Get started with 1Password CLI
Requirements
- Mac
- Windows
- Linux
- 1Password subscription
- 1Password 8 for Mac*
- macOS Big Sur 11.0.0 or later
Supported shells: Bash, Zsh, sh, fish
*Required to integrate 1Password CLI with the 1Password app.Supported shells: PowerShell
*Required to integrate 1Password CLI with the 1Password app.- 1Password subscription
- 1Password 8 for Linux*
- PolKit*
- A PolKit authentication agent running*
Supported shells: Bash, Zsh, sh, fish
*Required to integrate 1Password CLI with the 1Password app.Install
- Mac
- Windows
- Linux
- Homebrew
- Manual
Install the
1password-clicask from the 1Password tap:Check that 1Password CLI was installed successfully:
Download 1Password CLI for your platform and architecture.
Learn how to verify its authenticity.Install 1Password CLI in the default location
/usr/local/bin.Check that 1Password CLI was installed successfully:
Download the archive for your platform and architecture and extract
op.exe.
Learn how to verify its authenticity.Open PowerShell as an administrator.
Create a directory to move
op.exeinto, such asC:\Program Files\1Password CLI.Move
op.exetoC:\Program Files\1Password CLI, or another directory in yourPATH. Click OK to apply.Add the directory containing
op.exeto your PATH.How to add directories to your PATH
Windows 10 and later
- Search for Advanced System Settings in the Start menu.
- Select Environment Variables. In the System Variables section, find the
PATHenvironment variable. Select it and click Edit. - In the prompt, click New and add the directory that
op.exewas moved to. In our example,C:\Program Files\1Password CLI. - Sign out and back in to Windows for the system environment variable changes to take effect.
Check that 1Password CLI was installed successfully:
If you'd rather install 1Password CLI with a single block of commands, run the following in PowerShell as administrator:
If your Windows operating system uses a language other than English, you'll need to set $arch manually in the first line. To do this, replace $arch = (Get-CimInstance Win32_OperatingSystem).OSArchitecture with $arch = "64-bit" or $arch = "32-bit".
You can install 1Password CLI from one of the following packages for your Linux distribution:
- Apt
- Yum
- Alpine
- .zip
Add the key for the 1Password Apt repository:
Add the 1Password Apt repository:
Add the debsig-verify policy:
Install 1Password CLI:
Check that 1Password CLI was installed successfully:
Alternatively, download the latest 1Password CLI .deb package directly from one of the following links:
Import the public key:
Configure the repository information:
Install 1Password CLI:
Check that 1Password CLI was installed succesfully:
Alternatively, download the latest 1Password CLI .rpm package directly from one of the following links:
APKs are only supported on the x86_64 architecture.
Add Password CLI to your list of repositories:
Add the public key to validate the APK to your keys directory:
Install 1Password CLI:
Check that 1Password CLI was installed successfully:
Download 1Password CLI for your platform and architecture and extract it. To verify its authenticity:
Move
opto/usr/local/bin, or another directory in your$PATH.Check that 1Password CLI was installed successfully:
If you'd rather install 1Password CLI with a single block of commands, run the following:
Beta builds
To download 1Password CLI beta builds, navigate to our downloads page and select "Show betas". On Linux, you can switch the channel from "stable" to "beta" when adding the 1Password repository in your package manager.
Sign in
1Password CLI integrates with the 1Password 8 desktop app so you can sign in on the command line with the accounts you've added to the 1Password app. Then you can authenticate your accounts with your fingerprint, face, Windows Hello PIN, Apple Watch, or device user password.
If you don't want to use 1Password CLI with the 1Password desktop app, or if you're using 1Password 7, learn how to sign in to your 1Password account manually instead.
- Mac
- Windows
- Linux
Step 1: Turn on the 1Password app integration
To sign in to 1Password CLI with the accounts you've added to the 1Password 8 desktop app:
- Open and unlock the app.
- Click your account or collection at the top of the sidebar.
- Navigate to Settings > Developer.
- Select "Connect with 1Password CLI".


Step 2: Turn on Touch ID
To authenticate 1Password CLI with your fingerprint, turn on Touch ID in the desktop app:
- Navigate to Settings > Security.
- Select Touch ID.
To authenticate with your Apple Watch, set up your Apple Watch to unlock 1Password.
If you don't want to use Touch ID or Apple Watch, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in.


Step 3: Sign in to your account
Enter op signin to select an account to sign in to. Use the arrow keys to select an account, then hit enter. You'll be prompted to authenticate with your fingerprint.
To sign in to a different account, enter op signin again. You can also specify an account to sign in to with the --account flag or by setting the OP_ACCOUNT environment variable.
Step 1: Turn on Windows Hello
To authenticate 1Password CLI with biometrics or your Windows Hello PIN, turn on Windows Hello in the 1Password 8 desktop app:
- Open and unlock the app.
- Click your account or collection at the top of the sidebar.
- Navigate to Settings > Security.
- Select "Allow Windows Hello to unlock 1Password".


