# 1Password CLI Documentation > Complete reference for 1Password CLI (op), including commands, secret references, and shell plugins. This file contains all documentation content in a single document following the llmstxt.org standard. ## 1Password app integration security ## Security model [Integrating 1Password CLI with the 1Password app](/docs/cli/app-integration/) allows you to use accounts you've added to the 1Password desktop app with 1Password CLI. Every time you use 1Password CLI in a new terminal window or tab, you'll be asked to authorize with biometrics. This authorization establishes a 10-minute session that automatically refreshes on each use. 1Password accounts can only be accessed through 1Password CLI after the user provides explicit biometric authorization and authorization is limited to an single account at a time. The user is shown a prompt containing the 1Password account display name (for example, `AgileBits` or `Wendy Appleseed's Family`) and the process being authorized (for example, `iTerm2` or `Terminal`). The user must confirm the prompt for 1Password CLI to be granted access to the requested account details. Authorizing use of 1Password CLI while the 1Password app is locked will result in the 1Password app unlocking. When the 1Password app is locked, all prior authorization is revoked. Any new invocation of 1Password CLI will require new authorization. If a process is running at the moment authorization is revoked or expires, it will be able to finish its task and exit. ## Authorization model Authorization in 1Password CLI occurs on a per-account basis. If you sign in to multiple accounts, each account must be authorized separately. Authorization expires after 10 minutes of inactivity in the terminal session. There's a hard limit of 12 hours, after which you must reauthorize. Each time you use a 1Password CLI command in a new terminal window or tab, you'll need to authorize your account again: - On macOS and Linux, authorization is confined to a terminal session but extends to sub-shell processes in that window. - On Windows, commands executed in a sub-shell require separate authorization. ## Accepted risks - A user or application with root/administrator level privileges on the same system may be able to circumvent one or more security measures and could obtain access to 1Password accounts through 1Password CLI without authorization if (and only if) the 1Password app is unlocked. - Applications that are granted accessibility permissions on macOS may be able to circumvent the authorization prompt. ## Technical design ### Session credentials Session credentials are used to identify the terminal window or application where 1Password CLI is invoked. The goal is to restrict the granted authorization to a single terminal. If a user authorizes `account X` in one terminal window, using `account y` in another terminal window requires another approval from the user. These credentials don't consist of any sensitive or secret information. **Mac:** The session credential for macOS is an ID that's based on the current `tty`, plus the start time. This way every session credential is unique, even after an ID gets reused. **Linux:** The session credential for Linux is an ID that's based on the current `tty`, plus the start time. This way every session credential is unique, even after an ID gets reused. **Windows:** The session credential for Windows is an ID that's based on the PID of the process that invokes 1Password CLI, plus the start time. This way every session credential is unique, even after an ID gets reused. ### How does 1Password CLI communicate with the 1Password app? 1Password CLI uses inter-process communication to reach out to the 1Password app to obtain access to the accounts stored in the app. **Mac:** The `NSXPCConnection` XPC API is used for IPC. The 1Password app sets up a service (`1Password Browser Helper`) that acts as an XPC server. Both 1Password CLI and the 1Password app connect to this server. Authenticity of both is confirmed by verifying the code signature. The `1Password Browser Helper` acts as a message relay between the 1Password app and 1Password CLI. **Linux:** 1Password CLI connects to a Unix socket opened by the 1Password app. The socket is owned by the current user/group, allowing any process started by this user to connect to it. 1Password CLI is owned by the `onepassword-cli` group and has the `set-gid` bit set on Linux. The 1Password app verifies the authenticity of 1Password CLI by checking if the GID of the process connecting on the unix socket is equal to that of the `onepassword-cli` group. If the GID doesn't match, the connection is reset before any messages are accepted. **Windows:** 1Password CLI connects to a named pipe opened by the 1Password app. The app verifies the authenticity of the process connecting on the named pipe by verifying the Authenticode signature of the process's executable. 1Password CLI verifies the 1Password app's authenticity in the same way. ### Authorization prompts The user is prompted for authorization to confirm that they actually want to allow an account to be accessible through 1Password CLI. **Mac:** On macOS the OS's default biometrics prompt is used to request authorization, if available. Either TouchID or an Apple Watch can be used to confirm this prompt. If biometrics are not available a prompt confirming the user's device password is used instead. **Linux:** On Linux, PolKit is used to spawn a prompt that includes an authentication challenge for the user (commonly fingerprint or the user's OS password). **Windows:** On Windows, Windows Hello is used to spawn a prompt that includes an authentication challenge for the user (commonly fingerprint, face, or the user's OS password). Without Windows Hello, biometrics cannot be used with 1Password CLI. --- ## Use the 1Password desktop app to sign in to 1Password CLI You can use the [1Password desktop app](https://1password.com/downloads) integration to quickly and securely sign in to [1Password CLI](/docs/cli/get-started/). The app integration allows you to: - Seamlessly sign to the 1Password accounts you've added to the app in your terminal. - Authenticate 1Password CLI the same way you unlock your device, like with your fingerprint, face, Apple Watch, Windows Hello PIN, or device user password. - Track recent 1Password CLI activity from your 1Password app. ## Requirements **Mac:** - [1Password subscription](https://1password.com/pricing/password-manager) - [1Password for Mac](https://1password.com/downloads/mac) **Windows:** - [1Password subscription](https://1password.com/pricing/password-manager) - [1Password for Windows](https://1password.com/downloads/windows) **Linux:** - [1Password subscription](https://1password.com/pricing/password-manager) - [1Password for Linux](https://1password.com/downloads/linux) - [PolKit](https://gitlab.freedesktop.org/polkit/polkit) (included in many popular distributions) - A PolKit authentication agent running ## Set up the app integration ### Step 1: Turn on the app integration **Mac:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 4. Select **Integrate with 1Password CLI**. 5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Windows:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app. 4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 5. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Linux:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Security](onepassword://settings/security)**. 4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**. 5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 6. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ ### Step 2: Enter any command to sign in After you've turned on the app integration, enter any command and you'll be prompted to authenticate. For example, run this command to see all the vaults in your account: ```shell op vault list ``` #### If you have multiple accounts If you've added multiple 1Password accounts to your desktop app, you can use [`op signin`](/docs/cli/reference/commands/signin/) to select an account to sign in to with 1Password CLI. Use the arrow keys to choose from the list of all accounts added to your 1Password app. ```shell {2} op signin #code-result Select account [Use arrows to move, type to filter] > ACME Corp (acme.1password.com) AgileBits (agilebits.1password.com) Add another account ``` You can also [select an account on a per-command basis using the `--account` flag](/docs/cli/use-multiple-accounts#specify-an-account-per-command-with-the---account-flag) with your account's sign-in address or ID. ```shell op vault ls --account my.1password.com ``` If you're signed in to multiple accounts in the app but only want to use a specific account with 1Password CLI, you can [set the `OP_ACCOUNT` environment variable](/docs/cli/use-multiple-accounts#set-an-account-with-the-op_account-environment-variable) to your account's sign-in address or ID. ### Optional: Remove previously added account details :::warning[caution] Make sure you have access to your Secret Key and account password before removing account details from your configuration file. ::: If you previously [added an account to 1Password CLI manually](/docs/cli/sign-in-manually/) and now want to exclusively use the 1Password app to sign in, you can remove your account details from your configuration file. Your configuration file is in one of the following locations: - `~/.op/config` - `~/.config/op/config` - `~/.config/.op/config` Use the [account forget](/docs/cli/reference/management-commands/account#account-forget) command to remove all existing account information from your configuration file. This won't impact the accounts added to your 1Password app. ```shell op account forget --all ``` ### Optional: Set the biometric unlock environment variable You can use the `OP_BIOMETRIC_UNLOCK_ENABLED` environment variable to temporarily toggle the app integration on or off. **Bash, Zsh, sh:** To turn on the integration: ```shell export OP_BIOMETRIC_UNLOCK_ENABLED=true ``` To turn off the integration: ```shell export OP_BIOMETRIC_UNLOCK_ENABLED=false ``` **fish:** To turn on the integration: ```shell set -x OP_BIOMETRIC_UNLOCK_ENABLED true ``` To turn off the integration: ```shell set -x OP_BIOMETRIC_UNLOCK_ENABLED false ``` **PowerShell:** To turn on the integration: ```powershell $Env:OP_BIOMETRIC_UNLOCK_ENABLED = "true" ``` To turn off the integration: ```powershell $Env:OP_BIOMETRIC_UNLOCK_ENABLED = "false" ``` **Set a default account to use with the 1Password app integration**(Beta) Run `op account use` to set a default 1Password account to use with the 1Password app integration in your current terminal session. 1Password CLI will prompt you to select an account. ```shell op account use --account my.1password.com ``` ## Track 1Password CLI activity You can track 1Password CLI activity authenticated with the 1Password app, including the command, when it was run, the application where it was run, and the name of the account accessed. To see your 1Password CLI activity log: 1. Open and unlock the 1Password desktop app. 2. Select your account or collection at the top of the sidebar and choose **Settings** > [**Developer**](onepassword://settings/developers). 3. Turn on **Show 1Password Developer in Sidebar**. 4. Close the settings window, then select **Developer** in the sidebar. 5. Select **View CLI**. _[The 1Password CLI activity log.]_ You'll see a table with your recent 1Password CLI activity. Learn more about [1Password Developer](https://support.1password.com/developer/). ## Troubleshooting ### If `op signin` doesn't list your account `op signin` returns a list of all accounts you've added to the 1Password desktop app. To sign in to 1Password CLI with a new 1Password account, you'll need to [add the account to the app](https://support.1password.com/add-account/). ### If you see a connection error If you see a `connectionreset` error, or an error that 1Password CLI couldn't connect to the 1Password desktop app, try the following: **Mac:** Open **System Settings** > **General** > **Login Items** and make sure **Allow in background** is turned on for 1Password. If you still see an error, try the following: 1. Make sure you're using the latest version of the 1Password desktop app. 2. Restart the app. If you're using 1Password for Mac version 8.10.12 or earlier, the 1Password CLI binary must be located in the `/usr/local/bin/` directory. **Windows:** 1. Make sure you're using the latest version of the 1Password desktop app. 2. Restart the app. **Linux:** 1. Make sure you're using the latest version of the 1Password desktop app. 2. Restart the app. If you see a `LostConnectionToApp` error when you try to authenticate: **Mac:** Make sure the option to keep 1Password in the menu bar is turned on: 1. Open and unlock the 1Password desktop app. 2. Select your account or collection at the top of the sidebar. 3. Select **Settings** > **General**. 4. Make sure "Keep 1Password in the menu bar" is selected. **Windows:** Make sure the option to keep 1Password in the notification area is turned on: 1. Open and unlock the 1Password desktop app. 2. Select your account or collection at the top of the sidebar. 3. Select **Settings** > **General**. 4. Make sure "Keep 1Password in the notification area" is selected. **Linux:** Make sure the option to keep 1Password in the system tray is turned on: 1. Open and unlock the 1Password desktop app. 2. Select your account or collection at the top of the sidebar. 3. Select **Settings** > **General**. 4. Make sure "Keep 1Password in the system tray" is selected. ### If you aren't prompted to authenticate with your preferred method If you've turned on the app integration, but aren't prompted to sign in to 1Password CLI with your expected authentication method: **Mac:** Make sure you've set up [Touch ID](https://support.1password.com/touch-id-mac/) or an [Apple Watch](https://support.1password.com/apple-watch-mac/) to unlock 1Password on your Mac. **Windows:** Make sure you've set up [Windows Hello](https://support.1password.com/windows-hello/) to unlock 1Password on your Windows PC. **Linux:** 1. Make sure you've set up [system authentication](https://support.1password.com/system-authentication-linux/) to unlock 1Password on your Linux computer. 2. Update the authentication method in your Linux settings to use a [fingerprint](https://help.ubuntu.com/stable/ubuntu-help/session-fingerprint.html.en) or other biometrics instead of your Linux user password. ## Learn more - [Use multiple 1Password accounts with 1Password CLI](/docs/cli/use-multiple-accounts/) - [Add accounts to the 1Password app](https://support.1password.com/add-account/) - [1Password app integration security](/docs/cli/app-integration-security/) --- ## 1Password CLI best practices 1Password CLI brings 1Password to your terminal. The following are best practices we recommend when using 1Password CLI. ### Use the latest version of 1Password CLI Practice good software update hygiene and regularly update to the [latest version of the 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2). You can check for available updates with [`op update`](/docs/cli/reference/commands/update). ### Apply the principle of least privilege to your infrastructure secrets You can follow the [principle of least privilege ](https://csrc.nist.gov/glossary/term/least_privilege) with [1Password Service Accounts](/docs/service-accounts), which support restricting 1Password CLI access to only the items required for a given purpose. Use dedicated vaults with service accounts that are properly scoped for secrets management use cases. Do not grant access to more vaults than needed. Learn more about [managing group and vault permissions using the principle of least privilege](https://support.1password.com/business-security-practices#access-management-and-the-principle-of-least-privilege). ### Use template files when creating items that contain sensitive values When creating items with [`op item create`](/docs/cli/reference/management-commands/item#item-create) we recommend using a [JSON template](/docs/cli/item-create#with-an-item-json-template) to enter any sensitive values. --- ## How 1Password CLI detects configuration directories 1Password CLI configuration directories default to: - `${XDG_CONFIG_HOME}/op` when `${XDG_CONFIG_HOME}` is set - `~/.config/op` when `${XDG_CONFIG_HOME}` is not set 1Password CLI detects the configuration directory to read or write to in this order of precedence: 1. A directory specified with `--config` 2. A directory set with the `OP_CONFIG_DIR` environment variable. 3. `~/.op` (following [go-homedir ](https://github.com/mitchellh/go-homedir) to determine the home directory) 4. `${XDG_CONFIG_HOME}/.op` 5. `~/.config/op` (following [go-homedir ](https://github.com/mitchellh/go-homedir) to determine the home directory) 6. `${XDG_CONFIG_HOME}/op` --- ## 1Password CLI environment variables You can use the following environment variables with 1Password CLI: | Environment variable | Description | | --- | --- | | `OP_ACCOUNT` | Specifies a default 1Password account to execute commands. Accepts an [account sign-in address or ID](/docs/cli/use-multiple-accounts#find-an-account-sign-in-address-or-id). An account specified with the `--account` flag takes precedence.| | `OP_BIOMETRIC_UNLOCK_ENABLED` | Toggles the [1Password app integration](/docs/cli/app-integration#optional-set-the-biometric-unlock-environment-variable) on or off. Options: `true`, `false`. | | `OP_CACHE` | Toggles the option to [store and use cached information](/docs/cli/reference#cache-item-and-vault-information) on or off. Options: `true`, `false`. Default: `true`. | | `OP_CONFIG_DIR` | Specifies a [configuration directory](/docs/cli/config-directories) to read and write to. A directory specified with the `--config` flag takes precedence. | | `OP_CONNECT_HOST` | Sets a [Connect server instance host URL](/docs/connect/cli/) to use with 1Password CLI. | | `OP_CONNECT_TOKEN` | Sets a [Connect server token](/docs/connect/cli/) to use with 1Password CLI. | | `OP_DEBUG` | Toggles debug mode on or off. Options: `true`, `false`. Default: `false`.| | `OP_FORMAT` | Sets the output format for 1Password CLI commands. Options: `human-readable`, `json`. Default: `human-readable`.| | `OP_INCLUDE_ARCHIVE` | Allows items in the archive to be retrieved with [`op item get`](/docs/cli/reference/management-commands/item#item-get) and [`op document get`](/docs/cli/reference/management-commands/document#document-get) commands. Options: `true`, `false`. Default: `false`. | | `OP_ISO_TIMESTAMPS` | Toggles the option to format timestamps according to ISO 8601 and RFC 3339 standards on or off. Options: `true`, `false`. Default: `false`. | | `OP_RUN_NO_MASKING` | Toggles masking off for the output of [`op run`](/docs/cli/reference/commands/run). | | `OP_SESSION` | Stores a session token when you [sign in to 1Password CLI manually](/docs/cli/sign-in-manually). | | `OP_SERVICE_ACCOUNT_TOKEN` | Configures 1Password CLI to [authenticate with a service account](/docs/service-accounts/use-with-1password-cli). | --- ## Get started with 1Password CLI 1Password CLI brings 1Password to your terminal. Learn how to install the CLI, then integrate it with your 1Password app and sign in with Touch ID, Windows Hello, or another system authentication option. ## Step 1: Install 1Password CLI **Requirements** **Mac:** - [1Password subscription](https://1password.com/pricing/password-manager) - [1Password for Mac](https://1password.com/downloads/mac)* - macOS Big Sur 11.0.0 or later Supported shells: Bash, Zsh, sh, fish *Required to integrate 1Password CLI with the 1Password app. **Windows:** - [1Password subscription](https://1password.com/pricing/password-manager) - [1Password for Windows](https://1password.com/downloads/windows) Supported shells: PowerShell **Linux:** - [1Password subscription](https://1password.com/pricing/password-manager) - [1Password for Linux](https://1password.com/downloads/linux)* - [PolKit](https://github.com/polkit-org/polkit)* - A PolKit authentication agent running* Supported shells: Bash, Zsh, sh, fish *Required to integrate 1Password CLI with the 1Password app. **Mac:** **homebrew:** 1. To install 1Password CLI with [homebrew](https://brew.sh/): ```shell brew install 1password-cli ``` 2. Check that 1Password CLI installed successfully: ```shell op --version ``` The 1Password Homebrew cask is maintained by both Homebrew and 1Password developers in the open-source [Homebrew Cask repository. ](https://github.com/Homebrew/homebrew-cask) 1Password CLI downloads from our CDN on agilebits.net/.com domains. **Manual:** To manually install 1Password CLI on macOS: 1. Download [the latest release of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2). Learn how to [verify its authenticity](/docs/cli/verify/). 2. - **Package file**: Open `op.pkg` and install 1Password CLI in the default location (`usr/local/bin`). - **ZIP file**: Open `op.zip` and unzip the file, then move `op` to `usr/local/bin`. 3. Check that 1Password CLI was installed successfully: ```shell op --version ``` **Windows:** **winget:** 1. To install 1Password CLI with winget: ```powershell winget install 1password-cli ``` 2. Check that 1Password CLI installed successfully: ```powershell op --version ``` **Manual:** To manually install 1Password CLI on Windows: 1. Download [the latest release of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) and extract `op.exe`. Learn how to [verify its authenticity](/docs/cli/verify/). 2. Open PowerShell **as an administrator**. 3. Create a folder to move `op.exe` into. For example, `C:\Program Files\1Password CLI`. ```powershell mkdir "C:\Program Files\1Password CLI" ``` 4. Move the `op.exe` file to the new folder. ```powershell mv ".\op.exe" "C:\Program Files\1Password CLI" ``` 5. **Add the folder containing the `op.exe` file to your PATH.** **Windows 10 and later** Search for Advanced System Settings in the Start menu. Select Environment Variables. In the System Variables section, select the PATH environment variable and select Edit. In the prompt, select New and add the directory where `op.exe` is located. Sign out and back in to Windows for the change to take effect. 6. Check that 1Password CLI installed successfully: ```shell op --version ``` If you'd rather install 1Password CLI with a single block of commands, run the following in PowerShell as administrator: ```powershell $arch = (Get-CimInstance Win32_OperatingSystem).OSArchitecture switch ($arch) { '64-bit' { $opArch = 'amd64'; break } '32-bit' { $opArch = '386'; break } Default { Write-Error "Sorry, your operating system architecture '$arch' is unsupported" -ErrorAction Stop } } $installDir = Join-Path -Path $env:ProgramFiles -ChildPath '1Password CLI' Invoke-WebRequest -Uri "https://cache.agilebits.com/dist/1P/op2/pkg/v2.32.1/op_windows_$($opArch)_v2.32.1.zip" -OutFile op.zip Expand-Archive -Path op.zip -DestinationPath $installDir -Force $envMachinePath = [System.Environment]::GetEnvironmentVariable('PATH','machine') if ($envMachinePath -split ';' -notcontains $installDir){ [Environment]::SetEnvironmentVariable('PATH', "$envMachinePath;$installDir", 'Machine') } Remove-Item -Path op.zip ``` If your Windows operating system uses a language other than English, you'll need to manually set `$arch` in the first line. To do this, replace `$arch = (Get-CimInstance Win32_OperatingSystem).OSArchitecture` with `$arch = "64-bit"` or `$arch = "32-bit"`. **Linux:** **APT:** To install 1Password CLI using APT on Debian- and Ubuntu-based distributions: 1. Run the following command: ```shell curl -sS https://downloads.1password.com/linux/keys/1password.asc | \ sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg && \ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | \ sudo tee /etc/apt/sources.list.d/1password.list && \ sudo mkdir -p /etc/debsig/policies/AC2D62742012EA22/ && \ curl -sS https://downloads.1password.com/linux/debian/debsig/1password.pol | \ sudo tee /etc/debsig/policies/AC2D62742012EA22/1password.pol && \ sudo mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22 && \ curl -sS https://downloads.1password.com/linux/keys/1password.asc | \ sudo gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg && \ sudo apt update && sudo apt install 1password-cli ``` **See a step-by-step version of the script** 1. Add the key for the 1Password `apt` repository: ```shell curl -sS https://downloads.1password.com/linux/keys/1password.asc | \ sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg ``` 2. Add the 1Password `apt` repository: ```shell echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list ``` 3. Add the debsig-verify policy: ```shell sudo mkdir -p /etc/debsig/policies/AC2D62742012EA22/ curl -sS https://downloads.1password.com/linux/debian/debsig/1password.pol | \ sudo tee /etc/debsig/policies/AC2D62742012EA22/1password.pol && \ sudo mkdir -p /usr/share/debsig/keyrings/AC2D62742012EA22 && \ curl -sS https://downloads.1password.com/linux/keys/1password.asc | \ sudo gpg --dearmor --output /usr/share/debsig/keyrings/AC2D62742012EA22/debsig.gpg ``` 4. Install 1Password CLI: ```shell sudo apt update && sudo apt install 1password-cli ``` 2. Check that 1Password CLI installed successfully: ```shell op --version ``` Alternatively, download the latest 1Password CLI `.deb` package directly from one of the following links: - [amd64](https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb) - [386](https://downloads.1password.com/linux/debian/386/stable/1password-cli-386-latest.deb) - [arm](https://downloads.1password.com/linux/debian/arm/stable/1password-cli-arm-latest.deb) - [arm64](https://downloads.1password.com/linux/debian/arm64/stable/1password-cli-arm64-latest.deb) **YUM:** To install 1Password CLI using YUM on RPM-based distributions: 1. Run the following commands: ```shell sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc sudo sh -c 'echo -e "[1password]\nname=1Password Stable Channel\nbaseurl=https://downloads.1password.com/linux/rpm/stable/\$basearch\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=\"https://downloads.1password.com/linux/keys/1password.asc\"" > /etc/yum.repos.d/1password.repo' sudo dnf check-update -y 1password-cli && sudo dnf install 1password-cli ``` **The above script is comprised of the following steps** 1. Import the public key: ```shell sudo rpm --import https://downloads.1password.com/linux/keys/1password.asc ``` 2. Configure the repository information: ```shell sudo sh -c 'echo -e "[1password]\nname=1Password Stable Channel\nbaseurl=https://downloads.1password.com/linux/rpm/stable/\$basearch\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=\"https://downloads.1password.com/linux/keys/1password.asc\"" > /etc/yum.repos.d/1password.repo' ``` 3. Install 1Password CLI: ```shell sudo dnf check-update -y 1password-cli && sudo dnf install 1password-cli ``` 2. Check that 1Password CLI installed successfully: ```shell op --version ``` Alternatively, download the latest 1Password CLI `.rpm` package directly from one of the following links: - [x86_64](https://downloads.1password.com/linux/rpm/stable/x86_64/1password-cli-latest.x86_64.rpm) - [i386](https://downloads.1password.com/linux/rpm/stable/i386/1password-cli-latest.i386.rpm) - [aarch64](https://downloads.1password.com/linux/rpm/stable/aarch64/1password-cli-latest.aarch64.rpm) - [armv7l](https://downloads.1password.com/linux/rpm/stable/armv7l/1password-cli-latest.armv7l.rpm) **Alpine:** To install 1Password CLI on Alpine x86_64 distributions: 1. Run the following commands: ```shell echo https://downloads.1password.com/linux/alpinelinux/stable/ >> /etc/apk/repositories wget https://downloads.1password.com/linux/keys/alpinelinux/support@1password.com-61ddfc31.rsa.pub -P /etc/apk/keys apk update && apk add 1password-cli ``` **The above script is comprised of the following steps** 1. Add Password CLI to your list of repositories: ```shell echo https://downloads.1password.com/linux/alpinelinux/stable/ >> /etc/apk/repositories ``` 2. Add the public key to validate the APK to your keys directory: ```shell wget https://downloads.1password.com/linux/keys/alpinelinux/support@1password.com-61ddfc31.rsa.pub -P /etc/apk/keys ``` 3. Install 1Password CLI: ```shell apk update && apk add 1password-cli ``` 2. Check that 1Password CLI installed successfully: ```shell op --version ``` **NixOS:** :::warning[caution] The Nix package is available from the NixOS open source community. ::: To install 1Password CLI on your NixOS system: 1. Add 1Password to your `/etc/nixos/configuration.nix` file, or `flake.nix` if you're using a flake. For example, the following snippet includes 1Password CLI and the 1Password app: ```nix # NixOS has built-in modules to enable 1Password # along with some pre-packaged configuration to make # it work nicely. You can search what options exist # in NixOS at https://search.nixos.org/options # Enables the 1Password CLI programs._1password = { enable = true; }; # Enables the 1Password desktop app programs._1password-gui = { enable = true; # this makes system auth etc. work properly polkitPolicyOwners = [ "" ]; }; ``` 2. After you make changes to your configuration file, apply them: - If you added 1Password to `/etc.nixos/configuration.nix`, run: ```shell sudo nixos-rebuild switch ``` - If you added 1Password to `flake.nix`, replace `` with the directory your flake is in and `` with the name of the flake output containing your system configuration, then run the command. ```shell sudo nixos-rebuild switch --flake .# ``` 3. Check that 1Password CLI installed successfully: ```shell op --version ``` Learn more about [using 1Password on NixOS. ](https://nixos.wiki/wiki/1Password) **Manual:** To install 1Password CLI on Linux without a package manager: ```shell ARCH="" && \ wget "https://cache.agilebits.com/dist/1P/op2/pkg/v2.32.1/op_linux_${ARCH}_v2.32.1.zip" -O op.zip && \ unzip -d op op.zip && \ sudo mv op/op /usr/local/bin/ && \ rm -r op.zip op && \ sudo groupadd -f onepassword-cli && \ sudo chgrp onepassword-cli /usr/local/bin/op && \ sudo chmod g+s /usr/local/bin/op ``` **Or follow the extended guide** 1. Download the [latest release of 1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) and extract it. To verify its authenticity: ```shell gpg --keyserver keyserver.ubuntu.com --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 gpg --verify op.sig op ``` 2. Move `op` to `/usr/local/bin`, or another directory in your `$PATH`. 3. Check that 1Password CLI installed successfully: ```shell op --version ``` 4. Create the `onepassword-cli` group if it doesn't yet exist: ```shell sudo groupadd onepassword-cli ``` 5. Set the correct permissions on the `op` binary: ```shell sudo chgrp onepassword-cli /usr/local/bin/op && \ sudo chmod g+s /usr/local/bin/op ``` ## Step 2: Turn on the 1Password desktop app integration **Mac:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 4. Select **Integrate with 1Password CLI**. 5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Windows:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app. 4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 5. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Linux:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Security](onepassword://settings/security)**. 4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**. 5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 6. