Skip to main content

Get started with 1Password CLI

Requirements

Supported shells: Bash, Zsh, sh, fish

*Required to integrate 1Password CLI with the 1Password app.

Install

  1. Install the 1password-cli cask from the 1Password tap:

  2. Check that 1Password CLI was installed successfully:

Beta builds

To download 1Password CLI beta builds, navigate to our downloads page and select "Show betas". On Linux, you can switch the channel from "stable" to "beta" when adding the 1Password repository in your package manager.

Sign in

1Password CLI integrates with the 1Password 8 desktop app so you can sign in on the command line with the accounts you've added to the 1Password app. Then you can authenticate your accounts with your fingerprint, face, Windows Hello PIN, Apple Watch, or device user password.

If you don't want to use 1Password CLI with the 1Password desktop app, or if you're using 1Password 7, learn how to sign in to your 1Password account manually instead.

Step 1: Turn on the 1Password app integration

To sign in to 1Password CLI with the accounts you've added to the 1Password 8 desktop app:

  1. Open and unlock the app.
  2. Click your account or collection at the top of the sidebar.
  3. Navigate to Settings > Developer.
  4. Select "Connect with 1Password CLI".
The 1Password Developer settings pane with the Connect with 1Password CLI option selected.The 1Password Developer settings pane with the Connect with 1Password CLI option selected.

Step 2: Turn on Touch ID

To authenticate 1Password CLI with your fingerprint, turn on Touch ID in the desktop app:

  1. Navigate to Settings > Security.
  2. Select Touch ID.

To authenticate with your Apple Watch, set up your Apple Watch to unlock 1Password.

If you don't want to use Touch ID or Apple Watch, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in.

The 1Password security pane with the Touch ID option selected.The 1Password security pane with the Touch ID option selected.

Step 3: Sign in to your account

Enter op signin to select an account to sign in to. Use the arrow keys to select an account, then hit enter. You'll be prompted to authenticate with your fingerprint.

To sign in to a different account, enter op signin again. You can also specify an account to sign in to with the --account flag or by setting the OP_ACCOUNT environment variable.

Usage

1Password CLI uses a noun-verb command structure that groups commands by topic rather than by operation.

The basic structure of a command starts with the 1Password program op, then the command name (noun), often followed by a subcommand (verb), then flags (which include additional information that gets passed to the command).

For example, to retrieve a list of all the items in your Private vault:

To get a list of all global commands and flags, run the following: ​

​ And to see the subcommands available for each command, use: ​

Basic commands

You can use 1Password CLI to work with items, users, vaults, and secrets.

Items

To get information about an item:

You'll see the item's ID, title, vault, when it was created, when it was last modified, the item's version, if it's marked as a favorite, the type of item it is, and the item's fields.

If an item name includes spaces or special characters, enclose it in quotes. For example:

See result...

To use op item get to retrieve specific fields, include the --fields flag followed by a comma-separated list, with the prefix label= before each field name. For example, to only retrieve the username and password for the item work email:

See result...

Learn more about working with items.

Users and groups

To get details about a user:

See result...

To list the users who belong to a group:

See result...

Learn more about working with users and groups.

Vaults

To create a new vault named Test:

To get details about an existing vault:

See result...

To list the vaults in an account:

See result...

Learn more about working with vaults.

Secrets

To insert a secret into an environment variable, config file, or script without putting the plaintext secret in code, use a secret reference that specifies where the secret is stored in your 1Password account:

Then, you can use op read, op run, or op inject to replace the secret reference with the actual secret at runtime.

To resolve a secret reference and confirm it outputs correctly:

See result...

Learn more about loading secrets.

Read the full reference documentation to learn about more advanced use cases.

Unique identifiers (IDs)

When you retrieve information about objects using the get and list subcommands, you'll see a string of numbers and letters that make up the objects's unique identifier (ID).

You can use names or IDs in commands that take any account, user, vault, or item as an argument.

IDs never change, so you can be sure you’re always referring to the same object. Commands provided with an ID are also faster and more efficient.

To get the ID for the item Netflix:

See result...

To get the IDs for all vaults in an account:

See result...

Shell completion

You can add shell completion so that 1Password CLI automatically completes your commands.

With shell completion enabled, start typing an op command, then press Tab to see the available commands and options.

To enable shell completion with Bash:

  1. Install the bash-completion package

  2. Add this line to your .bashrc file:

Learn more about shell completion.

Next steps

1Password CLI can be used to accomplish many different tasks. Explore the guides below to learn about common use cases.

Read the reference documentation to discover all the possibilities.

Work with items

Manage users

Provision secrets

Pass secrets from 1Password to your applications, scripts and other workloads.

Secure your workflows

Was this page helpful?