> ## Documentation Index
> Fetch the complete documentation index at: https://www.1password.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# 1Password SSH agent

export const Small = ({children}) => {
  return <small>{children}</small>;
};

The 1Password SSH agent uses the SSH keys you have saved in 1Password to seamlessly integrate with your Git and SSH workflows. It authenticates your Git and SSH clients without those clients ever being able to read your private key.

In fact, your private key never even leaves the 1Password app. The SSH agent works with the SSH keys stored in 1Password, but never without your consent. Only SSH clients you explicitly authorize will be able to use your SSH keys until 1Password locks.

Learn how to [turn on the 1Password SSH agent](/ssh/get-started/#step-3-turn-on-the-1password-ssh-agent) and [configure your SSH clients](/ssh/get-started/#step-4-configure-your-ssh-or-git-client).

## Requirements

<Tabs groupId="operating-systems">
  <Tab title="Mac">
    1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
    2. [Install and sign in to 1Password for Mac.](https://1password.com/downloads/mac)
    3. [Install the 1Password browser extension](https://1password.com/downloads/browser-extension) (optional).<br />
       <Small>Required to autofill SSH keys in your browser.</Small>
  </Tab>

  <Tab title="Windows">
    1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
    2. [Install and sign in to 1Password for Windows.](https://1password.com/downloads/windows)
    3. [Install the 1Password browser extension](https://1password.com/downloads/browser-extension) (optional).<br />
       <Small>Required to autofill SSH keys in your browser.</Small>
  </Tab>

  <Tab title="Linux">
    1. [Sign up for 1Password.](https://1password.com/pricing/password-manager)
    2. [Install and sign in to 1Password for Linux.](https://1password.com/downloads/linux)
    3. [Install the 1Password browser extension](https://1password.com/downloads/browser-extension) (optional).<br />
       <Small>Required to autofill SSH keys in your browser.</Small>

    <Warning>
      The 1Password SSH agent doesn't work with [Flatpak <Icon icon="arrow-up-right-from-square" />](https://flatpak.org/) or Snap Store installations of 1Password. To use the SSH agent, choose a different method to [install 1Password for Linux](https://support.1password.com/install-linux/).
    </Warning>
  </Tab>
</Tabs>

<Tip>
  For the best experience when using the 1Password SSH agent, you can configure [Touch ID](https://support.1password.com/touch-id-mac/), [Apple Watch](https://support.1password.com/apple-watch-mac/), [Windows Hello](https://support.1password.com/windows-hello/), or [system authentication](https://support.1password.com/system-authentication-linux/) to unlock 1Password and authenticate SSH key requests.
</Tip>

## Configuration

By default, the 1Password SSH agent will make every [eligible key](/ssh/agent/#eligible-keys) in the built-in [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault of your 1Password accounts available to offer to SSH servers. This configuration is automatically set up when you [turn on the SSH agent](/ssh/get-started/#step-3-turn-on-the-1password-ssh-agent).

If you need to use the SSH agent with keys saved in shared or custom vaults, you can create and customize an [SSH agent config file](/ssh/agent/config/) (`~/.config/1Password/ssh/agent.toml`) to override the default agent configuration.

If you have more than six SSH keys available in the agent, you can edit your SSH config file or use [SSH Bookmarks](/ssh/bookmarks/) to match your keys to specific hosts. This will help you avoid authentication failures with OpenSSH servers that limit the number of connection attempts. Learn more about the [SSH server six-key limit](/ssh/agent/advanced/#ssh-server-six-key-limit).

## Eligible keys

For the 1Password SSH agent to work with your SSH keys, your 1Password SSH key items must meet the following requirements. They must be:

* [Generated](/ssh/manage-keys/#generate-an-ssh-key) or [imported](/ssh/manage-keys/#import-an-ssh-key) using the `SSH Key` item type (which supports [`Ed25519` or `RSA`](/ssh/manage-keys/#supported-ssh-key-types) key types).
* Stored in the vaults [the SSH agent is configured to use](#configuration) in 1Password. By default, this is the [Personal](https://support.1password.com/1password-glossary/#personal-vault), [Private](https://support.1password.com/1password-glossary/#private-vault), or [Employee](https://support.1password.com/1password-glossary/#employee-vault) vault of any 1Password account you're signed in to.
* Active items (not archived or deleted).

Any key meeting these requirements will automatically be available in the SSH agent for authentication.
You will still be required to explicitly [authorize any request](/ssh/agent/security/#authorization-model) an SSH client makes to use your keys.

To see a list of all keys that the agent has available, [set the `SSH_AUTH_SOCK` environment variable](/ssh/get-started#step-4-configure-your-ssh-or-git-client) (Mac and Linux only) and run:

```shell theme={null}
ssh-add -l
```

## Learn more

* [Autofill public keys](/ssh/public-key-autofill/)
* [Manage SSH keys](/ssh/manage-keys/#generate-an-ssh-key)
* [Sign Git commits](/ssh/git-commit-signing)
* [Workflow: Secure your SSH & Git workflows](/get-started/secure-ssh-git-workflows)
