REMINDER: the community is in read-only mode until July 2nd. This is part of our platform upgrade! Learn more in the FAQs →
cli
898 TopicsBetter text editor with Find
We use 1Password heavily in build systems where we have configuration and credential files in 1Password that are pulled in by the build process. Once these text files are a few screens tall, it's bad to edit them in 1Password. You have to search to find the key you're supposed to edit, but Find in 1Password goes straight to the main Find. Therefore, we're in the crazy situation that we have to copy these files over into a text editor to edit them and then paste them back into 1Password, just to get a Find feature. This reduces our security dramatically, because there's no telling what disk caching any given text editor will do. So ironically, in our attempt to strengthen our security, we end up weakening it, all because it's impossible to properly edit long text records in 1Password. A Find feature inside the text would solve 90% of the problem. The font is absolutely massive when the text record is shown read-only in 1Password.19Views0likes0CommentsAllow environments to be assigned to groups
I was looking at the new Environments feature in preview. I think environments can only be assigned on a per-user basis. You can't assign a group to an environment. There were a couple of other things that made me think it might not be workable, like the inability to handle concurrency because it uses a FIFO. But the inability to assign groups is what stopped me from playing with it.90Views1like1Commentpre-commit hooks unable to access env variables with environments feature
Hi, We're trying to adopt the new Environments feature, which is working well overall. However, we've encountered an issue with pre-commit hooks not being able to access the required environment variables. Our pre-commit hooks require environment variables to be set. While the Environments feature itself functions correctly, the pre-commit hooks fail with an error indicating that the required environment variables are not available. This is blocking us from fully adopting the feature. Is this a known issue? We haven't found a workaround yet and would appreciate any guidance. Thanks!23Views0likes0Comments1password cli caching (vscode)
I have a credential I need to set in an environment (.env) for Python before running a program. This is all defined via vscode tasks. I switch between 'groups' of settings (ie multiple environment variables) by just copying a template to the .env file An example of one credential is: export GITHUB_PERSONAL_ACCESS_TOKEN=$(op --cache read --account https://my.ent.1password.com/ "op://Private/Github API token/password") When my python code is run (which loads .env) I get prompted for biometrics. That's fine, except that there is no caching ie I get prompted every time. The process being run is of course different each time. Note : I initially didn't have --cache specified, and have subsequently added it after seeing it mentioned here. Any suggestions on how to cache these approvals/credentials for a short while (my intent is not to materialise the actual password in a file at any point). Do I need to write my own helper process, or is there something suitable available in the api?241Views0likes3CommentsDevice-encrypted caching for op - fewer round-trips, no unlock prompt storms
I’m one of the creators of varlock. We build free and open source tools for secrets and configuration, including plugins for all the popular providers including 1Password. Since op CLI latency and repeated unlock prompts are two recurring pain points in this forum, I wanted to share something we just shipped specifically for 1Password users - and for ourselves, since we are 1Password users too! While varlock already adds validation and many other DX improvements on top of 1Password, we've now added a built-in cache that sits in front of op calls, so repeated secret loads don't keep hitting remote servers. There are already a few lightweight op cache wrappers out there, and while they help with speed, they generally give up op's session-scoped biometric unlock, and could leave plaintext secrets available in memory. We wanted the speed without sacrificing security. As an added bonus, our own “session” logic is a bit more flexible than op’s, and helps reduce spurious unlock prompts in cases where it feels unexpected - like parallel reads in turborepo, and non-TTY uses like claude/codex desktop apps. How it works Varlock loads secrets from a declarative .env.schema via its 1Password plugin. It supports both traditional vaults and the newer Environments. The plugin writes values to a secure cache, and subsequent reads will use the cache instead of extra roundtrips to 1Pass servers. On the first read, you’ll see the 1Password prompt (if using local desktop app auth via the CLI). The next read (which hits the cache) will show the varlock prompt. After that, no more prompts (in that session) until any of - call `varlock lock`, machine locks/sleeps, or inactivity timeout. If you'd rather not use Desktop app auth, you can use a service account token, and varlock will you encrypt and secure that too. The cache encrypts values at rest, keyed to your device (Secure Enclave + Touch ID on mac, Windows Hello / DPAPI on Windows, TPM2 on Linux). No plaintext secrets left lying around. If no hardware backend is available, it stays in-memory only for that run rather than writing plaintext to disk. This isn't a replacement for op - it's built on top of the CLI/sdk and 1Password stays the source of truth. We'd genuinely love feedback, especially from anyone who knows op's internals well. Happy to answer anything here. --- An example .env.schema - caching is enabled by the cacheTtl option # @defaultSensitive=false @defaultRequired=infer # @plugin(@varlock/1password-plugin) # Uses OP_TOKEN in CI/deployed envs, othewise use local app auth # @initOp(token=$OP_TOKEN, allowAppAuth=true, cacheTtl=1h) # --- # 1Password service account token. Set directly in CI/deployed env # @type=opServiceAccountToken @sensitive OP_TOKEN= # @sensitive XYZ_API_KEY=op("op://acmecorp-ci-secrets/xyz/api-key") XYZ_ACCOUNT_NAME=acmecorp # non-sensitive config can be hardcoded # ...40Views1like0CommentsCLI Slow Performance
I have the 1Password desktop app installed and up to date on my macBook Pro, the `op` CLI is also installed, up to date, and working properly. All expected CLI queries work but they are surprisingly slow. After a bunch of trial and error, it seems that it is making a round-trip online as part of every single CLI query. I added the --debug flag and I can see cache hits, but the round trip online is still occurring. Disabling the network interface causes all queries to fail. Is it possible to get the 1Password CLI working fully offline to avoid all of this unnecessary round-trip business? Surely with the desktop app installed and CLI integration turned on, there has to be a way to make efficient (and offline) use of my 1Password vaults. Otherwise automation tasks that require secrets are simply too cumbersome to handle with 1Password, and I will require a secondary solution. And in that case, I may as well give up on 1Password.1.2KViews3likes14CommentsFeature Request - MCP Limiting Controls
I really love using the MCP service with Claude CLI on my Mac, but it bothers me that it can somewhat easily see all my Vaults. Feature Request Please implement in the 1password App's MCP Settings: 1. Ability to toggle read access for individual vaults 2. Ability to toggle write access for individual vaults Mock-up Here's what I'd like in the 1Password App settings - This would be great for easing my mind specifically not that I don't accidentally give it keys to my kingdom (like the bank) (Props @ GPT and my ability to write a simple prompt) Failed Work-Around Attempt I tried creating another family member account in my family org and just shared the Vaults that I wanted my Claude to use with that, but the desktop app won't let me sign in to multiple accounts in the same org at the same time and I'm not really sure this would have been a good enough work-around for me anyway. The feature I'm requesting above would solve this perfectly. Successful Work-Around Attempt - But sucks So as it stands, the best that I guess I can do is login to my 1password desktop app with only to the dedicated account I made for Agentic access. This would not give any read-only support either, which is not epic.56Views0likes0CommentsFeature Request: Can we get a gh auth login style flow for the CLI?
Hi 1Password team, I’m hitting a major wall with the CLI when trying to use it with AI coding agents (like Claude Code, Cursor, or Linear Agents). Right now, op seems to assume that the person running the "op run" command is always sitting right there at a TTY with a keyboard. But when I’m running an agent in a headless container or a remote environment, the CLI just hangs because it’s waiting for a password or a biometric prompt that it can’t reach. I really don't want to use Service Accounts for this. Giving an autonomous agent a long-lived, static token feels like a massive security step backward. I want the agent to be able to "ask" me for permission. What I'm looking for: A way to do something like op login --browser. It would give me a URL/code (exactly like how aws sso login or the GitHub CLI works), I click it on my host machine, auth in my browser with TouchID, and the agent gets its session token. Are there any plans to support an OIDC-style "Device Authorization" flow?209Views3likes3CommentsSecurity concern with allowing Terminal complete access to my 1P account via op CLI
I have a shell script that uses 1Password secret reference: export EXAMPLE_API_KEY=$(op read "op://Vault-Name/Example API Token/Specific-Token/Token") But when it's loaded, I have to authorise the terminal/shell to have access to it (see screenshot) My concern is that it's giving the terminal/shell access to my entire account and all vaults within it when I only want to provide it with access to one entry within a single vault. What happens if I had a malicious script installed that scans for 1Password secret references across multiple files? The script might not be able to identify the "account" but it just needs the vault names. Then it can start to build up common names for identifying secrets stored within 1Password and try requesting them, and if I've already authorised the terminal/shell I won't see a popup notification and so the script would be free to access the secrets. Initially, I moved any secrets I use for development work into a separate vault, which I thought would help when it came to the terminal/shell requiring access via a 1Password secret reference because it would only have access to that specific vault (reducing the blast radius) but that's when I noticed it wasn't getting access to just the vault but the entire account. I'm not sure how much of an issue people think this is but it worries me. 1Password Version: 8.10.40 Extension Version: Not Provided OS Version: macOS 15.1 Browser: ChromeSolved927Views0likes12Comments