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ [Learn more about the 1Password desktop app integration.](/docs/cli/app-integration/) ## Step 3: Enter any command to sign in After you've turned on the app integration, enter any command and you'll be prompted to authenticate. For example, run this command to see all the vaults in your account: ```shell op vault list ``` #### If you have multiple accounts If you've added multiple 1Password accounts to your desktop app, you can use [`op signin`](/docs/cli/reference/commands/signin/) to select an account to sign in to with 1Password CLI. Use the arrow keys to choose from the list of all accounts added to your 1Password app. ```shell {2} op signin #code-result Select account [Use arrows to move, type to filter] > ACME Corp (acme.1password.com) AgileBits (agilebits.1password.com) Add another account ``` [Learn more about using multiple accounts with 1Password CLI.](/docs/cli/use-multiple-accounts/) ## Next steps 1. [Get started with basic 1Password CLI commands.](/docs/cli/reference/) 2. [Set up 1Password Shell Plugins to handle authentication for your other command-line tools.](/docs/cli/shell-plugins/) 3. [Learn how to securely load secrets from your 1Password account without putting any plaintext secrets in code.](/docs/cli/secret-references/) ## Learn more - [1Password app integration troubleshooting](/docs/cli/app-integration#troubleshooting) - [1Password app integration security](/docs/cli/app-integration-security/) - [How 1Password CLI detects configuration directories](/docs/cli/config-directories) --- ## Grant and revoke vault permissions With 1Password CLI, you can manage the permissions each [user](/docs/cli/reference/management-commands/vault#vault-user) or [group](/docs/cli/reference/management-commands/vault#vault-group) has in each vault, so that everyone has access to the items they need. Some permissions require [dependent permissions](/docs/cli/vault-permissions/). On interactive shells, you can specify any permission, and 1Password CLI will ask you whether you want to add or revoke dependent permissions. If you're using scripts, or your shell isn't interactive, you must [include dependent permissions](#scripting) in the command. [Learn what permissions are available for your account type.](/docs/cli/vault-permissions/) ## Requirements Before you can use 1Password CLI to , you'll need to: - Sign up for 1Password - Install 1Password CLI You can manage vault permissions if you're an owner, administrator, or if you have the `manage_vault` permission in a vault. ## Grant permissions in vaults ### Users Use [`op vault user grant`](/docs/cli/reference/management-commands/vault#vault-user-grant) to grant a user permissions in a vault. For example, to grant the user Wendy Appleseed permission to edit items and manage vault permissions in the Prod vault: ```shell op vault user grant --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_editing,allow_managing ``` If the permissions you want to grant require dependent permissions to be granted alongside them, 1Password CLI will prompt you to grant those permissions: ``` In order to grant [allow_editing,allow_managing], the permission(s) [allow_viewing] are also required. Would you like to grant them as well? [Y/n] ``` To confirm which users have access to a vault and their current permissions: ```shell op vault user list ``` ### Groups Use [`op vault group grant`](/docs/cli/reference/management-commands/vault#vault-group-grant) to grant a group permissions in a vault. For example, to grant the group IT permission to edit items and manage vault permissions in the Prod vault: ```shell op vault group grant --group "IT" --vault Prod --permissions allow_editing,allow_managing ``` If the permissions you want to grant require dependent permissions to be granted alongside them, 1Password CLI will prompt you to grant those permissions: ``` In order to grant [allow_editing,allow_managing], the permission(s) [allow_viewing] are also required. Would you like to grant them as well? [Y/n] ``` To confirm which groups have access to a vault and their current permissions: ```shell op vault group list ``` ## Revoke permissions in vaults ### Users Use [`op vault user revoke`](/docs/cli/reference/management-commands/vault#vault-user-revoke) to revoke a user's permissions in a vault. For example, to revoke the user Wendy Appleseed's permission to view items in the Prod vault: ```shell op vault user revoke --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_viewing ``` If the permission you want to revoke requires dependent permissions to be revoked alongside it, 1Password CLI will prompt you to revoke those permissions: ``` In order to revoke [allow_viewing], the permission(s) [allow_editing,allow_managing] are also required. Would you like to revoke them as well? [Y/n] ``` To confirm that the user's permissions have been revoked: ```shell op vault user list ``` ### Groups Use [`op vault group revoke`](/docs/cli/reference/management-commands/vault#vault-group-grant) to revoke a group's permissions in a vault. For example, to revoke the group IT's permission to view items in the Prod vault: ```shell op vault group revoke --group "IT" --vault Prod --permissions allow_viewing ``` If the permission you want to revoke requires dependent permissions to be revoked alongside it, 1Password CLI will prompt you to revoke those permissions: ``` In order to revoke [allow_viewing], the permission(s) [allow_editing,allow_managing] are also required. Would you like to revoke them as well? [Y/n] ``` To confirm the group's permissions have been revoked: ```shell op vault group list ``` ## Scripting If you're using scripts to grant and revoke vault permissions, or if your shell isn't interactive, you'll need to include the `--no-input` flag and specify all [dependent permissions](/docs/cli/vault-permissions/) in a comma-separated list after the `--permissions` flag. For example, the `allow_managing` permission requires the `allow_editing` and `allow_viewing` permission. To grant the user Wendy Appleseed permission to manage vault permissions in the Prod vault: ```shell op vault user grant --no-input --user wendy.appleseed@agilebits.com --vault Prod --permissions allow_managing,allow_editing,allow_viewing ``` To revoke `allow_editing` from a group that currently also has `allow_managing` granted in a vault: ```shell op vault group revoke --no-input --group "IT" --vault Prod --permissions allow_managing,allow_editing ``` ## Learn more - [Vault permission dependencies](/docs/cli/vault-permissions/) --- ## Install 1Password CLI on a server There are several different ways to install 1Password CLI on a server. To install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) on a Linux `amd64` host, you can use this one-line command: ```shell ARCH="amd64"; \ OP_VERSION="v$(curl https://app-updates.agilebits.com/check/1/0/CLI2/en/2.0.0/N -s | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')"; \ curl -sSfo op.zip \ https://cache.agilebits.com/dist/1P/op2/pkg/"$OP_VERSION"/op_linux_"$ARCH"_"$OP_VERSION".zip \ && unzip -od /usr/local/bin/ op.zip \ && rm op.zip ``` To install with Docker, you can use the [1Password CLI 2 Docker image](https://hub.docker.com/r/1password/op/tags): ```shell docker pull 1password/op:2 ``` If you want to add the CLI installation to your Dockerfile, then add this line: ```docker title="Dockerfile" COPY --from=1password/op:2 /usr/local/bin/op /usr/local/bin/op ``` ## Learn more - [Install 1Password CLI on your machine](/docs/cli/get-started#step-1-install-1password-cli) --- ## Create items with 1Password CLI # Create items To create a new item in your 1Password account and assign information to it, use the [`op item create`](/docs/cli/reference/management-commands/item#item-create) command. You can [specify basic information about the item](#create-an-item) with flags and use assignment statements to [assign built-in and custom fields](#create-a-customized-item). To assign sensitive values, [use a JSON template](#with-an-item-json-template). ## Requirements Before you can use 1Password CLI to create items, you'll need to: - [Sign up for 1Password](https://1password.com/pricing/password-manager) - [Install 1Password CLI](/docs/cli/get-started#step-1-install-1password-cli) :::info Follow along If you want to follow along with the examples in this guide, [sign in to your account](/docs/cli/get-started#step-3-enter-any-command-to-sign-in) then create a new vault named `Tutorial` where the example items will be saved: ```shell op vault create Tutorial ``` ::: ## Create an item To create a new item, use [`op item create`](/docs/cli/reference/management-commands/item#item-create) and specify basic information about the item with flags. For example, to create a Login item named `Netflix` in the `Tutorial` vault: **Bash, Zsh, sh, fish:** ```shell [{ "badge": 1, "color": "tangerine", "lineNo": 2, "substr": "--category login" }, { "badge": 2, "color": "sunbeam", "lineNo": 3, "substr": "--title \\"Netflix\\"" }, { "badge": 3, "color": "lagoon", "lineNo": 4, "substr": "--vault Tutorial" }, { "badge": 4, "color": "intrepidblue", "lineNo": 5, "substr": "--url 'https://www.netflix.com/login'" }, { "badge": 5, "color": "bitsblue", "lineNo": 6, "substr": "--generate-password='letters,digits,symbols,32'" }, { "badge": 6, "color": "dahlia", "lineNo": 7, "substr": "--tags tutorial,entertainment" }] op item create \ --category login \ --title "Netflix" \ --vault Tutorial \ --url 'https://www.netflix.com/login' \ --generate-password='letters,digits,symbols,32' \ --tags tutorial,entertainment ``` **PowerShell:** ```powershell [{ "badge": 1, "color": "tangerine", "lineNo": 2, "substr": "--category login" }, { "badge": 2, "color": "sunbeam", "lineNo": 3, "substr": "--title \\"Netflix\\"" }, { "badge": 3, "color": "lagoon", "lineNo": 4, "substr": "--vault Tutorial" }, { "badge": 4, "color": "intrepidblue", "lineNo": 5, "substr": "--url 'https://www.netflix.com/login'" }, { "badge": 5, "color": "bitsblue", "lineNo": 6, "substr": "--generate-password='letters,digits,symbols,32'" }, { "badge": 6, "color": "dahlia", "lineNo": 7, "substr": "--tags tutorial,entertainment" }] op item create ` --category login ` --title "Netflix" ` --vault Tutorial ` --url 'https://www.netflix.com/login' ` --generate-password='letters,digits,symbols,32' ` --tags tutorial,entertainment ``` Here's what each of the above flags does: --category Sets the item category, in this case a Login item. Use `op item template list` to get a list of available categories. The category value is case-insensitive and ignores whitespace characters. For example, the `Social Security Number` category can also be specified as `socialsecuritynumber`. --title Gives the item a name so that you can easily identify it. If unspecified, 1Password CLI selects a default name. For example, `Untitled Login item`. --vault Specifies which vault the item should be created in. If unspecified, the item will be created in your built-in Personal, Private, or Employee vault. The name of this vault varies depending on your account type. --url Sets the website where 1Password suggests and fills a Login, Password, or API Credential item. --generate-password Generates a strong password for Login and Password category items. You can specify a password recipe, as shown in the example. If left unspecified, a default recipe will be used to generate a 32-character password consisting of letters, digits, and symbols. --tags Adds tags to the item using a comma-separated list. ## Create a customized item Each item category has its own set of built-in fields that you can use to save more information to the item. You can also create custom fields to save additional details about the item. Learn more about [built-in and custom fields](/docs/cli/item-fields/). You can assign built-in and custom fields to your item in two ways: - [With assignment statements](#with-assignment-statements) - [With an item JSON template](#with-an-item-json-template) ### With assignment statements :::danger Command arguments can be visible to other processes on your machine. If you're assigning sensitive values, use [an item JSON template](#with-an-item-json-template) instead. ::: The [`op item create`](/docs/cli/reference/management-commands/item#item-create) command can take a list of assignment statements as arguments to create fields on an item. Assignment statements are formatted like this: ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "
" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "" }, { "badge": 3, "color": "intrepidblue", "lineNo": 1, "substr": "" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "" }] [
.][[]]= ``` - section (Optional) The name of the section where you want to create the field. - field The name of the field you want to create. - fieldType The type of field you want to create. If unspecified, `fieldType` will default to `password`. - value The information you want to save in the field. For built-in fields, the field name should match the [built-in field `id`](/docs/cli/item-fields#built-in-fields) in the item category template. Don't include a fieldType for built-in fields. For custom fields, the fieldType should match the [custom field `type`](/docs/cli/item-fields#custom-fields) you want to create. The field name can be anything you want. If you need to use periods, equal signs, or backslashes in the name of a section or field, use a backslash character to escape them. Don't use backslashes to escape the value. Here's an example of an assignment statement for the built-in field username on a Login item, set to john.doe@acme.org: ```shell [{ "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "username" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "john.doe@acme.org" }] 'username=john.doe@acme.org' ``` And here's an example of an assignment statement for a custom field type titled date, which is set to 2022-12-31, in a field named Renewal Date within a section titled Subscription Info: ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "Subscription Info" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "Renewal Date" }, { "badge": 3, "color": "intrepidblue", "lineNo": 1, "substr": "date" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "2022-12-31" }] 'Subscription Info.Renewal Date[date]=2022-12-31' ``` To add both of the above assignment statements to a new item, `HBO Max`, in the `Tutorial` vault: **Bash, Zsh, sh, fish:** ```shell op item create \ --category login \ --title "HBO Max" \ --vault Tutorial \ --url 'https://www.hbomax.com' \ --generate-password='letters,digits,symbols,32' \ --tags tutorial,entertainment \ 'username=john.doe@acme.org' \ 'Subscription Info.Renewal Date[date]=2022-12-31' ``` **PowerShell:** ```powershell op item create ` --category login ` --title "HBO Max" ` --vault Tutorial ` --url 'https://www.hbomax.com' ` --generate-password='letters,digits,symbols,32' ` --tags tutorial,entertainment ` 'username=john.doe@acme.org' ` 'Subscription Info.Renewal Date[date]=2022-12-31' ``` ### With an item JSON template To assign sensitive values, fill out an item JSON template for the category of item you want to create. If you combine field assignment statements with a template, the assignment statements overwrite the template's values. To see a list of available templates, run [`op item template list`](/docs/cli/reference/management-commands/item#item-template-list). To get a template for a category, run [`op item template get `](/docs/cli/reference/management-commands/item#item-template-get). For example, to create a new Login item using a template: 1. Get the template for a Login item and save it in your current directory: ```shell op item template get --out-file=login.json "Login" ``` 2. Edit [the template file](/docs/cli/item-template-json/) to add your information. 3. Create the item using the `--template` flag to specify the path to the template file: ```shell op item create --template=login.json ``` This example template file creates a Login item named `Hulu` in a vault [specified by its ID](/docs/cli/reference#unique-identifiers-ids). It specifies values for built-in `username`, `password`, and `notesPlain` fields. It also adds a custom `date` field. **Example Login template** ```json title="login.json" { "title": "Hulu", "vault": { "id": "sor33rgjjcg2xykftymcmqm5am" }, "category": "LOGIN", "fields": [ { "id": "username", "type": "STRING", "purpose": "USERNAME", "label": "username", "value": "wendy.appleseed@gmail.com" }, { "id": "password", "type": "CONCEALED", "purpose": "PASSWORD", "label": "password", "password_details": { "strength": "" }, "value": "Dp2WxXfwN7VFJojENfEHLEBJmAGAxup@" }, { "id": "notesPlain", "type": "STRING", "purpose": "NOTES", "label": "notesPlain", "value": "This is Wendy's Hulu account." }, { "id": "date", "type": "date", "label": "Subscription renewal date", "value": "2023-04-05" } ] } ``` 4. Delete the edited template file from your computer. You can also create an item from standard input using a template: ```shell op item template get Login | op item create --vault Tutorial - ``` ## Create an item from an existing item You can create a new item from an existing item by piping the item JSON from standard input. For example, to create a new item based on the `HBO Max` item you created in the assignment statement section, with a new title, username, and password: ```shell op item get "HBO Max" --format json | op item create --vault Tutorial --title "Wendy's HBO Max" - 'username=wendy.appleseed@acme.org' 'password=Dp2WxXfwN7VFJojENfEHLEBJmAGAxup@' ``` ## Add a one-time password to an item You can attach a [one-time password](https://support.1password.com/one-time-passwords/) to an item using a custom field [assignment statement](#with-assignment-statements). The `fieldType` should be `otp` and the `value` should be the [otpauth:// URI](https://github.com/google/google-authenticator/wiki/Key-Uri-Format) for the one-time password. **Bash, Zsh, sh, fish:** ```shell op item create \ --category login \ --title='My OTP Example' \ --vault Tutorial \ --url 'https://www.acme.com/login' \ --generate-password='letters,digits,symbols,32' \ --tags tutorial,entertainment \ 'Test Section 1.Test Field3[otp]=otpauth://totp/:?secret=&issuer=' ``` **PowerShell:** ```powershell op item create ` --category login ` --title='My OTP Example' ` --vault Tutorial ` --url 'https://www.acme.com/login' ` --generate-password='letters,digits,symbols,32' ` --tags tutorial,entertainment ` 'Test Section 1.Test Field3[otp]=otpauth://totp/:?secret=&issuer=' ``` ## Attach a file to an item You can attach a file to an item using a custom field [assignment statement](#with-assignment-statements). The `field` should be the name the file will have in 1Password, the `fieldType` should be `file`, and the `value` should be the path to the file. ```shell myFileName[file]=/path/to/your/file ``` The file in the above example will be named `myFileName`. To preserve the original file name, you can omit the `field`: ```shell [file]=/path/to/your/file ``` Here's what an example `PlayStation Store` login would look like with the file `/wendyappleseed/documents/receipt.png` attached, named `JanuaryReceipt`. **Bash, Zsh, sh, fish:** ```shell op item create \ --category login \ --title "PlayStation Store" \ --vault Tutorial \ --url 'https://store.playstation.com/' \ --generate-password='letters,digits,symbols,32' \ --tags tutorial,entertainment \ 'JanuaryReceipt[file]=/wendyappleseed/documents/receipt.png' ``` **PowerShell:** ```powershell op item create ` --category login ` --title "PlayStation Store" ` --vault Tutorial ` --url 'https://store.playstation.com/' ` --generate-password='letters,digits,symbols,32' ` --tags tutorial,entertainment ` 'JanuaryReceipt[file]=/wendyappleseed/documents/receipt.png' ``` ## Next steps If you want to continue learning about item management, keep the example items you created and move on to the [edit items](/docs/cli/item-edit) tutorial. If you created a Tutorial vault and don't want to continue on, you can delete the vault and the examples items you created by running: ```shell op vault delete "Tutorial" ``` ## Learn more - [`op item create` reference documentation](/docs/cli/reference/management-commands/item#item-create) - [Built-in and custom item fields](/docs/cli/item-fields) - [Item JSON template](/docs/cli/item-template-json) --- ## Edit items with 1Password CLI # Edit items To edit an existing item in your 1Password account, use the [`op item edit`](/docs/cli/reference/management-commands/item#item-edit) command. You can [edit basic information about the item](#edit-an-items-basic-information) with flags and use assignment statements to [edit an item's built-in and custom fields](#edit-built-in-and-custom-fields). To edit sensitive values, [use a JSON template](#edit-an-item-using-a-json-template). You can't use `op item edit` to edit SSH keys. Learn more about managing SSH keys with 1Password CLI. ## Requirements Before you can use 1Password CLI to edit items, you'll need to: - [Sign up for 1Password](https://1password.com/pricing/password-manager) - [Install 1Password CLI](/docs/cli/get-started#step-1-install-1password-cli) :::info Follow along If you want to follow along with the examples in this guide, [create the example items in the guide to creating items](/docs/cli/item-create) first. ::: ## Edit an item's basic information To edit an item, use [`op item edit`](/docs/cli/reference/management-commands/item#item-edit) and specify the item by name, [unique identifier (ID)](/docs/cli/reference#unique-identifiers-ids), or sharing link. You can use flags to generate a new password and edit an item's title, vault, or tags. You can also change the website where 1Password suggests and fills a Login, Password, or API Credential item. For example, to change the name of the example item `Netflix`, move it from the `Tutorial` vault to the `Private` vault, update its tags, edit its website, and generate a new random password: **Bash, Zsh, sh, fish:** ```shell op item edit "Netflix" \ --title "Edited Netflix" \ --vault Private \ --tags tutorial \ --url https://www.netflix.com \ --generate-password='letters,digits,symbols,32' ``` **PowerShell:** ```powershell op item edit "Netflix" ` --title "Edited Netflix" ` --vault Private ` --tags tutorial ` --url https://www.netflix.com ` --generate-password='letters,digits,symbols,32' ``` To change the example item name back to `Netflix` and move it back to the `Tutorial` vault: **Bash, Zsh, sh, fish:** ```shell op item edit "Edited Netflix" \ --title "Netflix" \ --vault Tutorial ``` **PowerShell:** ```powershell op item edit "Edited Netflix" ` --title "Netflix" ` --vault Tutorial ``` ## Edit built-in and custom fields :::danger Command arguments can be visible to other processes on your machine. To edit sensitive values, use [an item JSON template](#edit-an-item-using-a-json-template) instead. ::: The `op item edit` command can take a list of assignment statements as arguments to edit an item's [built-in and custom fields](/docs/cli/item-fields). ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "
" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "" }, { "badge": 3, "color": "intrepidblue", "lineNo": 1, "substr": "" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "" }] [
.][[]]= ``` - section (Optional) The name of the section where the field is saved. - field The name of the field. - fieldType The type of field. If unspecified, the fieldType stays the same. - value The information you want to save in the field. If unspecified, the value stays the same. For example, to change the subscription renewal date on the `HBO Max` item: **Bash, Zsh, sh, fish:** ```shell op item edit "HBO Max" \ 'Renewal Date=2023-5-15' ``` **PowerShell:** ```powershell op item edit "HBO Max" ` 'Renewal Date=2023-5-15' ``` ### Delete a custom field To delete a custom field, specify `[delete]` in place of the fieldType. If you remove all the fields in a section, the section is also removed. You can't delete empty fields, but you can set them to empty strings. To use an assignment statement to delete the subscription renewal date on the example `HBO Max` item: **Bash, Zsh, sh, fish:** ```shell op item edit "HBO Max" \ 'Renewal Date[delete]=2023-5-15' ``` **PowerShell:** ```powershell op item edit "HBO Max" ` 'Renewal Date[delete]=2023-5-15' ``` ## Edit an item using a JSON template :::danger JSON item templates do not support passkeys. If you use a JSON template to update an item that contains a passkey, the passkey will be overwritten. To fix this, you can [restore a previous version of the item](https://support.1password.com/item-history/). ::: To edit sensitive values on an item, use an [item JSON template](/docs/cli/item-template-json). 1. Get the JSON output for the item you want to edit and save it to a file. ```shell op item get --format json > newItem.json ``` If you prefer to start over, you can get a blank template for the item's category with `op item template get`. 2. Edit the file. 3. Use the `--template` flag to specify the path to the edited file and apply the changes to the item: ```shell op item edit --template=newItem.json ``` 4. Delete the file. You can also edit an item using piped input: ```shell cat newItem.json | op item edit ``` To avoid collisions, you can't combine piped input and the `--template` flag in the same command. ## Next steps If you created a Tutorial vault, you can delete the vault and the examples items you created: ```shell op vault delete "Tutorial" ``` ## Learn more - [`op item` reference documentation](/docs/cli/reference/management-commands/item) - [Built-in and custom item fields](/docs/cli/item-fields) - [Item JSON template](/docs/cli/item-template-json) --- ## Item fields When you [use 1Password CLI to create items](/docs/cli/item-create/), you can customize your items with [built-in](#built-in-fields) and [custom](#custom-fields) fields. Learn how to [add built-in and custom fields to your items](/docs/cli/item-create#create-a-customized-item) with either assignment statements or a JSON template. ## Built-in fields Each item category includes a set of default fields, some of which may be specific to the category. You can identify available built-in fields by looking at the [JSON template](/docs/cli/item-template-json/) for the item category: ``` op item template get ``` **View all categories** - API Credential - Bank Account - Credit Card - Crypto Wallet - Database - Document - Driver License - Email Account - Identity - Login - Medical Record - Membership - Outdoor License - Passport - Password - Reward Program - Secure Note - Server - Social Security Number - Software License - SSH Key - Wireless Router For example, the built-in fields available on a Login item are `username`, `password`, and `notesPlain`. **View a Login item JSON template** ```shell {6,13,23} { "title": "", "category": "LOGIN", "fields": [ { "id": "username", "type": "STRING", "purpose": "USERNAME", "label": "username", "value": "" }, { "id": "password", "type": "CONCEALED", "purpose": "PASSWORD", "label": "password", "password_details": { "strength": "TERRIBLE" }, "value": "" }, { "id": "notesPlain", "type": "STRING", "purpose": "NOTES", "label": "notesPlain", "value": "" } ] } ``` When you use [assignment statements](/docs/cli/item-create#with-assignment-statements) to assign built-in fields, use the `id` from the JSON template as the `field` in the assignment statement. Don't include a fieldType for built-in fields. For example, to add a note to a Login item using an assignment statement: ```shell 'notesPlain=This is a note.' ``` ## Custom fields Custom fields can be added to any item, regardless of the item's category. Use the `fieldType` with [assignment statements](/docs/cli/item-create#with-assignment-statements) and the `type` with an [item JSON template](/docs/cli/item-create#with-an-item-json-template). Available custom field types are: | `fieldType` | `type` | description | | --- | --- | --- | | `password` | `CONCEALED` | A concealed password. | | `text` | `STRING` | A text string. | | `email` | `EMAIL` | An email address. | | `url` | `URL` | A web address to copy or open in your default web browser, not used for autofill behavior. Use the `--url` flag to set the website where 1Password suggests and fills a Login, Password, or API Credential item. | | `date` | `DATE` | A date with the format `YYYY-MM-DD`. | | `monthYear` | `MONTH_YEAR` | A date with the format `YYYYMM` or `YYYY/MM`. | | `phone` | `PHONE` | A phone number. | | `otp` | `OTP` | A one-time password. Accepts an [`otpauth://` URI](https://github.com/google/google-authenticator/wiki/Key-Uri-Format) as the value. | | `file` | N/A | A file attachment. Accepts the path to the file as the value. Can only be added with [assignment statements](/docs/cli/item-create#with-assignment-statements). | ## Learn more - [`op item` reference documentation](/docs/cli/reference/management-commands/item/) - [Create an item](/docs/cli/item-create/) - [Item JSON template](/docs/cli/item-template-json/) --- ## Item JSON template 1Password CLI supports item JSON templates that you can use to take control of how you create items in 1Password. Item JSON templates allow you to [create an item with all of its details specified](/docs/cli/item-create#with-an-item-json-template), including custom sections and fields. Item templates are formatted similarly to the JSON output for [`op item get`](/docs/cli/reference/management-commands/item#item-get), so you can easily create new items based on existing items. Each item category has its own template. You can get a list of all item categories with [`op item template list`](/docs/cli/reference/management-commands/item#item-template-list). And you can retrieve the template for an item category with [`op item template get `](/docs/cli/reference/management-commands/item#item-template-get). ## Item template keys Item JSON templates have common language keys that allow you to identify how the fields in the template correspond to the item in 1Password. ```json [{ "badge": 1, "color": "tangerine", "lineNo": 2, "substr": "\\"title\\"" }, { "badge": 2, "color": "sunbeam", "lineNo": 3, "substr": "\\"category\\"" }, { "badge": 3, "color": "lagoon", "lineNo": 6, "substr": "\\"id\\"" }, { "badge": 4, "color": "bitsblue", "lineNo": 7, "substr": "\\"label\\"" }, { "badge": 5, "color": "lagoon", "lineNo": 12, "substr": "\\"id\\"" }, { "badge": 6, "color": "lagoon", "lineNo": 14, "substr": "\\"id\\"" }, { "badge": 7, "color": "intrepidblue", "lineNo": 16, "substr": "\\"type\\"" }, { "badge": 8, "color": "bitsblue", "lineNo": 17, "substr": "\\"label\\"" }, { "badge": 9, "color": "dahlia", "lineNo": 18, "substr": "\\"value\\"" }] { "title": " ", "category": " ", "sections": [ { "id": " ", "label": " " }, ], "fields": [ { "id": " ", "section": { "id": " " }, "type": " ", "label": " ", "value": " " } ] } ``` **Item** | Name | Description | | --- | --- | | title | The name of the item displayed in 1Password. | | category | The item's category. | **Section** | Name | Description | | --- | --- | | id | The identifier for the section. If the item has multiple sections, each ID must be unique. | | label | The name of the section displayed in 1Password. | To add a custom section, insert a section JSON object into the `sections` array. **View a section JSON object** ```json { "id": " ", "label": " " } ``` **Field** | Name | Description | | --- | --- | | id | The field's ID. Each ID should be unique. If left empty, 1Password will generate a random ID. | | section id | The ID of the section where the field is located. Only required if located in a custom section. | | type | The field's type. [Learn more about custom field types.](/docs/cli/item-fields#custom-fields) | | label | The name of the field displayed in 1Password. | | value | The information saved in the field. Depending on its type, it can be a string, a secret, a number, or a date. | To add a custom field to the template, insert a new field JSON object into the `fields` array. **View a field JSON object** ```json { "id": " ", "section": { "id": " " }, "type": " ", "label": " ", "value": " " } ``` ## Example JSON representation This is an item `mysql` in the 1Password app, and the same