to a 1Password account.
### Build your own integration
If your SIEM doesn't have a pre-built connector, you can build your own client to send your 1Password account activity to your SIEM. Use the [Events API reference](/events-api/reference/) and documentation to learn more about how the API works.
To help you get started, you can refer to the [example scripts in our GitHub repository ](https://github.com/1Password/events-api-generic/) for JavaScript, Python, Ruby, Go, and PHP. Learn more about [how to use the example scripts](/events-api/generic-scripts/).
## Learn more
* [1Password Events API reference](/events-api/reference/)
* [About the 1Password Events API](/events-api/introduction/)
* [1Password Events API generic scripts](/events-api/generic-scripts/)
* [GitHub repository of example scripts ](https://github.com/1Password/events-api-generic/)
# About the 1Password Events API
Source: https://www.1password.dev/events-api/introduction
The 1Password Events API is a REST-style API that follows the [OpenAPI 3.0 Specifications](https://spec.openapis.org/oas/latest.html). All communication between clients and servers are over HTTPS.
You can use your preferred language and tools for testing and implementing the Events API. The examples in the [API reference](/events-api/reference/) use [curl ](https://curl.se/) on the command line to demonstrate example requests. You can replace the values in any request with your own to receive information about events in your 1Password account.
The API can access data from the last 120 days. If you need to access data from more than 120 days ago, you can [use the audit log in your 1Password account](https://support.1password.com/activity-log/).
## Requirements
Before you can use the 1Password Events API, you'll need to:
* [Sign up for 1Password Business](https://1password.com/pricing/password-manager).
* [Set up an Events Reporting integration](/events-api/get-started) in your 1Password account.
* [Create a bearer token](/events-api/authorization#step-1-get-a-bearer-token) and select the event features it can access.
# Item usage actions
Source: https://www.1password.dev/events-api/item-usage-actions
You can use the [1Password Events API](/events-api/reference/) to send your 1Password account activity to your security information and event management (SIEM) system, including item usage.
[ItemUsage objects](/events-api/reference#post-%2Fapi%2Fv2%2Fitemusages) contain actions, which describe how an item was used.
Actions are only captured from client apps using 1Password 8.4.0 or later.
Item usage activity is only sent when client apps sync to the 1Password server. Not all item usage triggers a sync, so there may be delays before actions are received.
## Item usage action values
Possible values for `action` include:
The behaviors that trigger each type of action are grouped below by 1Password client type.
### enter-item-edit-mode
Client
Behavior
1Password apps
Add an item to Favorites. Edit an item. Usage is recorded upon selecting Edit, whether or not the item is modified.
### export
Client
Behavior
1Password apps
Download a file. Export 1Password account data as a 1PUX or CSV file. Usage is recorded for every exported item.
### fill
Client
Behavior
1Password apps
Fill an item by selecting:
"Open and fill"
"Type in window" (Windows only)
1Password in the browser
Fill an item by selecting:
Autofill
Auto-Type (Windows only)
Open & Fill
An item from the inline menu in a form field
### other
Item usage actions are only captured from devices using 1Password 8.4.0 or later. The `other` value indicates the action was performed using an earlier version of 1Password and is unknown.
Client
Behavior
1Password apps
Action is unknown.
### reveal
Client
Behavior
1Password apps
Preview a file. Reveal a password. Show a password in large type.
1Password in the browser
Reveal a password. Show a password in large type.
### secure-copy
Client
Behavior
1Password apps
Copy an item field. Copy an item's password history.
1Password in the browser
Copy an item field. Copy an item in JSON format.
### select-sso-provider
Client
Behavior
1Password in the browser
Sign in to a site using a sign-in provider.
### server-create
The `server` prefix indicates that the action occurred on the server rather than in the client app.
Client
Behavior
1Password apps
Duplicate an item. Move an item.
1Password.com
Create an item. Duplicate an item.
1Password CLI
Create an item.
1Password Connect server
Create an item.
### server-fetch
The `server` prefix indicates that the action occurred on the server rather than the client app. `server-fetch` is a special kind of action type that isn't used by most clients. It's only used when the client reporting the usage is a web server, like 1Password Connect server.
Client
Behavior
1Password apps
Download a file. Preview a file.
1Password.com
Open an item.
1Password CLI
Open an item.
1Password Connect server
Get all of an item's files. Get the contents of a file. Get the details of a file. Get the details of an item.
### server-update
The `server` prefix indicates that the action occurred on the server rather than the client app.
Client
Behavior
1Password apps
Add an item to Favorites. Archive an item. Delete an item. Edit an item. Move an item. Restore an item.
1Password in the browser
Add an item to Favorites.
1Password.com
Add an item to Favorites. Archive an item. Delete an item. Edit an item. Restore an item.
1Password CLI
Archive an item. Delete an item. Edit an item.
1Password Connect server
Delete an item. Edit an item. Replace an item.
### share
Client
Behavior
1Password apps
Copy an item in JSON format. Duplicate an item. Move an item. Share a link to an item.
1Password.com
Share a link to an item.
## Learn more
* [Get started with 1Password Events Reporting](https://support.1password.com/events-reporting/)
* [1Password Events API reference](/events-api/reference/)
* [Get started with 1Password Events Reporting and Elastic](https://support.1password.com/events-reporting-elastic/)
* [Get started with 1Password Events Reporting and Splunk](https://support.1password.com/events-reporting-splunk/)
* [1Password command-line tool: Full documentation](/cli/reference/)
# Pagination
Source: https://www.1password.dev/events-api/pagination
The Events API uses cursor-based pagination, which is useful for working with large datasets. In response to each request, the API returns a unique ID (cursor) that indicates where you left off retrieving data. On the next call, you can provide that cursor to continue fetching events starting from the next point in the dataset so no records are missed.
There are two types of cursors used in calls to the API: a [reset cursor](#reset-cursor) and a [cursor](#cursor) (also called a continuing cursor).
## Reset cursor
A reset cursor is used for the first request you make to the API to create a new point from which to start fetching data. You can also use a reset cursor any time you need to reset the parameters of your cursor – such as the number of records to return with each request – or go back to an earlier point in the records.
For the first POST request you make to the API, you must include a `ResetCursor` object with an optional start time, end time, and limit parameters in the request body. The return will include a `cursor` in the response body that can be used in the next call made to the API. If no parameters are provided, the API will use the default values indicated in the schema.
For example:
```json theme={null}
{
"limit": 100,
"start_time": "2023-03-15T16:32:50-03:00",
"end_time": "2023-03-15T17:32:50-03:00"
}
```
Name
Type
Description
limit (optional)
number
The number of events to return in a single request. Specify a limit from 1 to 1000. If not specified, limit will default to 100. To return additional events, use the cursor position for subsequent requests.
start\_time (optional)
string
The date and time to start retrieving events. Uses the RFC 3339 standard. If not specified, start\_time will default to one hour before specified end\_time. If no end\_time is specified, start\_time will default to one hour ago.
end\_time (optional)
string
The date and time to stop retrieving events. Uses the RFC 3339 standard.
## Cursor
For continued calling of the API, include the `cursor` from the previous response in the request body of your next call to the API, instead of the `ResetCursor` object. This will start fetching data from the last indicated position to avoid missing any data.
```json theme={null}
{
"cursor": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK"
}
```
Name
Type
Description
cursor
string
Cursor to fetch more data, if available, or continue the polling process. Use the cursor returned in the response body of your previous to the endpoint. For example: aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK.
The 1Password Events API apps for [Splunk](http://support.1password.com/events-reporting-splunk/) and [Elastic](http://support.1password.com/events-reporting-elastic/) will store the `cursor` position for future requests.
# Rate limits
Source: https://www.1password.dev/events-api/rate-limits
The Events API has the following limits:
* 600 requests per minute
* 30,000 requests per hour
Exceeding these limits will return the following error:
```
429 Too many requests
```
# 1Password Events API reference
Source: https://www.1password.dev/events-api/reference
This API reference documents the latest version of the [1Password Events API specifications (1.4.1)](https://i.1password.com/media/1password-events-reporting/1password-events-api_1.4.1.yaml). Learn more about [API versions](/events-api/endpoints#endpoint-versions).
## GET /api/v2/auth/introspect
```
base_url/api/v2/auth/introspect
```
A GET call to this endpoint returns a list of events (features) a bearer token is authorized to access, including one or more of: audit events, item usage, and sign-in attempts. It also returns the UUID of the account where the token was issued.
### Parameters
No parameters.
### Requests
Use the full URL of the `introspect` endpoint with your [bearer token](/events-api/authorization/) and the required [request headers](/events-api/request-headers/). A GET request doesn't include a body, so the content type header isn't needed.
For example:
```shell theme={null}
curl --request GET \
--url base_url/api/v2/auth/introspect \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN'
```
### Responses
200
Returns an `Introspection` object
400
Bad request
401
Unauthorized access
500
Internal server error
A successful `200` response returns an `Introspection` object with information about the token.
```json theme={null}
{
"uuid": "OK41XEGLRTH4YKO5YRTCPNX3IU",
"issued_at": "2023-03-05T16:32:50-03:00",
"features": [
"auditevents",
"itemusages",
"signinattempts"
],
"account_uuid": "M4E2SWNZAZFTRGQGDNS2E5A4MU"
}
```
A list of event features the integration has access to. Possible values are one or more of:
auditevents
itemusages
signinattempts
account\_uuid
string
The UUID of the account where the bearer token was issued.
## POST /api/v2/auditevents
```
base_url/api/v2/auditevents
```
A POST call to this endpoint returns information about actions performed by team members within a 1Password account. Events include when an action was performed and by whom, along with details about the type and object of the action and any other information about the activity. MSP accounts include additional information about the actor's account and type. Learn more about [audit events](/events-api/audit-events/).
This endpoint requires a [bearer token](/events-api/authorization/) with the `auditevents` feature. You can make an [introspection call](#get-%2Fapi%2Fv2%2Fauth%2Fintrospect) to the API to verify if your token is authorized to access audit events.
### Parameters
No parameters.
### Requests
Use the full URL of the `auditevents` endpoint with your [bearer token](/events-api/authorization/) and the required [request headers](/events-api/request-headers/). You must include a [ResetCursor](/events-api/pagination#reset-cursor) object or the [cursor](/events-api/pagination#cursor) from a previous response in the request body.
```shell theme={null}
curl --request POST \
--url base_url/api/v2/auditevents \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"limit": 100,
"start_time": "2023-03-15T16:32:50-03:00"
}'
```
```shell theme={null}
curl --request POST \
--url base_url/api/v2/auditevents \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"cursor": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK"
}'
```
### Responses
A successful `200` response returns an `AuditEventItemsV2` object wrapping cursor properties and an array of `AuditEventV2` objects. The included cursor can be used to fetch more data or continue the polling process.
Cursor to return more event data or to continue polling.
has\_more
boolean
Whether there's more data to be returned using the cursor. If the value is true, there may be more events. If the value is false, there are no more events.
The identifier for someone or something that provides additional information about the activity. For example, the ID of a device that a user adds or removes from an account.
aux\_uuid
string
The unique identifier for someone or something that provides additional information about the activity. For example, the UUID of a team member who joins or leaves a group in an account.
A location object that contains details about the geolocation of the client based on the client's IP address at the time the event was performed.
###### UserV2 object schema
Name
Type
Description
uuid
string
The UUID of the user who performed the action.
name
string
The name of the user who performed the action.
email
string
The email address of the user who performed the action.
user\_type
(MSP accounts only)
string
The type of user who performed the action (internal or external). Possible values are:
user
external\_user
user\_account\_uuid
(MSP accounts only)
string
The UUID of the user's account.
###### Object details object schema
Name
Type
Description
uuid
string
The UUID of the user who is the object of the action.
name
string
The name of the user who is the object of the action.
email
string
The email address of the user who is the object of the action.
###### Aux details object schema
Name
Type
Description
uuid
string
The UUID of the user related to the additional information about the activity. For example, the user who was added to or removed from the account or vault or whom created or deleted the device.
name
string
The name of the user related to the additional information about the activity.
email
string
The email address of the user related to the additional information about the activity.
###### Session object schema
Name
Type
Description
uuid
string
The UUID of the session.
login\_time
string
The date and time the client signed in and started the session. Uses the RFC 3339 standard.
device\_uuid
string
The UUID of the device signed in to the session.
ip
string
The IP address used for the session.
###### Location object schema
Name
Type
Description
country
string
The country where the action was performed.
region
string
The region where the action was performed.
city
string
The city where the action was performed.
longitude
number
A coordinate that specifies the longitudinal location for where the action was performed.
latitude
number
A coordinate that specifies the latitudinal location for where the action was performed.
## POST /api/v2/itemusages
```
base_url/api/v2/itemusages
```
A POST call to this endpoint returns information about items in shared vaults that have been modified, accessed, or used. Events include the name and IP address of the user who accessed the item, when the item was accessed, and the vault where the item is stored. Learn more about [item usage actions](/events-api/item-usage-actions/).
This endpoint requires a [bearer token](/events-api/authorization/) with the `itemusages` feature. You can make an [introspection call](#get-%2Fapi%2Fv2%2Fauth%2Fintrospect) to the API to verify if your token is authorized to access sign-in events.
### Parameters
No parameters.
### Requests
Use the full URL of the `itemusages` endpoint with your [bearer token](/events-api/authorization/) and the required [request headers](/events-api/request-headers/). You must include a [ResetCursor](/events-api/pagination#reset-cursor) object or the [cursor](/events-api/pagination#cursor) from a previous response in the request body.
```shell theme={null}
curl --request POST \
--url base_url/api/v2/itemusages \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"limit": 100,
"start_time": "2023-03-15T16:32:50-03:00"
}'
```
```shell theme={null}
curl --request POST \
--url base_url/api/v2/itemusages \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"cursor": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK"
}'
```
### Responses
200
Returns an `ItemUsageV2` response object
400
Bad request
401
Unauthorized access
500
Internal server error
A successful `200` response returns an `ItemUsageItemsV2` object wrapping cursor properties and an array of `ItemUsageV2` objects. The included cursor can be used to fetch more data or continue the polling process.
The response also includes a cursor to continue fetching more data or to use the next time you make a request.
```json theme={null}
{
"cursor": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK",
"has_more": true,
"items": [
{
"uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
"timestamp": "2023-03-15T16:33:50-03:00",
"used_version": 0,
"vault_uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM",
"item_uuid": "SDGD3I4AJYO6RMHRK8DYVNFIDZ",
"user": {
"uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V",
"name": "Wendy Appleseed",
"email": "wendy_appleseed@agilebits.com"
},
"client": {
"app_name": "1Password Browser",
"app_version": "20240",
"platform_name": "Chrome",
"platform_version": "string",
"os_name": "MacOSX",
"os_version": "13.2",
"ip_address": "192.0.2.254"
},
"location": {
"country": "Canada",
"region": "Ontario",
"city": "Toronto",
"latitude": 43.5991,
"longitude": -79.4988
},
"action": "secure-copy"
}
]
}
```
#### ItemUsageItemsV2 object schema
Cursor to return more event data or to continue polling.
has\_more
boolean
Whether there's more data to be returned using the cursor. If the value is true, there may be more events. If the value is false, there are no more events.
A location object that contains details about the geolocation of the client based on the client's IP address at the time the event was performed.
account\_uuid
(MSP accounts only)
string
The UUID of the account where the action was performed.
###### UserV2 object schema
Name
Type
Description
uuid
string
The UUID of the user that accessed the item or attempted to sign in to the account.
name
string
The name of the user, hydrated at the time the event was generated.
email
string
The email address of the user, hydrated at the time the event was generated.
user\_type
(MSP accounts only)
string
The type of user who performed the action (internal or external). Possible values are:
user
external\_user
user\_account\_uuid
(MSP accounts only)
string
The UUID of the user's account.
###### Client object schema
Name
Type
Description
app\_name
string
The name of the 1Password app the item was accessed from.
app\_version
string
The version number of the app.
platform\_name
string
The name of the platform the item was accessed from.
platform\_version
string
The version of the browser or computer where 1Password is installed or the CPU of the machine where the 1Password command-line tool is installed.
os\_name
string
The name of the operating system the item was accessed from.
os\_version
string
The version of the operating system the item was accessed from.
ip\_address
string
The IP address the item was accessed from.
###### Location object schema
Name
Type
Description
country
string
The country where the item was accessed.
region
string
The region where the item was accessed.
city
string
The city where the item was accessed.
longitude
number
A coordinate that specifies the longitudinal location for where the item was accessed.
latitude
number
A coordinate that specifies the latitudinal location for where the item was accessed.
## POST /api/v2/signinattempts
```
base_url/api/v2/signinattempts
```
A POST call to this endpoint returns information about sign-in attempts. Events include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and – for failed attempts – the cause of the failure. For MSP accounts, events also include additional information about the user's account and type.
This endpoint requires a [bearer token](/events-api/authorization/) with the `signinattempts` feature. You can make an [introspection call](#get-%2Fapi%2Fv2%2Fauth%2Fintrospect) to the API to verify if your token is authorized to access sign-in events.
### Parameters
No parameters.
### Requests
Use the full URL of the `signinattempts` endpoint with your [bearer token](/events-api/authorization/) and the required [request headers](/events-api/request-headers/). You must include a [ResetCursor](/events-api/pagination#reset-cursor) object or the [cursor](/events-api/pagination#cursor) from a previous response in the request body.
```shell theme={null}
curl --request POST \
--url base_url/api/v2/signinattempts \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"limit": 100,
"start_time": "2023-03-15T16:32:50-03:00"
}'
```
```shell theme={null}
curl --request POST \
--url base_url/api/v2/signinattempts \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--data '{
"cursor": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK"
}'
```
### Responses
200
Returns a `SignInAttemptItemsV2` object
400
Bad request
401
Unauthorized access
500
Internal server error
A successful `200` response returns a `SignInAttemptItemsV2` object wrapping cursor properties and an array of `SignInAttemptV2` objects. The included cursor can be used to fetch more data or continue the polling process.
```json theme={null}
{
"cursor": "aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK",
"has_more": true,
"items": [
{
"uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
"session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM",
"timestamp": "2023-03-15T16:32:50-03:00",
"category": "firewall_failed",
"type": "continent_blocked",
"country": "France",
"details": {
"value": "Europe"
},
"target_user": {
"uuid": "IR7VJHJ36JHINBFAD7V2T5MP3E",
"name": "Wendy Appleseed",
"email": "wendy_appleseed@agilebits.com"
},
"client": {
"app_name": "1Password Browser",
"app_version": "20240",
"platform_name": "Chrome",
"platform_version": "string",
"os_name": "MacOSX",
"os_version": "13.2",
"ip_address": "192.0.2.254"
},
"location": {
"country": "Canada",
"region": "Ontario",
"city": "Toronto",
"latitude": 43.5991,
"longitude": -79.4988
}
}
]
}
```
#### SignInAttemptItemsV2 object schema
Cursor to return more event data or to continue polling.
has\_more
boolean
Whether there's more data to be returned using the cursor. If the value is true, there may be more events. If the value is false, there are no more events.
##### SignInAttemptsV2 object schema
Name
Type
Description
uuid
string
The UUID of the event.
session\_uuid
string
The UUID of the session that created the event.
timestamp
string
The date and time of the sign-in attempt. Uses the RFC 3339 standard.
category
string
The category of the sign-in attempt. Possible values are:
"success"
"credentials\_failed"
"mfa\_failed"
"sso\_failed"
"modern\_version\_failed"
"firewall\_failed"
"firewall\_reported\_success"
type
string
Details about the sign-in attempt. Possible values are:
A location object that contains details about the geolocation of the client based on the client's IP address at the time the event was performed.
account\_uuid
(MSP accounts only)
string
The UUID of the account where the action was performed.
###### Details object schema
Name
Type
Description
value
string
The additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in. For example, in the event of a sign-in attempt blocked by firewall rules, the value is the country, continent, or IP address of the sign-in attempt.
###### UserV2 object schema
Name
Type
Description
uuid
string
The UUID of the user that accessed the item or attempted to sign in to the account.
name
string
The name of the user, hydrated at the time the event was generated.
email
string
The email address of the user, hydrated at the time the event was generated.
user\_type
(MSP accounts only)
string
The type of user who performed the action (internal or external). Possible values are:
user
external\_user
user\_account\_uuid
(MSP accounts only)
string
The UUID of the user's account.
###### Client object schema
Name
Type
Description
app\_name
string
The name of the 1Password app the item was accessed from.
app\_version
string
The version number of the app.
platform\_name
string
The name of the platform the item was accessed from.
platform\_version
string
The version of the browser or computer where 1Password is installed or the CPU of the machine where the 1Password command-line tool is installed.
os\_name
string
The name of the operating system the item was accessed from.
os\_version
string
The version of the operating system the item was accessed from.
ip\_address
string
The IP address the item was accessed from.
###### Location object schema
Name
Type
Description
country
string
The country where the sign-in attempt was made.
region
string
The region where the sign-in attempt was made.
city
string
The city where the sign-in attempt was made.
longitude
number
A coordinate that specifies the longitudinal location where the sign-in attempt was made.
latitude
number
A coordinate that specifies the latitudinal location where the sign-in attempt was made.
# Retrieves audit events for actions performed by team members within a 1Password account
Source: https://www.1password.dev/events-api/reference/audit-events
/openapi/events_api.yaml post /api/v2/auditevents
This endpoint requires your JSON Web Token to have the *auditevents* feature.
