
Sign in to your 1Password account manually

If you don't want to use the 1Password app to sign in to 1Password CLI, you can manually add and sign in to your accounts in the terminal.

Known security risks

If you sign in to 1Password CLI manually, any process running under the current user can, on some platforms, potentially access your 1Password account.

We recommend you use the 1Password app to sign in to 1Password CLI because it offers more robust security guarantees.

When you sign in manually in the terminal, 1Password CLI stores your session key encrypted on disk and keeps the random wrapper key in the environment of the current shell.

Sessions expire after 30 minutes of inactivity, after which you’ll need to sign in again and save a new token. If you want to immediately terminate your authenticated session, you can run op signout.

Sign in manually

Step 1: Add an account

To manually add a 1Password account to 1Password CLI, use op account add:

1Password CLI will prompt you to enter your sign-in address, email address, Secret Key, and 1Password account password.

Tip

For non-interactive shells in local environments, sign in with the 1Password desktop app integration instead.

For non-interactive shells in remote environments, authenticate with a service account or a Connect server.

Set a custom account shorthand

1Password CLI uses account shorthands to refer to each of the accounts you add. The default shorthand is your sign-in address subdomain (for example, my for my.1password.com).

To set a custom shorthand, include the --shorthand flag when you add an account. For example, to add an account with the shorthand personal:

Step 2: Sign in

If you added your accounts to 1Password CLI manually, you'll need to use the manual sign-in command to sign in.

This command also works with the app integration turned on, so you can use it in scripts to provide compatibility for all users regardless of their sign-in method.

After you sign in, 1Password CLI creates a session token and sets the OP_SESSION environment variable to it. Include the --raw flag to get a token you can export manually.

Session tokens expire after 30 minutes of inactivity, after which you’ll need to sign in again and save a new token.

To sign out, use the command op signout.
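
One way to limit the exposure described under Known security risks, as an added example that is not part of the 1Password documentation: the function signs in manually inside a subshell, runs a single command, and calls op signout on exit instead of leaving the session open until the 30-minute timeout. The name op_scoped is hypothetical, and the eval "$(op signin)" form is assumed to be the manual sign-in command for POSIX shells.

```shell
# Added example, not from the 1Password documentation.
# op_scoped (hypothetical name): run one op command in a manual session that
# is signed out as soon as the command finishes.
# Usage: op_scoped ACCOUNT OP_ARGS...   e.g. op_scoped personal vault list
op_scoped() (
  # The function body is a subshell, so the session variable that
  # `op signin` exports never reaches the calling shell's environment.
  if [ "$#" -lt 2 ]; then
    echo "usage: op_scoped ACCOUNT OP_ARGS..." >&2
    exit 2
  fi
  account=$1
  shift

  # Manual sign-in prints an export statement for the session token
  # (assumed form: eval "$(op signin)"); prompts still appear on the terminal.
  signin_out=$(op signin --account "$account") || exit 1
  eval "$signin_out"

  # End the session on every exit path instead of waiting for the
  # 30-minute inactivity timeout.
  trap 'op signout --account "$account" >/dev/null 2>&1 || :' EXIT
  trap 'exit 130' INT
  trap 'exit 143' TERM

  # Exit status of the wrapped command becomes the function's status.
  op "$@" --account "$account"
)
```

The session token still sits in the subshell's environment while the wrapped command runs, so this shortens the window in which other processes under the same user could use it; it does not remove the risk.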

Optional: Switch between accounts with the --account flag

If you've added multiple accounts and are using an interactive terminal, 1Password CLI will prompt you to select the account you want to sign in to. Use the arrow keys to select an account, then press the Return key to sign in.

In most shells, you can bypass the prompt to select an account using the --account flag with your account shorthand, sign-in address, or ID. This option isn't available in PowerShell. For example:

To always sign in to the same account, set the OP_ACCOUNT environment variable to your account shorthand, sign-in address, or ID.

You can sign in to multiple accounts at the same time, then use the --account flag to specify which account should execute each command. If you don't specify an account, 1Password CLI will default to the account you most recently signed in to.

For example, to sign in to accounts with the shorthands personal and agilebits:

To run the command op vault list in the account with the shorthand personal:

Then to run the same command in the agilebits account:

You can also specify a custom shorthand when you add an account.

Troubleshooting

If you've already turned on the 1Password app integration, you'll need to turn it off before you can add an account on the command line.


Appendix: Find an account shorthand or ID

1Password CLI uses account shorthands to refer to each of the accounts you've added. To see all the accounts you've added, their shorthands, and account details, run op account list.


You can use the shorthand, sign-in address, or user ID to refer to a specific account in your commands.