item represented in an item JSON template. **In the app:** _[MySQL item in 1Password]_ **In the JSON template:** ```json { "id": "4l3udxihvvuhszh2kxyjbblxl4", "title": "mysql", "version": 3, "vault": { "id": "uteieiwkhgv6hau7xkorejyvru" }, "category": "DATABASE", "last_edited_by": "IU2OKUBKAFGQPFPFZEG7X3NQ4U", "created_at": "2021-11-25T14:50:14Z", "updated_at": "2022-02-25T18:12:12Z", "sections": [ { "id": "g52gfotnw7nhnkgq477si2hmmi", "label": "Database Owner" } ], "fields": [ { "id": "notesPlain", "type": "STRING", "purpose": "NOTES", "label": "notesPlain" }, { "id": "database_type", "type": "MENU", "label": "type", "value": "mysql" }, { "id": "hostname", "type": "STRING", "label": "server", "value": "http://localhost" }, { "id": "port", "type": "STRING", "label": "port", "value": "5432" }, { "id": "database", "type": "STRING", "label": "database", "value": "app-database" }, { "id": "username", "type": "STRING", "label": "username", "value": "mysql-user" }, { "id": "password", "type": "CONCEALED", "label": "password", "value": "T4Kn7np2bLJXAFoYPoVC" }, { "id": "sid", "type": "STRING", "label": "SID" }, { "id": "alias", "type": "STRING", "label": "alias" }, { "id": "options", "type": "STRING", "label": "connection options" }, { "id": "tpcs7jrjikehw5o4tzbe5pklca", "section": { "id": "g52gfotnw7nhnkgq477si2hmmi", "label": "Database Owner" }, "type": "STRING", "label": "admin", "value": "Wendy Appleseed" }, { "id": "sdqueijyulxryvu5ceuwktjkiq", "section": { "id": "g52gfotnw7nhnkgq477si2hmmi", "label": "Database Owner" }, "type": "EMAIL", "label": "email", "value": "appleseed.wendy@gmail.com" } ] } ``` ## Learn more - [Create an item](/docs/cli/item-create/) - [Work with items](/docs/cli/reference/management-commands/item/) - [Work with vaults](/docs/cli/reference/management-commands/vault/) --- ## 1Password CLI 1Password CLI brings 1Password to your terminal. Sign in to 1Password CLI with your fingerprint, and securely access everything you need during development. ## Use cases - **Eliminate plaintext secrets in code**: Inject secrets from 1Password anywhere you need them. - **Automate administrative tasks**: Use scripts to manage items and provision team members at scale. - **Sign in to any CLI with your fingerprint**: Store API keys for your favorite CLIs in 1Password. ## [Quick start](/docs/cli/get-started/) If you're installing 1Password CLI for the first time, [start here](/docs/cli/get-started/). ## Guides ### Manage items and users - [Create and retrieve items](/docs/cli/item-create/). - [Add and remove team members](/docs/cli/provision-users/). - [Manage your team members' vault permissions](/docs/cli/grant-revoke-vault-permissions/). - [Manage your team members' group permissions](/docs/cli/reference/management-commands/group/). ### Provision secrets - [Securely load environment variables from 1Password Environments into your applications](/docs/cli/secrets-environment-variables/). - [Access secrets in your code with secret references](/docs/cli/secret-references/) instead of plaintext secrets. Secret references are replaced with the actual secrets they reference in 1Password at runtime. - [Securely load secrets from the environment into your applications](/docs/cli/secrets-environment-variables/) using secret references. - [Securely inject secrets into configuration files](/docs/cli/secrets-config-files/) using secret references. ### Authenticate with biometrics - [Use shell plugins to securely authenticate third-party CLIs](/docs/cli/shell-plugins/) with biometrics. - [Build your own shell plugin](/docs/cli/shell-plugins/contribute/) if the CLI you want to authenticate isn't already supported. ### Use 1Password CLI with other tools - Use [1Password for VS Code](/docs/vscode/) to bring 1Password CLI functionality to VS Code. - Use [1Password Service Accounts](/docs/service-accounts/get-started#create-a-service-account) to limit the vaults 1Password CLI can access or run automated scripts if your personal account uses SSO or MFA. - Use with [1Password Environments](/docs/environments) to quickly load your project secrets from 1Password. - Use a [1Password Connect Server](/docs/connect/cli/) with 1Password CLI to securely access your items in your company's apps and cloud infrastructure using a private REST API. - Use [1Password CI/CD Integrations](/docs/ci-cd/) with 1Password CLI to allow jobs in your pipeline to securely access secrets stored in 1Password. - Use the [1Password Events API](/docs/events-api/generic-scripts#usage) with 1Password CLI to provision bearer tokens at runtime using [secret references](/docs/cli/secret-references/). ## Reference documentation - Read the full [command reference](/docs/cli/reference/) to learn about all 1Password CLI commands and how they can be used. - Learn about [CLI best practices](/docs/cli/best-practices). - Learn about the [1Password app integration](/docs/cli/app-integration/). - Learn about the [shell plugins security model](/docs/cli/shell-plugins/security/). --- ## Add and remove team members with 1Password CLI # Add and remove team members ## Requirements Before you can use 1Password CLI to add and remove team members, you'll need to: 1. [Sign up for 1Password Business](https://1password.com/pricing/password-manager). 2. [Install 1Password CLI](/docs/cli/get-started#step-1-install-1password-cli). ## Turn on automated provisioning with 1Password CLI To get started, an owner or administrator must visit the [Provisioning settings page on 1Password.com](https://start.1password.com/settings/provisioning/cli) and select **Turn On CLI Provisioning**. This will create a [Provision Managers](https://support.1password.com/groups#provision-managers) group with the permissions needed to provision and confirm team members, as well as recover accounts. The person who created the group will be added to it. ## Manage who can provision team members By default, the owner or administrator who created the [Provision Managers](https://support.1password.com/groups#provision-managers) group is the only person added to it. If other team members need to be able to provision users, use [`op group user grant`](/docs/cli/reference/management-commands/group#group-user-grant) to add them to the group. For example, to add Wendy Appleseed to the Provision Managers group: ```shell op group user grant --group "Provision Managers" --user "wendy.appleseed@agilebits.com" ``` To see a list of everyone in the Provision Managers group: ```shell op group user list "Provision Managers" ``` ## Add team members To invite people to your team, use [`op user provision`](/docs/cli/reference/management-commands/user#user-provision) with the team member's name and email address. For example, to invite Wendy Appleseed to join your 1Password account: ```shell op user provision --name "Wendy Appleseed" --email "wendy.appleseed@agilebits.com" ``` The person will receive an email invitation to join the team. After they've accepted the invitation, a member of the Provision Managers group can confirm them. ## Confirm team members Anyone who belongs to the [Provision Managers](https://support.1password.com/groups#provision-managers) group can confirm new team members with [`op user confirm`](#with-op-user-confirm) or [on 1Password.com](#on-1passwordcom). ### With `op user confirm` To confirm a team member on the command line, use [`op user confirm`](/docs/cli/reference/management-commands/user#user-confirm) with their name or email address. To confirm all unconfirmed team members, include the `--all` flag. For example, to confirm Wendy Appleseed: ```shell op user confirm "wendy.appleseed@agilebits.com" ``` To confirm all pending users: ```shell op user confirm --all ``` ### On 1Password.com To confirm a team member on 1Password.com: 1. [Sign in](https://start.1password.com/signin) to your account on 1Password.com. 2. Select **[People](https://start.1password.com/people)** in the sidebar. 3. Select the name of any team member with the Pending Provision status. 4. Select **Confirm** or **Reject**. If you don't see the option to confirm or reject a team member, ask your administrator to [add you to the Provision Managers group](#manage-who-can-provision-team-members). ## Remove team members To remove someone's access to vaults and items, you can suspend or delete their account. ### Suspend an account temporarily Use [`op user suspend`](/docs/cli/reference/management-commands/user#user-suspend) to suspend a team member temporarily. Include the `--deauthorize-devices-after` flag, followed by the number of seconds, minutes, or hours (for example, `600s`, `10m`, or `1h`) to set the time after suspension to deauthorize the suspended team member's devices. The maximum time permitted is 24 hours. If unspecified, their devices will be deauthorized immediately. For example, to suspend Wendy Appleseed temporarily and deauthorize her devices after 10 minutes: ```shell op user suspend "wendy.appleseed@agilebits.com --deauthorize-devices-after 10m" ``` You can reactivate a suspended user with [`op user reactivate`](/docs/cli/reference/management-commands/user#user-reactivate). ### Remove an account permanently Use [`op user delete`](/docs/cli/reference/management-commands/user#user-delete) to permanently remove a team member's access to vaults and items and delete all of their data from the account. For example, to remove Wendy Appleseed: ```shell op user delete "wendy.appleseed@agilebits.com" ``` ## Learn more - [Add and remove team members on 1Password.com](https://support.1password.com/add-remove-team-members/) - [Automate provisioning in 1Password Business using SCIM](https://support.1password.com/scim/) --- ## Recover accounts using 1Password CLI You can use 1Password CLI to begin the account recovery process for a family or team member if they can't sign in to or unlock 1Password. When you recover an account for someone: - They'll receive a new Secret Key and create a new 1Password account password. If your team uses Unlock with SSO, they'll be able to link a new app or browser to their account again. - They'll be able to access all the data they had before. - They'll need to sign in again on all their devices once recovery is complete. - Their two-factor authentication will be reset. ## Requirements - [Sign up for 1Password](https://1password.com/pricing/password-manager). - [Install 1Password CLI](/docs/cli/get-started#step-1-install-1password-cli) version `2.32.0` or later. You can recover accounts for other people if: - You're a team [administrator](https://support.1password.com/groups#administrators) or [owner](https://support.1password.com/groups#owners). - You belong to a [custom group](https://support.1password.com/custom-groups/) that has the "Recover Accounts" permission. - You're a [family organizer](https://support.1password.com/family-organizer/). ## Begin recovery Use the command `op user recovery begin` with a person's name, email address, or [unique identifier (ID)](/docs/cli/reference#unique-identifiers-ids) to begin the account recovery process. You can recover up to ten accounts with each command. ```shell op user recovery begin { | | } ``` For example, to begin recovery for multiple accounts using each person's ID: ```shell op user recovery begin ZMAE4RTRONHN7LGELNYYO373KM WHPOFIMMYFFITBVTOTZUR3R324 FGH76DFS89FYCU6342CSDWIFJU ``` The person whose account you're recovering will get an email from 1Password. When they select **Recover my account** in the email, a page will open in their browser and they'll be asked to confirm their email address. Then they'll get a new Secret Key and create a new account password. ## Complete recovery After the person whose account you recovered creates a new account password, you'll need to complete the recovery process before they can access their account. Learn how to [complete account recovery for one or more people](https://support.1password.com/recovery#complete-recovery). ## Learn more - [Add and remove team members](/docs/cli/provision-users) - [Grant and revoke vault permissions](/docs/cli/grant-revoke-vault-permissions) - [Sign back in to 1Password after your account has been recovered](https://support.1password.com/after-recovery/) --- ## account | 1Password CLI # account Manage your locally configured 1Password accounts. ### Subcommands {#subcommands} - [account add](#account-add): Add an account to sign in to for the first time - [account forget](#account-forget): Remove a 1Password account from this device - [account get](#account-get): Get details about your account - [account list](#account-list): List users and accounts set up on this device ## account add Add a new 1Password account to 1Password CLI manually with your account password and Secret Key, instead of [signing in using your 1Password app](/docs/cli/app-integration/). ```shell op account add [flags] ``` ### Flags {#account-add-flags} ``` --address string The sign-in address for your account. --email string The email address associated with your account. --raw Only return the session token. --shorthand string Set a custom account shorthand for your account. --signin Immediately sign in to the added account. ``` To sign in to manually-added accounts: **Bash, Zsh, sh, fish:** ```shell eval $(op signin) ``` **PowerShell:** ```powershell Invoke-Expression $(op signin) ``` [Learn more about signing in manually.](/docs/cli/sign-in-manually/) When you sign in manually, 1Password CLI creates a session token and sets the `OP_SESSION` environment variable to it. Session tokens expire after 30 minutes of inactivity, after which you’ll need to sign in again. If you add multiple 1Password accounts, 1Password CLI determines which to use in this order: 1. An account specified with the `--account` flag. 2. An account specified with the `OP_ACCOUNT` environment variable. 3. The account most recently signed in to with `op signin` in the current terminal window. ### Examples {#examples} Add an account using flags to specify account details: ```shell op account add --address my.1password.com --email user@example.org ``` Add an account and immediately sign in to it: **Bash, Zsh, sh, fish:** ```shell eval $(op account add --signin) ``` **PowerShell:** ```powershell Invoke-Expression $(op account add --signin) ``` Sign in to a specific account: **Bash, Zsh, sh, fish:** ```shell eval $(op signin --account my) ``` **PowerShell:** ```powershell Invoke-Expression $(op signin --account my) ``` ## account forget Remove a 1Password account from this device. ``` op account forget [ ] [flags] ``` ### Flags {#account-forget-flags} ``` --all Forget all authenticated accounts. ``` ## account get Get details about your account. ``` op account get [flags] ``` ## account list List users and accounts set up on this device. ``` op account list [flags] ``` --- ## completion | 1Password CLI # completion Generate shell completion information for 1Password CLI. ```shell op completion [flags] ``` If you use Bash, Zsh, fish, or PowerShell, you can add shell completion for 1Password CLI. With completions loaded, after you start typing a command, press Tab to see available commands and options. #### Load shell completion information for Bash To always load the completion information for Bash, add this to your `.bashrc` file: ```shell source <(op completion bash) ``` To use shell completion in Bash, you’ll need the `bash-completion` package. #### Load shell completion information for Zsh To always load the completion information for Zsh, add this to your `.zshrc` file: ```shell eval "$(op completion zsh)"; compdef _op op ``` #### Load shell completion information for fish To always load the completion information for fish, add this to your `.fish` file: ```shell op completion fish | source ``` #### Load shell completion information for PowerShell To always load the completion information for PowerShell, add this to your `.ps1` file: ```powershell op completion powershell | Out-String | Invoke-Expression ``` :::note To use shell completion in PowerShell, you need to enable execution of scripts. To do that, start a PowerShell window as administrator and run the following command: ::: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned ``` --- ## connect | 1Password CLI # connect Manage Connect server instances and tokens in your 1Password account. :::tip Looking up a Connect server by its [ID](/docs/cli/reference#unique-identifiers-ids) is more efficient than using the Connect server's name. ::: ### Subcommands {#subcommands} - [connect group](#connect-group): Manage group access to Secrets Automation - [connect server](#connect-server): Manage Connect servers - [connect token](#connect-token): Manage Connect server tokens - [connect vault](#connect-vault): Manage Connect server vault access ## connect group ### Subcommands {#connect-group-subcommands} - [connect group grant](#connect-group-grant): Grant a group access to manage Secrets Automation - [connect group revoke](#connect-group-revoke): Revoke a group's access to manage Secrets Automation ## connect group grant Grant a group access to manage Secrets Automation. ``` op connect group grant [flags] ``` ### Flags {#connect-group-grant-flags} ``` --all-servers Grant access to all current and future servers in the authenticated account. --group group The group to receive access. --server server The server to grant access to. ``` If you don't specify a server, it adds the group to the list of Secrets Automation managers. ## connect group revoke Revoke a group's access to manage Secrets Automation. ``` op connect group revoke [flags] ``` ### Flags {#connect-group-revoke-flags} ``` --all-servers Revoke access to all current and future servers in the authenticated account. --group group The group to revoke access from. --server server The server to revoke access to. ``` ## connect server ### Subcommands {#connect-server-subcommands} - [connect server create](#connect-server-create): Set up a Connect server - [connect server delete](#connect-server-delete): Remove a Connect server - [connect server edit](#connect-server-edit): Rename a Connect server - [connect server get](#connect-server-get): Get a Connect server - [connect server list](#connect-server-list): List Connect servers ## connect server create Add a 1Password Connect server to your account and generate a credentials file for it. 1Password CLI saves the `1password-credentials.json` file in the current directory. Note: You can't grant a Connect server access to your built-in [Personal](https://support.1password.com/1password-glossary#personal-vault), [Private](https://support.1password.com/1password-glossary#private-vault), or [Employee](https://support.1password.com/1password-glossary#employee-vault) vault. ``` op connect server create [flags] ``` ### Flags {#connect-server-create-flags} ``` -f, --force Do not prompt for confirmation when overwriting credential files. --vaults strings Grant the Connect server access to these vaults. ``` 1Password CLI saves the `1password-credentials.json` file in the current directory. ## connect server delete Remove a Connect server. Specify the server by name or ID. ``` op connect server delete [{ | | - }] [flags] ``` The credentials file and all the tokens for the server will no longer be valid. ## connect server edit Rename a Connect server. Specify the server by name or ID. ``` op connect server edit { | } [flags] ``` ### Flags {#connect-server-edit-flags} ``` --name name Change the server's name. ``` ## connect server get Get details about a Connect server. Specify the server by name or ID. ``` op connect server get [{ | | - }] [flags] ``` ## connect server list Get a list of Connect servers. ``` op connect server list [flags] ``` ## connect token ### Subcommands {#connect-token-subcommands} - [connect token create](#connect-token-create): Issue a token for a 1Password Connect server - [connect token delete](#connect-token-delete): Revoke a token for a Connect server - [connect token edit](#connect-token-edit): Rename a Connect server token - [connect token list](#connect-token-list): Get a list of tokens ## connect token create Issue a new token for a Connect server. ``` op connect token create [flags] ``` ### Flags {#connect-token-create-flags} ``` --expires-in duration Set how long the Connect token is valid for in (s)econds, (m)inutes, (h)ours, (d)ays, and/or (w)eeks. --server string Issue a token for this server. --vault stringArray Issue a token on these vaults. ``` Returns a token. You can only provision Connect server tokens to vaults that the Connect server has access to. Use `op connect vault grant` to grant access to vaults. Note: You can't grant a Connect server access to your built-in [Personal](https://support.1password.com/1password-glossary#personal-vault), [Private](https://support.1password.com/1password-glossary#private-vault), or [Employee](https://support.1password.com/1password-glossary#employee-vault) vault. By default, the `--vaults` option grants the same permissions as the server. To further limit the permissions a token has to read-only or write-only, add a comma and `r` or `w` after the vault specification. For example: ``` op connect token create "Dev k8s token" --server Dev --vaults Kubernetes,r \ --expires-in=30d ``` ``` op connect token create "Prod: Customer details" --server Prod --vault "Customers,w" \ --vault "Vendors,r" ``` ## connect token delete Revoke a token for a Connect server. ``` op connect token delete [ ] [flags] ``` ### Flags {#connect-token-delete-flags} ``` --server string Only look for tokens for this 1Password Connect server. ``` ## connect token edit Rename a Connect server token. ``` op connect token edit [flags] ``` ### Flags {#connect-token-edit-flags} ``` --name string Change the token's name. --server string Only look for tokens for this 1Password Connect server. ``` ## connect token list List tokens for Connect servers. ``` op connect token list [flags] ``` ### Flags {#connect-token-list-flags} ``` --server server Only list tokens for this Connect server. ``` Returns both active and revoked tokens. The `integrationId` is the ID for the Connect server the token belongs to. ## connect vault ### Subcommands {#connect-vault-subcommands} - [connect vault grant](#connect-vault-grant): Grant a Connect server access to a vault - [connect vault revoke](#connect-vault-revoke): Revoke a Connect server's access to a vault ## connect vault grant Grant a Connect server access to a vault. ``` op connect vault grant [flags] ``` Note: You can't grant a Connect server access to your built-in [Personal](https://support.1password.com/1password-glossary#personal-vault), [Private](https://support.1password.com/1password-glossary#private-vault), or [Employee](https://support.1password.com/1password-glossary#employee-vault) vault. ### Flags {#connect-vault-grant-flags} ``` --server string The server to be granted access. --vault string The vault to grant access to. ``` ## connect vault revoke Revoke a Connect server's access to a vault. ``` op connect vault revoke [flags] ``` ### Flags {#connect-vault-revoke-flags} ``` --server server The server to revoke access from. --vault vault The vault to revoke a server's access to. ``` --- ## document | 1Password CLI # document Perform CRUD operations on Document items in your vaults. ### Subcommands {#subcommands} - [document create](#document-create): Create a document item - [document delete](#document-delete): Delete or archive a document item - [document edit](#document-edit): Edit a document item - [document get](#document-get): Download a document - [document list](#document-list): Get a list of documents ## document create Create a document item and receive a JSON object that contains the item's ID. ``` op document create [{ | - }] [flags] ``` ### Flags {#document-create-flags} ``` --file-name name Set the file's name. --tags tags Set the tags to the specified (comma-separated) values. --title title Set the document item's title. --vault vault Save the document in this vault. Default: Private. ``` By default, the document is saved in your built-in [Personal](https://support.1password.com/1password-glossary#personal-vault), [Private](https://support.1password.com/1password-glossary#private-vault), or [Employee](https://support.1password.com/1password-glossary#employee-vault) vault. Specify a different vault with the `--vault` option. #### Create a file from standard input To create the file contents from standard input (stdin), enter a hyphen (`-`) instead of a path. You can use the `--file-name` option to change the name of the file. ### Examples {#document-create-examples} Create a document by specifying the file path: ``` op document create "../demos/videos/demo.mkv" --title "2020-06-21 Demo Video" ``` Create a document from standard input: ``` cat auth.log.* | op document create - --title "Authlogs 2020-06" --file-name "auth.log.2020.06" ``` ## document delete Permanently delete a document. Specify the document to delete by its name or ID. Use the `--archive` option to move it to the Archive instead. ``` op document delete [{ | | - }] [flags] ``` ### Flags {#document-delete-flags} ``` --archive Move the document to the Archive. --vault vault Delete the document in this vault. ``` #### Specify items on standard input The command treats each line of information on standard input (stdin) as an object specifier. Run `op help` to learn more about how to specify objects. You can also input a list or array of JSON objects. The command will get an item for any object that has an ID. This is useful for passing information from one `op` command to another. ### Examples {#document-delete-examples} Permanently delete a document: ``` op document delete "2019 Contracts" ``` Move a document to the Archive: ``` op document delete "2019 Contracts" --archive ``` ## document edit Edit a document item. Specify the document item to edit by its name or ID. ``` op document edit { | } [{ | - }] [flags] ``` ### Flags {#document-edit-flags} ``` --file-name name Set the file's name. --tags tags Set the tags to the specified (comma-separated) values. An empty value removes all tags. --title title Set the document item's title. --vault vault Look up document in this vault. ``` Replaces the file contents of a Document item with the provided file or with the information on standard input (stdin). #### Update a file from standard input To update the file contents from standard input (stdin), enter a hyphen (`-`) instead of a path. You can use the `--file-name` option to change the name of the file. ## document get Download a document and print the contents. Specify the document by its name or ID. ``` op document get { | } [flags] ``` ### Flags {#document-get-flags} ``` --file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600) --force Forcibly print an unintelligible document to an interactive terminal. If --out-file is specified, save the document to a file without prompting for confirmation. --include-archive Include document items in the Archive. Can also be set using OP_INCLUDE_ARCHIVE environment variable. -o, --out-file path Save the document to the file path instead of stdout. --vault vault Look for the document in this vault. ``` Prints to standard output (stdout) by default. To print to a file, use the `--out-file path/to/file.ext` flag. #### Save to a file Use the `--out-file` option to have `op` save the document. This may be useful in some shells as a way to preserve the file's original encoding. The `--out-file` option won't overwrite an existing file. The destination path must be an empty file or not exist. ### Examples {#document-get-examples} Save a document to a file called `secret-plans.text`: ``` op document get "Top Secret Plan B" --out-file=../documents/secret-plans.text ``` ## document list List documents. ``` op document list [flags] ``` ### Flags {#document-list-flags} ``` --include-archive Include document items in the Archive. Can also be set using OP_INCLUDE_ARCHIVE environment variable. --vault vault Only list documents in this vault. ``` Returns a list of all documents the account has read access to by default. Excludes items in the Archive by default. --- ## environment | 1Password CLI # environment (Beta) :::note The `--environments` flag is available in [the latest beta build of 1Password CLI](/docs/cli/reference#beta-builds), version `2.33.0-beta.02` or later. ::: [1Password Environments](/docs/environments) allow you to organize and manage your project's environment variables, separately from the rest of the items in your 1Password vaults. You can create an Environment for each project or development stage, then securely access your variables directly from 1Password when you need them. ### Subcommands {#subcommands} - [environment read](#environment-read): Read environment variables from a 1Password Environment ## environment read Read environment variables from a 1Password Environment. ```shell op environment read [flags] ``` Specify the 1Password Environment by its ID. To find an Environment's ID, open the 1Password app, navigate to **Developer** > **View Environments** > then select **View environment** > **Manage environment** > **Copy environment ID**. ### Examples {#environment-read-examples} Read variables from a 1Password Environment: ```shell op environment read ``` --- ## events-api | 1Password CLI # events-api Manage Events API integrations in your 1Password account. Requires a business account. ### Subcommands {#subcommands} - [events-api create](#events-api-create): Set up an integration with the Events API ## events-api create Create an Events API integration token. ``` op events-api create [flags] ``` ### Flags {#events-api-create-flags} ``` --expires-in duration Set how the long the events-api token is valid for in (s)econds, (m)inutes, (h)ours, (d)ays, and/or (w)eeks. --features features Set the comma-separated list of features the integration token can be used for. Options: `signinattempts`, `itemusages`, `auditevents`. ``` 1Password CLI prints the token when successful. Requires a business account. ### Examples {#events-api-create-examples} Create an Events API integration to report sign-in attempts that expires in one hour: ``` op events-api create SigninEvents --features signinattempts --expires-in 1h ``` Create an Events API integration that reports all supported events that does not expire: ``` op events-api create AllEvents ``` --- ## group | 1Password CLI # group Manage the groups in your 1Password account. Groups can be used to organize your team and delegate administrative responsibilities. You can give groups access to vaults and assign them permissions, so you don't have to keep track of everyone separately. ### Subcommands {#subcommands} - [group create](#group-create): Create a group - [group delete](#group-delete): Remove a group - [group edit](#group-edit): Edit a group's name or description - [group get](#group-get): Get details about a group - [group list](#group-list): List groups - [group user](#group-user): Manage group membership ## group create Create a group and receive a JSON object with the group's ID. ``` op group create [flags] ``` ### Flags {#group-create-flags} ``` --description string Set the group's description. ``` ## group delete Remove a group. Specify the group to delete by its name or ID. ``` op group delete [{ | | - }] [flags] ``` ## group edit Edit a group's name or description. Specify the group to edit by its name or ID. ``` op group edit [{ | | - }] [flags] ``` ### Flags {#group-edit-flags} ``` --description description Change the group's description. --name name Change the group's name. ``` ## group get Get details about a group. Specify the group by its name or ID. ``` op group get [{ | | - }] [flags] ``` #### Use standard input to specify objects If you enter a hyphen (`-`) instead of a single object for this command, the tool will read object specifiers from standard input (stdin). Separate each specifier