Manage service accounts
Manage active service accounts
Owners and administrators can manage all service accounts created by their team. Other team members with the permission to create service accounts can manage their own service accounts, but not service accounts created by other people.
You can view and manage a service account from its overview page on 1Password.com. The service account overview page shows information about the service account, such as the vaults it can access, vault permissions, and recent activity.
To manage a service account, go to the service account overview:
- Sign in to your account on 1Password.com.
- Select Developer in the sidebar.
- Choose the service account to manage.
Create a usage report for a service account
To create a usage report for a service account, select Developer in the sidebar, then select a service account. On the service account overview page, select View Item Usage Report.
Usage reports for service accounts include information on the number of vaults and items a service account can access, an overview of vaults where a service account has accessed items, when those items were last accessed, and the action performed.
Change a service account's name
To change a service account's name:
- Sign in to your account on 1Password.com.
- Select Developer in the sidebar, then choose Service accounts at the top of the page.
- Choose a service account to manage.
- Select Edit Details.
- Type a new name, then select Save.
Rotate a service account token
Rotating a service account token generates a new token with the same permissions. You can also specify an expiration for the current token, so you have time to update to the new token without any interruption in service.
Take note of any places where you may need to update a service account token before you rotate it. This helps you set a more reasonable expiration time.
To rotate a service account token:
- Sign in to your account on 1Password.com.
- Select Developer in the sidebar, then choose Service accounts at the top of the page.
- Choose the service account to manage.
- Under the Token section, select Rotate Token.
- Select a value for Expire existing token to set when the token will expire.
For example, you can set the existing token to expire now (immediately), in 1 hour, or in 3 days. - Enter the service account name to confirm.
- Select Rotate Token.
- Select Save in 1Password to save the new token value in 1Password.
If your sign-in address changes, make sure to rotate your service account tokens. Your tokens will redirect to the new sign-in address for 30 days.
Revoke a service account token
Revoking a service account token immediately removes its access to 1Password vaults. You might want to revoke a token if it becomes compromised or unnecessary.
To revoke a service account token:
- Sign in to your account on 1Password.com.
- Select Developer in the sidebar, then choose Service accounts at the top of the page.
- Choose the service account to manage.
- Under the Token section, select Revoke Token.
- Enter the service account name to confirm, then select Revoke Token.
Manage service account settings
With 1Password Teams and 1Password Business, you can manage who on your team can create service accounts and which vaults the service accounts can access.
Manage who can create service accounts
By default, only owners and administrators can create and manage service accounts in 1Password Teams and 1Password Business.
To allow other groups to create service accounts, an owner or administrator can:
- Sign in to your account on 1Password.com.
- Select Developer in the sidebar.
- Select Permissions at the top of the Developer page, then select Service Account.
- Select Manage groups, choose the groups you want to allow to create service accounts, then select Update Groups.
Team members in the selected groups will be able to create service accounts.
To manage which individual team members can create service accounts, change from the Groups tab to the People tab. Select Manage People, choose the team members you want to allow to create service accounts, then select Update People.
Each team member with permission to create service accounts will only be able to manage their own service accounts, not service accounts created by other people.
Manage which vaults team members can grant access to
Team members can only grant service accounts access to a vault if they have the appropriate permissions in the vault:
| Account type | Permission |
|---|---|
| 1Password Teams | Allow Managing |
| 1Password Business | Manage Vault |
You can manage team members' permissions in vaults with 1Password CLI or on 1Password.com.
Manage service account access to vaults
Team administrators can control service account access to 1Password vaults by turning access to a vault off or on.
A vault's service account access setting applies to all service accounts. If you turn off service account access in a vault, existing service accounts will lose access to that vault and new service accounts can't be granted access. After you create a service account, you can't add additional vaults or edit any vault permissions it has.
To turn service account access on or off for a vault:
- Sign in to your account on 1Password.com.
- Choose the vault you want to change service account access to.
- Select Manage.
- Under Service Account Access, select the toggle to turn access on or off.
Get help
If you need to change a service account's permissions or vault access
After you create a service account, you can't give it access to additional vaults, change its permissions in the vaults it can access, or change its ability to create new vaults. If you want to edit a service account's vault access or permissions, you'll need to create a new service account. You can create a service account on 1Password.com or with 1Password CLI.