Manage Connect servers
As of Feb 27, 2025, all 1Password customers have unlimited access to Connect.
A Connect server is a type of Secrets Automation workflow that allows you to securely access your 1Password items and vaults in your company's apps and cloud infrastructure using a private REST API provided by 1Password Connect Server.
You can use 1Password.com or the Connect REST API to:
- Control which team members and applications have access to which Connect server tokens.
- Monitor and audit access and item usage.
- Secure applications by choosing when Connect server tokens expire.
- Create and revoke Connect server tokens.


Manage permissions
With 1Password Business or 1Password Teams, you can manage Connect server permissions with groups, or more granularly, with environments. This allows for enforcement of security best practices. Learn more about Connect security.
You can also manage group access using automated provisioning.
Manage global permissions
Groups allow you to specify one or more users who can access Connect servers.
To assign groups (such as Owners and Administrators) to manage Connect servers:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Select Permissions from the top navigation bar, then select Secrets Automation.
- In the Managers section, select Manage, then choose the groups you want to manage Connect servers.
- Select Update Groups.


Manage environment permissions
Environments allow you to override global permissions (with groups) for a specific Connect server environment.
To assign groups (such as Owners and Administrators) to manage a specific Connect server:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Select Permissions from the top navigation bar, then select Secrets Automation.
- In the Environments section, select Manage.
- In the Permissions section, select Manage, then choose the groups you want to manage Connect servers in the environment.
- Select Update Groups.
Manage access tokens
Secrets automation access tokens are also called Connect server tokens. The following sections show how to manage Connect server tokens:
Create a token
To create a Connect server token:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Choose the Secrets Automation environment where you want to create a Connect server token.
- Select New Token.
- Follow the onscreen instructions to issue an access token.
You can't edit the vaults a token can access after you create it. If you want to change the vaults a token can access, you must revoke the token and create a new one.
Connect tokens can support up to 100 vaults each. If you grant a Connect token access to more than 100 vaults, the server may reject requests.
Set a token expiration
You can set token expiration time of 30, 90, or 180 days when you create a Connect server token. When the expiration time elapses, 1Password revokes the Connect server token.
To set a token expiration date:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Choose the Secrets Automation environment where you want to create a Connect server token.
- Select New Token.
- Set the "Expires After" to 30 days, 90 days, or 180 days.
- Continue with the onscreen instructions.
Revoke a token
To revoke a Connect server token:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Choose the Secrets Automation environment where you want to manage Connect server tokens.
- Select next to the token you want to revoke, then select Revoke.
Rename a token
To rename a Connect server token:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Choose the Secrets Automation environment where you want to manage Connect server tokens.
- Select next to the token you want to rename, then select Rename and enter a new name.
Grant or revoke access to vaults
To grant or revoke access to vaults:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Choose the Secrets Automation environment where you want to grant or revoke access to vaults.
- In the Vaults section, select Manage and choose the vaults you want to add or remove.
- Select Update Vaults.
You can't grant Connect servers access to your built-in Personal, Private, or Employee vault, or your default Shared vault.


Monitor item usage
Connect servers send reports about item usage to the 1Password server every time an item is accessed so you can monitor item usage.
Item usage information might take a few hours to sync with 1Password.com.
To view item usage for a Connect server:
- Sign in to your account on 1Password.com and select Developer in the sidebar.
- Choose the Secrets Automation environment (Connect server) you want to monitor.
- Under Version, select More Actions > View Item Usage Report.
For more information, visit Create reports in 1Password Business.
About Connect server item usage
Items accessed through a Connect server update specific fields in the following manner:
- The Action field in the report always shows Display.
- The Used by field always includes the name of the Connect server instance (not the Connect server token).
Connect servers only report item usage when they have a working connection to the 1Password server. If a Connect server can't reach the 1Password server (for example, when it updates or restarts), it might lose item usage information from that time period.
Item usage reporting continues when the Connect server has a working connection to the 1Password server again.