with a new line. For more information about how to specify objects, run `op help`. You can also pass the command a list or array of JSON objects. The tool will get an item for any object that has an ID, ignoring line breaks. This is useful for passing information from one `op` command to another. ### Examples {#group-get-examples} Get details for all groups: ``` op group list --format=json | op group get - ``` Get details for the groups who have access to a vault: ``` op group list --vault "Production keys" --format=json | op group get - ``` ## group list List groups. ``` op group list [flags] ``` ### Flags {#group-list-flags} ``` --user user List groups that a user belongs to. --vault vault List groups that have direct access to a vault. ``` Returns all groups in an account by default. ### Examples {#group-list-examples} Get details for all groups: ``` op group list | op group get - ``` Get details for the groups that have access to a vault: ``` op group list --vault Staging --format=json | op group get - ``` Get details for the groups that a user belongs to: ``` op group list --user wendy_appleseed@1password.com --format=json | op group get - ``` ## group user ### Subcommands {#group-user-subcommands} - [group user grant](#group-user-grant): Add a user to a group - [group user list](#group-user-list): Retrieve users that belong to a group - [group user revoke](#group-user-revoke): Remove a user from a group ## group user grant Grant a user access to a group. ``` op group user grant [flags] ``` ### Flags {#group-user-grant-flags} ``` --group string Specify the group to grant the user access to. --role string Specify the user's role as a member or manager. Default: member. --user string Specify the user to grant group access to. ``` ## group user list Retrieve users that belong to a group. ``` op group user list [flags] ``` ## group user revoke Revoke a user's access to a group. ``` op group user revoke [flags] ``` ### Flags {#group-user-revoke-flags} ``` --group string Specify the group to remove the user from. --help Get help with group user revoke. --user string Specify the user to remove from the group. ``` --- ## inject | 1Password CLI # inject Inject secrets into a file templated with secret references. ``` op inject [flags] ``` ### Flags {#flags} ``` --file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600) -f, --force Do not prompt for confirmation. -i, --in-file string The filename of a template file to inject. -o, --out-file string Write the injected template to a file instead of stdout. ``` [Learn more about secret references.](/docs/cli/secret-references) You can pass in a config file templated with secret references and receive a config file with the actual secrets substituted. Make sure to delete the resolved file when you no longer need it. [Learn more about loading secrets into config files.](/docs/cli/secrets-config-files) ### Examples {#examples} Inject secrets into a config template from stdin: ``` echo "db_password: {{ op://app-prod/db/password }}" | op inject db_password: fX6nWkhANeyGE27SQGhYQ ``` Inject secrets into a config template file: ``` cat config.yml.tpl db_password: {{ op://app-prod/db/password }} ``` ``` op inject -i config.yml.tpl -o config.yml && cat config.yml db_password: fX6nWkhANeyGE27SQGhYQ ``` Multiple secrets can be concatenated: ``` echo "db_url: postgres://{{ op://lcl/db/user }}:{{ op://lcl/db/pw }}@{{ op://lcl/db/host }}:{{ op://lcl/db/port }}/{{ op://my-app-prd/db/db }}" | op inject db_url: postgres://admin:admin@127.0.0.1:5432/my-app" ``` Use variables in secret references to switch between different sets of secrets for different environments: ``` echo "db_password: op://$env/db/password" | env=prod op inject db_password: fX6nWkhANeyGE27SQGhYQ ``` --- ## item | 1Password CLI # item Perform CRUD operations on the 1Password items in your vaults. ### Subcommands {#subcommands} - [item create](#item-create): Create an item - [item delete](#item-delete): Delete or archive an item - [item edit](#item-edit): Edit an item's details - [item get](#item-get): Get an item's details - [item list](#item-list): List items - [item move](#item-move): Move an item between vaults - [item share](#item-share): Share an item - [item template](#item-template): Manage templates ## item create Create a new item. ``` op item create [ - ] [ ... ] [flags] ``` ### Flags {#item-create-flags} ``` --category category Set the item's category. --dry-run Test the command and output a preview of the resulting item. --favorite Add item to favorites. --generate-password[=recipe] Add a randomly-generated password to a Login or Password item. --reveal Don't conceal sensitive fields. --ssh-generate-key The type of SSH key to create: Ed25519 or RSA. For RSA, specify 2048, 3072, or 4096 (default) bits. Possible values: ed25519, rsa, rsa2048, rsa3072, rsa4096. (default Ed25519) --tags tags Set the tags to the specified (comma-separated) values. --template string Specify the filepath to read an item template from. --title title Set the item's title. --url URL Set the website where 1Password suggests and fills a Login, Password, or API Credential item. --vault vault Save the item in this vault. Default: Private. ``` Get a list of all item categories: ```shell op item template list ``` Use assignment statements or an item category JSON template to save details in built-in or custom fields. [Learn more about creating items.](/docs/cli/item-create/) [Learn more about item fields and fieldTypes.](/docs/cli/item-fields/) #### Generate a password Use the `--generate-password` option to set a random password for a Login or Password item. The default is 32-characters, and includes upper and lowercase letters, numbers, and symbols (`!@.-_*`). You can specify the password length (between 1 and 64 characters) and the character types to use: ```shell --generate-password='letters,digits,symbols,32' ``` #### Set additional fields with assignment statements You can use assignment statements as command arguments to set built-in and custom fields. ``` [
.][[]]= ``` Command arguments get logged in your command history, and can be visible to other processes on your machine. If you’re assigning sensitive values, use a JSON template instead. For example, to create a text field named "host" within a section named "Database Credentials", with the value set to 33.166.240.221: ```shell DatabaseCredentials.host[text]=33.166.240.221 ``` The section name is optional unless multiple sections contain fields with the same name. Use a backslash to escape periods, equal signs, or backslashes in section or field names. Don’t use backslashes to escape the value. You can omit spaces in the section or field name, or refer to the field by its JSON short name (`name` or `n`). #### Create an item using a json template Use an item JSON template to assign sensitive values to an item. If you combine a template with assignment statements, assignment statements take precedence. 1. Save the appropriate item category template to a file: ```shell op item template get --out-file login.json "Login" ``` 2. Edit the template. 3. Create a new item using the `-—template` flag to specify the path to the edited template: ```shell op item create --template=login.json ``` 4. After 1Password CLI creates the item, delete the edited template. You can also create an item from standard input using an item JSON template. Pass the `-` character as the first argument, followed by any assignment statements. ```shell op item template get Login | op item create --vault personal - ``` You can’t use both piping and the `--template` flag in the same command, to avoid collisions. ### Examples {#item-create-examples} Create a Login item with a random password and website set using flags and custom and built-in fields set with assignment statements, including a one-time password field and a file attachment: ```shell op item create --category=login --title='My Example Item' --vault='Test' \ --url https://www.acme.com/login \ --generate-password=20,letters,digits \ username=jane@acme.com \ 'Test Section 1.Test Field3[otp]=otpauth://totp/:?secret=&issuer=' \ 'FileName[file]=/path/to/your/file' ``` Create an item by duplicating an existing item from another vault and modifying it with assignment statements: ```shell op item get "My Item" --format json | op item create --vault prod - \ username="My Username" password="My Password" ``` Duplicate all items in a vault in one account to a vault in another account: ```shell op item list --vault test-vault --format json --account agilebits | \ op item get --format json --account agilebits - | \ op item create --account work - ``` ## item delete Delete or archive items you no longer need. ``` op item delete [{ | | | - }] [flags] ``` ### Flags {#item-delete-flags} ``` --archive Move the item to the Archive. --vault string Look for the item in this vault. ``` Deleted items remain available for 30 days in Recently Deleted. You can restore or permanently delete items from Recently Deleted in the 1Password apps. Use the `--archive` option to move an item to the Archive instead. Specify an item to delete or archive by its name, ID, or sharing link. #### Specify items on standard input The command treats each line of information on standard input (stdin) as an object specifier. Run `op help` to learn more about how to specify objects. The input can also be a list or array of JSON objects. The command will get an item for any object that has an ID. This is useful for passing information from one `op` command to another. ### Examples {#item-delete-examples} Delete an item: ``` op item delete "Defunct Login" ``` Move an item to the Archive: ``` op item delete "Defunct Login" --archive ``` ## item edit Edit an item's details. ``` op item edit { | | } [ ... ] [flags] ``` ### Flags {#item-edit-flags} ``` --dry-run Perform a dry run of the command and output a preview of the resulting item. --favorite Whether this item is a favorite item. Options: true, false. --generate-password[=recipe] Give the item a randomly generated password. --reveal Don't conceal sensitive fields. --tags tags Set the tags to the specified (comma-separated) values. An empty value will remove all tags. --template string Specify the filepath to read an item template from. --title title Set the item's title. --url URL Set the website where 1Password suggests and fills a Login, Password, or API Credential item. --vault vault Edit the item in this vault. ``` Specify the item by its name, ID, or sharing link. Use flags to update the title, tags, or generate a new random password. You can use assignment statements as command arguments to update built-in or custom fields. For sensitive values, use a template instead. #### Edit an item using assignment statements Caution: Command arguments can be visible to other processes on your machine. ```shell [
.][[]]= ``` To create a new field or section, specify a field or section name that doesn’t already exist on the item. To edit an existing field, specify the current section and field name, then make changes to the fieldType or value. If you don’t specify a fieldType or value, it will stay the same. To delete a custom field, specify `[delete]` in place of the fieldType. If a section no longer has any fields, the section will also be deleted. You can't delete built-in fields, but you can set them to empty strings. Learn more about assignment statements: `op item create –-help`. [Learn more about available fields and fieldTypes.](/docs/cli/item-fields) #### Edit an item using a template :::danger JSON item templates do not support passkeys. If you use a JSON template to update an item that contains a passkey, the passkey will be overwritten. To fix this, you can [restore a previous version of the item](https://support.1password.com/item-history/). ::: You can use a JSON template to edit an item, alone or in combination with command arguments. Field assignment statements overwrite values in the template. 1. Get the item you want to edit in JSON format and save it to a file: ``` op item get oldLogin --format=json > updatedLogin.json ``` 2. Edit the file. 3. Use the `--template` flag to specify the path to the edited file and edit the item: op item edit oldLogin --template=updatedLogin.json 4. Delete the file. You can also edit an item using piped input: ```shell cat updatedLogin.json | op item edit oldLogin ``` To avoid collisions, you can't combine piped input and the `--template` flag in the same command. ### Examples {#item-edit-examples} Add a 32-character random password that includes upper- and lower-case letters, numbers, and symbols to an item: ```shell op item edit 'My Example Item' --generate-password='letters,digits,symbols,32' ``` Edit a custom field's value without changing the fieldType: ``` op item edit 'My Example Item' 'field1=new value' ``` Edit a custom field's fieldType without changing the value: ``` op item edit 'My Example Item' 'field1[password]' ``` Edit a custom field's type and value: ``` op item edit 'My Example Item' 'field1[monthyear]=2021/09' ``` Add a new custom field to an item: ``` op item edit 'My Example Item' 'section2.field5[phone]=1-234-567-8910' ``` Remove an existing custom field: ``` op item edit 'My Example Item' 'section2.field5[delete]' ``` Set the built-in username field to an empty value: ``` op item edit 'My Example Item' 'username=' ``` Edit an item using a template alongside command arguments and assignment statements: ```shell op item edit oldLogin --vault Private 'username=Lucky' --template=updatedLogin.json ``` ## item get Get details about an item. Specify the item by its name, ID, or sharing link. ``` op item get [{ | | | - }] [flags] ``` ### Flags {#item-get-flags} ``` --fields strings Return data from specific fields. Use `label=` to get the field by name or `type=` to filter fields by type. Specify multiple in a comma-separated list. --include-archive Include items in the Archive. Can also be set using OP_INCLUDE_ARCHIVE environment variable. --otp Output the primary one-time password for this item. --reveal Don't conceal sensitive fields. --share-link Get a shareable link for the item. --vault vault Look for the item in this vault. ``` If you have multiple items with the same name, or if you’re concerned about API rate limits, specify the item by its ID or limit the scope of the search with the `--vault` flag. [Learn more about IDs and caching.](/docs/cli/reference) To retrieve the contents of a specific field, use `op read` instead. When using service accounts, you must specify a vault with the `--vault` flag or through piped input. #### Specify items on standard input `op item get` treats each line of information on standard input (stdin) as an object specifier. You can also input a list or array of JSON objects, and the command will get an item for any object that has an ID key. This is useful for passing information from one command to another. #### Items in the archive Items in the Archive are ignored by default. To get details for an item in the Archive, specify the item by ID or use the `--include-archive` option. ### Examples {#item-get-examples} Get details for all items with a specified tag: ``` op item list --tags documentation --format json | op item get - ``` Get a CSV list of the username, and password for all logins in a vault: ``` op item list --categories Login --vault Staging --format json | op item get - --fields label=username,label=password ``` Get a JSON object of an item's username and password fields: ``` op item get Netflix --fields label=username,label=password --format json ``` Get a list of fields by type: ``` op item get Netflix --fields type=concealed ``` Get an item's one-time password: ``` op item get Google --otp ``` Retrieve a shareable link for the item referenced by ID: ``` op item get kiramv6tpjijkuci7fig4lndta --vault "Ops Secrets" --share-link ``` ## item list List items. ``` op item list [flags] ``` ### Flags {#item-list-flags} ``` --categories categories Only list items in these categories (comma-separated). --favorite Only list favorite items. --include-archive Include items in the Archive. Can also be set using OP_INCLUDE_ARCHIVE environment variable. --long Output a more detailed item list. --tags tags Only list items with these tags (comma-separated). --vault vault Only list items in this vault. ``` Returns a list of all items the account has read access to by default. Use flags to filter results. Excludes items in the Archive by default. Categories are: - API Credential - Bank Account - Credit Card - Database - Document - Driver License - Email Account - Identity - Login - Membership - Outdoor License - Passport - Password - Reward Program - Secure Note - Server - Social Security Number - Software License - Wireless Router ### Examples {#item-list-examples} Get details for all items with a specified tag: ``` op item list --tags documentation --format=json | op item get - ``` Get a CSV list of the username, and password for all logins in a vault: ``` op item list --categories Login --vault Staging --format=json | op item get - --fields username,password ``` Selecting a tag `` will also return items with tags sub-nested to ``. For example: ``. ## item move Move an item between vaults. Moving an item creates a copy of the item in the destination vault and deletes the item from the current vault. As a result, the item gets a new ID. ``` op item move [{ | | | - }] [flags] ``` ### Flags {#item-move-flags} ``` --current-vault string Vault where the item is currently saved. --destination-vault string The vault you want to move the item to. --reveal Don't conceal sensitive fields. ``` To restore or permanently delete the original item, find the item in Recently Deleted in your 1Password app or on 1Password.com. Moving an item between vaults may change who has access to the item. ### Examples {#item-move-examples} Move an item from the Private vault to the Shared vault: ``` op item move "My Example Item" --current-vault Private --destination-vault Shared ``` ## item share Share an item. ``` op item share { | } [flags] ``` ### Flags {#item-share-flags} ``` --emails strings Email addresses to share with. --expires-in duration Expire link after the duration specified in (s)econds, (m)inutes, (h)ours, (d)ays, and/or (w)eeks. (default 7d) --vault string Look for the item in this vault. --view-once Expire link after a single view. ``` You can securely share copies of passwords and other items you've saved in 1Password with anyone, even if they don't use 1Password. When you share an item, you'll get a unique link that you can send to others. Copy the URL, then send the link to the person or people you want to share the item copy with, like in an email or text message. Anyone with the link can view the item copy unless you specify addresses with the emails flag. If you edit an item, your changes won't be shared until you share the item again. Note that file attachments and Document items cannot be shared. ## item template ### Subcommands {#item-template-subcommands} - [item template get](#item-template-get): Get an item template - [item template list](#item-template-list): Get a list of templates ## item template get Return a template for an item type. ``` op item template get [{ | - }] [flags] ``` ### Flags {#item-template-get-flags} ``` --file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600) -f, --force Do not prompt for confirmation. -o, --out-file string Write the template to a file instead of stdout. ``` You can create a new item with a template. Run `op item create --help` for more information. Categories are: - API Credential - Bank Account - Credit Card - Database - Document - Driver License - Email Account - Identity - Login - Membership - Outdoor License - Passport - Password - Reward Program - Secure Note - Server - Social Security Number - Software License - Wireless Router ## item template list Lists available item type templates. ``` op item template list [flags] ``` Use `op item template get ` to get a template. --- ## 1Password CLI reference :::info Get started If you're new to 1Password CLI, [learn how to set it up and sign in to your account](/docs/cli/get-started/). ::: ## Command structure ``` op [command] ``` 1Password CLI uses a noun-verb command structure that groups commands by topic rather than by operation. The basic structure of a command starts with the 1Password program `op`, then the command name (noun), often followed by a subcommand (verb), then flags (which include additional information that gets passed to the command). For example, to retrieve a list of all the items in your Private vault: ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "item" }, { "badge": 2, "color": "tangerine", "lineNo": 1, "substr": "list" }, { "badge": 3, "color": "dahlia", "lineNo": 1, "substr": "--vault Private" }] op item list --vault Private ``` To get a list of all global commands and flags, run the following: ​ ```shell op --help ``` ## Command reference - [account](/docs/cli/reference/management-commands/account): Manage your locally configured 1Password accounts - [completion](/docs/cli/reference/commands/completion): Generate shell completion information - [connect](/docs/cli/reference/management-commands/connect): Manage Connect server instances and tokens in your 1Password account - [document](/docs/cli/reference/management-commands/document): Perform CRUD operations on Document items in your vaults - [environment](/docs/cli/reference/management-commands/environment): Manage your 1Password Environments and their variables (Beta) - [events-api](/docs/cli/reference/management-commands/events-api): Manage Events API integrations in your 1Password account - [group](/docs/cli/reference/management-commands/group): Manage the groups in your 1Password account - [inject](/docs/cli/reference/commands/inject): Inject secrets into a config file - [item](/docs/cli/reference/management-commands/item): Perform CRUD operations on the 1Password items in your vaults - [plugin](/docs/cli/reference/management-commands/plugin): Manage the shell plugins you use to authenticate third-party CLIs - [read](/docs/cli/reference/commands/read): Read a secret reference - [run](/docs/cli/reference/commands/run): Pass secrets as environment variables to a process - [service-account](/docs/cli/reference/management-commands/service-account): Manage service accounts - [signin](/docs/cli/reference/commands/signin): Sign in to a 1Password account - [signout](/docs/cli/reference/commands/signout): Sign out of a 1Password account - [update](/docs/cli/reference/commands/update): Check for and download updates - [user](/docs/cli/reference/management-commands/user): Manage users within this 1Password account - [vault](/docs/cli/reference/management-commands/vault): Manage permissions and perform CRUD operations on your 1Password vaults - [whoami](/docs/cli/reference/commands/whoami): Get information about a signed-in account ## Global flags ``` --account string Select the account to execute the command by account shorthand, sign-in address, account ID, or user ID. For a list of available accounts, run 'op account list'. Can be set as the OP_ACCOUNT environment variable. --cache Store and use cached information. Caching is enabled by default on UNIX-like systems. Caching is not available on Windows. Options: true, false. Can also be set with the OP_CACHE environment variable. (default true) --config directory Use this configuration directory. --debug Enable debug mode. Can also be enabled by setting the OP_DEBUG environment variable to true. --encoding type Use this character encoding type. Default: UTF-8. Supported: SHIFT_JIS, gbk. --format string Use this output format. Can be 'human-readable' or 'json'. Can be set as the OP_FORMAT environment variable. (default "human-readable") -h, --help Get help for op. --iso-timestamps Format timestamps according to ISO 8601 / RFC 3339. Can be set as the OP_ISO_TIMESTAMPS environment variable. --no-color Print output without color. --session token Authenticate with this session token. 1Password CLI outputs session tokens for successful `op signin` commands when 1Password app integration is not enabled. ``` ## Unique identifiers (IDs) When you retrieve information about an object using the `get` and `list` subcommands, you'll see a string of 26 numbers and letters that make up the object's unique identifier (ID). You can use names or IDs in commands that take any [account](/docs/cli/reference/management-commands/account#account-get), [user](/docs/cli/reference/management-commands/user#user-get), [vault](/docs/cli/reference/management-commands/vault#vault-get), or [item](/docs/cli/reference/management-commands/item#item-get) as an argument. IDs are the most stable way to reference an item. An item's ID only changes when you move the item to a different vault. Commands provided with an ID are also faster and more efficient. You can get information about an item, including the item's ID and the ID for the vault where it's stored, with [`op item get`](/docs/cli/reference/management-commands/item#item-get). ```shell op item get Netflix # code-result ID: t2Vz6kMDjByzEAcq6peKnHL4k3 Title: Netflix Vault: Private (sdfsdf7werjgdf8gdfgjdfgkj) Created: 6 months ago Updated: 1 month ago by Wendy Appleseed Favorite: false Version: 1 Category: LOGIN ``` To only fetch the item ID, use the same command with the format set to JSON, then use [jq ](https://jqlang.github.io/jq/) to parse the output. ```shell op item get Netflix --format json | jq .id #code-result "t2Vz6kMDjByzEAcq6peKnHL4k3" ``` To get the IDs for all vaults in an account: ```shell op vault list #code-result ID NAME cfqtakqiutfhiewomztljx4woy Development rr3ggvrlr6opoete23q7c22ahi Personal 2gq6v6vzorl7jfxdurns4hl66e Work ``` ## Shell completion You can add shell completion so that 1Password CLI automatically completes your commands. With shell completion enabled, start typing an `op` command, then press Tab to see the available commands and options. **Bash:** To enable shell completion with Bash: 1. Install the bash-completion package 2. Add this line to your `.bashrc` file: ``` source <(op completion bash) ``` **Zsh:** To enable shell completion with Zsh, add this line to your `.zshrc` file: ``` eval "$(op completion zsh)"; compdef _op op ``` **fish:** To enable shell completion with fish, add this to your `.fish` file: ``` op completion fish | source ``` **PowerShell:** To enable shell completion with PowerShell, add this to your `.ps1` file: ```powershell op completion powershell | Out-String | Invoke-Expression ``` You'll need to enable script execution in PowerShell to start using shell completion. To do that, start a PowerShell window as an administrator and enter: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned ``` ## Cache item and vault information 1Password CLI can use its daemon process to cache items, vault information, and the keys to access information in an account. The daemon stores encrypted information in memory using the same encryption methods as on 1Password.com. It can read the information to pass to 1Password CLI, but can’t decrypt it. On UNIX-like systems, caching between commands is enabled by default. This helps maximize performance and reduce the number of API calls. If you use 1Password CLI in an environment where caching is not possible, you can turn it off by appending the `--cache=false` flag to your commands, or by setting the `OP_CACHE` environment variable to false. Caching is not currently available on Windows. ## Alternative character encoding By default, 1Password CLI processes input and output with UTF-8 encoding. You can use an alternative character encoding with the `--encoding` option. Supported alternative character encoding types: - `gbk` - `shift-jis` ## Parse JSON output with jq You can use the `--format` flag or the `OP_FORMAT` environment variable to set your 1Password CLI command output to `json`. To parse JSON output, we recommend using the command-line tool [jq. ](https://jqlang.github.io/jq/) For example, to use jq to retrieve a secret reference for the password saved on an item named `GitHub`: ```shell op item get GitHub --format json --fields password | jq .reference #code-result "op://development/GitHub/password" ``` ## Beta builds To download 1Password CLI beta builds, navigate to [the 1Password CLI downloads page](https://app-updates.agilebits.com/product_history/CLI2) and select **Show betas**. On Linux, you can switch the channel from "stable" to "beta" when adding the 1Password repository in your package manager. ## Example commands ### Items To get information about an item: ```shell op item get ``` You'll see the item's [ID](#unique-identifiers-ids), title, vault, when it was created, when it was last modified, the item's version, if it's marked as a favorite, the type of item it is, and the item's fields. If an item name includes spaces or special characters, enclose it in quotes. For example: ```shell op item get "work email" #code-result ID: a5w3is43ohs25qonzajrqaqx4q Title: work email Vault: Work (2gq6v6vzorl7jfxdurns4hl66e) Created: 6 years ago Updated: 9 months ago by Wendy Appleseed Favorite: true Version: 1 Category: LOGIN Fields: username: wendy.c.appleseed@agilebits.com password: NLuXcEtg27JMjGmiBHXZMGCgce URLs: website: https://www.gmail.com (primary) ``` To use `op item get` to retrieve specific fields, include the `--fields` flag followed by a comma-separated list, with the prefix `label=` before each field name. For example, to only retrieve the username and password for the item `work email`: ```shell op item get "work email" --fields label=username,label=password #code-result wendy.c.appleseed@agilebits.com,NLuXcEtg27JMjGmiBHXZMGCgce ``` Learn more about working with [items](/docs/cli/reference/management-commands/item/). ### Users and groups To get details about a user: ```shell op user get "Wendy Appleseed" #code-result ID: SPRXJFTDHTA2DDTPE5F7DA64RQ Name: Wendy Appleseed Email: wendy.c.appleseed@agilebits.com State: ACTIVE Type: MEMBER Created: 6 years ago Updated: 4 months ago Last Authentication: 1 month ago ``` To list the users who belong to a group: ``` op group user list "Provision Managers" #code-result ID NAME EMAIL STATE TYPE ROLE 7YEOODASGJE6VAEIOHYWGP33II Wendy Appleseed wendy.c.appleseed@agilebits.com ACTIVE MEMBER UKCYFVOJSFEXLKKZREG7M2MZWM Johnny Appleseed johnny.appleseed@agilebits.com RECOVERY_STARTED MEMBER ``` Learn more about working with [users](/docs/cli/reference/management-commands/user/) and [groups](/docs/cli/reference/management-commands/group/). ### Vaults To create a new vault named `Test`: ```shell op vault create Test ``` To get details about an existing vault: ```shell op vault get Work #code-result ID: jAeq2tfunmifZfG4WkuWvsaGGj Name: Work Type: USER_CREATED Attribute version: 3 Content version: 241 Items: 25 Created: 1 year ago Updated: 1 month ago ``` To list the vaults in an account: ```shell op vault list #code-result ID NAME vw8qjYEvsdCcZoULJRCqopy7Rv Development 2RNjh43dpHB9sDqZXEHiiw7zTe Personal cGxbZbV2pxKBmVJe9oWja4K8km Work ``` Learn more about working with [vaults](/docs/cli/reference/management-commands/vault/). ### Secrets To insert a secret into an environment variable, config file, or script without putting the plaintext secret in code, use a [secret reference](/docs/cli/secret-reference-syntax/) that specifies where the secret is stored in your 1Password account: ``` op://vault-name/item-name/[section-name/]field-name ``` Then, you can use [`op read`](/docs/cli/reference/commands/read/), [`op run`](/docs/cli/reference/commands/run/), or [`op inject`](/docs/cli/reference/commands/inject/) to replace the secret reference with the actual secret at runtime. To resolve a secret reference and confirm it outputs correctly: ```shell op read "op://Work/work email/username" #code-result wendy.c.appleseed@agilebits.com ``` Learn more about [loading secrets](/docs/cli/secret-references/). ## Get help For help with any command, use the `--help` option: ``` op [subcommand] --help ``` --- ## plugin | 1Password CLI # plugin Manage your shell plugin configurations. You can use shell plugins to securely authenticate third-party CLIs with 1Password, rather than storing your CLI credentials in plaintext. After you configure a plugin, 1Password CLI will prompt you to authenticate the third-party CLI with your fingerprint or other system authentication option. [Learn more about shell plugins.](/docs/cli/shell-plugins) ### Subcommands {#subcommands} - [plugin clear](#plugin-clear): Clear shell plugin configuration - [plugin init](#plugin-init): Configure a shell plugin - [plugin inspect](#plugin-inspect): Inspect your existing shell plugin configurations - [plugin list](#plugin-list): List all available shell plugins - [plugin run](#plugin-run): Provision credentials from 1Password and run this command ## plugin clear Clear an existing shell plugin configuration. ```shell op plugin clear [flags] ``` ### Flags {#plugin-clear-flags} ``` --all Clear all configurations for this plugin that apply to this directory and/or terminal session, including the global default. -f, --force Apply immediately without asking for confirmation. ``` You can clear one configuration at a time, in this order of precedence: - Terminal session default - Directory default, from the current directory to `$HOME` - Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear aws` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear aws --all`. ## plugin init Choose a shell plugin to install and configure your default credentials. Bash, Zsh, and fish shells are supported. ```shell op plugin init [ ] [flags] ``` Shell plugins require the [1Password desktop app integration](/docs/cli/shell-plugins/). To see all available plugins, run `op plugin list`. #### Configure your default credentials 1Password CLI prompts you to select or import the credentials you want to use with the third-party CLI, then returns a command to source your `plugins.sh` file and make the plugin alias usable. To use the plugin beyond the current terminal session, make sure to add the source command to your RC file or shell profile (e.g. `~/.bashrc`, `~/.zshrc`, `~/.config/fish/config.fish`). For example: ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` #### Configuration options You can choose whether 1Password CLI remembers your configuration. With any option, your credentials never leave your 1Password account. - "Prompt me for each new terminal session" only configures the credentials for the current terminal session. Once you exit the terminal, your default is removed. - "Use automatically when in this directory or subdirectories" makes your credentials the default in the current directory and all its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. - "Use as global default on my system" sets the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## plugin inspect Inspect your existing shell plugin configurations. ```shell op plugin inspect [ ] [flags] ``` You can run `op plugin inspect` to select a plugin from the list of all available plugins, or `op plugin inspect ` to inspect a specific plugin. 