# Performs introspection of the provided Bearer JWT token
Source: https://www.1password.dev/events-api/reference/introspect
/openapi/events_api.yaml get /api/v2/auth/introspect
# Retrieves events for each usage of an item stored in a shared vault within a 1Password account
Source: https://www.1password.dev/events-api/reference/items-usage
/openapi/events_api.yaml post /api/v2/itemusages
This endpoint requires your JSON Web Token to have the *itemusages* feature.
# Retrieves events for both successful and failed attempts to sign into a 1Password account
Source: https://www.1password.dev/events-api/reference/sign-in-attempt
/openapi/events_api.yaml post /api/v2/signinattempts
This endpoint requires your JSON Web Token to have the *signinattempts* feature.
# Request headers
Source: https://www.1password.dev/events-api/request-headers
Requests to the Events API must include the correct header(s):
* `Authorization`: Each GET and POST request to the Events API must be [authorized with a bearer token](/events-api/authorization/) scoped to access event data for that feature. You'll include your token in the authorization header.
* `Content-Type`: Each POST request requires a `Content-Type` header to indicate the media type of the resource being sent in the request body. All data for the Events API is sent and received as JSON, so you'll need to specify `application/json` as the content type. GET requests don't contain a request body and therefore don't require this header.
An example of a request header:
```
Authorization: Bearer YOUR_BEARER_TOKEN
Content-type: application/json
```
# Request methods
Source: https://www.1password.dev/events-api/request-methods
The Events API accepts the following standard HTTP request methods:
* GET requests to the [`introspect`](/events-api/reference#get-%2Fapi%2Fv2%2Fauth%2Fintrospect) endpoint return information about the events a bearer token has access to and the account where the token was issued.
* POST requests to the [`auditevents`](/events-api/reference#post-%2Fapi%2Fv2%2Fauditevents), [`itemusages`](/events-api/reference#post-%2Fapi%2Fv2%2Fitemusages), and [`signinattempts`](/events-api/reference#post-%2Fapi%2Fv2%2Fsigninattempts) endpoints return information about various activities in a 1Password account. Depending on which endpoint is called, the request returns one of the following:
* Successful and failed attempts to sign in to a 1Password account.
* Information about every use of an item stored in a shared vault in the account.
* Audit events for actions performed by team members in the account.
# Servers and base URLs
Source: https://www.1password.dev/events-api/servers
The API service ID (`events`) and the server that hosts your 1Password account form the base URL you'll use for the API endpoints.
| If your account is hosted on: | Your base URL is: |
| ----------------------------- | ---------------------------------- |
| `1password.com` | `https://events.1password.com` |
| `ent.1password.com` | `https://events.ent.1password.com` |
| `1password.ca` | `https://events.1password.ca` |
| `1password.eu` | `https://events.1password.eu` |
# HTTP status codes
Source: https://www.1password.dev/events-api/status-codes
Calls to the 1Password Events API may return the following HTTP status codes:
| Code | Message | Description / Recommended action |
| ----- | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `200` | OK | The request was successful and the server returned a JSON object or an array of objects.
Recommended action: No action is required. |
| `400` | Bad Request | The server could not understand the request due to invalid syntax.
Recommended action: Check the [API reference](/events-api/reference/) and documentation [about the API](/events-api/introduction/) to make sure your request is properly formatted. |
| `401` | Unauthorized | Authentication has failed or wasn't provided.
Recommended action: Check that your request includes the [`Authorization` header](/events-api/request-headers/), and make sure your bearer token is valid and scoped to access the requested resource. [Learn more about authorizing API requests.](/events-api/authorization/) |
| `429` | Too Many Requests | The rate limit has been exceeded.
Recommended action: Wait until the applicable rate-limit window (per-minute or per-hour) resets, then try again. [Learn more about Events API rate limits.](/events-api/rate-limits) |
| `500` | Internal Server Error | The server encountered an unexpected condition that prevented it from fulfilling the request.
Recommended action: Retry your request after a brief wait. If the issue persists, check the [1Password status page](https://status.1password.com/) to verify the Events API service is operational, or [contact 1Password Support](https://support.1password.com/contact/) for help. |
# 1Password integrations
Source: https://www.1password.dev/integrations
Use integrations to securely access secrets from 1Password in your development workflows.
Interact with your 1Password Connect deployment from Ansible playbooks. Create, read, update, and delete 1Password vaults and items.
Use 1Password Connect with AWS Fargate, so you can leverage Amazon Elastic Container Service (ECS) to run containers without the need to manage clusters.
Point AI coding assistants, chatbots, and agents to 1Password documentation for accurate context when building integrations.
Securely access secrets in your CI/CID pipelines with CircleCI, GitHub Actions, and Jenkins.
Use hooks to validate 1Password configurations and integrations in supported agents and IDEs like Cursor and GitHub Copilot, preventing errors and security vulnerabilities.
Integrate 1Password with Kubernetes Secrets Injector, Kubernetes Operator, or Helm charts.
Securely load API keys and other secrets stored in 1Password into Postman without exposing any secrets in plaintext.
Use the 1Password provider for Pulumi to access and manage items in your 1Password vaults.
Dynamically import Secrets from 1Password into your Environment. The provider will return a map of names to Secrets.
Reference, create, or update items in your vaults with a Connect server or service account.
Integrate your VS Code development workflow with 1Password.
# 1Password Helm charts
Source: https://www.1password.dev/k8s/helm
Helm is a tool that helps you manage Kubernetes applications through specification files called Helm charts. Helm charts define a Kubernetes application and make it easy to share, install, and upgrade. Refer to [Helm ](https://helm.sh) to learn more.
The 1Password Helm charts allow you to use Helm to deploy a [Secrets Automation workflow](/secrets-automation/). 1Password offers two Helm charts:
* The [1Password Connect and Kubernetes Operator Helm chart ](https://github.com/1Password/connect-helm-charts/blob/main/charts/connect) runs a Connect server by itself or alongside the Kubernetes Operator.
* The [1Password Secrets Injector Helm chart ](https://github.com/1Password/connect-helm-charts/blob/main/charts/secrets-injector) runs the Kubernetes Secrets Injector, which works with both service accounts and Connect servers.
See the following comparison table to learn which Helm chart is right for the environment you want to run.
| Environment | Connect and Operator | Secrets Injector |
| ------------------------------------------------ | -------------------- | ---------------- |
| Connect server (without the Kubernetes Operator) | Yes | No |
| Connect server and the Kubernetes Operator | Yes | No |
| Kubernetes Injector | No | Yes |
### Requirements
Make sure you complete the requirements for the Helm chart you intend to use before continuing.
Before you use the 1Password Connect and Operator Helm chart, make sure you:
### Deployment
The deployment process for the 1Password Helm charts depends on multiple factors, including:
* The type of secrets automation workflow.
* Whether you want to use the Kubernetes Operator, the Kubernetes Injector, or neither.
There are multiple ways to use the Helm chart for 1Password Connect and the Kubernetes Operator. Select one to get started:
1. [Deploy a Connect server.](/connect/get-started/?deploy=kubernetes#step-2-deploy-1password-connect-server)
2. [Deploy a Connect server and the Kubernetes Operator.](/k8s/operator/?requirements=deploy-with-helm\&deployment=helm#deployment)
3. [Deploy the Kubernetes Operator.](/k8s/operator/?requirements=deploy-with-helm\&deployment=helm#deployment)
There are two ways to use the 1Password Connect and Operator Helm chart. Select one to get started:
1. [Deploy the Kubernetes Secrets Injector for a Connect server.](/k8s/injector/?workflow-type=connect#deployment)
2. [Deploy the Kubernetes Secrets Injector for a service account.](/k8s/injector/?workflow-type=service-account#deployment)
### Configuration
See the [Helm chart configuration values reference](/k8s/helm/) documentation.
# Helm chart configuration
Source: https://www.1password.dev/k8s/helm-config
This page documents the configuration options for the 1Password Helm charts:
* [Connect and Operator Helm chart](#connect-and-operator-helm-chart)
* [Secrets Injector Helm chart](#secrets-injector-helm-chart)
## Connect and Operator Helm chart
The 1Password Connect and Operator Helm chart allows you to use Helm to deploy [Connect](/connect/get-started/), the [Kubernetes Operator](/k8s/operator/), or both.
You can override configuration values in a chart with the `helm install` command using either the `--values` flag or the `--set` flag. You can also force a string value with the `--set-string` flag.
For example, the following code block shows how to use the `--set` flag to set the `connect.applicationName` configuration value:
```shell theme={null}
helm install --set connect.applicationName=connect connect 1password/connect
```
Refer to the [official `helm install` documentation ](https://helm.sh/docs/helm/helm_install/) for more information.
By default, installing a 1Password Helm chart also installs the `OnePasswordItem` database operations for CRD (Custom Resource Definition).
If you don't want to install the `OnePasswordItem` custom resource definitions (CRD), run `helm install` with the [`--skip-crds` flag ](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-1-let-helm-do-it-for-you).
### Configuration options
The following table documents the available configuration options for the 1Password Connect and Operator Helm chart.
If you have a large configuration value, use `--set-file` to read the single large value from the file (instead of `--values` or `--set`).
