1Password SaaS Manager API - 1Password Developer

The SaaS Manager public REST API lets you read and manage your applications, people, teams, contracts, devices, workflows and audit log programmatically. Resources are grouped by area. The conventions below apply across the whole API.

Regions and base URL

SaaS Manager is hosted in multiple regions. Choose a base URL for your tenant’s region from the Servers dropdown:

https://app.trelica.com (United States)
https://eu.trelica.com (Europe)

Endpoint URLs throughout this reference use whichever server you select.

Authentication

Every request must send an Authorization header carrying an OAuth 2.0 access token, prefixed with Bearer:

Authorization: Bearer <ACCESS_TOKEN>

Obtain a token using either the Client Credentials flow (machine-to-machine) or the Authorization Code flow (acting on behalf of a user). The scopes granted to your token determine which endpoints you may call. Learn more in scopes. Access tokens expire. When a token is missing, invalid, or expired, you’ll receive 401 Unauthorized. Inspect the WWW-Authenticate response header for detail. For example:

Bearer error="invalid_token", error_description="The token expired at '12/23/2020 10:27:15'"

If you used the Authorization Code flow with the offline_access scope, use your refresh token to obtain a new access token. A 403 Forbidden means the token is valid but lacks the scope required by the endpoint.

Dates and times

Dates and times are sent and returned in RFC 3339 format . For example, 2020-12-25 (midnight) or 2020-12-25T10:50:00Z. Field names ending in Dtm carry a meaningful time component, while field names ending in Date are date-only.

Optional fields and null

Responses omit fields that have no value, so you’ll see the field absent rather than returned as null. When creating or replacing a resource with PUT, any field you omit is cleared. With PATCH, omitting a field leaves it unchanged, whereas sending it as null clears it.

Pagination

List endpoints are paginated and return up to 100 results by default. You can request up to 1000 with the limit query parameter, though you may receive fewer than requested. Request the next page with the after query parameter, passing the opaque cursor token that SaaS Manager supplies. The response’s next field (and the link response header, rel="next") contains the full URL for the next page:

{
    "next": "https://app.trelica.com/api/people/v1?after=<TOKEN>&limit=100",
    "results": [ { /* ... */ } ]
}

Keep requesting pages until no further results are returned. User data returned over SCIM uses the SCIM startIndex/count pagination scheme instead.

Filtering

Many list endpoints accept a URL-encoded filter query parameter based on the SCIM filtering specification. A filter is one or more expressions (an attribute name, operator, or optional value) combined with and, or, not, and grouped with parentheses. Attribute names match the JSON returned and may use dot notation for nested attributes (for example, createdBy.email). For an attribute that is an array of objects, put a sub-expression in brackets so the item matches when any element satisfies it. For example, teams[name eq "Developers"] or teams[id eq "5f8d0a1b2c3d4e5f60718293"]. Values can be double-quoted strings, integers, double-quoted RFC 3339 dates, or booleans. Some list endpoints also accept a free-text q parameter that searches the resource’s displayable fields. Soft-deleted entities are excluded by default. You can include them with a filter that references deleted (for example, filter=deleted eq true).

Operator	Meaning	Behavior
`eq`	equal	Attribute value is identical to the operator value
`ne`	not equal	Attribute value differs from the operator value
`co`	contains	Attribute value contains the operator value text
`sw`	starts with	Attribute value starts with the operator value text
`ew`	ends with	Attribute value ends with the operator value text
`pr`	present	Attribute has a non-empty / non-null value
`gt`	greater than	Attribute value is greater than the operator value
`ge`	greater than or equal	Attribute value is greater than or equal to the operator value
`lt`	less than	Attribute value is less than the operator value
`le`	less than or equal	Attribute value is less than or equal to the operator value

For gt/ge/lt/le, strings compare lexicographically, dates chronologically, and numbers numerically. Each list endpoint documents the fields you can filter on. For example:

Filter	Result
`firstName sw "Jan"`	People whose first name starts with “Jan”
`teams[name eq "Developers"]`	People in the team called Developers
`not (leavingDate pr)`	People with no leaving date
`lastModifiedDtm ge "2021-06-01"`	Records modified on or after 1 June 2021

Errors

A 400 Bad Request indicates a problem with your request. The body is a problem-details object whereerrors maps each offending field to its messages, with title, status, a type URL, and an extensions.traceId for correlation:

{
    "errors": { "leavingDate": [ "Error converting value \"2020-40-40\" ..." ] },
    "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
    "title": "One or more validation errors occurred.",
    "status": 400,
    "extensions": { "traceId": "00-91e4405b...-00" }
}

If you see 500 Internal Server Error, contact saasmanager@1password.com with details of the request so we can investigate.

Scopes

Scopes define what an API app may do. Following the principle of least privilege, grant only the scopes you need. Each endpoint documents the scope(s) it requires.

Scope	Description
`Apps.Read`	Read-only access to applications
`Apps.Users.Read`	Read-only access to application accounts
`Apps.Write`	Write access to applications
`Assets.Read`	Read-only access to devices
`Assets.Write`	Write access to devices
`AuditLog.Read`	Read-only access to the audit log
`Contracts.Read`	Read-only access to contracts
`Contracts.Write`	Write access to contracts
`People.Read`	Read-only access to people and teams
`People.Write`	Write access to people and teams
`Users.Read`	Read-only access to users with access to SaaS Manager
`Users.Write`	Write access to users with access to SaaS Manager
`Workflows.Read`	Read-only access to workflow definitions
`Workflows.Runs.Read`	Read-only access to workflow runs
`Workflows.Runs.Execute`	Execute workflow run actions
`Workflows.Runs.ReadSecrets`	Read workflow run secrets
`offline_access`	Issue a refresh token alongside the access token (Authorization Code flow)

​Regions and base URL

​Authentication

​Dates and times

​Optional fields and null

​Pagination

​Filtering

​Errors

​Scopes