1Password CLI returns a list of the credentials you've configured to use with the plugin and their default scopes, as well as configured alias details. ## plugin list Lists all available shell plugins, their usage, name, and required fields. ```shell op plugin list [flags] ``` To get started with a shell plugin, run `op plugin init `. ## plugin run Provision credentials from 1Password and run this command. ```shell op plugin run ... [flags] ``` `op plugin run` passes your credentials saved in 1Password to the underlying CLI and runs the provided command. If you haven't configured your default credentials, 1Password CLI will prompt you to select an item that contains your credentials. After this, you will be automagically authenticated with this CLI, and your selection will be recorded for future calls to this plugin in the current terminal session. To configure a default credential, see `op plugin init --help`. --- ## read | 1Password CLI # read Read the value of the field in 1Password specified by a secret reference. [Learn more about secret references and query parameters.](/docs/cli/secret-reference-syntax/) ``` op read [flags] ``` ### Flags {#flags} ``` --file-mode filemode Set filemode for the output file. It is ignored without the --out-file flag. (default 0600) -f, --force Do not prompt for confirmation. -n, --no-newline Do not print a new line after the secret. -o, --out-file string Write the secret to a file instead of stdout. ``` ### Examples {#examples} Print the secret saved in the field `password`, on the item `db`, in the vault `app-prod`: ```shell op read op://app-prod/db/password ``` Use a secret reference with a query parameter to retrieve a one-time password: ```shell op read "op://app-prod/db/one-time password?attribute=otp" ``` Use a secret reference with a query parameter to get an SSH key's private key in the OpenSSH format: ```shell op read "op://app-prod/ssh key/private key?ssh-format=openssh" ``` Save the SSH key found on the item `ssh` in the `server` vault as a new file `key.pem` on your computer: ```shell op read --out-file ./key.pem op://app-prod/server/ssh/key.pem ``` Use `op read` in a command with secret references in place of plaintext secrets: ```shell docker login -u $(op read op://prod/docker/username) -p $(op read op://prod/docker/password) ``` --- ## run | 1Password CLI # run Pass secrets as environment variables to an application or script. ``` op run -- ... [flags] ``` ### Flags {#flags} ``` --env-file stringArray Enable Dotenv integration with specific Dotenv files to parse. For example: --env-file=.env. --no-masking Disable masking of secrets on stdout and stderr. ``` Use `op run` to securely load project secrets from 1Password, then run a provided command in a subprocess with the secrets made available as environment variables only for the duration of the subprocess. To limit which 1Password items processes in your authorized terminal session can access, make sure to authenticate 1Password CLI with a service account that only has access to the required secrets. You can scope service accounts to specific vaults and 1Password Environments. [Learn more about service accounts.](/docs/service-accounts/) [Learn more about loading secrets with `op run`.](/docs/cli/secrets-environment-variables) #### Load secrets using secret references `op run` can scan environment variables and files for secret references, then load the provided command with the referenced secrets made available as environment variables. Secret references are URIs that point to the ID or name of the vault, item, section, and field where a secret is stored in 1Password. You can export environment variables to secret references on the command line or using an .env file. Secrets printed to stdout or stderr are concealed by default. Include the `--no-masking` flag to turn off masking. When referencing an environment variable assigned to a secret reference within a command, `op run` must replace the reference with the actual secret value before the variable expands. To make sure this order of operations is followed, run the command that expands the variable in a subshell. #### Load variables from environments (Beta) :::note The `--environments` flag is available in [the latest beta build of 1Password CLI](/docs/cli/reference#beta-builds), version `2.33.0-beta.02` or later. ::: Use `op run` with the `--environments` flag and an Environment's ID to load variables from a 1Password Environment. To find an Environment's ID, open the 1Password app, navigate to Developer > View Environments > then select View environment > Manage environment > Copy environment ID. Load variables from a 1Password Environment: ```shell op run --environment -- printenv ``` #### Environment variable precedence If the same environment variable name exists in multiple sources, the source with higher precedence takes effect. Precedence from highest to lowest: 1. 1Password Environments (--environment) 2. Environment files (--env-file) 3. Shell environment variables If the same environment variable name exists in multiple environment files, the last environment file takes precedence. If the same environment variable name exists in multiple 1Password Environments, the last Environment specified takes precedence. ### Examples {#examples} Print secret value: ``` export DB_PASSWORD="op://app-prod/db/password" ``` ``` op run -- printenv DB_PASSWORD ``` ``` op run --no-masking -- printenv DB_PASSWORD fX6nWkhANeyGE27SQGhYQ ``` Specify an environment file and use it: ``` echo "DB_PASSWORD=op://app-dev/db/password" > .env ``` ``` op run --env-file="./.env" -- printenv DB_PASSWORD password ``` Use variables in secret references to switch between different sets of secrets for different environments: ``` cat .env DB_USERNAME = op://$APP_ENV/db/username DB_PASSWORD = op://$APP_ENV/db/password ``` ``` export APP_ENV="dev" op run --env-file="./.env" -- printenv DB_PASSWORD dev ``` ``` export APP_ENV="prod" op run --env-file="./.env" -- printenv DB_PASSWORD prod ``` --- ## service-account | 1Password CLI # service-account Manage service accounts. ### Subcommands {#subcommands} - [service-account create](#service-account-create): Create a service account - [service-account ratelimit](#service-account-ratelimit): Retrieve rate limit usage for a service account ## service-account create Create a service account to gain programmatic access to your secrets using 1Password CLI. ```shell op service-account create [flags] ``` ### Flags {#service-account-create-flags} ``` --can-create-vaults Allow the service account to create new vaults. --expires-in duration Set how long the service account is valid for in (s)econds, (m)inutes, (h)ours, (d)ays, or (w)eeks. --raw Only return the service account token. --vault stringArray Give access to this vault with a set of permissions. Has syntax :[,] ``` You can specify the vaults the service account can access, as well as the permissions it will have for each vault using the `--vault` flag. The syntax looks like this: ```shell --vault :, ``` The permissions can be one of the following: - `read_items` - `write_items` (requires `read_items`) - `share_items` (requires `read_items`) If no permissions are specified, it will default to `read_items`. You can set an expiry to a service account using the `--expires-in` flag. 1Password CLI only returns the service account token once. Save the token in 1Password immediately to avoid losing it. Treat this token like a password, and don't store it in plaintext. :::note You can't grant a service account access to your built-in [Personal](https://support.1password.com/1password-glossary#personal-vault), [Private](https://support.1password.com/1password-glossary#private-vault), or [Employee](https://support.1password.com/1password-glossary#employee-vault) vault. ::: ### Examples {#service-account-create-examples} Create a new service account: ```shell op service-account create my-service-account --vault Dev:read_items --vault Test:read_items,write_items ``` Create a service account with an expiry: ```shell op service-account create my-service-account --expires-in=24h ``` Create a service account that can create new vaults: ```shell op service-account create my-service-account --can-create-vaults ``` ## service-account ratelimit Retrieve hourly and daily rate limit usage for a service account. ```shell op service-account ratelimit [{ | }] [flags] ``` --- ## signin | 1Password CLI # signin Sign in to 1Password CLI using the 1Password desktop app. ```shell op signin [flags] ``` ### Flags {#flags} ``` -f, --force Ignore warnings and print raw output from this command. --raw Only return the session token. ``` To turn on the 1Password app integration: 1. Open the 1Password app. 2. Navigate to **Settings** > **Security** and turn on Touch ID, Windows Hello, or a Linux system authentication option. 3. Navigate to **Developer** > **Settings** and select **Integrate with 1Password CLI**. [Learn more about the app integration.](/docs/cli/app-integration/) If you add multiple 1Password accounts to the 1Password app, 1Password CLI determines which to use in this order: 1. The account specified with the `--account` flag. 2. The account specified by the `OP_ACCOUNT` environment variable. 3. The account you most recently signed in to with `op signin` in any terminal window. `op signin` is idempotent. It only prompts for authentication if you aren't already authenticated. ### Examples {#examples} Sign in and set the environment variable in one step: ```shell eval $(op signin --account acme.1password.com) ``` --- ## signout | 1Password CLI # signout Sign out of a 1Password account. ``` op signout [flags] ``` ### Flags {#flags} ``` --all Sign out of all signed-in accounts. --forget Remove the details for a 1Password account from this device. ``` Signs out of the most recently used account by default. --- ## Update to the latest version of 1Password CLI To make sure you're up to date with the latest features and security improvements, always use the latest version of 1Password CLI. To check what version you currently have installed, use `op --version`. ## Download the latest version There are two ways you can download the latest version for your platform and architecture: - Visit our [release page](https://app-updates.agilebits.com/product_history/CLI2) and download the latest version of 1Password CLI. - Use `op update` to download the latest version from the command line. Set the `--directory` flag to choose where to download the installer (defaults to `~/Downloads`) and confirm the download. You can use `op update` without signing in. After downloading the appropriate installer, follow the [installation instructions](/docs/cli/get-started#step-1-install-1password-cli) to finish the update. ## Update with a package manager If you installed 1Password CLI with a package manager, use the following commands to update your installation. **Mac:** **Brew** ```shell brew upgrade --cask 1password-cli ``` **Linux:** **Apt:** ```shell sudo apt update && sudo apt install 1password-cli ``` **Yum:** ```shell sudo dnf check-update -y 1password-cli && sudo dnf install 1password-cli ``` **Alpine:** ```shell apk add --update-cache 1password-cli ``` --- ## update | 1Password CLI # update Check for updates to `op` and download an updated version, if available. ``` op update [flags] ``` ### Flags {#flags} ``` --directory path Download the update to this path. --channel string Look for updates from a specific channel. allowed: stable, beta ``` --- ## user | 1Password CLI # user ### Subcommands {#subcommands} - [user confirm](#user-confirm): Confirm a user - [user delete](#user-delete): Remove a user and all their data from the account - [user edit](#user-edit): Edit a user's name or Travel Mode status - [user get](#user-get): Get details about a user - [user list](#user-list): List users - [user provision](#user-provision): Provision a user in the authenticated account - [user reactivate](#user-reactivate): Reactivate a suspended user - [user recovery](#user-recovery): Manage user recovery in your 1Password account - [user suspend](#user-suspend): Suspend a user ## user confirm Specify the user by their e-mail address, name, or ID. ```shell op user confirm [{ | | | - }] [flags] ``` ### Flags {#user-confirm-flags} ``` --all Confirm all unconfirmed users. ``` Specify the user by their e-mail address, name, or ID. ### Examples {#user-confirm-examples} Confirm a user by specifying their name: ```shell op user confirm "Wendy Appleseed" ``` Confirm a user by specifying their email: ```shell op user confirm "wendy.appleseed@example.com" ``` ## user delete Remove a user and all their data from the account. ```shell op user delete [{ | | | - }] [flags] ``` Specify the user by their e-mail address, name, or ID. ## user edit Change a user's name or Travel Mode status. ```shell op user edit [{ | | | - }] [flags] ``` ### Flags {#user-edit-flags} ``` --name string Set the user's name. --travel-mode on|off Turn Travel Mode on or off for the user. (default off) ``` Specify the user by their e-mail address, name, or ID. ## user get Get details about a user. ```shell op user get [{ | | | --me | - }] [flags] ``` ### Flags {#user-get-flags} ``` --fingerprint Get the user's public key fingerprint. --me Get the authenticated user's details. --public-key Get the user's public key. ``` Specify the user by their e-mail address, name, or ID. #### Use standard input to specify objects If you enter a hyphen (`-`) instead of a single object for this command, the tool will read object specifiers from standard input (stdin). Separate each specifier with a new line. For more information about how to specify objects, run `op help`. You can also pass the command a list or array of JSON objects. The tool will get an item for any object that has an ID, ignoring line breaks. This is useful for passing information from one `op` command to another. ### Examples {#user-get-examples} Look up a user by name: ```shell op user get "Wendy Appleseed" ``` Look up a user by e-mail: ```shell op user get wendy.appleseed@example.com ``` Get details for all users: ```shell op user list --format=json | op user get - ``` Get the public key for all users in a group: ```shell op user list --group "Frontend Developers" --format=json | op user get - --publickey ``` Get details for all users who have access to a vault: ```shell op user list --vault Staging --format=json | op user get - ``` ## user list List users. ```shell op user list [flags] ``` ### Flags {#user-list-flags} ``` --group group List users who belong to a group. --vault vault List users who have direct access to vault. ``` Returns all users in an account by default. Use flags to filter results. When you use the `--group` option, the output includes the user's role in the group. ### Examples {#user-list-examples} Get details for all users: ```shell op user list --format=json | op user get - ``` Get the public key for all users in a group: ```shell op user list --group "Frontend Developers" --format=json | op user get - --publickey ``` Get details for all users who have access to a vault: ```shell op user list --vault Staging --format=json | op user get - ``` ## user provision Provision a user in the authenticated account. ```shell op user provision [flags] ``` ### Flags {#user-provision-flags} ``` --email string Provide the user's email address. --language string Provide the user's account language. (default "en") --name string Provide the user's name. ``` Provisioned users will receive an invitation email to join the 1Password account. Once a user accepts an invitation, an admin must confirm them on 1Password.com or using the `op user confirm` command. Invited users will not be considered for billing until they accept their invitation. ### Examples {#user-provision-examples} Invite a user by specifying their e-mail address and name: ```shell op user provision --name "Wendy Appleseed" --email "wendy.appleseed@example.com" ``` ## user reactivate Reactivate a suspended user. ```shell op user reactivate [{ | | | - }] [flags] ``` A user may be specified by their e-mail address, name, or ID. ## user recovery ### Subcommands {#user-recovery-subcommands} - [user recovery begin](#user-recovery-begin): Begin recovery for users in your 1Password account ## user recovery begin Begin recovery for users in your 1Password account: ```shell op user recovery begin [ { | | } ] [flags] ``` ### Examples {#user-recovery-begin-examples} Begin recovery for multiple users by UUID: ```shell op user recovery begin ZMAE4RTRONHN7LGELNYYO373KM WHPOFIMMYFFITBVTOTZUR3R324 ``` ## user suspend Suspend a user. ```shell op user suspend [{ | | | - }] [flags] ``` ### Flags {#user-suspend-flags} ``` --deauthorize-devices-after duration Deauthorize the user's devices after a time (rounded down to seconds). ``` Specify the user by their e-mail address, name, or ID. A suspended user will immediately be logged out of all devices and will not be able to log in or access any data. Users in a suspended state are not considered in billing. You can reactivate a suspended user with the `op user reactivate` command. --- ## vault | 1Password CLI # vault Manage permissions and perform CRUD operations on your 1Password vaults. ### Subcommands {#subcommands} - [vault create](#vault-create): Create a new vault - [vault delete](#vault-delete): Remove a vault - [vault edit](#vault-edit): Edit a vault's name, description, icon, or Travel Mode status - [vault get](#vault-get): Get details about a vault - [vault group](#vault-group): Manage group vault access - [vault list](#vault-list): List all vaults in the account - [vault user](#vault-user): Manage user vault access ## vault create Create a new vault ``` op vault create [flags] ``` ### Flags {#vault-create-flags} ``` --allow-admins-to-manage true|false Set whether administrators can manage the vault. If not provided, the default policy for the account applies. --description description Set the vault's description. --icon string Set the vault icon. ``` Valid icon keywords are: airplane, application, art-supplies, bankers-box, brown-briefcase, brown-gate, buildings, cabin, castle, circle-of-dots, coffee, color-wheel, curtained-window, document, doughnut, fence, galaxy, gears, globe, green-backpack, green-gem, handshake, heart-with-monitor, house, id-card, jet, large-ship, luggage, plant, porthole, puzzle, rainbow, record, round-door, sandals, scales, screwdriver, shop, tall-window, treasure-chest, vault-door, vehicle, wallet, wrench ## vault delete Remove a vault. Specify the vault to delete by name or ID. ``` op vault delete [{ | | - }] [flags] ``` A vault may be specified by name or ID. ## vault edit Edit a vault's name, description, icon, or Travel Mode status. Specify the vault by name or ID. ``` op vault edit [{ | | - }] [flags] ``` ### Flags {#vault-edit-flags} ``` --description description Change the vault's description. --icon icon Change the vault's icon. --name name Change the vault's name. --travel-mode on|off Turn Travel Mode on or off for the vault. Only vaults with Travel Mode enabled are accessible while a user has Travel Mode turned on. (default off) ``` A vault may be specified by name or ID. Valid icon keywords are: airplane, application, art-supplies, bankers-box, brown-briefcase, brown-gate, buildings, cabin, castle, circle-of-dots, coffee, color-wheel, curtained-window, document, doughnut, fence, galaxy, gears, globe, green-backpack, green-gem, handshake, heart-with-monitor, house, id-card, jet, large-ship, luggage, plant, porthole, puzzle, rainbow, record, round-door, sandals, scales, screwdriver, shop, tall-window, treasure-chest, vault-door, vehicle, wallet, wrench ## vault get Get details about a vault. Specify the vault by name or ID. ``` op vault get [{ | | - }] [flags] ``` A vault may be specified by name or ID. #### Use standard input to specify objects If you enter a hyphen (`-`) instead of a single object for this command, the tool will read object specifiers from standard input (stdin). Separate each specifier with a new line. For more information about how to specify objects, run `op help`. You can also pass the command a list or array of JSON objects. The tool will get an item for any object that has an ID, ignoring line breaks. This is useful for passing information from one `op` command to another. ### Examples {#vault-get-examples} Get details for all vaults: ``` op vault list --format=json | op vault get - ``` Get details for the vaults that a group has access to: ``` op vault list --group security --format=json | op vault get - ``` ## vault group ### Subcommands {#vault-group-subcommands} - [vault group grant](#vault-group-grant): Grant a group permissions to a vault - [vault group list](#vault-group-list): List all the groups that have access to the given vault - [vault group revoke](#vault-group-revoke): Revoke a portion or the entire access of a group to a vault ## vault group grant Grant a group permissions in a vault. ``` op vault group grant [flags] ``` ### Flags {#vault-group-grant-flags} ``` --group group The group to receive access. --no-input input Do not prompt for input on interactive terminal. --permissions permissions The permissions to grant to the group. --vault vault The vault to grant group permissions to. ``` Permissions are specified in a comma separated list such as: ``` view_items,view_and_copy_passwords,edit_items ``` 1Password Teams includes three permissions: ``` allow_viewing, allow_editing, allow_managing ``` 1Password Business includes the permissions above as well as more granular options: allow_viewing ``` view_items, view_and_copy_passwords, view_item_history ``` allow_editing ``` create_items, edit_items, archive_items, delete_items, import_items, export_items, copy_and_share_items, print_items ``` allow_managing ``` manage_vault ``` When granting or revoking permissions, some permissions require dependent permissions to be granted or revoked alongside them. [Learn more about managing vault permissions.](/docs/cli/vault-permissions/) ### Examples {#vault-group-grant-examples} Grant a group certain permissions in a vault with a business account: ``` op vault group grant --vault VAULT --group GROUP \ --permissions view_items,create_items,allow_viewing ``` ``` op vault group grant --vault VAULT --group GROUP \ --permissions allow_viewing,export_items ``` Grant a group certain permissions in a vault with a team account: ``` op vault group grant --vault VAULT --group GROUP \ --permissions allow_viewing,allow_editing ``` ## vault group list List all the groups that have access to the given vault. ``` op vault group list [{ | - }] [flags] ``` ## vault group revoke Revoke a group's permissions in a vault, in part or in full. ``` op vault group revoke [flags] ``` ### Flags {#vault-group-revoke-flags} ``` --group group The group to revoke access from. --no-input input Do not prompt for input on interactive terminal. --permissions permissions The permissions to revoke from the group. --vault vault The vault to revoke access to. ``` Not specifying any permissions revokes the group's access to the vault. Removing all existing permissions also revokes the group’s access to the vault. Permissions are specified in a comma separated list such as: ``` view_items,view_and_copy_passwords,edit_items ``` 1Password Teams includes three permissions: ``` allow_viewing, allow_editing, allow_managing ``` 1Password Business includes the permissions above as well as more granular options: allow_viewing ``` view_items, view_and_copy_passwords, view_item_history ``` allow_editing ``` create_items, edit_items, archive_items, delete_items, import_items, export_items, copy_and_share_items, print_items ``` allow_managing ``` manage_vault ``` When granting or revoking permissions, some permissions require dependent permissions to be granted or revoked alongside them. [Learn more about managing vault permissions.](/docs/cli/vault-permissions/) ### Examples {#vault-group-revoke-examples} Remove a group from a vault: ``` op vault group revoke --vault VAULT --group GROUP ``` Revoke certain permissions from a group in a vault with a business account: ``` op vault group revoke --vault VAULT --group GROUP \ --permissions view_items,create_items,allow_editing ``` Revoke certain permissions from a group in a vault with a team account: ``` op vault group revoke --vault VAULT --group GROUP \ --permissions allow_viewing,allow_editing ``` ## vault list List vaults. ``` op vault list [flags] ``` ### Flags {#vault-list-flags} ``` --group string List vaults a group has access to. --permission permissions List only vaults that the specified user/group has this permission for. --user string List vaults that a given user has access to. ``` By default, returns all vaults the current user has read access to. ### Examples {#vault-list-examples} Get details for all vaults: ``` op vault list --format=json | op vault get - ``` Get details for vaults that a group has access to: ``` op vault list --group Security --format=json | op vault get - ``` Get details for vaults that a user has access to: ``` op vault list --user wendy_appleseed@1password.com --format=json | op vault get - ``` Only list vaults for which the user/group has a specific set of permissions: ``` op vault list --user wendy_appleseed@1password.com --permission manage_vault ``` ## vault user ### Subcommands {#vault-user-subcommands} - [vault user grant](#vault-user-grant): Grant a user access to a vault - [vault user list](#vault-user-list): List all users with access to the vault and their permissions - [vault user revoke](#vault-user-revoke): Revoke a portion or the entire access of a user to a vault ## vault user grant Grant a user permissions in a vault. ``` op vault user grant [flags] ``` ### Flags {#vault-user-grant-flags} ``` --no-input input Do not prompt for input on interactive terminal. --permissions permissions The permissions to grant to the user. --user user The user to receive access. --vault vault The vault to grant access to. ``` Permissions are specified in a comma separated list such as: ``` view_items,view_and_copy_passwords,edit_items ``` 1Password Teams and 1Password Families include three permissions: ``` allow_viewing, allow_editing, allow_managing ``` 1Password Business includes the permissions above as well as more granular options: allow_viewing ``` view_items, view_and_copy_passwords, view_item_history ``` allow_editing ``` create_items, edit_items, archive_items, delete_items, import_items, export_items, copy_and_share_items, print_items ``` allow_managing ``` manage_vault ``` When granting or revoking permissions, some permissions require dependent permissions to be granted or revoked alongside them. [Learn more about managing vault permissions.](/docs/cli/vault-permissions/) ### Examples {#vault-user-grant-examples} Grant a user certain permissions in a vault with a business account: ``` op vault user grant --vault VAULT --user USER \ --permissions view_items,create_items,allow_viewing ``` ``` op vault user grant --vault VAULT --user USER \ --permissions allow_viewing,export_items ``` Grant a user certain permissions in a vault with a team account: ``` op vault user grant --vault VAULT --user USER \ --permissions allow_viewing,allow_editing ``` ## vault user list List all users with access to the vault and their permissions. ``` op vault user list [flags] ``` ## vault user revoke Revoke a user's permissions in a vault, in part or in full. ``` op vault user revoke [flags] ``` ### Flags {#vault-user-revoke-flags} ``` --no-input input Do not prompt for input on interactive terminal. --permissions permissions The permissions to revoke from the user. --user user The user to revoke access from. --vault vault The vault to revoke access to. ``` Not specifying any permissions revokes the user's access to the vault. Removing all existing permissions also revokes the user’s access to the vault. Permissions are specified in a comma separated list such as: ``` view_items,view_and_copy_passwords,edit_items ``` 1Password Teams and 1Password Families include three permissions: ``` allow_viewing, allow_editing, allow_managing ``` 1Password Business includes the permissions above as well as more granular options: allow_viewing ``` view_items, view_and_copy_passwords, view_item_history ``` allow_editing ``` create_items, edit_items, archive_items, delete_items, import_items, export_items, copy_and_share_items, print_items ``` allow_managing ``` manage_vault ``` When granting or revoking permissions, some permissions require dependent permissions to be granted or revoked alongside them. [Learn more about managing vault permissions.](/docs/cli/vault-permissions/) ### Examples {#vault-user-revoke-examples} Remove a user from a vault: ``` op vault user revoke --vault VAULT --user USER ``` Revoke certain permissions from a user in a vault with a business account: ``` op vault user revoke --vault VAULT --user USER \ --permissions view_items,create_items,allow_editing ``` Revoke certain permissions from a user in a vault with a team account: ``` op vault user revoke --vault VAULT --user USER \ --permissions allow_viewing,allow_editing ``` --- ## whoami | 1Password CLI # whoami Get information about a signed-in account. ``` op whoami [flags] ``` Returns the currently active account or service account. The command returns an error if no accounts are currently authenticated. Get information about a specific account with the `--account ` flag. --- ## Example scripts The 1Password Solutions team manages [a repository of example 1Password CLI scripts](https://github.com/1Password/solutions) that you can use as inspiration for your own projects. You'll need to install [jq](https://stedolan.github.io/jq/), a command-line JSON processor, for the example scripts to work correctly. You can find demo scripts to help you: - [Migrate from another password solution](https://github.com/1Password/solutions/tree/main/1password/migration) - [Provision new users from a CSV](https://github.com/1Password/solutions/tree/main/1password/scripted-provisioning) - [Audit or manage existing users](https://github.com/1Password/solutions/tree/main/1password/user-management) - [Manage your vaults and groups](https://github.com/1Password/solutions/tree/main/1password/account-management) - [Create, update, and share items](https://github.com/1Password/solutions/tree/main/1password/item-management) ## Learn more - [Get started with secret references](/docs/cli/secret-references/) - [Load secrets into scripts](/docs/cli/secrets-scripts/) - [Load secrets into the environment](/docs/cli/secrets-environment-variables/) - [Load secrets into config files](/docs/cli/secrets-config-files/) --- ## 1Password CLI Secret Reference Syntax # Secret reference syntax _[An environment file using a plaintext secret and the same file using a secret reference.]