For example:
```
$ helm install -f myvalues.yaml injector 1password/secrets-injector
```
| Key | Type | Default | Description |
| ------------------------------------- | ---------- | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `connect.create` | boolean | `true` | Denotes whether to deploy the 1Password Connect server. Set this value to `false` and `operator.create` to `true` to only deploy the Kubernetes Operator. See [Deploy without Connect](/k8s/operator?deployment-type=helm#helm-step-2). |
| `connect.replicas` | integer | `1` | The number of replicas to run the 1Password Connect deployment. |
| `connect.applicationName` | string | `"onepassword-connect"` | The name of 1Password Connect application. |
| `connect.host` | string | `"onepassword-connect"` | The name of 1Password Connect host. |
| `connect.api.imageRepository` | string | `"1password/connect-api` | The 1Password Connect API repository. |
| `connect.api.name` | string | `"connect-api"` | The name of the 1Password Connect API container. |
| `connect.api.resources` | object | `{}` | The resources requests/limits for the 1Password Connect API pod. |
| `connect.api.httpPort` | integer | `8080` | The port the Connect API is served on when not using TLS. |
| `connect.api.httpsPort` | integer | `8443` | The port the Connect API is served on when using TLS. |
| `connect.api.logLevel` | string | `info` | The log level of the Connect API container. Valid options are `trace`, `debug`, `info`, `warn`, and `error`. |
| `connect.credentials` | jsonString | | The contents of the `1password-credentials.json` file for Connect. You can set it by adding `--set-file connect.credentials=` to your `helm install` command. |
| `connect.credentials_base64` | string | | The base64-encoded contents of the `1password-credentials.json` file for Connect. You can use this instead of `connect.credentials` if supplying raw JSON to `connect.credentials` lead to issues. |
| `connect.credentialsKey` | string | `"1password-credentials.json"` | The key for the 1Password Connect credentials (stored in the credentials secret). The credentials must be encoded as a base64 string. |
| `connect.credentialsName` | string | `"op-credentials"` | The name of Kubernetes Secret containing the 1Password Connect credentials. |
| `connect.dataVolume.name` | string | `"shared-data"` | The name of the shared [volume ](https://kubernetes.io/docs/concepts/storage/volumes/) used between 1Password Connect containers. |
| `connect.dataVolume.type` | string | `"emptyDir"` | The type of shared [volume ](https://kubernetes.io/docs/concepts/storage/volumes/) used between 1Password Connect containers. |
| `connect.dataVolume.values` | object | `{}` | Describes the fields and values for the configuration of the shared [volume ](https://kubernetes.io/docs/concepts/storage/volumes/) for 1Password Connect. |
| `connect.imagePullPolicy` | string | `"IfNotPresent"` | The 1Password Connect API image pull policy. |
| `connect.ingress.annotations` | object | `{}` | The 1Password Connect [ingress ](https://kubernetes.io/docs/concepts/services-networking/ingress/) annotations. |
| `connect.ingress.enabled` | bool | `false` | Whether to enable 1Password Connect [ingress ](https://kubernetes.io/docs/concepts/services-networking/ingress/) traffic. |
| `connect.ingress.extraPaths` | list | `[]` | Additional [ingress ](https://kubernetes.io/docs/concepts/services-networking/ingress/) paths. |
| `connect.ingress.hosts[0].host` | string | `"chart-example.local"` | The 1Password Connect [ingress ](https://kubernetes.io/docs/concepts/services-networking/ingress/) hostname. |
| `connect.ingress.hosts[0].paths` | list | `[]` | The 1Password Connect [ingress ](https://kubernetes.io/docs/concepts/services-networking/ingress/) path. |
| `connect.ingress.ingressClassName` | string | `""` | Optionally use `ingressClassName` instead of a deprecated annotation. |
| `connect.ingress.labels` | object | `{}` | [Ingress ](https://kubernetes.io/docs/concepts/services-networking/ingress/) labels for 1Password Connect. |
| `connect.ingress.pathType` | string | `"Prefix"` | Ingress [PathType ](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types). |
| `connect.ingress.tls` | list | `[]` | [Ingress TLS ](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls). |
| `connect.nodeSelector` | object | `{}` | The [Node selector ](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the Connect pod. |
| `connect.probes.readiness` | boolean | `true` | Denotes whether the 1Password Connect API readiness probe operates and ensures the pod is ready before serving traffic. |
| `connect.probes.liveness` | boolean | `true` | Denotes whether Kubernetes continually checks the 1Password Connect API for liveness and restarts if the pod becomes unresponsive. |
| `connect.annotations` | object | `{}` | Additional [annotations ](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the Connect API deployment resource. |
| `connect.labels` | object | `{}` | Additional [labels ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to add to the Connect API deployment resource. |
| `connect.podAnnotations` | object | `{}` | Additional [annotations ](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to be added to the Connect API pods. |
| `connect.podLabels` | object | `{}` | Additional [labels ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to be added to the Connect API pods. |
| `connect.serviceType` | string | `NodePort` | The type of Service resource to create for the Connect API and Connect Sync services. |
| `connect.serviceAnnotations` | object | `{}` | Additional [annotations ](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to be added to the service. |
| `connect.sync.imageRepository` | string | `"1password/connect-sync"` | The 1Password Connect Sync repository. |
| `connect.sync.name` | string | `"connect-sync"` | The name of the 1Password Connect Sync container. |
| `connect.sync.resources` | object | `{}` | The resources requests/limits for the 1Password Connect Sync pod. |
| `connect.sync.httpPort` | integer | `8081` | The port serving the health of the Connect Sync container. |
| `connect.sync.logLevel` | string | `info` | The log level of the Connect Sync container. Valid options are `trace`, `debug`, `info`, `warn`, and `error`. |
| `connect.tls.enabled` | boolean | `false` | Denotes whether the Connect API is secured with TLS. |
| `connect.tls.secret` | string | `"op-connect-tls"` | The name of the secret containing the TLS key (`tls.key`) and certificate (`tls.crt`). |
| `connect.tolerations` | list | `[]` | A list of tolerations to be added to the Connect API pods. |
| `connect.version` | string | `{{.Chart.AppVersion}}` | The 1Password Connect version to pull. |
| `operator.autoRestart` | boolean | `false` | Denotes whether the Kubernetes Operator automatically restarts deployments based on associated updated secrets. See [Automatic redeployment](/k8s/operator#enable-auto-redeployment). |
| `operator.create` | boolean | `false` | Denotes whether to deploy the Kubernetes Operator. You can set this to `false` to only deploy Connect. |
| `operator.imagePullPolicy` | string | `"IfNotPresent"` | The Kubernetes Operator image pull policy. |
| `operator.imageRepository` | string | `"1password/onepassword-operator"` | The Kubernetes Operator repository. |
| `operator.nodeSelector` | object | `{}` | [Node selector ](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the Kubernetes Operator pod. |
| `operator.annotations` | object | `{}` | Additional [annotations ](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the Kubernetes Operator deployment resource. |
| `operator.labels` | object | `{}` | Additional [labels ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to be added to the Operator deployment resource. |
| `operator.logLevel` | string | `info` | The log level of the Kubernetes Operator container. Valid options are: `debug`, `info`, and `error`. |
| `operator.podAnnotations` | object | `{}` | Additional [annotations ](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) to add to the Kubernetes Operator pods. |
| `operator.podLabels` | object | `{}` | Additional [labels ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) to add to the Kubernetes Operator pods. |
| `operator.pollingInterval` | integer | `600` | The interval at which the Kubernetes Operator polls for secrets updates. |
| `operator.clusterRole.create` | boolean | `{{.Values.operator.create}}` | Denotes whether to create a cluster role for the Kubernetes Operator. |
| `operator.clusterRole.name` | string | `"onepassword-connect-operator"` | The name of the Kubernetes Operator [Cluster Role ](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). |
| `operator.clusterRoleBinding.create` | boolean | `{{.Values.operator.create}}` | Denotes whether to create a [ClusterRole binding ](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Kubernetes Operator Service Account. |
| `operator.roleBinding.create` | boolean | `{{.Values.operator.create}}` | Denotes whether to create a role binding for each Namespace for the Kubernetes Operator Service Account. |
| `operator.roleBinding.name` | string | `"onepassword-connect-operator"` | The name of the Kubernetes Operator Role Binding. |
| `operator.serviceAccount.annotations` | object | `{}` | The [annotations ](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) for the 1Password Connect Service Account. |
| `operator.serviceAccount.create` | boolean | `{{.Values.operator.create}}` | Denotes whether to create a [Service Account](/service-accounts/get-started/) for the Kubernetes Operator. |
| `operator.serviceAccount.name` | string | `"onepassword-connect-operator"` | The name of the Kubernetes Operator. |
| `operator.tolerations` | list | `[]` | A list of tolerations to add to the Kubernetes Operator pods. |
| `operator.version` | string | `"1.8.0"` | The Kubernetes Operator version to pull. It defaults to the latest version. |
| `operator.token.key` | string | `"token"` | The key for the 1Password Connect token (stored in the 1Password token secret). |
| `operator.token.name` | string | `"onepassword-token"` | The name of Kubernetes Secret containing the 1Password Connect API token. |
| `operator.token.value` | string | `"onepassword-token"` | An API token generated for 1Password Connect to be used by the Kubernetes Operator. |
| `operator.watchNamespace` | list | `[]` | A list of namespaces for the Kubernetes Operator to watch and manage. Use the empty list to watch all namespaces. |
| `operator.resources` | object | `{}` | The resources requests/limits for the Kubernetes Operator pod. |
## Secrets Injector Helm chart
The 1Password Secrets Injector Helm chart allows you to use Helm to deploy the [Kubernetes Secrets Injector](/k8s/injector/).
You can override configuration values in a chart with the `helm install` command using either the `--values` flag or the `--set` flag. You can also force a string value with the `--set-string` flag.
For example, the following code block shows how to use the `--set` flag to set the `injector.applicationName` configuration value:
```shell theme={null}
helm install --set injector.applicationName=injector injector 1password/secrets-injector
```
Refer to the [official `helm install` documentation ](https://helm.sh/docs/helm/helm_install/) for more information.
### Configuration options
The following table documents the available configuration options for the Secrets Injector Helm chart.
If you have a large configuration value, use `--set-file` to read the single large value from the file (instead of `--values` or `--set`).
For example:
```
$ helm install -f myvalues.yaml injector 1password/secrets-injector
```
| Key | Type | Default | Description |
| -------------------------- | ------- | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `injector.applicationName` | string | `"secrets-injector"` | The name of 1Password Kubernetes Secrets Injector Application. |
| `injector.imagePullPolicy` | string | `"IfNotPresent"` | The 1Password Secrets Injector Docker image policy. `"IfNotPresent"` means the image is pulled only if it is not already present locally. |
| `injector.imageRepository` | string | `"1password/kubernetes-secrets-injector"` | The 1Password Secrets Injector docker image repository. |
| `injector.port` | string | `443` | The port the Secrets Injector exposes. |
| `injector.targetPort` | integer | `8443` | The port the Secrets Injector API sends requests to the pod. |
| `injector.version` | string | `{{.Chart.AppVersion}}` | The 1Password Secrets Injector version to pull. |
# Kubernetes Injector
Source: https://www.1password.dev/k8s/injector
The 1Password Kubernetes Secrets Injector implements a mutating webhook that allows you to inject 1Password secrets using a [service account](/service-accounts/) or a [Connect server](/connect/) to authenticate to 1Password.
Unlike the 1Password [Kubernetes Operator](/k8s/operator/), the Secrets Injector doesn't create a Kubernetes Secret when assigning secrets to your resource. See [Kubernetes integrations](/k8s/integrations/) to compare the Kubernetes Operator and the Kubernetes Injector.
Learn how to use the Kubernetes Secrets Injector with a 1Password Service Account.
## Requirements
Before using the Kubernetes Injector, make sure you:
* [Sign up for 1Password](https://1password.com/pricing/password-manager).
* Have a Kubernetes deployment. You can also use [minikube ](https://minikube.sigs.k8s.io/docs/start/) to test locally.
* Create either a [service account](/service-accounts/get-started/) or a [Connect server](/connect/get-started/#step-1) to authenticate to 1Password.
## Limitations
There are some limitations and nuances to consider about the Kubernetes Injector. For example:
* The Kubernetes Injector requires deployment specifications to use the `command` field.
* Secrets aren't available to all a container's sessions by default.
### The `command` field
The Kubernetes Secrets Injector works by changing the `command` value on initialization. As a result, the pod you want to inject secrets into must have a `command` value defined in its [deployment specification ](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) file (as shown in the following code block).
See the `command` field in the code block below. In this example, a 1Password Service Account injects secrets into the application run by `npm` `start`.
