1Password Events API reference

You can use the 1Password Events API to retrieve information about activity in your 1Password account – like audit events, item usage, and sign-in attempts – and send it to your security information and event management (SIEM) system.

tip

This API reference documents the latest version of the 1Password Events API specifications (1.4.0). Learn more about API versions.

Requirements

Before you can use the 1Password Events API, you'll need to:

• Sign up for 1Password Business.
• Set up an Events Reporting integration in your account.
• Create a bearer token and select the event features it can access.

About the API

The 1Password Events API is a REST-style API that follows the OpenAPI 3.0 Specifications. All communication between clients and servers are over HTTPS.

You can use your preferred language and tools for testing and implementing the Events API. This reference uses curl on the command line to demonstrate example requests. You can replace the values in any request with your own to receive information about events in your 1Password account.

The API can access data from the last 120 days. If you need to access data from more than 120 days ago, you can use the Activity Log in your 1Password account.

Endpoint versions

The Events API supports both V1 and V2 endpoints for audit events, item usages, and sign-in attempts. The V2 endpoints in this reference provide additional information about users and accounts for managed service providers (MSPs). V1 endpoints remain fully supported for existing integrations that don't require the additional MSP account and user type information.

Choose the appropriate version based on your needs:

• Use V2 endpoints if you need MSP-related event data or if you're just starting with the Events API.
• Use V1 endpoints if you have existing integrations and you don't require the additional MSP data.

See the API changelog to learn more about the changes in the V2 endpoints and previous versions of the API.

Request methods

The Events API accepts the following standard HTTP request methods:

• GET requests to the introspect endpoint return information about the events a bearer token has access to.

• POST requests to the auditevents, itemusages, and signinattempts endpoints return information about various activities in a 1Password account. Depending on which endpoint is called, the request returns one of the following:

  • successful and failed attempts to sign in to a 1Password account
  • information about every use of an item stored in a shared vault in the account
  • audit events for actions performed by team members in the account

Servers

The base URL you'll use to make API calls is determined by the server that hosts your 1Password account.

If your account is on:	Your base URL is:
1Password.com	https://events.1password.com (1Password Business) https://events.ent.1password.com (1Password Enterprise)
1Password.ca	https://events.1password.ca
1Password.eu	https://events.1password.eu

The service ID (events) and the host server form the base URL, followed by the path for the endpoint you want to call. For example, to retrieve a list of audit events for a business account on 1Password.com, you would use the following URL to make a call to the auditevents endpoint:

Authorization

Every call to the 1Password Events API must be authorized with a bearer token. You must include your bearer token in the header of your request for authentication.

A token can be authorized to access data for one or more events, depending on which events were scoped when the token was created. Make sure the bearer token you use has access to the events you want to request. You can verify this from the Events Reporting integration details in the Integrations section of your 1Password account or through a GET request to the introspection endpoint.

Request headers

Requests to the Events API must include the correct header(s):

• Authorization: Each GET and POST request to the Events API must be authorized with a bearer token scoped to access event data for that feature. You'll include your token in the authorization header.

• Content-Type: Each POST request requires a Content-Type header to indicate the media type of the resource being sent in the request body. All data for the Events API is sent and received as JSON, so you'll need to specify application/json as the content type. GET requests don't contain a request body and therefore don't require this header.

An example of a request header:

Pagination

The Events API uses cursor-based pagination, which is useful for working with large datasets. In response to each request, the API returns a unique ID (cursor) that indicates where you left off retrieving data. On the next call, you can provide that cursor to continue fetching events starting from the next point in the dataset so no records are missed.

There are two types of cursors used in calls to the API: a reset cursor and a cursor (also called a continuing cursor).

Reset cursor

A reset cursor is used for the first request you make to the API to create a new point from which to start fetching data. You can also use a reset cursor any time you need to reset the parameters of your cursor – such as the number of records to return with each request – or go back to an earlier point in the records.

For the first POST request you make to the API, you must include a ResetCursor object with an optional start time, end time, and limit parameters in the request body. The return will include a cursor in the response body that can be used in the next call made to the API. If no parameters are provided, the API will use the default values indicated in the schema.

For example:

Example reset cursor request

ResetCursor object schema

Name	Type	Description
limit (optional)	number	The number of events to return in a single request. Specify a limit from 1 to 1000. If not specified, limit will default to 100. To return additional events, use the cursor position for subsequent requests.
start_time (optional)	string	The date and time to start retrieving events. Uses the RFC 3339 standard. If not specified, start_time will default to one hour before specified end_time. If no end_time is specified, start_time will default to one hour ago.
end_time (optional)	string	The date and time to stop retrieving events. Uses the RFC 3339 standard.

Cursor

For continued calling of the API, include the cursor from the previous response in the request body of your next call to the API, instead of the ResetCursor object. This will start fetching data from the last indicated position to avoid missing any data.

Example cursor

Cursor object schema

Name	Type	Description
cursor	string	Cursor to fetch more data, if available, or continue the polling process. Use the cursor returned in the response body of your previous to the endpoint. For example: aGVsbG8hIGlzIGl0IG1lIHlvdSBhcmUgbG9va2luZyBmb3IK.

The 1Password Events API apps for Splunk and Elastic will store the cursor position for future requests.

Rate limits

The Events API limits requests to 600 per minute and up to 30,000 per hour. Exceeding these limits will return an error.

429

Too many requests

GET /api/v2/auth/introspect

A GET call to this endpoint returns a list of events (features) a bearer token is authorized to access, including one or more of: audit events, item usage, and sign-in attempts.

Parameters

No parameters.

Requests

Use the full URL of the introspect endpoint with your bearer token and the required request headers. A GET request doesn't include a body, so the content type header isn't needed.

For example:

Responses

200

Returns an Introspection object

400

Bad request

401

Unauthorized access

500

Internal server error

A successful 200 response returns an Introspection object with information about the token.

Example introspection response

IntrospectionV2 object schema

Name	Type	Description
uuid	string	The UUID of the Events Reporting integration.
issued_at	string	The date and time the token was issued. Uses the RFC 3339 standard.
features	array of strings	A list of event features the integration has access to. Possible values are one or more of: auditevents itemusages signinattempts

POST /api/v2/auditevents

A POST call to this endpoint returns information about actions performed by team members within a 1Password account. Events include when an action was performed and by whom, along with details about the type and object of the action and any other information about the activity. MSP accounts include additional information about the actor's account and type. Learn more about audit events.

This endpoint requires a bearer token with the auditevents feature. You can make an introspection call to the API to verify if your token is authorized to access audit events.

Parameters

No parameters.

Requests

Use the full URL of the auditevents endpoint with your bearer token and the required request headers. You must include a ResetCursor object or the cursor from a previous response in the request body.

Example audit events request with a reset cursor

Example audit events request with a continuing cursor

Responses

A successful 200 response returns an AuditEventItemsV2 object wrapping cursor properties and an array of AuditEventV2 objects. The included cursor can be used to fetch more data or continue the polling process.

200

Returns an AuditEventItemsV2 object

400

Bad request

401

Unauthorized access

500

Internal server error

Example audit event response

AuditEventV2 object schemas

AuditEventItemsV2 object schema

Name	Type	Description
cursor	string	Cursor to return more event data or to continue polling.
has_more	boolean	Whether there's more data to be returned using the cursor. If the value is true, there may be more events. If the value is false, there are no more events.
items	array	An array of AuditEventV2 objects.

AuditEventV2 object schema

Name	Type	Description
uuid	string	The UUID of the action event.
timestamp	string	The date and time when the action was performed. Uses the RFC 3339 standard.
actor_uuid	string	The UUID of the user who performed the action.
actor_details	object	A user object.
actor_type	string	The type of user who performed the action (internal or external). Possible values are: user external_user (MSP accounts only)
actor_account_uuid	string	The UUID of the account the user belongs to.
account_uuid	string	The UUID of the account where the action was performed.
action	string	The type of action that was performed. Possible values are: "activate" "addgsso" "begin" "beginr" "cancel" "cancelr" "changeks" "changeks" "changela" "changemp" "changenm" "changesk" "chngasso" "chngdsso" "chngpsso" "complete" "completr" "convert" "create" "dealldev" "delete" "delgsso" "delshare" "deolddev" "detchild" "disblduo" "disblmfa" "disblsso" "dlgsess" "dvrfydmn" "enblduo" "enblmfa" "enblsso" "expire" "export" "grant" "hide" "join" "launchi" "leave" "musercom" "muserdec" "patch" "propose" "provsn" "prsndall" "purge" "rdmchild" "reactive" "reauth" "replace" "replace" "resendts" "revoke" "role" "sdvcsso" "sendpkg" "sendts" "share" "ssotknv" "suspend" "tdvcsso" "trename" "trevoke" "trvlaway" "trvlback" "tverify" "uisas" "unhide" "unknown" "unlink" "updatduo" "update" "updatea" "updatfw" "updatmfa" "upguest" "uvrfydmn" "verify" "view" "vrfydmn" Learn about audit event actions.
object_type	string	The type of object the action was performed on. Possible values are: "account" "card" "cred" "device" "dlgdsess" "ec" "famchild" "file" "gm" "group" "gva" "invite" "item" "itemhist" "items" "miguser" "mngdacc" "pm" "report" "sa" "satoken" "slackapp" "sso" "ssotkn" "sub" "template" "user" "uva" "vault" "vaultkey" Learn about audit event objects.
object_uuid	string	The unique identifier for the object the action was performed on.
object_details	object	An object details object. Returned if the object is a user.
aux_id	integer	The identifier for someone or something that provides additional information about the activity. For example, the ID of a device that a user adds or removes from an account.
aux_uuid	string	The unique identifier for someone or something that provides additional information about the activity. For example, the UUID of a team member who joins or leaves a group in an account.
aux_details	object	An aux details object. Returned if the aux details relate to a user.
aux_info	string	Additional information about the activity.
session	object	A session object.
location	object	A location object that contains details about the geolocation of the client based on the client's IP address at the time the event was performed.