_ Secret reference URIs point to where a secret is saved in your 1Password account using the names (or [unique identifiers](/docs/cli/reference#unique-identifiers-ids)) of the vault, item, section, and field where the information is stored. ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "vault-name" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "item-name" }, { "badge": 3, "color": "intrepidblue", "lineNo": 1, "substr": "section-name" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "field-name" }] op:////[section-name/] ``` Secret references remove the risk of exposing plaintext secrets in your code and reflect changes you make in your 1Password account, so when you run a script you get the latest value. You can use secret references with: - **1Password CLI**: Load secrets into environment variables, configuration files, and scripts. Learn more - **1Password SDKs**: Programmatically access your secrets with Go, JavaScript, and Python. Learn more - **Secrets Automation**: Use secret references to secure your secrets management workflows. Learn more - **VS Code**: Create, preview, and read secret references in your code. Learn more - **1Password integrations**: Securely access your secrets in Kubernetes, CircleCI, GitHub Actions, Jenkins, Terraform, Pulumi, Postman, and more. Learn more ## Get secret references ### With the 1Password desktop app To see the option to copy secret references in the 1Password desktop app, first turn on the [integration with 1Password CLI](/docs/cli/app-integration). Then: 1. Open the item where the secret you want to reference is stored. 2. Select next to the field that contains the secret you want to reference, then select Copy Secret Reference. _[An item in 1Password with the Copy Secret Reference option selected.]_ ### With 1Password for VS Code You can use 1Password for VS Code to [insert secret references](/docs/vscode#get-values) from 1Password as you edit your code. First, [install the extension](/docs/vscode/). Then: 1. Open the **[Command Palette ](https://code.visualstudio.com/api/ux-guidelines/command-palette)**. 2. Enter `1Password: Get from 1Password`. 3. Enter the item name or ID. 4. Select the field to use. ### With 1Password CLI To get a secret reference with 1Password CLI, run [`op item get`](/docs/cli/reference/management-commands/item#item-get) with the `--format json` flag and include the `--fields` flag to specify a field label. Then use [jq ](https://jqlang.github.io/jq/) to retrieve the secret reference from the JSON output. For example: ```shell op item get GitHub --format json --fields username | jq .reference #code-result "op://development/GitHub/username" ``` To get secret references for every field on an item, use [`op item get`](/docs/cli/reference/management-commands/item#item-get) with the `--format json` flag without specifying a field. **Example JSON output** ```shell op item get GitHub --format json ``` Each field object will include a `reference` key that contains its secret reference. For the example `GitHub` item, the output looks like this: ```json {8,17,29,40} "fields": [ { "id": "username", "type": "STRING", "purpose": "USERNAME", "label": "username", "value": "wendy_appleseed@agilebits.com", "reference": "op://development/GitHub/username" }, { "id": "password", "type": "CONCEALED", "purpose": "PASSWORD", "label": "password", "value": "GADbhK6MjNZrRftGMqto", "entropy": 115.5291519165039, "reference": "op://development/GitHub/password", "password_details": { "entropy": 115, "generated": true, "strength": "FANTASTIC" } }, { "id": "notesPlain", "type": "STRING", "purpose": "NOTES", "label": "notesPlain", "reference": "op://development/GitHub/notesPlain" }, { "id": "5ni6bw735myujqe4elwbzuf2ee", "section": { "id": "hv46kvrohfj75q6g45km2uultq", "label": "credentials" }, "type": "CONCEALED", "label": "personal_token", "value": "ghp_WzgPAEutsFRZH9uxWYtw", "reference": "op://development/GitHub/credentials/personal_token" } ] } ``` ## Syntax rules ### Supported characters Secret references are case-insensitive and support the following characters: - alphanumeric characters (`a-z`, `A-Z`, `0-9`) - `-`, `_`, `.` and the whitespace character If a secret reference includes a whitespace, enclose the secret reference in quotation marks. For example: ```shell op read "op://development/aws/Access Keys/access_key_id" ``` Any part of a secret reference that includes an unsupported character must be referred to by its [unique identifier (ID)](/docs/cli/reference#unique-identifiers-ids) instead of its name. To get an ID, run [`op item get`](/docs/cli/reference/management-commands/item#item-get) with the output set to JSON. For example, to get the ID for a custom text field named `test/`: ``` op item get PagerDuty --fields label=test/ --format json #code-result { "id": "hu4vwo3bjkawq2uw2fkn5pkjzu", "section": { "id": "add more" }, "type": "STRING", "label": "text/", "value": "t", "reference": "op://Management/PagerDuty/add more/hu4vwo3bjkawq2uw2fkn5pkjzu" } ``` ### File attachments To reference a file attachment, use the file name in place of a field name: ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "vault-name" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "item-name" }, { "badge": 3, "color": "intrepidblue", "lineNo": 1, "substr": "section-name" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "file-name" }] op://vault-name/item-name/[section-name/]file-name ``` ### Externally-set variables If you use different sets of secrets in different environments, you can include variables within secret references and then set the variable to switch between secrets. For example, the `APP_ENV` variable in the example below can be set to `dev` to load development credentials or `prod` to load production credentials, assuming the credentials are stored in 1Password vaults named `dev` and `prod`. ```shell title="app.env" MYSQL_DATABASE = "op://$APP_ENV/mysql/database" MYSQL_USERNAME = "op://$APP_ENV/mysql/username" MYSQL_PASSWORD = "op://$APP_ENV/mysql/password" ``` Learn how to use variables to switch between sets of secrets in [environment files](/docs/cli/secrets-environment-variables#step-3-differentiate-between-environments) and [config files](/docs/cli/secrets-config-files#step-3-differentiate-between-environments). ### Field and file metadata attributes You can use secret references with query parameters to get more information about an item. #### Attribute parameter To get information about item fields and file attachments, use the `attribute` (or `attr`) query parameter. ```html title="Fields" op:///[/
]/?attribute= ``` ```html title="File attachments" op:///[/
]/?attribute= ``` Field attributes: | Attribute | Definition | | --- | --- | | `type` | The field's type | | `value` | The field's content | | `id` | The field's unique identifier | | `purpose` | The designation of a built-in field (can be "username", "password", or "notes") | | `otp` | Use with one-time password fields to generate a one-time password code | File attachment attributes: | Attribute | Definition | | --- | --- | | `type` | The field's type | | `content` | The file attachment's content | | `size` | The size of the file attachment | | `id` | The file attachment's unique identifier | | `name` | The name of the file attachment | For example, to retrieve an item's one-time password code: ```shell op read "op://development/GitHub/Security/one-time password?attribute=otp" #code-result 359836 ``` To retrieve a field's type: ```shell op read "op://Personal/aws/access credentials/username?attribute=type" #code-result string ``` To retrieve the name of a file attachment: ```shell op read "op://app-infra/ssh/key.pem?attribute=name" #code-result key.pem ``` #### SSH format parameter To get an SSH private key in the OpenSSH format, include the `ssh-format` query parameter with the value `openssh` on a secret reference for the SSH key's `private key` field. ```shell op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh" #code-result -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD3rRrf8J ruD0CxZTYfpbTYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ5B/GnxX6t9jMwQ G7QE7r5daJLkMKTZhNZhWfvzK2y+AAAAkLgQAivYu/+12/YrZhK5keIAZf4ZgsZsZ2JI2q qbx23PqgO93oGy1iCxXe3kngQL4cM6lwOZPsZPKCinkN6KxEr6RnXqFRHJbMpOiGeZhTuD rjeo77HqFdxDqDeckB77XCKL0Ew28H5JlM/WO31XR3Z4VBAgTe+BQLjrFV8WU5UX38hpBJ PMJyRsK72ZUDDaGQ== -----END OPENSSH PRIVATE KEY----- ``` ## Secret reference examples ### A field inside a section To create a secret reference that refers to the PagerDuty email field, which is within the Admin section, use: ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "Management" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "PagerDuty" }, { "badge": 3, "color": "intrepidblue", "lineNo": 1, "substr": "Admin" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "email" }] op://Management/PagerDuty/Admin/email ``` - Management refers to the vault where the item is saved - PagerDuty refers to the item - Admin refers to the section where the field is a part of - email refers to the field where the secret you want to reference is located _[PagerDuty 1Password item]_ ### A field without a section To create a secret reference for the Stripe publishable-key field, which is not part of a section, use: ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "dev" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "Stripe" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "publishable-key" }] op://dev/Stripe/publishable-key ``` - dev refers to the vault where the item is saved - Stripe refers to the item - publishable-key refers to the field where the secret you want to reference is located _[Stripe 1Password item]_ ## Learn more - [Use secret references with 1Password CLI](/docs/cli/secret-references/) - [Get started with 1Password SDKs](/docs/sdks/) - [Load secrets into config files](/docs/cli/secrets-config-files/) - [Load secrets into the environment](/docs/cli/secrets-environment-variables/) - [Template syntax](/docs/cli/secrets-template-syntax/) --- ## Use secret references with 1Password CLI :::tip New beta feature You can now [pass secrets as environment variables](/docs/cli/secrets-environment-variables) to applications or scripts from [1Password Environments](/docs/environments). This allows you to more easily access project secrets from 1Password without the need to create secret references. ::: With 1Password CLI, you can use [secret references](/docs/cli/secret-reference-syntax) to securely load information saved in 1Password into environment variables, configuration files, and scripts without exposing any secrets in plaintext. A secret reference URI includes the names (or [unique identifiers](/docs/cli/reference#unique-identifiers-ids)) of the vault, item, section, and field where a secret is stored in your 1Password account: ```shell [{ "badge": 1, "color": "sunbeam", "lineNo": 1, "substr": "vault-name" }, { "badge": 2, "color": "lagoon", "lineNo": 1, "substr": "item-name" }, { "badge": 3, "color": "intrepidblue", "lineNo": 1, "substr": "section-name" }, { "badge": 4, "color": "dahlia", "lineNo": 1, "substr": "field-name" }] op:////[section-name/] ``` To replace secret references with the secrets they refer to at runtime, use [`op read`](#with-op-read), [`op run`](#with-op-run), or [`op inject`](#with-op-inject). :::tip We recommend using [1Password Service Accounts](/docs/service-accounts/) to follow the [principle of least privilege](/docs/cli/best-practices/). Service accounts support restricting 1Password CLI to specific vaults, so that processes in your authorized terminal session can only access items required for a given purpose. ::: ## Requirements Before you can use secret references to securely load your secrets with 1Password CLI, you'll need to: 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. [Install 1Password CLI.](/docs/cli/get-started#step-1-install-1password-cli) 3. Save the secrets you want to reference in your 1Password account. ## Step 1: Get secret references You can get secret references in several ways: - [With the 1Password desktop app](/docs/cli/secret-reference-syntax#with-the-1password-desktop-app): Copy secret references from the app. - [With 1Password for VS Code](/docs/vscode#get-values): Insert secret references from 1Password as you edit code. - [With 1Password CLI](/docs/cli/secret-reference-syntax#with-1password-cli): Get secret references for one or multiple fields with `op item get`. - [With the secret reference syntax](/docs/cli/secret-reference-syntax#syntax-rules): Write secret references manually. ## Step 2: Replace plaintext secrets with secret references After you create secret references, use them in place of plaintext secrets in your code. The example below shows a GitHub environment file with a secret reference pointing to where the GitHub Personal Access Token is stored in 1Password rather than a plaintext token. _[An environment file using a plaintext secret and the same file using a secret reference.]_ ## Step 3: Resolve secret references There are three ways you can replace secret references with the actual secrets they reference at runtime: - [Use `op read` to write secrets to `stdout` or to a file.](#with-op-read) - [Use `op run` to pass secrets as environment variables to a process.](#with-op-run) - [Use `op inject` to inject secrets into configuration files or scripts.](#with-op-inject) ### With `op read` You can use [`op read`](/docs/cli/reference/commands/read/) with a secret reference to print the secret to `stdout`. ```shell op read op://development/GitHub/credentials/personal_token #code-result ghp_WzgPAEutsFRZH9uxWYtw ``` To write the secret to a file instead of `stdout`, include the `--out-file` flag (or `-o`) with the path to the new file. For example, to create a file `token.txt` that contains the GitHub personal access token: ```shell op read --out-file token.txt op://development/GitHub/credentials/personal_token ``` ```shell title="token.txt" ghp_WzgPAEutsFRZH9uxWYtw ``` You can also use `op read` with secret references to [load secrets into scripts](/docs/cli/secrets-scripts/). For example, to use secret references in place of your Docker username and password with the `docker login` command: ```shell title="myscript.sh" #!/bin/bash docker login -u "$(op read op://prod/docker/username)" -p "$(op read op://prod/docker/password)" ``` #### Query parameters You can use secret references with [query parameters](/docs/cli/secret-reference-syntax#field-and-file-metadata-attributes) to get more information about an item. To get information about item fields or file attachments, include the `attribute` (or `attr`) query parameter with the attribute you want to get. ```shell op:///[/
]/?attribute= ``` You can query the following attributes for fields: `type`, `value`, `title`, `id`, `purpose`, `otp` And the following attributes for file attachments: `content`, `size`, `id`, `name`, `type`. For example, to retrieve a one-time password from the one-time password field on a GitHub item: ```shell op read "op://development/GitHub/Security/one-time password?attribute=otp" #code-result 359836 ``` To get an SSH key's private key in the OpenSSH format, include the `ssh-format` query parameter with the value `openssh` on a secret reference for the SSH key's `private key` field. ```shell op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh" #code-result -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD3rRrf8J ruD0CxZTYfpbTYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ5B/GnxX6t9jMwQ G7QE7r5daJLkMKTZhNZhWfvzK2y+AAAAkLgQAivYu/+12/YrZhK5keIAZf4ZgsZsZ2JI2q qbx23PqgO93oGy1iCxXe3kngQL4cM6lwOZPsZPKCinkN6KxEr6RnXqFRHJbMpOiGeZhTuD rjeo77HqFdxDqDeckB77XCKL0Ew28H5JlM/WO31XR3Z4VBAgTe+BQLjrFV8WU5UX38hpBJ PMJyRsK72ZUDDaGQ== -----END OPENSSH PRIVATE KEY----- ``` :::info Next step Learn more about [securely loading secrets into scripts](/docs/cli/secrets-scripts/). ::: ### With `op run` You can set environment variables to secret references, then use [`op run`](/docs/cli/reference/commands/run/) to pass secrets to an application or script at runtime. `op run` scans environment variables for secret references, loads the corresponding values from 1Password, then runs the provided command in a subprocess with the secrets made available as environment variables for the duration of the subprocess. :::note When you reference a variable like `$MY_VAR` in the **same command** where you call `op run`, your shell expands `$MY_VAR` before `op run` can substitute the secret reference. To make sure `op run` substitutes the secret before the variable expands, you can either: - **Export the variable** as a secret reference before calling `op run`, or - Set the variable in the same command as `op run`, then **run the command to expand the variable in a subshell**. For example: ```shell MY_VAR=op://vault/item/field op run --no-masking -- sh -c 'echo "$MY_VAR"' ``` ::: #### Pass the secrets to an application or script To pass secrets to your script or application at runtime, wrap the command with `op run`. For example, here's a Node.js app that needs credentials to connect to a database: ```shell $ node app.js [INFO] Launching Node.js app... [ERROR] Missing credentials DB_USER and DB_PASSWORD [INFO] Exiting with code 1 ``` You can set the `DB_USER` and `DB_PASSWORD` environment variables to secret references: **Bash, Zsh, sh:** ```shell export DB_USER="op://app-dev/db/user" export DB_PASSWORD="op://app-dev/db/password" ``` **fish:** ```shell set -x DB_USER="op://app-dev/db/user" set -x DB_PASSWORD="op://app-dev/db/password" ``` **PowerShell:** ```powershell $Env:DB_USER = "DB_USER=op://app-dev/db/user" $Env:DB_PASSWORD = "DB_PASSWORD=op://app-dev/db/password" ``` Then use `op run` to pass the secrets to the `node app.js` command: ```shell op run -- node app.js [INFO] Launching Node.js app... [DEBUG] ✔ Connected to db as user 'mydbuser' with password '' ``` #### Use with environment files You can also use `op run` with environment files. To do this, use secret references instead of plaintext secrets in your environment file: ```html title="node.env" DB_USER="op://app-dev/db/user" DB_PASSWORD="op://app-dev/db/password" ``` Then use `op run` with the `--env-file` flag: ```shell op run --env-file="./node.env" -- node app.js ``` #### Print a secret with or without masking If a subprocess used with `op run` prints a secret to `stdout`, the secret will be concealed by default. You can include the `--no-masking` flag to print the value. **Bash, Zsh, sh:** To export an example environment variable `DB_PASSWORD` to a secret reference: ```shell export DB_PASSWORD=op://app-prod/db/password ``` Use `op run` with the `printenv` command to print the concealed secret: ```shell op run -- printenv DB_PASSWORD #code-result ``` Include the `--no-masking` flag to print the actual secret: ```shell op run --no-masking -- printenv DB_PASSWORD #code-result fX6nWkhANeyGE27SQGhYQ ``` **fish:** To export an example environment variable `DB_PASSWORD` to a secret reference: ```shell set -x DB_PASSWORD=op://app-prod/db/password ``` Use `op run` with the `printenv` command to print the concealed secret: ```shell op run -- printenv DB_PASSWORD #code-result ``` Include the `--no-masking` flag to print the actual secret: ```shell op run --no-masking -- printenv DB_PASSWORD #code-result fX6nWkhANeyGE27SQGhYQ ``` **PowerShell:** To export an example environment variable `DB_PASSWORD` to a secret reference: ```powershell $Env:DB_PASSWORD = "DB_PASSWORD=op://app-prod/db/password" ``` To print the concealed secret: ```powershell op run -- powershell -c '$env:DB_PASSWORD' #code-result ``` Include the `--no-masking` flag to print the actual secret: ```powershell op run --no-masking -- powershell -c '$env:DB_PASSWORD' #code-result fX6nWkhANeyGE27SQGhYQ ``` :::info Next step Learn more about [loading secrets into the environment](/docs/cli/secrets-environment-variables/) with `op run`, including how to use template variables to switch between different sets of secrets for different environments. ::: ### With `op inject` You can use [`op inject`](/docs/cli/reference/commands/inject/) to replace secret references in a script or file with the secrets they reference. By default, `op inject` accepts input on `stdin` and outputs on `stdout`. You can use the `--in-file` flag (or `-i`) to read the input from a file instead, and the `--out-file` flag (or `-o`) to specify where the ouput should be written. To use `op inject` to resolve a secret in a simple command: ```shell echo "here is my GitHub token: op://development/GitHub/credentials/personal_token" | op inject #code-result here is my GitHub token: ghp_WzgPAEutsFRZH9uxWYtw ``` To write the output to a file `token.txt` in the current directory: ```shell echo "here is my GitHub token: op://development/GitHub/credentials/personal_token" >> token.txt | op inject --out-file token.txt ``` ```shell title="token.txt" here is my GitHub token: ghp_WzgPAEutsFRZH9uxWYtw ``` #### Use with configuration files You can use `op inject` to pass in a configuration file templated with secret references and output a configuration file that contains resolved secrets. Configuration files that use secret references instead of plaintext secrets can be safely checked into Git. ```yaml title="config.yml.tpl" database: host: http://localhost port: 5432 username: op://prod/mysql/username password: op://prod/mysql/password ``` ```shell op inject --in-file config.yml.tpl --out-file config.yml ``` :::info Next step Learn more about [loading secrets into configuration files](/docs/cli/secrets-config-files/) with `op inject`, including how to use template variables to switch between different sets of secrets for different environments. ::: ## Learn more - [Secret reference syntax](/docs/cli/secret-reference-syntax/) - [Load secrets into the environment](/docs/cli/secrets-environment-variables/) - [Load secrets into config files](/docs/cli/secrets-config-files/) - [Load secrets into scripts](/docs/cli/secrets-scripts/) - [Use service accounts with 1Password CLI](/docs/service-accounts/use-with-1password-cli) --- ## Inject Secrets Into Config Files # Load secrets into config files With 1Password CLI, you can use [secret references](/docs/cli/secret-reference-syntax/) to automatically load secrets into configuration files from your 1Password account without putting any plaintext secrets in code. This allows you to check config files into source control and keep them in sync throughout developer workstations, CI, and production servers, which is otherwise manual and error-prone work. :::tip We recommend using [1Password Service Accounts](/docs/service-accounts/) to follow the [principle of least privilege](/docs/cli/best-practices/). Service accounts support restricting 1Password CLI to specific vaults, so that processes in your authorized terminal session can only access items required for a given purpose. ::: ## Requirements Before you can use 1Password to secure your config files, you'll need to: 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. [Install 1Password CLI.](/docs/cli/get-started#step-1-install-1password-cli) 3. Store the secrets you want to provision in your 1Password account. ## Step 1: Get secret references You can get secret references in several ways: - [With the 1Password desktop app](/docs/cli/secret-reference-syntax#with-the-1password-desktop-app): Copy secret references from the app. - [With 1Password for VSCode](/docs/vscode#get-values): Insert secret references from 1Password as you edit code. - [With 1Password CLI](/docs/cli/secret-reference-syntax#with-1password-cli): Get secret references for one or multiple fields with `op item get`. - Use the [secret reference syntax rules](/docs/cli/secret-reference-syntax#syntax-rules) to write secret references manually. ## Step 2: Use secret references in your config file Replace the plaintext secrets in your config file with the appropriate secret references, following the [template syntax](/docs/cli/secrets-template-syntax/). For example, if you start with a config file that looks like this: ```yaml title="config.yml" database: host: http://localhost port: 5432 username: mysql-user password: piG1rX5P1QMF6J5k7u7sNb ``` And you saved the `username` and `password` secrets on the `mysql` item in the `prod` vault, you would end up with this templated config file: ```yaml title="config.yml.tpl" database: host: http://localhost port: 5432 username: op://prod/mysql/username password: op://prod/mysql/password ``` ## Step 2: Inject the secrets To load secrets from the config file and provision them at runtime, use `op inject` to inject the secrets directly into your production environment. For example: ```zsh op inject -i config.yml.tpl -o config.yml ``` In the output file, `config.yml`, you'll see the secret references replaced with the plaintext secrets they reference. The config file template is stored together with the code in source control, so that every developer can see the structure of the file. :::danger Make sure to delete the resolved config file when you no longer need it. ::: ## Step 3: Differentiate between environments We highly recommend you organize your 1Password items in the same way across all of your environments. For example: `app/dev/db/password` and `app/prod/db/password`. If you do this, you can use variables in your template file to switch to a different set of secrets. You can have variables for your environment, stage, region, or anything else. For example: ```yaml title="config.yml.tpl" database: host: http://localhost port: 5432 username: op://$APP_ENV/mysql/username password: op://$APP_ENV/mysql/password ``` You can then set the `APP_ENV` variable when you inject into the template, using the [Template Syntax](/docs/cli/secrets-template-syntax/): **Bash, Zsh, sh, fish:** ```shell APP_ENV=prod op inject -i config.yml.tpl -o config.yml ``` **PowerShell:** 1. Set `APP_ENV` to `prod`: ```powershell $Env:APP_ENV = "prod" ``` 2. Inject the secrets: ```powershell op inject -i config.yml.tpl -o config.yml ``` This allows you to use the same template file, stored in source control next to your application, for all your deployments. ## Optional: Use `op inject` in production Now that the application works with the right configuration locally, you can use 1Password CLI to provision secrets in production environments. To do this, you'll first need to: 1. [Install 1Password CLI 2 in your production environment.](/docs/cli/install-server/) 2. [Set up a Secrets Automation workflow](/docs/connect/). 3. [Deploy 1Password Connect Server](/docs/connect/get-started#step-2-deploy-a-1password-connect-server) and make it accessible to your production environment. To use 1Password CLI with a Connect server, set the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables to your Connect instance's credentials in your production environment. You can now move your secrets to config files and have them readily accessible with `op inject`. The following commands can be used with a Connect server: - `op run` - `op inject` - `op read` - `op item get` ## Learn more - [Load secrets into the environment](/docs/cli/secrets-environment-variables/) - [Secret reference syntax](/docs/cli/secret-reference-syntax/) - [Template syntax](/docs/cli/secrets-template-syntax/) --- ## Load secrets into the environment With [`op run`](/docs/cli/reference/commands/run/), you can provide your project secrets directly from 1Password to an application or script as environment variables at runtime. You can use `op run` with [1Password Environments](/docs/environments), environment variables set to [secret references](/docs/cli/secret-references), or a combination of both. 1Password CLI loads the specified secrets, then runs the provided command in a subprocess with the secrets made available as environment variables only for the duration of the process. This allows you to avoid hardcoding any plaintext secrets and quickly switch between different sets of secrets for different development contexts. ## Choose your configuration 1Password CLI provides multiple methods to load your project secrets: - **[1Password Environments (beta)](/docs/environments)** allow you to create Environments in 1Password that contain all your environment variables for a specific workflow. You can share Environments with your team and create separate Environments for each project, application, or development context (like staging or production). - **[Secret references](/docs/cli/secret-references)** are URIs that point to where a secret is stored in your 1Password account. A secret reference uses the names or unique identifiers of the vault, item, section, and field where the secret is stored in 1Password. You can set environment variables to secret references on the command line or use secret references in your `.env` files. Secret references require more manual setup than 1Password Environments to switch between different sets of environment variables for different contexts, or create shared team workflows. - **Hybrid approach**: You can use `op run` to load variables from a 1Password Environment alongside secret references from `.env` files or exported environment variables. :::tip Authenticate with a [1Password Service Account](/docs/service-accounts/) to follow the [principle of least privilege](/docs/cli/best-practices/). You can scope service account access to specific vaults and 1Password Environments so that processes in your authorized terminal session can only access secrets required for a given purpose. ::: :::warning[caution] You should assume that processes on your computer can access the environment of other processes run by the same user. Be aware of this when supplying secrets through environment variables. ::: ## Requirements **1Password Environment (beta):** 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. [Install the latest beta build of 1Password CLI](/docs/cli/reference#beta-builds), version `2.33.0-beta.02` or later. **Secret references:** Before you can load secrets into the environment, you'll need to: 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. [Install 1Password CLI.](/docs/cli/get-started#step-1-install-1password-cli) ## Step 1: Store your project secrets in 1Password **1Password Environment (beta):** To store your project secrets in a 1Password Environment, [follow the steps to create an Environment](/docs/environments), then import a `.env` file or manually add your environment variables. **Secret references:** To use secret references, save your project secrets as items in a vault in your 1Password account. Then follow the instructions to create secret references for each item using your preferred method: - [With the 1Password desktop app](/docs/cli/secret-reference-syntax#with-the-1password-desktop-app): Copy secret references from the app. - [With 1Password for VSCode](/docs/vscode#get-values): Insert secret references from 1Password as you edit code. - [With 1Password CLI](/docs/cli/secret-reference-syntax#with-1password-cli): Get secret references for one or multiple fields with `op item get`. - Use the [secret reference syntax rules](/docs/cli/secret-reference-syntax#syntax-rules) to write secret references manually. ## Step 2: Pass the secrets to the application **1Password Environment (beta):** To pass your environment variables from 1Password to an application or script: 1. Open the 1Password app and navigate to **Developer** > **Environments**. 2. Select the Environment where your project secrets are stored, then select **Manage environment** > **Copy environment ID**. 3. Use `op run --` with the command for starting the application or script. 1Password will run the provided command in a subprocess with the secrets made available as environment variables for the duration of the process. ```shell op run --environment -- ``` For example: ```shell op run --environment blgexucrwfr2dtsxe2q4uu7dp4 -- ./my-script.sh ``` **Secret references:** Step 1: Map secret references to environment variables To pass secrets to an application or script using `op run` and [secret references](/docs/cli/secret-references), you must first map the secret references to the appropriate environment variables. To do this, you can set environment variables to secret references using an environment file or export them on the command line. **Environment file:** Environment (`.env`) files allow you to define multiple environment variables as secret references with `KEY=VALUE` statements separated by a newline. To use an environment file with `op run`, add key-value pairs for each of your project secrets with the value set to a [secret reference](/docs/cli/secret-references). For example: ```shell title="prod.env" AWS_ACCESS_KEY_ID="op://development/aws/Access Keys/access_key_id" AWS_SECRET_ACCESS_KEY="op://development/aws/Access Keys/secret_access_key" ``` **Environment file syntax rules** The `.env` file parsing engine follows the following rules: - Environment variables are defined as `KEY=VALUE` statements separated by a newline. - Variables can span multiple lines if they are enclosed in either `'` or `"`: ``` MY_VAR = "this is on the first line and this is on the second line" ``` - Empty lines are skipped. - Lines beginning with `#` are treated as comments. Comments can also be placed inline after `KEY=VALUE` statements. - Empty values become empty strings. For example, `EMPTY=` will set the environment variable `EMPTY` to the empty string. - If a value is surrounded by single or double quotes, these quotes do not end up in the evaluated value. So `KEY="VALUE"` and `KEY='VALUE'` both evaluate to `KEY` and `VALUE`. - Occurrences of `$VAR_NAME` or `${VAR_NAME}` are replaced with their respective value from the environment. - A variable defined in a .env file can be referred to later in the same file: ``` SOME_VAR = value OTHER_VAR = ${SOME_VAR} ``` - Special characters can be escaped with `\`. For example, `MY_VAR = "\$SOME_VAR that is not actually replaced."` results in the following value for MY_VAR: `$SOME_VAR that is not actually replaced.`. - Inner quotes are maintained, so `JSON={"foo":"bar"}` evaluates to `JSON` and `{"foo":"bar"}`. - Variables do not get replaced in values that are enclosed in single quotes. So `KEY='$SOME_VAR'` evaluates to `KEY` and `$SOME_VAR`. - Template syntax can be used in the `VALUE` to inject secrets. The `KEY` can only contain template variables. - Template parsing is performed after `.env` file parsing, so you cannot use the former to construct the latter. - Leading and trailing whitespace of both `KEY` and `VALUE` segments are ignored, so `KEY = VALUE` is parsed the same as `KEY=VALUE`. - Single and double quoted values maintain both leading and trailing whitespace, so `KEY=" some value "` evaluates to `KEY` and ` some value `. - These files should use UTF-8 character encoding. Optional: Differentiate between environments :::tip If you need to pass secrets for multiple environments, we recommend using 1Password Environments instead of secret references. 1Password Environments allow you to more easily organize, share, and pass environment variables for multiple contexts. ::: If you have different sets of secrets for different environments, like staging and production, you can check a single environment file into source control and include a variable within the secret references to represent the context. You can then set the variable to the appropriate context when you pass the file to `op run`. To use this approach, you must organize your project secrets in 1Password into different vaults for each environment, with each item's fields structured in the same way. For example: `dev/mysql/password` and `prod/mysql/password`. Then, include an externally set variable (`$VARIABLE_NAME`) in place of the vault name for each secret reference in your environment file. For example, in the following environment file, `$APP_ENV` is the externally set environment variable. It can be set to `dev` or `prod` to load secrets from either the `dev` vault or the `prod` vault in 1Password. ```shell title="app.env" MYSQL_DATABASE = "op://$APP_ENV/mysql/database" MYSQL_USERNAME = "op://$APP_ENV/mysql/username" MYSQL_PASSWORD = "op://$APP_ENV/mysql/password" ``` **Command line:** You can individually export environment variables as [secret references](/docs/cli/secret-reference-syntax/) from the command line. For example, to set the variable `GITHUB_TOKEN` to a secret reference URI that points to the `personal_token` field within a `credentials` section in a `GitHub` item: **Bash, Zsh, sh:** ```shell export GITHUB_TOKEN=op://development/GitHub/credentials/personal_token ``` **fish:** ```shell set -x GITHUB_TOKEN op://development/GitHub/credentials/personal_token ``` **PowerShell:** ```powershell $Env:GITHUB_TOKEN = "op://development/GitHub/credentials/personal_token" ``` Step 2: Pass the resolved secret references to the application **Environment file:** To use an environment file with `op run`, specify the path to the environment file using the `--env-file` flag: ```shell op run --env-file="./prod.env" -- aws ``` If you structured your environment file to load secrets for multiple environments, make sure to also set the variable for the vault (in the example below, `APP_ENV`). For example, to pass secrets from the `dev` vault to an application running in the development environment: **Bash, Zsh, sh, fish:** ```shell APP_ENV=dev op run --env-file="./app.env" -- myapp deploy ``` **PowerShell:** 1. Set the `$APP_ENV` variable: ```powershell $ENV:APP_ENV = "dev" ``` 2. Run `op run` with the environment file: ```powershell op run --env-file="./app.env" -- myapp deploy ``` **Command line:** If you exported environment variables as secret references on the command line, use `op run --` with the command to start the application or script. 1Password will run the provided command in a subprocess with the secrets made available as environment variables for the duration of the process. ```shell op run -- ``` For example: ```shell op run -- gh ``` :::tip Expand variables in a subshell When you reference a variable like `$MY_VAR` in the same command where you call `op run`, your shell expands `$MY_VAR` before `op run` can substitute the secret reference. For example, a command like the following will pass the secret reference URI instead of the secret value from 1Password: ```shell MY_VAR=op://vault/item/field op run --no-masking -- echo "$MY_VAR" ``` To make sure `op run` substitutes the secret before the variable expands, run the command to expand the variable in a subshell: ```shell MY_VAR=op://vault/item/field op run --no-masking -- sh -c 'echo "$MY_VAR"' #code-result open skdjfs7dyrwhk4jhref ``` ::: :::tip Use both methods together You can load environment variables from an Environment in combination with secret references from a `.env` file or flag. For example: ```shell op run --environment --env-file="./extra-secrets.env" -- ``` ::: ## Next step: Run in production Now that the application works locally, choose how to load your secrets in production or CI/CD: - **[1Password Service Account](/docs/service-accounts/use-with-1password-cli)**: Automate access with a service account token. Service accounts support both secret references and 1Password Environments. - **[1Password Connect Server](/docs/connect/cli/)**: Best for self-hosting within your own infrastructure. Connect only supports secret references and does not currently support 1Password Environments. ## Learn more - [Use 1Password Service Accounts with 1Password CLI](/docs/service-accounts/use-with-1password-cli) - [Use 1Password Connect Server with 1Password CLI](/docs/connect/cli#continuous-integration-ci-environments) - [Load secrets into config files](/docs/cli/secrets-config-files/) - [Secret reference syntax](/docs/cli/secret-reference-syntax/) - [Template syntax](/docs/cli/secrets-template-syntax/) --- ## Load secrets into scripts You can use 1Password CLI to load secrets into your scripts, so that the credentials in your scripts are always in sync with the information in your 1Password account and your secrets are never exposed in plaintext. :::tip We recommend using [1Password Service Accounts](/docs/service-accounts/) to follow the [principle of least privilege](/docs/cli/best-practices/). Service accounts support restricting 1Password CLI to specific vaults, so that processes in your authorized terminal session can only access items required for a given purpose. Service accounts are also useful if your personal account has SSO or MFA requirements. ::: You can use the following methods to load secrets into scripts, separately or in combination: 1. [Use `op run` to pass environment variables from a 1Password Environment](#use-op-run-to-pass-environment-variables-from-a-1password-environment) 2. [Use `op run` to load secrets into the environment.](#option-1-use-op-run-to-load-secrets-into-the-environment) 3. [Use `op read` to read secrets.](#option-2-use-op-read-to-read-secrets) 4. [Use `op inject` to load secrets into a config file.](#option-3-use-op-inject-to-load-secrets-into-a-config-file) 5. [Use `op plugin run` to load secrets using a shell plugin.](#option-4-use-op-plugin-run-to-load-secrets-using-a-shell-plugin) ## Requirements Before you can use 1Password CLI to load secrets into your scripts, you'll need to: 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. [Install 1Password CLI.](/docs/cli/get-started#step-1-install-1password-cli) 3. Store the secrets you need for your script in your 1Password account. ## Use `op run` to pass environment variables from a 1Password Environment (Beta) :::note Beta feature To use `op run` with 1Password Environments, you'll need to install the [latest beta build of 1Password CLI](/docs/cli/reference#beta-builds), version `2.33.0-beta.02` or later. ::: You can use [`op run`](/docs/cli/reference/commands/run/) to [pass environment variables](/docs/cli/secrets-environment-variables) stored in a [1Password Environment](/docs/environments) to an application or script at runtime. 1Password CLI runs the application or script in a subprocess with the environment variables stored in your 1Password Environment provisioned for the duration of the process. ## Use `op run` to pass secrets using secret references You can replace the plaintext secrets in your environemnt files with [secret reference URIs](/docs/cli/secret-reference-syntax/) that reference where your project secrets are stored in your 1Password account, then use [`op run`](/docs/cli/reference/commands/run/) to load the corresponding secrets from 1Password and pass them to your script as environment variables at runtime. Learn more about [loading secrets into the environment](/docs/cli/secrets-environment-variables/). ## Use `op read` to read secrets You can use `op read` with secret references [directly in your script](#directly-in-your-script) or [with environment variables](#with-environment-variables). ### Directly in your script With this method, secrets are only passed to the single command that includes the secret reference. For example, to replace your Docker username and password with [secret references](/docs/cli/secret-reference-syntax/) in a command to log in to Docker: ```shell title="yourscript.sh" #!/bin/bash docker login -u "$(op read op://prod/docker/username)" -p "$(op read op://prod/docker/password)" ``` ### With environment variables You can also include a command to set environment variables to `op read` and [secret references](/docs/cli/secret-reference-syntax/) in your script. For example, if you supply an AWS command in your script with secrets using the `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment variables, your script might look like this: ```shell title="yourscript.sh" #!/bin/bash export AWS_SECRET_ACCESS_KEY="$(op read op://prod/aws/secret-key)" export AWS_ACCESS_KEY_ID="$(op read op://prod/aws/access-key-id)" aws sts get-caller-identity ``` ## Use `op inject` to load secrets into a config file If your script uses a configuration file, you can template the config file with [secret references](/docs/cli/secret-reference-syntax/), then use [`op inject`](/docs/cli/reference/commands/inject/) to pass the config file with the resolved secrets to your script at runtime. This allows you to check config files into source control and keep them in sync throughout developer workstations, CI, and production servers. And you can include template variables within the secret references to [load different sets of secrets for different environments](/docs/cli/secrets-config-files#step-3-differentiate-between-environments). [Learn how to load secrets into config files](/docs/cli/secrets-config-files/). ## Use `op plugin run` to load secrets using a shell plugin If your script runs interactively and each person using the script authenticates with their own personal token, you can minimize the configuration required in advance of using the script with a [1Password Shell Plugin](/docs/cli/shell-plugins/). Shell plugins prompt each user to select their credentials when the script is executed. Each person using the script will be prompted to configure when their credentials should be used to authenticate. To make sure the credentials they selected will also be used for future invocations of the script, they can configure their credentials as a global or directory default. To use a shell plugin to authenticate an individual command, wrap the command in [`op plugin run`](/docs/cli/reference/management-commands/plugin#plugin-run). For example, to use the AWS shell plugin to provide an AWS Access Key and Secret Key ID to the `sts get-caller-identity` command: ```shell title="yourscript.sh" #!/bin/bash op plugin run -- aws sts get-caller-identity ``` To use a shell plugin throughout a script, you can include an alias for the tool's executable command at the beginning of the script. For example, in this script, the AWS shell plugin would be used to supply secrets for every `aws` command in the script. ```shell title="yourscript.sh" #!/bin/bash alias aws="op plugin run -- aws" aws sts get-caller-identity ``` If a shell plugin doesn't exist for the tool you're using, you can [build a new plugin](/docs/cli/shell-plugins/contribute/). ## Learn more - [Example CLI scripts](/docs/cli/scripts/) - [Get started with secret references](/docs/cli/secret-references/) - [Load secrets into the environment](/docs/cli/secrets-environment-variables/) - [Load secrets into config files](/docs/cli/secrets-config-files/) - [Use 1Password Shell Plugins to securely authenticate third-party CLIs](/docs/cli/shell-plugins/) --- ## 1Password CLI Template Syntax # Template syntax You can create a templated config file that contains [secret references](/docs/cli/secret-reference-syntax/), then [use op inject](/docs/cli/secrets-config-files/) to receive a resolved config file that contains the actual secrets. Here's an example of a template file with enclosed secret references in place of the plaintext secrets: ```yml title="config.yml.tpl" database: host: localhost port: 5432 username: {{ op://prod/database/username }} password: {{ op://prod/database/password }} ``` ## Secret references Secret references included in template files can be formatted as either [unenclosed secret references](#unenclosed-secret-references) or [enclosed secret references](#enclosed-secret-references). ### Unenclosed secret references ```shell op://test-app/database/password ``` An unenclosed secret reference is a string that: - Begins with `op://` and is not preceded by any of the characters from: `alphanumeric`, `-`, `+` , `\`, `.`. - Ends with either the end of the template, or the first encountered character outside the following set: `alphanumeric`, `-`, `?`, `_`, `.`. Examples of good and bad unenclosed secret references: ```yml variant="good" op://prod/docker-credentials/username ``` ```yml variant="good" op://d3v/stripe.keys/s3ct10n/public_key ``` ```yml variant="bad" op://h?ack/1Password!/for"real ``` (contains special characters that are not supported by the syntax) ```yml variant="bad" op://{vault}/[item]/(section)/field ``` (contains special characters that are not supported by the syntax) ### Enclosed secret references ```shell {{ op://test-app/database/password }} ``` An enclosed secret reference is defined as any string that satisifies all of the following: - Begins with two closed braces `{{` - Ends with the two closed braces `}}` - Contains a valid unenclosed secret reference between the two pairs of braces, possibly padded with spaces Examples of good and bad enclosed secret references: ```yml variant="good" {{op://prod/docker-credentials/username}} ``` ```yml variant="good" {{ op://d3v/stripe.keys/s3ct10n/public_key }} ``` ```yml variant="bad" {{op://h?ack/1Password!/for"real}} ``` (the secret reference contains unsupported characters) ### Special characters If you need to escape special characters in your template, you can use curly braces and double quotes: ```yml {{ "{{ test op://prod/docker-credentials/username }}" }} will be resolved to {{ test op://prod/docker-credentials/username }} ``` If the content contains double quotes, they must be escaped with `\`: ```yml {{ "{{ test \"test\" test }}" }} will be resolved to {{ test "test" test }} ``` ## Variables The template syntax also supports variable tags: - `$var` (unenclosed variables) - `${var}` (enclosed variables) When resolving an unenclosed variable of the form `$FOO`, it is replaced with the value of the environment variable named `FOO`. When resolving an enclosed variable of the form `${FOO}`, any whitespace at the beginning or end of `FOO` is discarded and the reference is replaced with the value of the environment variable named `FOO`. Variable names are case-insensitive, cannot start with a number, and can only contain letters, numbers, and underscores. Examples of good and bad unenclosed variables: ```yml variant="good" $my_var ``` ```yml variant="good" $mY_2nd_vAr ``` ```yml variant="bad" $2nd_var ``` (starts with a number) ```yml variant="bad" $var-?notvar! ``` (contains unsupported special characters) Examples of good and bad enclosed variables: ```yml variant="good" ${my_var} ``` ```yml variant="good" ${ mY_2nd_vAr } ``` ```yml variant="bad" ${my_var\} ``` (the closing brace is escaped) ### Default values To set a default value for a template variable, use this syntax: `${VAR_NAME:-}` The default value will be used when the variable can't be found in the environment. For example, `op://${VAULT:-dev}/docker/password` evaluates to `op://dev/docker/password` when the `VAULT` environment variable isn't set. If `VAULT` is set to `prod` instead, it will evaluate to `op://prod/docker/password`. ## Learn more - [Load secrets into config files](/docs/cli/secrets-config-files/) - [Load secrets into the environment](/docs/cli/secrets-environment-variables/) - [Secret reference syntax](/docs/cli/secret-reference-syntax/) --- ## Use 1Password to authenticate the Akamai CLI with biometrics # Use 1Password to securely authenticate the Akamai CLI The Akamai CLI shell plugin allows you to use 1Password to securely authenticate [the Akamai CLI ](https://techdocs.akamai.com/developer/docs/about-clis) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Akamai CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Akamai CLI. ](https://techdocs.akamai.com/developer/docs/about-clis) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with Akamai by injecting a temporary config file with the credentials required by the plugin commands directly from your 1Password account. If you saved your Akamai CLI credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | `.edgerc` field | | --- | --- | | Client Secret | `client_secret` | | Host | `host` | | Access Token | `access_token` | | Client Token | `Client_token` | *Thanks to [@wongle](https://github.com/wongle) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/234)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate Argo CD CLI with biometrics # Use 1Password to securely authenticate Argo CD CLI The Argo CD shell plugin allows you to use 1Password to securely authenticate [Argo CD CLI ](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Argo CD CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [Argo CD CLI ](https://argo-cd.readthedocs.io/en/stable/cli_installation/). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | AuthToken | `ARGOCD_AUTH_TOKEN` | | Address (optional) | `ARGOCD_SERVER` | *Thanks to [@ssttehrani](https://github.com/ssttehrani) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/145)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the AWS CDK Toolkit # Use 1Password to securely authenticate the AWS CDK Toolkit The AWS CDK Toolkit shell plugin allows you to use 1Password to securely authenticate the [AWS CDK Toolkit ](https://docs.aws.amazon.com/cdk/v2/guide/cli.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the AWS CDK Toolkit with biometrics. You can also set up the [AWS CLI shell plugin](/docs/cli/shell-plugins/aws/). ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. [Install the AWS CDK Toolkit ](https://docs.aws.amazon.com/cdk/v2/guide/cli.html). 6. Make sure you have an AWS config file at `~/.aws/config` on Mac or Linux, or `C:\Users\USERNAME\.aws\config` on Windows. If you don't have a config file, use [`aws configure` ](https://docs.aws.amazon.com/cli/latest/reference/configure/) to create one. When prompted, skip entering your AWS access key pair to avoid writing your credentials on disk in the `.aws/credetials` file. The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Access Key ID | `AWS_ACCESS_KEY_ID` | | Secret Access Key | `AWS_SECRET_ACCESS_KEY` | | Default region (optional) | `AWS_DEFAULT_REGION` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the AWS CLI with biometrics # Use 1Password to securely authenticate the AWS CLI The AWS shell plugin allows you to use 1Password to securely authenticate [the AWS CLI ](https://aws.amazon.com/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the AWS CLI with biometrics. If you use `cdk`, you can also set up the [AWS CDK Toolkit shell plugin](/docs/cli/shell-plugins/aws-cdk-toolkit/). ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the AWS CLI. ](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) After you install the AWS CLI, make sure you have an AWS config file at `~/.aws/config` on Mac or Linux, or `C:\Users\USERNAME\.aws\config` on Windows. If you don't have a config file: 1. Use [`aws configure` ](https://docs.aws.amazon.com/cli/latest/reference/configure/) to create one. 2. When prompted, skip entering your AWS access key pair to avoid writing your credentials on disk in the `.aws/credetials` file. The following shells are supported: - Bash - Zsh - fish ## Before you begin: Create and save an AWS access key If you've already created an AWS access key, [skip to step 1](#step-1-configure-your-default-credentials). If you haven't created an access key yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password: 1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/). 2. [Follow the steps](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html?icmpid=docs_iam_console#Using_CreateAccessKey) to create an access key for the AWS CLI. 3. On the "Retrieve access keys" page, select **Show** to reveal the secret access key. 4. Select **Save item** when 1Password asks if you want to save an item for the AWS access key. 5. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**. _[The pop-up screen to save your AWS access key in 1Password.]_ ## Step 1: Configure your default credentials :::tip If you use AWS in multiple environments If you want to use the AWS shell plugin in multiple environments, like production and development, [learn how to set up your plugin for seamless context switching](/docs/cli/shell-plugins/environments/). ::: To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After you save your AWS credentials in 1Password, you can remove all local copies you currently have stored on disk. Plaintext access keys are commonly stored in your AWS [shared credentials file ](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-file.html) (default location: `~/.aws/credentials`). If you remove your credentials from this file, make sure to configure shell plugins for any other tools that use the file to authenticate to AWS, like [Terraform](/docs/cli/shell-plugins/terraform/). ## Optional: Assume multiple roles You can use the AWS shell plugin to assume multiple roles in the same way you'd assume roles with the AWS CLI, by defining role profiles [in your AWS config file. ](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-role-prepare) For example: ```html title="~/.aws/config" [profile prod] role_arn = arn:aws:iam::123456789012:role/prod source_profile = wendyappleseed ``` Then include the `--profile` flag to call an AWS command using a role. For example: ```shell aws sts get-caller-identity --profile prod ``` If you want to always use the same profile, you can set the `AWS_PROFILE` environment variable. In that case, the `--profile` flag would only be needed to override the default set in the environment. For example: ```shell export AWS_PROFILE=prod ``` ## Optional: Set up multi-factor authentication If you use [multi-factor authentication ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html) with AWS, you can configure the AWS shell plugin to provide your one-time password. You can do this in two ways: - [Add the ARN for your multi-factor authentication device to a profile in your AWS config file. ](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa) - Add the one-time password code and ARN to the item in 1Password where your AWS credentials are stored. If you choose this option, your multi-factor authentication information will be treated as your `default` profile and used globally with every other profile. Save your one-time password and ARN in 1Password Step 1: Save your QR code 2. Open and unlock the 1Password app. 3. Select the item where your AWS credentials are saved, then select **Edit**. 4. Select **Add More** > **One-Time Password**. 5. [Follow the steps to enable a virtual multi-factor authentication device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html) for your AWS account. 5. Select **Show secret key** in the AWS wizard, then copy the string of characters into the One-Time Password field on your item. 6. Select **Save**. Your item will now show a one-time password that you can use to finish the AWS multi-factor authentication device set-up flow. Your edited item must include the `one-time password` and `mfa serial` fields: _[The AWS item in 1Password with MFA credentials added.]_ Step 2: Save the ARN for your multi-factor authentication device 1. Find the [ARN for your multi-factor authentication device](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_checking-status.html) and copy it. 3. Open and unlock the 1Password app. 4. Select the item where you saved your AWS credentials then select **Edit**. 5. Select **Add More** > **Text**. 6. Paste the ARN as the value of the field. 7. Title the field `mfa serial`. 8. Select **Save**. 1Password CLI will detect your multi-factor authentication credentials if they're saved in fields titled `one-time password` and `mfa serial`. If your one-time password isn't detected, make sure your fields are titled correctly. 1Password CLI will then set the `AWS_SECRET_ACCESS_KEY`, `AWS_ACCESS_KEY_ID` and `AWS_SESSION_TOKEN` provisional environment variables to specify the temporary multi-factor authentication session values. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Access Key ID | `AWS_ACCESS_KEY_ID` | | Secret Access Key | `AWS_SECRET_ACCESS_KEY` | | Default region (optional) | `AWS_DEFAULT_REGION` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate Axiom CLI The Axiom CLI shell plugin allows you to use 1Password to securely authenticate [Axiom CLI ](https://axiom.co/docs/reference/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Axiom CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.x.x or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Axiom CLI. ](https://axiom.co/docs/reference/cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `AXIOM_TOKEN` | | Organization | `AXIOM_ORG_ID` | | Deployment | `AXIOM_DEPLOYMENT` | *Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/342)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to securely authenticate Binance CLI The Binance shell plugin allows you to use 1Password to securely authenticate [Binance CLI ](https://github.com/binance/binance-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Binance CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Binance CLI. ](https://github.com/binance/binance-cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `BINANCE_API_KEY` | | API Secret | `BINANCE_API_SECRET` | *Thanks to [@bala-ceg](https://github.com/bala-ceg) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/391)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate the Cachix CLI with biometrics # Use 1Password to securely authenticate the Cachix CLI The Cachix shell plugin allows you to use 1Password to securely authenticate [the Cachix CLI ](https://docs.cachix.org) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Cachix CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.11.