```yaml deployment-specification.yaml theme={null}
spec:
containers:
- name: app-example1
image: my-image
ports:
- containerPort: 5000
command: ["npm"]
args: ["start"]
env:
- name: OP_SERVICE_ACCOUNT_TOKEN
valueFrom:
secretKeyRef:
name: op-service-account
key: token
- name: DB_USERNAME
value: op://my-vault/my-item/sql/username
- name: DB_PASSWORD
value: op://my-vault/my-item/sql/password
```
If the deployments you're using aren't designed to have a command field specified in the deployment, then the 1Password [Kubernetes Operator](/k8s/operator/) might be a better fit for your use case.
### Session availability
Injected secrets are available only in the current pod's session. You can only access the secrets for the command listed in the container specification. To access it in any other session, for example, using `kubectl`, it's necessary to prepend `op run --` to the command.
In the [service account example deployment specification](#usage-examples), the app-example1 container will have injected the `DB_USERNAME` and `DB_PASSWORD` values in the session executed by the command `npm start`.
Another way to have secrets available in all sessions for a container is by using the [Kubernetes Operator](/k8s/operator/).
## Deployment
Use the following instructions to configure and deploy the Kubernetes Injector with your service account or Connect server and Kubernetes deployment.
Some strings used throughout the code examples on this page are variable and arbitrary. Other strings have specific meanings within the context of 1Password.
The following strings used in the code examples on this page have very specific and hard-coded meanings within the context of 1Password:
* `OP_CONNECT_HOST`
* `OP_CONNECT_TOKEN`
* `OP_SERVICE_ACCOUNT_TOKEN`
The following strings used in the code examples on this page have are variables and don't have specific meanings within the context of 1Password:
* `DB_PASSWORD`
* `DB_USERNAME`
### Step 1: Enable secrets injection
Use kubectl to enable secrets injection by adding the `secrets-injection=enabled` label to your namespace (`NAMESPACE`)
. The Kubernetes Injector uses the `default` namespace unless you specify a custom namespace.
```shell theme={null}
kubectl label namespace NAMESPACE secrets-injection=enabled
```
### Step 2: Deploy the injector
Use the `kubectl apply` command to the deployment specification files. When you use manual deployment, you must apply each deployment specification file separately.
In the following example, `INJECTOR.yaml` is the name of the Kubernetes Injector deployment specification file and `CONNECT.yaml` is the name of the Connect deployment specification file.
```shell theme={null}
kubectl apply -f INJECTOR.yaml
kubectl apply -f CONNECT.yaml
```
To undeploy, use `kubectl delete`.
```shell theme={null}
kubectl delete -f INJECTOR.yaml
kubectl delete -f CONNECT.yaml
```
The commands in this example only deploy the Kubernetes Injector and Connect. They don't handle additional configuration you might need, like [permissions ](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/), [namespaces ](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/), and [custom resource definitions (CRD) ](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
You can deploy and configure the Kubernetes Injector in one command if you use the [1Password Secrets Injector Helm chart](/k8s/helm/).
The Kubernetes Injector creates the necessary [TLS certificate ](https://en.wikipedia.org/wiki/Public_key_certificate) for the webhook when it's deployed ([`deployment.yaml` ](https://github.com/1Password/kubernetes-secrets-injector/blob/main/deploy/deployment.yaml)). If you remove the Kubernetes Injector from the cluster, it automatically deletes the TLS certificate.
### Step 3: Annotate your deployment specification
Annotate your [Kubernetes deployment specification ](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) with `operator.1password.io/inject:` followed by a comma-separated list of the containers you want to mutate and inject secrets into.
1. Edit your deployment specification file and add the following annotation:
```yaml deployment-specification.yaml theme={null}
annotations:
operator.1password.io/inject: "app-example1, app-example2"
```
### Step 4: Configure the resource environment
Add an environment variable to your pod or [Kubernetes deployment specification ](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) with a value referencing your 1Password item using a [secret reference](/cli/secret-reference-syntax/).
1. Edit your deployment specification file and add an environment variable containing the path to the 1Password item. Make sure to replace `VAULT`
, `ITEM`, `SECTION`, and `FIELD` with the correct values.
```yaml deployment-specification.yaml theme={null}
env:
- name: DB_USERNAME
value: op://VAULT/ITEM[/SECTION]/FIELD
```
The value should look something like the text in the following code block:
```yaml deployment-specification.yaml theme={null}
env:
- name: DB_USERNAME
value: op://my-vault/sql/username
```
### Step 5: Add your 1Password credentials to your deployment
#### Step 5.1: Create a Kubernetes Secret with your authentication token
To authenticate to 1Password, you'll need to create a [Kubernetes Secret ](https://kubernetes.io/docs/concepts/configuration/secret/) that contains your service account or Connect server token.
You can pass your service account token to Kubernetes using the `kubectl create secret` command:
Your service account token is generated automatically during the service account creation process. If you lose the token, you must [create a new service account](/service-accounts/get-started/).
```shell theme={null}
kubectl create secret generic op-service-account --from-literal=token=YOUR_SERVICE_ACCOUNT_TOKEN
```
This creates a generic Secret named `op-service-account` with a key named `token` that contains your service account token.
You can pass your Connect server access token token to Kubernetes using the `kubectl create secret` command:
```shell theme={null}
kubectl create secret generic connect-token --from-literal=token=YOUR_CONNECT_TOKEN
```
This creates a generic Secret named `connect-token` with a key named `token` that contains your Connect server access token.
#### Step 5.2: Add the Secret to your Kubernetes deployment specification file
You can reference the Secret you created for your service account or Connect server token in your [Kubernetes deployment specification file ](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) using an environment variable. Kubernetes will automatically inject the authentication token into your pod or deployment when it starts.
Add an environment variable named `OP_SERVICE_ACCOUNT_TOKEN` to your deployment specification file, and set the `valueFrom` to reference the Kubernetes Secret you created in the previous step.
If you used a custom Secret or key name, make sure to update the example to use the appropriate name and key.
```yaml deployment-specification.yaml theme={null}
spec:
containers:
- name: app-example1
image: my-image
ports:
- containerPort: 5000
command: ["npm"]
args: ["start"]
env:
- name: OP_SERVICE_ACCOUNT_TOKEN
valueFrom:
secretKeyRef:
name: op-service-account
key: token
```
1. Add an environment variable named `OP_CONNECT_HOST` to your deployment specification file for your Connect server host. Set the `value` to the URL where your Connect server is deployed.
2. Add an environment variable named `OP_CONNECT_TOKEN`, and set the `valueFrom` to reference the Kubernetes Secret you created in the previous step. If you used a custom Secret or key name, make sure to update the example to use the appropriate name and key.
```yaml deployment-specification.yaml theme={null}
spec:
containers:
- name: app-example1
image: my-image
ports:
- containerPort: 5000
command: ["npm"]
args: ["start"]
env:
- name: OP_CONNECT_HOST
value: http://onepassword-connect:8080
- name: OP_CONNECT_TOKEN
valueFrom:
secretKeyRef:
name: connect-token
key: token
```
If you configure the Kubernetes Injector to authenticate with both a service account and a Connect server, the Connect server will take precedence.
## Usage examples
The following Kubernetes deployment specification files show what your deployment file should look like.
The following code block contains an example of a Kubernetes deployment specification YAML file setup to inject secrets using a 1Password Service Account. In this example, the Kubernetes Injector injects secrets into `APP_1`, but not `APP_2`.
```yaml deployment-specification.yaml theme={null}
apiVersion: apps/v1
kind: Deployment
metadata:
name: app-example
spec:
selector:
matchLabels:
app: app-example
template:
metadata:
annotations:
operator.1password.io/inject: APP_1
labels:
app: app-example
spec:
containers:
- name: APP_1
image: my-image
ports:
- containerPort: 5000
command: ["npm"]
args: ["start"]
env:
- name: OP_SERVICE_ACCOUNT_TOKEN
valueFrom:
secretKeyRef:
name: op-service-account
key: token
- name: DB_USERNAME
value: op://my-vault/my-item/sql/username
- name: DB_PASSWORD
value: op://my-vault/my-item/sql/password
- name: APP_2
image: my-image
ports:
- containerPort: 5000
command: ["npm"]
args: ["start"]
env:
- name: DB_USERNAME
value: op://my-vault/my-item/sql/username
- name: DB_PASSWORD
value: op://my-vault/my-item/sql/password
```
The following code block contains an example of a Kubernetes deployment specification YAML file setup to inject secrets using a 1Password Connect Server. In this example, the Kubernetes Injector injects secrets into `APP_1`, but not `APP_2`.
```yaml deployment-specification.yaml theme={null}
apiVersion: apps/v1
kind: Deployment
metadata:
name: app-example
spec:
selector:
matchLabels:
app: app-example
template:
metadata:
annotations:
operator.1password.io/inject: APP_1
labels:
app: app-example
spec:
containers:
- name: APP_1
image: my-image
ports:
- containerPort: 5000
command: ["npm"]
args: ["start"]
env:
- name: OP_CONNECT_HOST
value: http://onepassword-connect:8080
- name: OP_CONNECT_TOKEN
valueFrom:
secretKeyRef:
name: connect-token
key: token-value
- name: DB_USERNAME
value: op://my-vault/my-item/sql/username
- name: DB_PASSWORD
value: op://my-vault/my-item/sql/password
- name: APP_2
image: my-image
ports:
- containerPort: 5000
command: ["npm"]
args: ["start"]
env:
- name: DB_USERNAME
value: op://my-vault/my-item/sql/username
- name: DB_PASSWORD
value: op://my-vault/my-item/sql/password
```
# Kubernetes integrations
Source: https://www.1password.dev/k8s/integrations
You can use Kubernetes integrations to deploy a [1Password Connect Server](/connect/) or a [1Password Service Account](/service-accounts/) to a Kubernetes cluster.
1Password offers multiple Kubernetes integrations, including the [Kubernetes Secrets Injector](#kubernetes-injector), the [Kubernetes Operator](#kubernetes-operator), and [Helm charts](#1password-helm-charts) (which support both the Kubernetes Injector and the Kubernetes Operator). The best integration option depends on your unique environment.
## Comparison
Both the Kubernetes Injector and the Kubernetes Operator work by allowing you to inject secrets from 1Password into a Kubernetes environment. However, they vary slightly based on your intended use case and their requirements.
The 1Password Helm charts allow you to more easily deploy a Connect server, the Kubernetes Operator, or the Kubernetes Injector.
