Use 1Password CLI 1
1Password CLI 1 will be deprecated on October 1, 2024. Any scripts or integrations that use version 1 will stop working as expected at that time. Upgrade to 1Password CLI 2 to maintain uninterrupted access and compatibility with the latest features.
Sign in or out
To sign in to an account and get a session token:
After you sign in the first time, you can sign in again using only the shorthand for your account:
By default, the shorthand is your account's subdomain. You can change it the first time you sign in by using the --shorthand
option.
Hyphens (-) in a subdomain will be changed to an underscore (_).
See also Appendix: Session management.
Sign out
Sessions automatically expire after 30 minutes of inactivity. You can sign out manually using the signout
command:
See also Appendix: Session management.
List objects
To list objects in a 1Password account:
To list users or groups with access to a vault:
To list users in a group:
To list items in a vault:
To include items or documents in the Archive:
List Activity Log events
The Activity Log is only available for 1Password Business accounts.
To list events from the Activity Log:
The 100 most recent events will be listed.
List events after a specific log entry
You can provide an event ID (eid
) as a starting point for listing entries by using the --eventid
option. A maximum of 100 events will be returned, starting after, but not including, the provided event.
List events before a specific log entry
The --older
option can be used with the --eventid
option to list entries that occurred before the provided event ID.
A maximum of 100 events will be returned, starting with the event before, not including, the provided event.
Manage objects
Get details
To get details about an object:
The --include-archive
option will allow for items in the Archive to be returned.
To get the UUID of an object, look it up by name, email address, or domain. See also Appendix: Specifying objects.
Get details of an item
By default, op get item
gets details of all fields. You can get details of just the fields you want instead. For one field, 1Password CLI returns a simple string:
For multiple fields, specify them in a comma-separated list. 1Password CLI returns a JSON object:
You can change the output to CSV or to always use JSON with the --format
option.
Create or edit an item
To create an item:
If you can't trust other users or processes on your system, use op create item <category> --template=file.json
instead.
To edit an item:
Assignment statements follow this syntax:
You can omit spaces when you specify the section or field name. You can also refer to a field by its JSON short name (name
or n
).
The section is optional unless multiple sections have a field with the same name.
You can't make a new custom section using an assignment statement.
You can generate a password for the item with the --generate-password
option. By default, it will create a 32-character password made up of letters, numbers, and symbols.
See also Appendix: Categories for a list of categories.
See also Appendix: Specifying objects.
When you create an item, its UUID is returned.
Delete an item
To delete an item:
Use the --archive
option to move it to the Archive instead.
See also Appendix: Specifying objects.
Create or remove a vault
To create a vault:
When you create a vault, its UUID is returned. Use the --allow-admins-to-manage
option to specify whether administrators can manage access to the vault or not. If not provided, the default policy for the account applies.
To remove a vault:
See also Appendix: Specifying objects.
Work with documents
To create a document:
When you create a document, its UUID is returned.
To download a document and save it to a file:
The document's contents are sent to standard output (stdout
) by default. Use the --output
option to save the document to a file directly. It won't overwrite an existing file unless it's empty.
To delete a document:
Use the --archive
option to move it to the Archive instead.
See also Appendix: Specifying objects.
Manage users and groups
Invite and confirm users
To create and invite a new user:
Users are invited by email and then must be confirmed using their email address or UUID:
The --all
option confirms all users pending confirmation.
Get user details
To get details about a user:
If the --publickey
or --fingerprint
options are used, only the user’s public key or public key fingerprint is returned.
Edit users and groups
To edit a user's name:
To turn Travel Mode on or off for a user:
To edit the name or description of a group:
Suspend or reactivate a user
To suspend or reactivate a user:
See also Appendix: Specifying objects.
Remove a user
To completely remove a user:
See also Appendix: Specifying objects.
Manage individual access
To grant a user access to a vault or group:
To revoke a user's access to a vault or group:
See also Appendix: Specifying objects.
Manage group access
To grant a group access to a vault:
To revoke a group's access to a vault:
See also Appendix: Specifying objects.
Create or remove a group
To create a group:
When you create a group, its UUID is returned.
To remove a group:
See also Appendix: Specifying objects.
Appendix: Checking for updates
To check for updates to 1Password CLI:
If a newer version is available, 1Password CLI can download it for you. To change the download folder, use the --directory
option.
Appendix: Specifying objects
Every object can be specified by UUID or name. Users and items can also be specified by email address and domain, respectively.
Object | UUID | Name | Email address | Domain |
---|---|---|---|---|
Group | ✅ | ✅ | — | — |
User | ✅ | ✅ | ✅ | — |
Vault | ✅ | ✅ | — | — |
Item | ✅ | ✅ | — | ✅ |
Document | ✅ | ✅ | — | — |
When specifying by UUID, the item or its details will be returned, even if the item is in the Archive. You don’t need to specify --include-archive
.
Appendix: Categories
- API Credential
- Bank Account
- Credit Card
- Database
- Document
- Driver License
- Email Account
- Identity
- Login
- Membership
- Outdoor License
- Passport
- Password
- Reward Program
- Secure Note
- Server
- Social Security Number
- Software License
- Wireless Router
Appendix: Session management
op signin
will prompt you for your 1Password account password and output a command that can save your session token to an environment variable:
To set the environment variable, run the export
command manually, or use eval
(Mac, Linux) or Invoke-Expression
(Windows) to set it automatically.
On Mac and Linux:
On Windows:
You can sign in to multiple accounts at the same time.
Use with multiple accounts
Commands that you run will use the account you signed in to most recently. To run a command using a specific account, use --account <shorthand>
:
To authenticate with a session token, sign in with the --raw
option to get the token. Then use --session <session_token>
with any command:
Remove account details from your computer
You can remove account details from your computer at any time.
To sign out of an account and remove its details from your computer:
If you're already signed out, you can specify an account by its shorthand: