Upgrade to 1Password CLI 2
Learn how to upgrade to 1Password CLI 2 from an earlier version, and update your scripts to the new command syntax.
1Password CLI 1 will be deprecated on October 1, 2024. Any scripts or integrations that use version 1 will stop working as expected. We recommend upgrading to 1Password CLI 2 as soon as possible to avoid disruptions.
About 1Password CLI 2
We released version 2 of the 1Password CLI in March 2022. Since then, more than 96% of users have adopted the latest version.
1Password CLI 2 includes a number of changes to the schema to make the tool easier to use as well as new features to help you provision secrets.
New schema
1Password CLI 2 introduces a noun-verb command structure that groups commands by topic rather than by operation. You can find all available topics with op --help
, and see the commands avaialble for each topic with op <topic> --help
. Topics include:
Other schema changes include:
- The default output is now a human-friendly, tabular schema.
Learn how to change the default output to JSON. - The JSON output schema now contains more useful information.
- Improved stdin processing allows you to chain more commands together.
- The new schema uses flags instead of positional arguments.
Secrets provisioning
To help you provision secrets locally, 1Password CLI 2 allows you to load secrets directly from 1Password in environment variables and configuration files. With secrets provisioning, you can replace your plaintext secrets with references to the secrets stored in 1Password and load them at runtime in your scripts, applications, and other workflows.
Integrate 1Password CLI with the 1Password desktop app
You can sign in to 1Password CLI 2 with the accounts you've added to the 1Password desktop app, then authenticate your accounts on the command line with biometrics.
Shell plugins
To simplify and secure your workflow, 1Password CLI 2 introduces shell plugins that allow you to securely authenticate third-party command-line tools using biometrics.
Package manager installation
1Password CLI 2 supports easier installation with package managers including Apt, Yum, Alpine, and tar.
You can find all changes in the changelog.
To share feedback with us, visit the support community forum.
Step 1: Choose an upgrade strategy
There are multiple ways to upgrade to 1Password CLI 2. You can upgrade immediately or gradually, depending on your workflow and toolchain.
Upgrade immediately
The quickest way to upgrade to 1Password CLI 2 is to overwrite your existing installation. This is a good option if you have a small team who can upgrade their local installations simultaneously.
Use
which op
(or(Get-Command op).Path
on Windows) to get the directory of the current installation.Download 1Password CLI 2 and move
op
to the same directory, overwriting the existing copy.To verify the installation, check the version number:
Make sure everyone on your team upgrades to 1Password CLI 2. After you update your scripts, they won't work with earlier versions of 1Password CLI.
Upgrade gradually
If you're not ready to upgrade immediately, you can use Docker to upgrade individual projects or use both versions of 1Password CLI side-by-side. We will continue to support version 1 for one year after version 2 is released.
Use Docker to upgrade individual projects
If you want to upgrade project by project, you can Dockerize your workflow so that each team member uses the version of 1Password CLI in a Docker image for a specific project. This is a good option for large teams, because it doesn't require each team member to update a local installation.
Use the 1Password CLI Docker image or use your own image and add the CLI. Your Dockerfile should look like this:
After upgrading to 1Password CLI 2, update your scripts to use the new command syntax.
This approach also sets you up to move your scripts to headless environments such as CI/CD pipelines.
Use both versions of 1Password CLI
If your scripts depend on the local installation on each team member's machine, and you still want to migrate gradually, this is your best option.
Each team member should do the following:
- Rename the earlier version of 1Password CLI
op1
. - Find and replace all occurences of
op
withop1
. - Install 1Password CLI 2 inside your
$PATH
.cautionFor macOS 1Password CLI 2 has to be moved exactly to
/usr/local/bin/op
.
For Linux, it is recommended to be moved to/usr/local/bin/op
. - Update your scripts one-by-one to use the new
op
. You can continue to use your current scripts with the earlier version of 1Password CLI installed asop1
. - When you've updated all your scripts and are ready to upgrade, uninstall the earlier version of 1Password CLI.
- Find and replace all occurrences of
op1
in your scripts toop
.
Step 2: Update your scripts
If you've been using an earlier version of 1Password CLI in scripts, you'll need to update your scripts to the new syntax.
After you install 1Password CLI 2, use the following table to update your scripts. It shows all the updated commands and associated changes to arguments or flags.
Old command | CLI 2 command | Notes |
---|---|---|
create vault | vault create | |
get vault | vault get | |
edit vault | vault edit | --travel-mode=on/off flag introduced |
delete vault | vault delete | allows piped input when the - argument is provided |
list vaults | vault list | |
list users --vault | vault user list | |
add group | vault group grant |
|
remove group | vault group revoke |
|
add user <user> <vault> | vault user grant |
|
remove user <user> <vault> | vault user revoke |
|
signin <url> | account add |
|
signin --list | account list | account list will format its output based on output format selection (JSON vs human readable) |
forget account | account forget | new -—all flag for forgetting all accounts |
get account | account get | |
confirm user | user confirm | allows piped input when the - argument is provided |
create user | user provision | email and name arguments changed to --email and --name flags |
delete user | user delete | allows piped input when the - argument is provided |
edit user | user edit | allows piped input when the - argument is provided |
reactivate user | user reactivate | allows piped input when the - argument is provided |
suspend user | user suspend | --deauthorize-devices-after flag accepts any duration unit, not just seconds |
list users | user list | |
get user | user get |
|
create connect server | connect server create | add —-server flag instead of using an argument for specifying the related server |
delete connect server | connect server delete | allows piped input when the - argument is provided |
edit connect server | connect server edit | |
list connect servers | connect server list | |
- | connect server get | |
create connect token | connect token create | |
delete connect token | connect token delete | |
edit connect token | connect token edit | argument name changed from jti to token |
list connect tokens | connect token list | ConnectVault.ACL is now displayed in lowercase_with_underscores |
add connect server | connect vault grant | server and vault arguments changed to --server and --vault flags |
remove connect server | connect vault revoke | server and vault arguments changed to --server and --vault flags |
manage connect add group | connect group grant | server and group arguments changed to --server and --group flags |
manage connect remove group | connect group revoke | server and group arguments changed to --server and --group flags |
create item | item create |
|
delete item | item delete | allows piped input when the - argument is provided |
edit item | item edit | new --tags , --title , --url flags |
get item | item get | |
list items | item list | |
list templates | item template list | |
get template | item template get | |
create group | group create | |
delete group | group delete | allows piped input when the - argument is provided |
edit group | group edit | allows piped input when the - argument is provided |
list groups | group list | |
get group | group get | |
add user <user> <group> | group user grant | user and group arguments changed to --user and --group flags |
remove user <user> <group> | group user revoke | user and group args changed to --user and --group flags |
op list users --group <group> | group user list | op list users --group GROUP still works |
delete trash | - | deprecated |
create document | document create | --filename flag changed to --file-name flag |
edit document | document edit | --filename flag changed to --file-name flag |
list documents | document list | |
get document | document get | |
delete document | document delete | |
create integration events-api | events-api create | |
list events | - | Use Events Reporting API instead. |
encode | - | deprecated, use create item --template=file.json instead |
get totp | item get --otp |
Appendix: Change default output to JSON
The default output format for 1Password CLI 2 is a human-readable, tabular schema. You can change the default to machine-readable JSON in two ways:
- For a single command, include the
--format json
flag with your command. For example,op item get <name> --format json
. - To always default to JSON, set the
$OP_FORMAT
environment variable tojson
.
Appendix: Item JSON template
You can expect to see several formatting improvements and field name changes in 1Password CLI 2 item JSON templates.
Old template
New template
This is how 1Password CLI 1 template fields correspond to 1Password CLI 2:
Item
1Password CLI 1 | 1Password CLI 2 | Notes |
---|---|---|
uuid | ||
templateUuid | category | |
details | - | replaced by sections and fields |
Section
1Password CLI 1 | 1Password CLI 2 | Notes |
---|---|---|
name | id | |
title | label | |
fields | - | moved separately |
Field
1Password CLI 1 | 1Password CLI 2 |
---|---|
n | id |
k | type |
t | label |
v | value |
- | section |
Get help
If you need help upgrading to 1Password CLI 2, contact 1Password Support or join our Developer Slack workspace and ask a question in the #cli
channel.
Learn more
- Get started with 1Password CLI 2
- 1Password CLI 2 release notes import { textChangeRangeIsUnchanged } from "typescript"