Refer to the following table to learn the differences between the integrations.
| **Feature** | [**Kubernetes Injector**](#kubernetes-injector) | [**Kubernetes Operator**](#kubernetes-operator) |
| ----------------------------------------------------------- | ----------------------------------------------- | ----------------------------------------------- |
| Supports service accounts | Yes | Yes |
| Supports Connect servers | Yes | Yes |
| Allows for granular selection of secrets | Yes | No |
| Uses Kubernetes Secrets | No | Yes |
| Injects 1Password items directly into Kubernetes pods | Yes | No |
| Works with multiple credentials simultaneously | Yes | No |
| Supports automatic redeployment when 1Password items change | No | Yes |
| Requires a Connect token to deploy | No | Yes |
### Kubernetes Injector
The 1Password Kubernetes Secrets Injector implements a mutating webhook that allows you to inject 1Password secrets as environment variables into a Kubernetes pod or deployment. You can use the Kubernetes Injector with [Connect servers](/connect/) or [service accounts](/service-accounts/).
Get started with the Kubernetes Injector
### Kubernetes Operator
The 1Password Connect Kubernetes Operator integrates [Kubernetes Secrets ](https://kubernetes.io/docs/concepts/configuration/secret/) with 1Password with one or more Connect servers or service accounts. It allows you to:
* Create Kubernetes Secrets from 1Password items and load them into Kubernetes deployments.
* Automatically restart deployments when 1Password items update.
Get started with the Kubernetes Operator
### 1Password Helm charts
[Helm ](https://helm.sh/) is a tool that helps you manage Kubernetes applications through specification files called Helm charts. Helm charts define a Kubernetes application and make it easy to share, install, and upgrade.
The official 1Password Helm charts allow you to create a Secrets Automation workflow deployment using a predefined specification.
Get started 1Password Helm charts
# Kubernetes Operator
Source: https://www.1password.dev/k8s/operator
The 1Password Connect Kubernetes Operator integrates [Kubernetes Secrets ](https://kubernetes.io/docs/concepts/configuration/secret/) with 1Password with one or more Connect servers. It allows you to:
* Create Kubernetes Secrets from 1Password items and load them into Kubernetes deployments.
* Automatically restart deployments when 1Password items update.
## Requirements
Before using the Kubernetes Operator, make sure you finish the requirement steps. The requirements vary slightly depending on how you plan to deploy the Kubernetes Operator.
Before you can deploy the Kubernetes Operator with the 1Password Connect and Operator Helm chart, you must:
Have a Kubernetes deployment. You can also use minikube to test locally.
## Limitations
The Kubernetes Operator supports Connect servers and service accounts.
Additionally, the Operator doesn't allow you to select secrets granularly or use multiple credentials simultaneously. For a complete comparison of features and functionality, see [Kubernetes integrations](/k8s/integrations/).
## Deployment
There are two ways to deploy the Kubernetes Operator:
1. Using the 1Password Connect and Operator Helm chart.
2. Manually using a Kubernetes deployment specification file.
The recommended way to deploy the Kubernetes Operator is with Helm. Deploying manually is a much more involved and complicated process.
The following instructions cover deploying the Kubernetes Operator using the [1Password Connect and Operator Helm chart](/k8s/helm/).
You can use the 1Password Connect and Operator Helm chart to deploy the Kubernetes alongside Connect or without Connect.
### Step 1. Add the 1Password Helm chart repository
The following command adds the [1Password Helm chart repository ](https://github.com/1Password/connect-helm-charts) to your local instance of Helm. This allows you to download and install all charts from 1Password's GitHub repository.
```shell theme={null}
helm repo add 1password https://1password.github.io/connect-helm-charts/
```
Step 2. Install the Kubernetes Operator using Helm
You can use the 1Password Connect and Operator Helm chart to deploy the Kubernetes Operator with Connect or without Connect.
In most cases, it makes sense to deploy the Kubernetes Operator alongside Connect because it simplifies the setup and communication between Connect and the Operator. However, it might make more sense to deploy only the Kubernetes Operator if you already have a Connect deployment in production.
To install the Kubernetes Operator with Connect, use the following command. It deploys the Kubernetes Operator with a 1Password Connect server using the `1password-credentials.json` file.
```shell theme={null}
helm install connect 1password/connect --set-file connect.credentials=1password-credentials.json --set operator.create=true --set operator.token.value=OP_CONNECT_TOKEN
```
If you don't already have a Connect token, use the following command instead. Make sure to replace `SERVER` and `VAULT` with the correct values.
```shell theme={null}
helm install connect 1password/connect --set-file connect.credentials=1password-credentials.json --set operator.create=true --set operator.token.value=$(op connect token create --server SERVER --vault VAULT)
```
To install the Kubernetes Operator without Connect, set `operator.create` to `true` and `connect.create` to `false`.
```shell theme={null}
helm install connect 1password/connect --set operator.create=true --set operator.token.value= --set connect.create=false
```
If you don't already have a Connect token, use the following command instead. Make sure to replace `SERVER` and `VAULT` with the correct values.
```shell theme={null}
helm install connect 1password/connect --set operator.create=true --set operator.token.value=$(op connect token create --server SERVER --vault VAULT) --set connect.create=false
```
To install the Kubernetes Operator with a service account, set `operator.create` to `true`, `connect.create` to `false`, and `operator.authMethod` to `service-account`.
```shell theme={null}
helm install connect 1password/connect --set operator.create=true --set connect.create=false --set operator.authMethod=service-account --set operator.serviceAccountToken.value=
```
The following instructions cover deploying the Kubernetes Operator manually, using a [Kubernetes deployment specification ](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/).
1. [Create a deployment specification.](#manual-step-1)
2. [Create a Kubernetes Secret from the Connect server credentials.](#manual-step-2)
3. [Add the `MANAGE_CONNECT` environment variable.](#manual-step-3)
4. [Create a Kubernetes Secret for the Connect server token.](#manual-step-4)
5. [Deploy the Kubernetes Operator.](#manual-step-5)
Step 1: Create a deployment specification
1. Create a [Kubernetes deployment specification ](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) YAML file. You can use the example [`manager.yaml` ](https://github.com/1Password/onepassword-operator/blob/main/config/manager/manager.yaml) file from the Kubernetes Operator repository on GitHub.
You can also update an existing Kubernetes deployment specification to include the `1password/onepassword-operator` container image and options.
Step 2: Create a Kubernetes Secret from the Connect server credentials
1. Encode the `1password-credentials.json` file you generated when you created your Connect server and name it `FILE_NAME`.
```shell theme={null}
cat 1password-credentials.json | base64 | \ tr '/+' '_-' | tr -d '=' | tr -d '\n' > FILE_NAME
```
2. Use `kubectl` to create a Kubernetes Secret from the encoded `FILE_NAME` file.
```shell theme={null}
kubectl create secret generic op-credentials --from-file=FILE_NAME
```
Step 3: Add the `MANAGE_CONNECT` environment variable
1. Add the `MANAGE_CONNECT` environment variable to the Kubernetes Operator container (`onepassword-connect-operator`) in the deployment specification file and set it to `true`.
The `MANAGE_CONNECT` environment variable tells the Kubernetes Operator to automatically deploy a default configuration of the 1Password Connect server to the current namespace.
```yaml deployment-specification.yaml theme={null}
- name: MANAGE_CONNECT
value: "true"
```
Step 4: Create a Kubernetes Secret for the Connect server token
Create a Kubernetes Secret for your Connect server token. Replace `OP_CONNECT_TOKEN` with the Connect token string or an environment variable that contains the Connect token string.
```shell theme={null}
kubectl create secret generic onepassword-token --from-literal=token="OP_CONNECT_TOKEN"
```
If you don't already have a Connect server token for the Kubernetes Operator, you can use the following command to create a token and save it as a Kubernetes Secret.
```shell theme={null}
kubectl create secret generic onepassword-token --from-literal=token=$(op connect token create op-k8s-operator --server SERVER --vault VAULT)
```
Make sure to replace `SERVER` with the name (or ID) of the Connect server and `VAULT` with the name (or ID) of the vault.
Step 5: Deploy the Kubernetes Operator and Connect server
Finally, manually deploy the Kubernetes Operator by running `make deploy`.
You must clone the [Kubernetes Operator repository ](https://github.com/1Password/onepassword-operator) before you can manually deploy the Kubernetes Operator.
1. Clone the [Kubernetes Operator repository ](https://github.com/1Password/onepassword-operator).
2. Run `make deploy`.
Run the following command to check if the CRDs installed correctly:
```shell theme={null}
kubectl get crd onepassworditems.onepassword.com
```
To deploy the Kubernetes Operator with a service account, first [create a service account](/service-accounts/get-started/#create-a-service-account). Then follow these steps:
### 1. Create a Kubernetes secret for the service account
1. Set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable to the service account token you created in step 1. This token will be used by the Operator to access 1Password items.
2. Create a Kubernetes secret:
```shell theme={null}
kubectl create secret generic onepassword-service-account-token --from-literal=token="$OP_SERVICE_ACCOUNT_TOKEN"
```
### 2. Deploy the Operator
To use the Operator with a service account, you need to set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable in the `/config/manager/manager.yaml` file and remove the environment variables `OP_CONNECT_TOKEN` and `OP_CONNECT_HOST`.
To configure the 1Password Kubernetes Operator, the following environment variables can be set in the Operator YAML file:
* `OP_SERVICE_ACCOUNT_TOKEN` (required): Specifies a service account token within Kubernetes to access the 1Password items.
* `WATCH_NAMESPACE`: A comma-separated list of namespaces to watch for changes. The default is `watch all namespaces`.
* `POLLING_INTERVAL`: The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password. The default is `600`.
* `AUTO_RESTART`: If set to true, the Operator will restart any deployment using a secret from 1Password. This can be overwritten by a namespace, deployment, or individual secret. The default is `false`.
After you've set the environment variables, run the following command to deploy the Operator:
```shell theme={null}
make deploy
```
You can view a sample YAML file [in the onepassword-operator repository on GitHub. ](https://github.com/1Password/onepassword-operator/blob/main/config/manager/manager.yaml)
## Usage examples
Use the following usage examples to help you get started:
* [Create a Kubernetes Secret from a 1Password item](#kubernetes-secret-from-item)
* [Deploy with a single Kubernetes Secret](#deploy-single)
* [Ignore updates for a Kubernetes Secret](#ignore-updates)
* [Enable automatic redeployment](#enable-auto-redeployment)
* [Per Kubernetes Operator](#per-kubernetes-operator)
* [Per namespace](#per-namespace)
* [Per Kubernetes deployment](#per-kubernetes-deployment)
* [Per OnePasswordItem](#per-onepassworditem)
Create a Kubernetes Secret from a 1Password item
With the Kubernetes Operator deployed, you can create [Kubernetes Secrets ](https://kubernetes.io/docs/concepts/configuration/secret/) from 1Password items by creating a YAML file and then using `kubectl` to deploy it to your Kubernetes cluster.
The YAML file tells the Kubernetes Operator to create a Kubernetes Secret from a `OnePasswordItem` (a 1Password item) and specifies the item name and the path of the item.
1. Create a YAML file (`1password-item.yaml`) for the 1Password item using the following template. Replace `SECRET_NAME`, `VAULT`, and `ITEM` with the correct values for your 1Password item.