Step 2: Turn on the 1Password app integration
To sign in to 1Password CLI with the accounts you've added to the 1Password desktop app, navigate to Settings > Developer and select "Connect with 1Password CLI".


Step 3: Sign in to your account
Enter op signin to select an account to sign in to. Use the arrow keys to select an account, then hit enter. You'll be prompted to authenticate with Windows Hello.
To sign in to a different account, enter op signin again. You can also specify an account to sign in to with the --account flag or by setting the OP_ACCOUNT environment variable.


If you downloaded 1Password CLI directly, rather than using the .deb or .rpm installers, do the following:
Create the
onepassword-cligroup if it doesn't yet exist:Set the correct permissions on the
opbinary:
Step 1: Turn on system authentication
To authenticate 1Password CLI with biometrics or your device user password, turn on system authentication in the 1Password 8 desktop app:
- Open and unlock the app.
- Click your account or collection at the top of the sidebar.
- Navigate to Settings > Security.
- Select "Unlock using system authentication service".
You'll be prompted to unlock 1Password CLI the same way you sign in to your Linux user account. To change to a different authentication method, adjust your system settings.


Step 2: Turn on the 1Password app integration
To sign in to 1Password CLI with the accounts you've added to the 1Password desktop app, navigate to Settings > Developer and select "Connect with 1Password CLI".


Step 3: Sign in to your account
Enter op signin to select an account to sign in to. Use the arrow keys to select an account, then hit enter. You'll be prompted to authenticate.
To sign in to a different account, enter op signin again. You can also specify an account to sign in to with the --account flag or by setting the OP_ACCOUNT environment variable.


Usage
1Password CLI uses a noun-verb command structure that groups commands by topic rather than by operation.
The basic structure of a command starts with the 1Password program op, then the command name (noun), often followed by a subcommand (verb), then flags (which include additional information that gets passed to the command).
For example, to retrieve a list of all the items in your Private vault:
To get a list of all global commands and flags, run the following:
And to see the subcommands available for each command, use:
Basic commands
You can use 1Password CLI to work with items, users, vaults, and secrets.
Items
To get information about an item:
You'll see the item's ID, title, vault, when it was created, when it was last modified, the item's version, if it's marked as a favorite, the type of item it is, and the item's fields.
If an item name includes spaces or special characters, enclose it in quotes. For example:
See result...
To use op item get to retrieve specific fields, include the --fields flag followed by a comma-separated list, with the prefix label= before each field name. For example, to only retrieve the username and password for the item work email:
See result...
Learn more about working with items.
Users and groups
To get details about a user:
See result...
To list the users who belong to a group:
See result...
Learn more about working with users and groups.
Vaults
To create a new vault named Test:
To get details about an existing vault:
See result...
To list the vaults in an account:
See result...
Learn more about working with vaults.
Secrets
To insert a secret into an environment variable, config file, or script without putting the plaintext secret in code, use a secret reference that specifies where the secret is stored in your 1Password account:
Then, you can use op read, op run, or op inject to replace the secret reference with the actual secret at runtime.
To resolve a secret reference and confirm it outputs correctly:
See result...
Learn more about loading secrets.
Read the full reference documentation to learn about more advanced use cases.
Unique identifiers (IDs)
When you retrieve information about objects using the get and list subcommands, you'll see a string of numbers and letters that make up the objects's unique identifier (ID).
You can use names or IDs in commands that take any account, user, vault, or item as an argument.
IDs never change, so you can be sure you’re always referring to the same object. Commands provided with an ID are also faster and more efficient.
To get the ID for the item Netflix:
See result...
To get the IDs for all vaults in an account:
See result...
Shell completion
You can add shell completion so that 1Password CLI automatically completes your commands.
With shell completion enabled, start typing an op command, then press Tab to see the available commands and options.
- Bash
- Zsh
- fish
- PowerShell
To enable shell completion with Bash:
Install the bash-completion package
Add this line to your
.bashrcfile:
To enable shell completion with Zsh, add this line to your .zshrc file:
To enable shell completion with fish, add this to your .fish file:
To enable shell completion with PowerShell, add this to your .ps1 file:
You'll need to enable script execution in PowerShell to start using shell completion. To do that, start a PowerShell window as an administrator and enter:
Learn more about shell completion.
Next steps
1Password CLI can be used to accomplish many different tasks. Explore the guides below to learn about common use cases.
Read the reference documentation to discover all the possibilities.
Work with items
Manage users
- Invite and confirm team members
- Create user groups for scalable access management
- Manage vault access for users and groups
Provision secrets
Pass secrets from 1Password to your applications, scripts and other workloads.
- Replace plaintext secrets with secret references
- Load secrets into environment variables
- Load secrets into configuration files
Secure your workflows