UserV2 object schema

Name	Type	Description
uuid	string	The UUID of the user who performed the action.
name	string	The name of the user who performed the action.
email	string	The email address of the user who performed the action.
user_type (MSP accounts only)	string	The type of user who performed the action (internal or external). Possible values are: user external_user
user_account_uuid (MSP accounts only)	string	The UUID of the user's account.

Object details object schema

Name	Type	Description
uuid	string	The UUID of the user who is the object of the action.
name	string	The name of the user who is the object of the action.
email	string	The email address of the user who is the object of the action.

Aux details object schema

Name	Type	Description
uuid	string	The UUID of the user related to the additional information about the activity. For example, the user who was added to or removed from the account or vault or whom created or deleted the device.
name	string	The name of the user related to the additional information about the activity.
email	string	The email address of the user related to the additional information about the activity.

Session object schema

Name	Type	Description
uuid	string	The UUID of the session.
login_time	string	The date and time the client signed in and started the session. Uses the RFC 3339 standard.
device_uuid	string	The UUID of the device signed in to the session.
ip	string	The IP address used for the session.

Location object schema

Name	Type	Description
country	string	The country where the action was performed.
region	string	The region where the action was performed.
city	string	The city where the action was performed.
longitude	number	A coordinate that specifies the longitudinal location for where the action was performed.
latitude	number	A coordinate that specifies the latitudinal location for where the action was performed.

POST /api/v2/itemusages

A POST call to this endpoint returns information about items in shared vaults that have been modified, accessed, or used. Events include the name and IP address of the user who accessed the item, when the item was accessed, and the vault where the item is stored. Learn more about item usage actions.

This endpoint requires a bearer token with the itemusages feature. You can make an introspection call to the API to verify if your token is authorized to access sign-in events.

Parameters

No parameters.

Requests

Use the full URL of the itemusages endpoint with your bearer token and the required request headers. You must include a ResetCursor object or the cursor from a previous response in the request body.

Example item usage request with a reset cursor

Example item usage request with a continuing cursor

Responses

200

Returns an ItemUsageV2 response object

400

Bad request

401

Unauthorized access

500

Internal server error

A successful 200 response returns an ItemUsageItemsV2 object wrapping cursor properties and an array of ItemUsageV2 objects. The included cursor can be used to fetch more data or continue the polling process.

The response also includes a cursor to continue fetching more data or to use the next time you make a request.

Example item usage response

ItemUsageV2 object schemas

ItemUsageItemsV2 object schema

Name	Type	Description
items	array	An array of ItemUsageV2 objects.
cursor	string	Cursor to return more event data or to continue polling.
has_more	boolean	Whether there's more data to be returned using the cursor. If the value is true, there may be more events. If the value is false, there are no more events.

ItemUsageV2 object schema

Name	Type	Description
uuid	string	The UUID of the event.
timestamp	string	The date and time of the event. RFC 3339 standard.
used_version	integer	The version of the item that was accessed.
vault_uuid	string	The UUID of the vault the item is in.
item_uuid	string	The UUID of the item that was accessed.
action	string	Details about how the item was used. Actions are only captured from client apps using 1Password 8.4.0 or later. Possible values are: "enter-item-edit-mode" "export" "fill" "other" "reveal" "secure-copy" "select-sso-provider" "server-create" "server-fetch" "server-update" "share" Learn about item usage actions.
user	object	A user object.
client	object	A client object.
location	object	A location object that contains details about the geolocation of the client based on the client's IP address at the time the event was performed.
account_uuid (MSP accounts only)	string	The UUID of the account where the action was performed.

UserV2 object schema

Name	Type	Description
uuid	string	The UUID of the user that accessed the item or attempted to sign in to the account.
name	string	The name of the user, hydrated at the time the event was generated.
email	string	The email address of the user, hydrated at the time the event was generated.
user_type (MSP accounts only)	string	The type of user who performed the action (internal or external). Possible values are: user external_user
user_account_uuid (MSP accounts only)	string	The UUID of the user's account.

Client object schema

Name	Type	Description
app_name	string	The name of the 1Password app the item was accessed from.
app_version	string	The version number of the app.
platform_name	string	The name of the platform the item was accessed from.
platform_version	string	The version of the browser or computer where 1Password is installed or the CPU of the machine where the 1Password command-line tool is installed.
os_name	string	The name of the operating system the item was accessed from.
os_version	string	The version of the operating system the item was accessed from.
ip_address	string	The IP address the item was accessed from.

Location object schema

Name	Type	Description
country	string	The country where the item was accessed.
region	string	The region where the item was accessed.
city	string	The city where the item was accessed.
longitude	number	A coordinate that specifies the longitudinal location for where the item was accessed.
latitude	number	A coordinate that specifies the latitudinal location for where the item was accessed.

POST /api/v2/signinattempts

A POST call to this endpoint returns information about sign-in attempts. Events include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and – for failed attempts – the cause of the failure. For MSP accounts, events also include additional information about the user's account and type.

This endpoint requires a bearer token with the signinattempts feature. You can make an introspection call to the API to verify if your token is authorized to access sign-in events.

Parameters

No parameters.

Requests

Use the full URL of the signinattempts endpoint with your bearer token and the required request headers. You must include a ResetCursor object or the cursor from a previous response in the request body.

Example request with a reset cursor

Example request with a continuing cursor

Responses

200

Returns a SignInAttemptItemsV2 object

400

Bad request

401

Unauthorized access

500

Internal server error

A successful 200 response returns a SignInAttemptItemsV2 object wrapping cursor properties and an array of SignInAttemptV2 objects. The included cursor can be used to fetch more data or continue the polling process.

Example sign-in attempt response

SignInAttemptsV2 object schemas

SignInAttemptItemsV2 object schema

Name	Type	Description
items	array	An array of SignInAttemptsV2 objects.
cursor	string	Cursor to return more event data or to continue polling.
has_more	boolean	Whether there's more data to be returned using the cursor. If the value is true, there may be more events. If the value is false, there are no more events.

SignInAttemptsV2 object schema

Name	Type	Description
uuid	string	The UUID of the event.
session_uuid	string	The UUID of the session that created the event.
timestamp	string	The date and time of the sign-in attempt. Uses the RFC 3339 standard.
category	string	The category of the sign-in attempt. Possible values are: "success" "credentials_failed" "mfa_failed" "sso_failed" "modern_version_failed" "firewall_failed" "firewall_reported_success"
type	string	Details about the sign-in attempt. Possible values are: "all_blocked" "anonymous_blocked" "code_bad" "code_disabled" "code_timeout" "continent_blocked" "country_blocked" "credentials_ok" "duo_bad" "duo_disabled" "duo_native_bad" "duo_timeout" "federated" "ip_blocked" "mfa_missing" "mfa_ok" "modern_version_missing" "modern_version_old" "non_sso_user" "password_secret_bad" "platform_secret_bad" "platform_secret_disabled" "platform_secret_proxy" "service_account_sso_denied" "sso_user_mismatch" "totp_bad" "totp_disabled" "totp_timeout" "u2f_bad" "u2f_disabled" "u2f_timeout"
country	string	The country code of the event. Uses the ISO 3166 standard.
details	object	A details object that contains additional information about the sign-in attempt.
target_user	object	A user object.
client	object	A client object.
location	object	A location object that contains details about the geolocation of the client based on the client's IP address at the time the event was performed.
account_uuid (MSP accounts only)	string	The UUID of the account where the action was performed.

Details object schema

Name	Type	Description
value	string	The additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in. For example, in the event of a sign-in attempt blocked by firewall rules, the value is the country, continent, or IP address of the sign-in attempt.

UserV2 object schema

Name	Type	Description
uuid	string	The UUID of the user that accessed the item or attempted to sign in to the account.
name	string	The name of the user, hydrated at the time the event was generated.
email	string	The email address of the user, hydrated at the time the event was generated.
user_type (MSP accounts only)	string	The type of user who performed the action (internal or external). Possible values are: user external_user
user_account_uuid (MSP accounts only)	string	The UUID of the user's account.

Client object schema

Name	Type	Description
app_name	string	The name of the 1Password app the item was accessed from.
app_version	string	The version number of the app.
platform_name	string	The name of the platform the item was accessed from.
platform_version	string	The version of the browser or computer where 1Password is installed or the CPU of the machine where the 1Password command-line tool is installed.
os_name	string	The name of the operating system the item was accessed from.
os_version	string	The version of the operating system the item was accessed from.
ip_address	string	The IP address the item was accessed from.

Location object schema

Name	Type	Description
country	string	The country where the sign-in attempt was made.
region	string	The region where the sign-in attempt was made.
city	string	The city where the sign-in attempt was made.
longitude	number	A coordinate that specifies the longitudinal location where the sign-in attempt was made.
latitude	number	A coordinate that specifies the latitudinal location where the sign-in attempt was made.

ErrorResponse object

Example error response

ErrorResponse object schema

Name	Type	Description
status	integer	The HTTP status code.
message	string	A message detailing the error.