* Replace `SECRET_NAME` with the name to use to create the Kubernetes Secret.
* Replace `VAULT` with the name or ID of the vault.
* Replace `ITEM` with the ID or title of the 1Password item.
```yaml 1password-item.yaml theme={null}
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: SECRET_NAME
spec:
itemPath: "vaults/VAULT/items/ITEM"
```
2. Use `kubectl` to deploy the `1password-item.yaml` file.
```shell theme={null}
kubectl apply -f 1password-item.yaml
```
```shell theme={null}
kubectl get secret 1password-item.yaml
```
If you delete the 1Password item you created, the Kubernetes Operator automatically deletes the corresponding Kubernetes Secret.
Deploy with a single Kubernetes Secret
You can also create a single Kubernetes Secret for a Kubernetes deployment by adding specific metadata to the deployment specification file and then applying it.
1. Add the following annotations to the deployment specification file:
```yaml deployment-specification.yaml theme={null}
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-example
annotations:
operator.1password.io/item-path: "vaults/VAULT/items/ITEM"
operator.1password.io/item-name: "SECRET_NAME"
```
Replace `VAULT`, `ITEM`, and `SECRET_NAME`, with the correct values for your 1Password item.
* Replace `VAULT` with the name or ID of the vault.
* Replace `ITEM` with the ID or title of the 1Password item.
* Replace `SECRET_NAME` with the name to use to create the Kubernetes Secret.
2. Apply the YAML file. This creates a Kubernetes Secret named `SECRET_NAME` with the content from the 1Password item specified in the `operator.1password.io/item-path`.
```shell theme={null}
kubectl apply -f deployment-specification.yaml
```
Ignore updates for a Kubernetes Secret
The Kubernetes Operator automatically keeps Kubernetes Secrets in sync with the corresponding 1Password items.
If a 1Password Item linked to a Kubernetes Secret changes within the `POLLING_INTERVAL`, the associated Kubernetes Secret automatically updates.
You can prevent a specific Kubernetes Secret from updating by adding the annotation `operator.1password.io:ignore-secret` to the item stored in 1Password. While this annotation is in place, the Kubernetes Secret won't update when the associated 1Password item updates.
Enable automatic redeployment
The Kubernetes Operator supports automatic redeployment, which automatically restarts Kubernetes deployments when it detects that a 1Password item linked to a Kubernetes Secret has been updated. When enabled, the Kubernetes Operator restarts Kubernetes deployments that meet the following criteria each time the Connect server polls for updates:
* Its scope is configured to automatically restart.
* It's using a Kubernetes Secret linked to a 1Password item that's been updated.
You can configure automatic redeployment for different scopes:
* [Per Kubernetes Operator](#per-kubernetes-operator)
* [Per namespace](#per-namespace)
* [Per Kubernetes deployment](#per-kubernetes-deployment)
* [Per OnePasswordItem](#per-onepassworditem)
When you configure automatic deployment in a scope (such as per namespace), the configuration applies to all downstream scopes unless you explicitly specify a different configuration for the scope.
#### Per Kubernetes Operator
You can configure automatic redeployment per Kubernetes Operator, which includes all Kubernetes deployments within the namespaces watched by the Kubernetes Operator instance.
The Kubernetes Operator automatic redeployment setting is controlled by the `AUTO_RESTART` environment variable. By default, it's set to `false`. To enable automatic redeployment, set it to `true`.
#### Per namespace
You can configure automatic redeployment per namespace, which includes all Kubernetes deployments within the namespace.
* To turn on automatic redeployment for all Kubernetes deployments within a namespace, set the `operator.1password.io/auto-restart` annotation to `true`.
* To turn off automatic redeployment for all Kubernetes deployments within a namespace, set the `operator.1password.io/auto-restart` annotation to `false`.
Each namespace uses the Kubernetes Operator setting for automatic redeployment if you don't set the `operator.1password.io/auto-restart` annotation value.
The following code block shows an example namespace configuration with automatic redeployment enabled for all Kubernetes deployments within the namespace.
```yaml deployment-specification.yaml highlight={6} theme={null}
apiVersion: v1
kind: Namespace
metadata:
name: "example-namespace"
annotations:
operator.1password.io/auto-restart: "true"
```
#### Per Kubernetes deployment
You can configure automatic redeployment per individual Kubernetes deployment:
* To turn on automatic redeployment for a specific Kubernetes deployment, set the `operator.1password.io/auto-restart` annotation to `true`.
* To turn off automatic redeployment for a specific Kubernetes deployment, set the `operator.1password.io/auto-restart` annotation to `false`.
Each Kubernetes deployment uses the namespace setting for automatic redeployment if you don't set the `operator.1password.io/auto-restart` annotation value.
The following code block shows an example deployment configuration with automatic redeployment enabled.
```yaml deployment-specification.yaml highlight={6} theme={null}
apiVersion: v1
kind: Deployment
metadata:
name: "example-deployment"
annotations:
operator.1password.io/auto-restart: "true"
```
#### Per OnePasswordItem
You can configure automatic redeployment for a specific 1Password item (`OnePasswordItem`) custom resource:
* To turn on automatic redeployment for a specific 1Password item custom resource, set the `operator.1password.io/auto-restart` annotation value to `true`.
* To turn off automatic redeployment for a specific 1Password item custom resource, set the `operator.1password.io/auto-restart` annotation value to `false`.
Each 1Password item (`OnePasswordItem`) uses the Kubernetes deployment setting for automatic redeployment if you don't set the `operator.1password.io/auto-restart` annotation value.
The following code block shows an example of a 1Password item configuration with automatic redeployment enabled.
```yaml deployment-specification.yaml highlight={6} theme={null}
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: example
annotations:
operator.1password.io/auto-restart: "true"
```
## Behavior
The 1Password Kubernetes Connect Operator follows the Kubernetes Operator pattern. It uses Controllers, which provide a reconcile function that synchronizes resources until it reaches the desired cluster state.
Visit the Kubernetes documentation to learn more about the [Operator pattern ](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) and [Controllers ](https://kubernetes.io/docs/concepts/architecture/controller/).
The information in this section documents some of the behavior of the Kubernetes Operator in specific scenarios.
* [Deployment deletion](#deployment-deletion)
* [Fields storing files](#fields-storing-files)
* [Whitespace characters](#whitespace-characters)
### Deployment deletion
Deleting the Deployment you've created deletes the Kubernetes Secret deployment if all the following are true:
1. The deployment has the `operator.1password.io/item-path` and `operator.1password.io/item-name` annotations.
2. No other deployments are using the secret.
### Fields storing files
If a 1Password item field stores a file, the corresponding Kubernetes Secret uses the file's contents as the value. If a single 1Password item has a field storing a file and a field storing another type of data, the Kubernetes Operator prefers the non-file field and ignores the field containing a file.
### Whitespace characters
Titles and field names that include whitespace characters (or any other characters invalid for DNS subdomain names) result in the Kubernetes Operator changing the titles (or fields) in the following manner when creating Kubernetes Secrets:
* Remove invalid characters before the first alphanumeric character.
* Remove invalid characters after the last alphanumeric character.
* Replace whitespace characters between words with a dash (`-`).
* Convert letters to lowercase.
## Configuration
The following section describes the Kubernetes Operator (`1password/onepassword-operator`) container configuration options and their default values. The [example Kubernetes deployment specification file ](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data) shows these configuration values in context.
### Environment variables
| **Environment variable** | **Description** | **Required** | **Default value** |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `OP_CONNECT_HOST` | The hostname of the Connect server within Kubernetes. | Yes | `http://onepassword-connect:8080` |
| `WATCH_NAMESPACE` | A comma-separated list of namespaces to watch for changes. By default, it watches all namespaces. | No | default (watch all namespaces) |
| `POLLING_INTERVAL` | The number of seconds the Kubernetes Operator should wait before checking for updates from the Connect server. | No | `600` |
| `MANAGE_CONNECT` | Whether or not the Kubernetes Operator should deploy with the Connect server in the current namespace with the default configuration. | No | `false` |
| `AUTO_RESTART` | Whether or not the Kubernetes Operator should redeploy when it detects a secret change from the Connect server. You can overwrite this value by namespace, deployment, or individual secret. | No | `false` |
| `OP_CONNECT_TOKEN` | A reference to the Kubernetes Secret that contains your Connect server token. | Yes | [secretKeyRef ](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data) |
### Command arguments
| **Argument** | **Description** | **Default value** |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------ | ----------------- |
| `--zap-log-level` | Specify the logging level of detail for the Kubernetes Operator. The available options are `debug`, `info`, and `error`. | `debug` |
# 1Password Partnership API reference
Source: https://www.1password.dev/partnership-api/reference
You can use the 1Password Partnership API to manage the provisioning and deprovisioning of third-party partner billing accounts for your customers. The API supports partner billing accounts for 1Password individual and family accounts. The Partnership API doesn't support 1Password team or business accounts.
To work with the 1Password Partnership API in another tool, download the API specification file: [1password-partnership-api.yml](https://i.1password.com/media/1password-partnership-api/partnership-api.yml).
## Prerequisites
Before you can use the API to integrate with our partner billing service, you'll need to register as a 1Password partner. Registered partners are granted access to bearer tokens to authorize requests to the API billing servers.
To learn more about our partnership opportunities, visit the [1Password Partner Program website](https://1password.com/partnerships) or [contact the 1Password Partnerships team](mailto:partners@1password.com). If you're not a partner, reach out to your Customer Success Manager or the [1Password Sales team](https://1password.com/contact-us).
## Information about the API
The 1Password Partnership API is a REST-style API that follows the [OpenAPI 3.0 specifications](https://spec.openapis.org/oas/v3.0.3). All communication between clients and servers is over HTTPS.
You can use your preferred programming language and tools for testing and implementing the Partnership API. This reference uses [curl](https://curl.se/) on the command line to demonstrate example requests. You can replace the values in any request with your own to receive information about your customers' billing accounts.
### Request methods
You can use the following standard HTTP methods to make requests to the Partnership API:
* [POST](#create-a-billing-account): Create a third-party billing account for a customer through the partner billing service.
* [GET](#get-billing-account-information): Get details about a customer's billing account.
* [DELETE](#delete-a-billing-account): Delete a customer's third-party billing account from the partner billing service.
* [PATCH](#update-a-billing-account-end-date): Update the date and time a customer's billing account is scheduled be removed from the partner billing service.
Batch requests are not supported.
### Servers
There are two billing servers partners can use to work with the 1Password Partnership API that provide the base URLs of the API endpoints:
* **Test server** (`https://billing.b5test.eu`): Use the test server URL as the base for all requests in the test environment. You can provision and deprovision test partner billing accounts for all domains from the test server: **b5test.com**, **b5test.ca**, and **b5test.eu.**
* **Production server** (`https://billing.1password.com`): Use the production server URL as the base for all requests in the production environment. You can provision and deprovision partner billing accounts for all domains from the production server: **1password.com**, **1password.ca**, and **1password.eu**.
### Endpoints
Each request to the API starts with the base URL of the server environment you want to work with (test or production), followed by the path (`api/v1/partners/account`). Path parameters, indicated with curly braces (`{}`), are required where defined. For example:
```text Structure of an API endpoint theme={null}
//{parameters}
```
Replace the `base_URL` and `\{parameters}` placeholders with the server environment you're using and any path parameters specified for the request. The `path` is the same for all requests.
```text Example API endpoint without a path parameter theme={null}
https://billing.b5test.eu/api/v1/partners/accounts
```
```text Example API endpoint with a path parameter theme={null}
https://billing.1password.com/api/v1/partners/accounts/4266474b-6385-56d4-7b75-648096593064
```
### Authorization
When you register with the [1Password Partner Program](https://1password.com/partnerships), the Partnership team will provide you with bearer tokens you'll need to authorize your calls to the Partnership API.
You'll receive separate tokens to use with [the test and production environments](#servers). Make sure to use the token that has been authorized for the environment you're working in.
If you're a partner and need a new bearer token, [contact the 1Password Partnerships team](mailto:partners@1password.com). If you're not a partner, reach out to your Customer Success Manager or the [1Password Sales team](https://1password.com/contact-us) and let them know you need a new bearer token.
### Request headers
Requests to the Partnership API use three types of headers:
* **`Authorization`**: Each GET, POST, DELETE, and PATCH request to the Partnership API must be authorized with a [bearer token](#authorization).
* **`Content-Type`**: Each POST and PATCH request requires a header to indicate the media (MIME) type of the request body.
* **`Accept`**: Each GET, POST, and PATCH request to the Partnership API should include an accept header to indicate what kind of response the client can accept from the server.
All data is sent and received as JSON, so make sure to specify that in the headers.
```
Authorization: Bearer YOUR_BEARER_TOKEN
Content-type: application/json
Accept: application/json
```
If you're a partner and need a new bearer token, [contact the 1Password Partnerships team](mailto:partners@1password.com). If you're not a partner, reach out to your Customer Success Manager or the [1Password Sales team](https://1password.com/contact-us) and let them know you need a new bearer token.
### Request bodies
Request bodies (also called request payloads) contain the JSON-formatted data clients send to create (POST) or update (PATCH) resources on the servers. A request body consists of an object that may include one or more of the following fields, as indicated:
* **The unique identifier (UID) for the customer's billing account.** The UID is supplied by the partner. It can be up to 200 characters long with any combination of alphanumeric characters (`A-Z`, `a-z`, `0-9`), hyphens (`-`), and periods/dots (`.`) .
* **The 1Password account type.** Options are individual (`I`) or family (`F`). Team and business accounts aren't supported.
* **The domain the customer can use for their new or existing 1Password account.** For the test server, options are: `b5test.com`, `b5test.ca`, or `b5test.eu`. For the production server, options are: `1password.com`, `1password.ca`, or `1password.eu`.
* **The date and time the customer's billing account is scheduled to be removed.** The date cannot be in the past. Format the date, time, and optional timezone in the [ISO 8601 standard](https://www.iso.org/iso-8601-date-and-time-format.html).
GET and DELETE calls don't contain request bodies.
### Activation tokens
Activation tokens are used to provision customers to third-party billing by linking 1Password accounts to partner billing accounts.
Make a [POST call](#create-a-billing-account) to the Partnership API to create a new partner billing account for a customer and generate their unique activation token.
Append the token returned in the [POST response](#success-response) to a 1Password partnership redemption link to [create the customer's partner billing link](#create-a-link-for-customers). Then provide the customer with their link.
The link will direct the customer to a promotional page where they'll be instructed to create a new 1Password account or sign in to an existing one. The billing for the customer's 1Password account will then be linked to their partner billing account.
#### Create a link for customers
To create a partner billing link for a customer, adjust the 1Password partnership redemption link (`https://start.[1password_domain]/partnership/redeem`) to use the desired 1Password domain. Then append a query string with the required parameters for the account type and the activation token. You can also include an optional [language parameter](#language-codes).
```text Structure of a partner billing link for a 1Password account theme={null}
https://start.[1password_domain]/partnership/redeem?t={account_type}&c={activation_token}&l={language_code}
```
| Placeholder | Values | Required |
| --------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `[1password_domain]` | Possible values are `1password.com`, `1password.ca`, or `1password.eu`. | Yes |
| `\{account_type}` | Possible values are `individual` or `family`. | Yes |
| `\{activation_token}` | The value of the token returned in the [POST response](#success-response). For example: `4266474b-6385-56d4-7b75-648096593064`. | Yes |
| `\{language_code}` | Optional [language code](#language-codes) values are `en`, `de`, `es`, `fr`, `it`, `ja`, `ko`, `nl`, `pt-BR`, `ru`, `zh-Hans`, or `zh-Hant`. | No |
Replace the placeholders for the 1Password domain and the parameters with the appropriate values. For example:
```text Example partner billing link for an individual account on 1Password.eu with an optional language parameter theme={null}
https://start.1password.eu/partnership/redeem?t=individual&c=4266474b-6385-56d4-7b75-648096593064&l=de
```
```text Example partner billing link for a family account on 1Password.com with an optional language parameter theme={null}
https://start.1password.com/partnership/redeem?t=family&c=4266474b-6385-56d4-7b75-648096593064&l=en
```
If you're not sure which link(s) you need to create, [contact the 1Password Partnerships team](mailto:partners@1password.com) for help.
For customers with existing 1Password accounts, partner billing links will only work if their 1Password account type and domain are the same as the ones specified in the [POST request](#request).
Customers can [contact 1Password Support](https://support.1password.com/contact/) if they need help to change their existing [account type](https://support.1password.com/change-account-type/) or [region](https://support.1password.com/regions/#change-your-region).
#### Alternate partner billing link options
The Partnership API also supports some alternate options for partner billing links. Depending on the details of your partnership, you might prefer to create links for:
* [A new 1Password account only](#create-a-link-for-a-new-1password-account-only)
* [An existing 1Password account only](#create-a-link-for-an-existing-1password-account-only)
If you provide a customer with one of these links, they'll only be able to use it to link their partner billing account to either a new account or an existing account, respectively.
You can also create one link of each type and provide your customers with both so they can choose the option they need. However, creating a [single link](#create-a-link-for-customers) that allows for both options may be a better solution.
##### Create a link for a new 1Password account only
To create a partner billing link for a customer to use with a new 1Password account only, adjust the 1Password sign-up link (`https://start.[1password_domain]/sign-up/[account_type]`) to use the desired 1Password domain and account type. Then append a query string with the required activation token parameter. You can also include an optional [language parameter](#language-codes). For example:
```text Structure of a partner billing link for a new 1Password account theme={null}
https://start.[1password_domain]/sign-up/[account_type]?c={activation_token}&l={language_code}
```
Replace the [placeholders](#placeholder-reference) for the 1Password domain, account type, and the parameters with the appropriate values. For example:
```text Example partner billing link for a new individual account on 1Password.eu with an optional language parameter theme={null}
https://start.1password.eu/sign-up/individual?c=4266474b-6385-56d4-7b75-648096593064&l=de
```
```text Example partner billing link for a new family account on 1Password.com with an optional language parameter theme={null}
https://start.1password.com/sign-up/family?c=4266474b-6385-56d4-7b75-648096593064&l=en
```
##### Create a link for an existing 1Password account only
To create a partner billing link for a customer to use with an existing 1Password account only, adjust the 1Password account sign-in link (`https://my.[1password_domain]/partnership/link`) to use the desired 1Password domain. Then append a query string with the required activation token parameter. You can also include an optional [language parameter](#language-codes). For example:
```text Structure of a partner billing link for an existing 1Password account theme={null}
https://my.[1password_domain]/partnership/link?c={activation_token}&l={language_code}
```
Replace the [placeholders](#placeholder-reference) for the 1Password domain and the parameters with the appropriate values. For example:
```text Example partner billing link for an existing account on 1Password.com with an optional language parameter theme={null}
https://my.1password.com/partnership/link?c=4266474b-6385-56d4-7b75-648096593064&l=en
```
This link doesn't include an account type because it directs the customer to sign in to the 1Password account they already have.
##### Placeholder reference
| Placeholder | Values | Required |
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
| `[1password_domain]` | Possible values are `1password.com`, `1password.ca`, or `1password.eu`. | Yes |
| `[account_type]` | The account type is only used with links to [create a new 1Password account](#create-a-link-for-a-new-1password-account-only). Possible values are `individual` or `family`. | Yes
For new accounts only
|
| `\{activation_token}` | The value of the token returned in the [POST response](#success-response). For example: `4266474b-6385-56d4-7b75-648096593064`.
| Yes |
| `\{language_code}` | Optional [language code](#language-codes) values are `en`, `de`, `es`, `fr`, `it`, `ja`, `ko`, `nl`, `pt-BR`, `ru`, `zh-Hans`, or `zh-Hant`. | No |
Language code parameters
Language codes are an optional parameter that can be added to a [partner billing link](#create-a-link-for-customers) to take the customer to the appropriate landing page for that language. Customers will be directed to the default landing page (English) if no language parameter is included.
The following language codes can be used with the language parameter:
| Language | Code |
| -------- | ---- |
| English | `en` |
| Deutsch | `de` |
| Español | `es` |
| Français | `fr` |
| Italiano | `it` |
| 日本語 | `ja` |
| Language | Code |
| ---------- | --------- |
| 한국어 | `ko` |
| Nederlands | `nl` |
| Português | `pt-BR` |
| Русский | `ru` |
| 简体中文 | `zh-Hans` |
| 繁體中文 | `zh-Hant` |
## Create a billing account
```
POST /api/v1/partners/accounts
```
A POST call creates a new third-party billing account for a customer through the partner billing service and returns the [activation token](#activation-tokens) you'll use to create a partner billing link for the customer to complete provisioning.
### Path parameters
No path parameters.
### Request
Use the endpoint URL with your [bearer token](#authorization) and the required [request headers](#request-headers). Include an object as a [request body](#request-bodies) that contains:
* The customer's account UID.
* The eligible 1Password account type.
* The domain the customer can use for their new or existing 1Password account.
* (Optional) The date and time you want to remove the customer's account from the partner billing service. This value cannot be in the past. You can also update this field with [a PATCH request](#update-a-billing-account-end-date).
```shell highlight={7,8,9,10} theme={null}
curl --request POST \
--url https://billing.1password.com/api/v1/partners/accounts \
--header 'Authorization: Bearer YOUR_BEARER_TOKEN' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
"customer_account_uid": "4266474b-6385-56d4-7b75-648096593064",
"account_type": "F",
"domain": "1password.com",
"ends_at": "2024-08-31T13:00:00-05:00"
}'
```