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Cachix CLI. ](https://github.com/cachix/cachix#installation) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `CACHIX_AUTH_TOKEN` | *Thanks to [@micnncim](https://github.com/micnncim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/97)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate Cargo CLI with biometrics # Use 1Password to securely authenticate Cargo CLI The Cargo CLI shell plugin allows you to use 1Password to securely authenticate [Cargo CLI ](https://crates.io/crates/cargo-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Cargo CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [Cargo CLI. ](https://crates.io/crates/cargo-cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `CARGO_REGISTRY_TOKEN` | *Thanks to [@accraw](https://github.com/accraw) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/139)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the CircleCI CLI with biometrics # Use 1Password to securely authenticate the CircleCI CLI The CircleCI shell plugin allows you to use 1Password to securely authenticate [the CircleCI CLI ](https://circleci-public.github.io/circleci-cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the CircleCI CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the CircleCI CLI. ](https://circleci.com/docs/local-cli#installation) The following shells are supported: - Bash - Zsh - fish ## Before you begin: Create and save a CircleCI personal API token If you've already created a CircleCI personal API token, [skip to step 1](#step-1-configure-your-default-credentials). If you haven't created a personal API token yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password: 1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/). 2. [Follow the steps](https://circleci.com/docs/managing-api-tokens#creating-a-personal-api-token) to create a CircleCI personal API token. 3. Select **Save item** when 1Password asks if you want to save an item for the CircleCI personal API token. 4. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**. _[The prompt to save your CircleCI personal API token in 1Password.]_ ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `CIRCLECI_CLI_TOKEN` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate Civo CLI The Civo CLI shell plugin allows you to use 1Password to securely authenticate [Civo CLI ](https://www.civo.com/docs/overview/civo-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Civo CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Civo CLI. ](https://www.civo.com/docs/overview/civo-cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `CIVO_API_KEY` | | API Key ID | `CIVO_API_KEY_NAME` | *Thanks to [@siddhikhapare](https://github.com/siddhikhapare) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/325)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate Wrangler with biometrics # Use 1Password to securely authenticate the Cloudflare Workers CLI The Cloudflare Workers shell plugin allows you to use 1Password to securely authenticate [Wrangler ](https://developers.cloudflare.com/workers/wrangler/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Wrangler with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.12.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [Wrangler. ](https://developers.cloudflare.com/workers/wrangler/install-and-update/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Account ID (Optional) | `CLOUDFLARE_ACCOUNT_ID` | | Token | `CLOUDFLARE_API_TOKEN` | *Thanks to [@shyim](https://github.com/shyim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/94)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Build your own shell plugins (beta) If you don't see your favorite command-line tool [listed in the 1Password Shell Plugin registry](/docs/cli/shell-plugins/), you can write your own plugin. 1Password CLI allows you to build and test shell plugins locally, so you can add support for authenticating your favorite CLI using a credential you saved in 1Password. If you want to make your plugin available to others, you can [create a pull request in the shell plugins GitHub repository](https://github.com/1Password/shell-plugins). ## Requirements - [Sign up for 1Password](https://1password.com/pricing/password-manager). - Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). - Install [1Password CLI](/docs/cli/get-started/) and turn on the [desktop app integration](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). - Install [Go 1.18 or later](https://go.dev/doc/install). - Install [Git](https://git-scm.com/). - Install [GNU Make](https://www.gnu.org/software/make/). ## Concepts A 1Password Shell Plugin should describe the following: - The **credential** offered by a platform - The CLI or **executable** offered by a platform - How the credential should be **provisioned** for the respective CLI to authenticate - Which commands for the respective CLI **need authentication** - How credentials stored on the local filesystem can be **imported** into 1Password Shell plugins are written in Go and consist of a set of Go structs in a package that together make up the plugin for a certain platform, service, or product. Don't worry if you're not a Go expert – there are [lots of examples](https://github.com/1Password/shell-plugins/tree/main/plugins) you can learn from to build your plugin! ## Step 1: Use the plugin template First, clone or fork the [1Password Shell Plugins repository](https://github.com/1Password/shell-plugins) on GitHub. It contains the current plugin registry, as well as the SDK needed to contribute. To get started with those, use the following Makefile command: ```shell make new-plugin ``` You'll be prompted to enter the following information: - **Plugin name:** Lowercase identifier for the platform, e.g. `aws`, `github`, `digitalocean`, `azure`. This will also be used as the name of the Go package. - **Plaform display name:** The display name of the platform, e.g `AWS`, `GitHub`, `DigitalOcean`, `Azure`. - **Credential name:** The credentials the platform offers, e.g. `Personal Access Token`, `API Key`, `Auth Token`. - **Executable name:** The command to invoke, e.g. `aws`, `gh`, `doctl`, `az`. After filling in the form, you'll see a Go package created in the `plugins` directory, with separate files for the plugin, credential, and executable. For example: ``` plugins/ ├── aws/ │ ├── plugin.go │ ├── access_key.go │ └── aws.go ├── digitalocean/ │ ├── plugin.go │ ├── personal_access_token.go │ └── doctl.go ├── github/ │ ├── plugin.go │ ├── personal_access_token.go │ └── gh.go └── heroku/ ├── plugin.go ├── api_key.go └── heroku.go ``` To save you some time, the generated files will be stubbed out with information that's derived from the Makefile prompts on a best-effort basis. It contains *TODO* comments in the code to steer you in the direction of what to change or validate for correctness. ## Step 2: Edit the plugin definition The `plugin.go` file contains basic information about the plugin and the platform it represents, including which credential types and executables make up the plugin. > **Tip** > } title="Plugin Examples"> - [AWS](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/plugin.go) - [GitHub](https://github.com/1Password/shell-plugins/blob/main/plugins/github/plugin.go) - [Heroku](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/plugin.go) ## Step 3: Edit the credential definition The credential definition file describes the schema of the credential, how the credential should get provisioned to executables, and how the credential can be imported into 1Password. > **Tip** > } title="Credential Examples"> - [AWS Access Key](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/access_key.go) - [GitHub Personal Access Token](https://github.com/1Password/shell-plugins/blob/main/plugins/github/personal_access_token.go) - [Heroku API Key](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/api_key.go) ### Credential information and schema The first section of the credential definition is where you can add information about the credential: - The **name** of the credential, as the platform calls it. - The **documentation URL** provided by the platform that describes the credential. *(optional)* - The **management URL** on the platform where the credential can be created and revoked. This is usually a URL to the dashboard, console, or authentication settings of the platform. *(optional)* The next section is where you define the schema of the credential. This is segmented into fields. Many credentials consist of just a single secret field, but you can add more fields to add more details to the 1Password item that are related to authentication, even if the fields are not secret. Examples of additional fields are: the host, username, account ID, and all other things that are needed to authenticate and make sense to include in the 1Password item for the credential type. All fields you declare here will also show up in the end user's 1Password item. Here's what you can specify per **field**: - The **field name**, titlecased. *(required)* - A short **description** of the field. This supports markdown. *(required)* - Whether the field is **optional**. Defaults to false. - Whether the field is **secret**, and should be concealed in the 1Password GUI. Defaults to not secret. Note: The credential schema is expected to contain at least 1 secret field. - What the actual credential **value is composed of**. The length, character set, and whether it contains a fixed prefix. ### Provisioner The credential definition also specifies how the credential is usually provisioned to exectuables, in order for them to use the credential for authentication. Provisioners are in essence hooks that get executed before the executable is run by 1Password CLI, and after the executable exits in case any cleanup is needed. In those hooks, provisioners can do all the setup required for the executable to authenticate, including setting environment variables, creating files, adding command-line arguments, or even generating temporary credentials. After the executable exits, there should be no trace of the credentials on the user's filesystem. The SDK provides a few common provisioners out of the box, so in most cases you don't have to care about the provisioning internals. **Environment variables:** We currently recommend using environment variables as your provisioning method. Environment variables are the most ubiquitous way to provision secrets. They only live in memory, and almost every CLI allows you to authenticate with them. Here's how you can use the environment variable provisioner provided by the SDK: ```go provision.EnvVars(map[string]sdk.FieldName{ "AWS_ACCESS_KEY_ID": fieldname.AccessKeyID, "AWS_SECRET_ACCESS_KEY": fieldname.SecretAccessKey, }) ``` Specify the 1Password field name and the environment variable name it should be placed in. To figure out what environment variable the underlying CLI reads, here are a few tips: - Search the platform's CLI documentation website for a getting started guide, authentication guide, or CLI reference docs. - Look at the CLI's help text or manpage. - If the CLI or the underlying SDK it uses is open source, scan the source code to see if it accepts environment variables for authentication. **Files:** Some CLIs only support reading credentials from files on disk. In that case, you can use the file provisioner provided by the SDK. The file provisioner takes care of creating the file in a temporary directory and deleting it afterwards. For security purposes, the file created by the file provisioner can only be read **once** by the executable. If that limitation does not work for your use case, you can file an [issue on GitHub](https://github.com/1Password/shell-plugins/issues). Here are a few examples on how you can use the file provisioner to provision a temporary JSON file and pass the generated path to the executable: ```go title="Create a file provisioner and pass output path as --config-file" provision.TempFile(configFile, provision.Filename("config.json"), provision.AddArgs("--config-file", "{{ .Path }}"), ) ``` ```go title="Create a file provisioner and set output path as CONFIG_FILE_PATH" provision.TempFile(configFile, provision.Filename("config.json"), provision.SetPathAsEnvVar("CONFIG_FILE_PATH"), ) ``` ```go title="Create a file provisioner and pass output path as Java property" provision.TempFile(configFile, provision.Filename("config.json"), provision.AddArgs(`-Dconfig.path="{{ .Path }}"`), ) ``` ```go title="Code to generate JSON file contents" func configFile(in sdk.ProvisionInput) ([]byte, error) { config := Config{ Token: in.ItemFields[fieldname.Token] } contents, err := json.Marshal(config) if err != nil { return nil, err } return []byte(contents), nil } type Config struct { Token string `json:"token"` } ``` **Other:** If the standard provisioners included in the SDK are not enough to authenticate the executable, you can also write your own provisioner. You can do so by implementing the [`sdk.Provisioner` interface](https://github.com/1Password/shell-plugins/blob/main/sdk/provisioner.go). A good example of a custom provisioner is the [AWS STS provisioner](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/sts_provisioner.go) that generates temporary credentials based on a one-time password code loaded from 1Password. ### Importer The credential definition also lets you specify importers. Importers are responsible for scanning the user's environment and file system for any occurrences of the needed credentials. 1Password CLI will run the importer and prompt the user to import their credentials one by one into 1Password. It's very common for CLIs to write authentication data to disk, most commonly in a hidden config file in your home directory. This is not always documented by the CLI, so here are some tips to figure out if such a config file exists: - Check the platform's documentation for mentions of config files. - See if the CLI offers a `login`, `auth`, `configure`, or `setup` command that covers authentication. If it does, it's pretty likely there's a credential being stored in your home directory after completing such a flow. - If the CLI is open source, check the source code to see if such a file exists. - Look at your own home directory or `~/.config` directory to see if there are files related to the platform. Here's an example command to find local `aws` configuration files: ```shell find ~/.* -maxdepth 3 -path "*aws*" ``` The SDK provides helper functions to load files, parse files, and scan environment variables to make writing an importer for your credential type easier. > **Tip** > } title="Importer Examples"> - [AWS Access Key](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/access_key.go) (`~/.aws/credentials`) - [CircleCI Personal API Token](https://github.com/1Password/shell-plugins/blob/main/plugins/circleci/personal_api_token.go) (`~/.circleci/cli.yml`) - [Heroku API Key](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/api_key.go) (`~/.netrc`) If you already have a shell plugin configured for a tool, and you want to generate an example configuration tile to test an importer, reference the tool by its full path rather than by its name. This makes sure you invoke the the tool without the plugin. ## Step 4: Edit the executable definition The last thing the plugin is responsible for is to define the CLI or executable that you'd like 1Password to handle authentication for. This is the final piece that glues everything together. The executable definition describes the following: - The **command** that should get executed by the 1Password CLI. - The display **name** of the CLI, as the platform calls it. - The **documentation URL** provided by the platform that describes the executable. *(optional)* - When the executable **needs authentication**. For example, many CLIs don't require authentication when the `--help` or `--version` flags are present. - The **credentials** that the executable uses. > **Tip** > } title="Executable Examples"> - [AWS CLI](https://github.com/1Password/shell-plugins/blob/main/plugins/aws/aws.go) (`aws`) - [GitHub CLI](https://github.com/1Password/shell-plugins/blob/main/plugins/github/gh.go) (`gh`) - [Heroku CLI](https://github.com/1Password/shell-plugins/blob/main/plugins/heroku/heroku.go) (`heroku`) ## Step 5: Build and test your plugin locally To see if you've properly filled out the plugin, credential, and executable defintions, you can run the following Makefile command to validate the definitions: ``` make /validate ``` If that succeeds, it's now time to locally build and test your plugin! You can do so using the following command: ``` make /build ``` The build artifact will be placed in `~/.op/plugins/local`. It should show up in `op` if you run the following command: ```shell op plugin list ``` To see it in action, you can use the `op plugin init` command: ```shell op plugin init ``` ## Submit a PR While you're free to keep on using the plugin locally, we'd encourage you to submit a PR on the [main registry on GitHub](https://github.com/1Password/shell-plugins) so others can use it too! Before doing so, be sure to read the [CONTRIBUTING.md](https://github.com/1Password/shell-plugins/blob/main/CONTRIBUTING.md) file on GitHub. If you feel that the SDK does not serve your use case well, reach out to us by creating an [issue on GitHub](https://github.com/1Password/shell-plugins/issues) or by joining our [Developer Slack workspace](https://developer.1password.com/joinslack) to tell us about your plugin proposal. We can advise you on the most suitable approach for your use case. ## Learn more - [Shell plugins troubleshooting](/docs/cli/shell-plugins/troubleshooting/) - [Join our Developer Slack workspace](https://developer.1password.com/joinslack) --- ## Use 1Password to securely authenticate Crowdin CLI The Crowdin CLI shell plugin allows you to use 1Password to securely authenticate [Crowdin CLI ](https://crowdin.github.io/crowdin-cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Crowdin CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Crowdin CLI. ](https://crowdin.github.io/crowdin-cli/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `CROWDIN_PERSONAL_TOKEN` | | Project ID | `CROWDIN_PROJECT_ID` | | Host Address | `CROWDIN_BASE_URL` | *Thanks to [@JoeKarow](https://github.com/JoeKarow) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/359)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate Databricks CLI with biometrics # Use 1Password to securely authenticate Databricks CLI The Databricks shell plugin allows you to use 1Password to securely authenticate [Databricks CLI ](https://docs.databricks.com/dev-tools/cli/index.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Databricks CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [Databricks CLI. ](https://docs.databricks.com/dev-tools/cli/index.html) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Host | `DATABRICKS_HOST` | | Token | `DATABRICKS_TOKEN` | *Thanks to [@bsamseth](https://github.com/bsamseth) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/143)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate Dogshell with biometrics # Use 1Password to securely authenticate Dogshell The Dogshell shell plugin allows you to use 1Password to securely authenticate [Dogshell ](https://docs.datadoghq.com/developers/guide/dogshell-quickly-use-datadog-s-api-from-terminal-shell/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Dogshell with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [Dogshell. ](https://docs.datadoghq.com/developers/guide/dogshell-quickly-use-datadog-s-api-from-terminal-shell/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variable | | --- | --- | | API Key | `DATADOG_API_KEY` | | App Key | `DATADOG_APP_KEY` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate doctl with biometrics # Use 1Password to securely authenticate the DigitalOcean CLI The DigitalOcean shell plugin allows you to use 1Password to securely authenticate [doctl ](https://docs.digitalocean.com/reference/doctl/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate doctl with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [doctl. ](https://docs.digitalocean.com/reference/doctl/how-to/install/) The following shells are supported: - Bash - Zsh - fish ## Before you begin: Create and save a DigitalOcean personal access token If you've already created a DigitalOcean personal access token, [skip to step 1](#step-1-configure-your-default-credentials). If you haven't created a personal access token yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password: 1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/). 2. [Follow the steps](https://docs.digitalocean.com/reference/api/create-personal-access-token/) to create a DigitalOcean personal access token. 3. Select **Save item** when 1Password asks if you want to save an item for the DigitalOcean personal access token. 4. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**. _[The prompt to save your DigitalOcean personal access token in 1Password.]_ ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `DIGITALOCEAN_ACCESS_TOKEN` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password Shell Plugins to switch between multiple environments # Use shell plugins to switch between multiple environments You can use [1Password Shell Plugins](/docs/cli/shell-plugins/) to seamlessly switch between different sets of credentials for different environments, so you don't have to spend time signing in or out between environments. For example, you can set the Terraform shell plugin to use your development credentials in the working directory for your development environment and your production credentials in the working directory for your production environment. Then when you run a Terraform command in either directory, the Terraform plugin will automatically authenticate with the appropriate credentials. ## Step 1: Organize your directories by environment Before you configure a shell plugin for context switching between environments, group the directories you want to use with the plugin by environment. For example, if you wanted to use the Terraform shell plugin in both development and production environments, you would organize your directories like this: ``` projects/ ├─ development/ │ ├─ dev-project-1 │ ├─ dev-project-2 ├─ production/ │ ├─ prod-project-1 │ ├─ prod-project-2 ``` ## Step 2: Configure default credentials for each environment After you organize your directories by environment, you can set default credentials for your shell plugin to use in each directory and all its subfolders. 1. Change directories to one of the environment-level folders you created. For example: ```shell cd projects/production ``` 2. Sign in to the 1Password account where the credentials you want to use are stored: ```shell op signin ``` 3. Choose a plugin to initialize, or run `op plugin init` to choose from a list of all available plugins. For example, to initialize the Terraform shell plugin: ```shell op plugin init terraform ``` 4. Import or select the appropriate credentials for the environment. 5. Select **Use automatically when in this directory or subdirectories** as the default credential scope. 6. Repeat the process in other environment-level folders with their respective credentials. This will make the credentials you configure in each environment-level folder the default for all subfolders within it, as long as no other directory-specific defaults are set in them. ## Step 3: Use the plugin in multiple environments After you set default credentials in all your environment-level folders, you can use the shell plugin in the working directories for each environment without needing to sign in or out. 1. Enter the working directory for an environment. For example, to change directories into the development environment from the example above: ```shell cd ~/projects/development 2. Run a job in that environment. For example: ```shell terraform apply ``` 3. Switch to a different environment. For example, to change to the production environment: ```shell cd ~/projects/production ``` 4. Run a job in that environment: ```shell terraform apply ``` 5. Exit the environment: ```shell op signout ``` The shell plugin will automatically authenticate with the appropriate credentials for each environment, without requiring any action on your part. ## Learn more - [Get started with 1Password Shell Plugins](/docs/cli/shell-plugins/) - [Build your own shell plugins](/docs/cli/shell-plugins/contribute/) --- ## Use 1Password to authenticate Fastly CLI with biometrics # Use 1Password to securely authenticate Fastly CLI The Fastly shell plugin allows you to use 1Password to securely authenticate [Fastly CLI ](https://developer.fastly.com/reference/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Fastly CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [Fastly CLI. ](https://developer.fastly.com/learning/tools/cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `FASTLY_API_TOKEN` | *Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/169)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate Flyctl The Flyctl shell plugin allows you to use 1Password to securely authenticate [Flyctl ](https://fly.io/docs/hands-on/install-flyctl/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Flyctl with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Flyctl. ](https://fly.io/docs/hands-on/install-flyctl/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `FLY_ACCESS_TOKEN` | *Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/141)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate FOSSA CLI with biometrics # Use 1Password to securely authenticate FOSSA CLI The FOSSA shell plugin allows you to use 1Password to securely authenticate [FOSSA CLI ](https://github.com/fossas/fossa-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate FOSSA CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [FOSSA CLI. ](https://github.com/fossas/fossa-cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `FOSSA_API_KEY` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Gitea CLI with biometrics # Use 1Password to securely authenticate the Gitea CLI The Gitea shell plugin allows you to use 1Password to securely authenticate [the Gitea CLI ](https://gitea.com/gitea/tea) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Gitea with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.16.1 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. [Install the Gitea CLI ](https://gitea.com/gitea/tea). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ```shell rm ~/.config/tea/config.yml ``` ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with Gitea by injecting a temporary file with the credentials required by the plugin commands directly from your 1Password account. If you saved your Gitea credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | YAML config field | | --- | --- | | Token | `token` | | HostAddress | `name`, `url` | | User | `user` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the GitHub CLI with biometrics # Use 1Password to securely authenticate the GitHub CLI The GitHub shell plugin allows you to use 1Password to securely authenticate [the GitHub CLI ](https://cli.github.com/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the GitHub CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the GitHub CLI ](https://github.com/cli/cli#installation). The following shells are supported: - Bash - Zsh - fish ## Before you begin: Create and save a GitHub personal access token Before you can use 1Password to authenticate the GitHub CLI, you'll need to [create a GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). 1Password authenticates the GitHub CLI with your personal access token instead of a username and password. If you've already created a personal access token, [skip to step 1](#step-1-configure-your-default-credentials). If you haven't created a personal access token yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password: 1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/). 2. [Follow the steps](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create a GitHub personal access token. 3. Select **Save item** when 1Password asks if you want to save an item for the GitHub personal access token. 5. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**. _[The pop-up screen to save your GitHub personal access token in 1Password.]_ ## Step 1: Configure your default credentials :::tip If you use multiple GitHub accounts If you want to use the GitHub shell plugin with more than one GitHub account, like your personal and work accounts, [learn how to set up your plugin to use multiple accounts](/docs/cli/shell-plugins/multiple-accounts/). ::: To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. If you use a single GitHub account, select **Use as global default on my system**. This will set your personal access token as the default in all terminal sessions and directories. If you use multiple GitHub accounts, [learn how to use directory-specific defaults for context switching](/docs/cli/shell-plugins/multiple-accounts/). ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your GitHub credentials in 1Password, you can remove all local copies you previously had stored on disk. ```shell rm ~/.config/gh/hosts.yml ``` ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Token | `GH_TOKEN` | | Host (optional) | `GH_HOST` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the GitLab CLI with biometrics # Use 1Password to securely authenticate the GitLab CLI The GitLab shell plugin allows you to use 1Password to securely authenticate [the GitLab CLI ](https://docs.gitlab.com/ee/integration/glab/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the GitLab CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the GitLab CLI. ](https://gitlab.com/gitlab-org/cli/-/blob/main/README.md#installation) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Optional: If you use a self-hosted instance, set the host If you use a self-hosted GitLab instance, you'll need to add your host URL to the GitLab item you configured in the previous step. Save the URL in a custom text field titled `Host` to make it available to the shell plugin. **1Password CLI:** To add the field using 1Password CLI: **Bash, Zsh, sh, fish:** ```shell op item edit \ 'Host[text]=https://gitlab.yourdomain.com' ``` **PowerShell:** ```powershell op item edit ` 'Host[text]=https://gitlab.yourdomain.com' ``` **1Password desktop app:** To add the field using the 1Password desktop app: 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Navigate to the item you configured in the previous step and select **Edit**. 3. Select **Add More** > **Text** to add a custom text field. 4. Select the default field name, "text", and rename it to `Host`. 5. Enter your GitLab host as the field value. For example, `https://gitlab.yourdomain.com` 6. Select **Save**. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Token | `GITLAB_TOKEN` | | Host (optional; required for self-hosted instances) | `GITLAB_HOST` | | API Host (optional) | `GITLAB_API_HOST` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Vault CLI with biometrics # Use 1Password to securely authenticate the HashiCorp Vault CLI The HashiCorp Vault shell plugin allows you to use 1Password to securely authenticate [the Vault CLI ](https://developer.hashicorp.com/vault/docs/commands) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Vault CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Vault CLI. ](https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Token | `VAULT_TOKEN` | | Address (optional) | `VAULT_ADDR` | | Namespace (optional) | `VAULT_NAMESPACE` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Heroku CLI with biometrics # Use 1Password to securely authenticate the Heroku CLI The Heroku shell plugin allows you to use 1Password to securely authenticate [the Heroku CLI ](https://devcenter.heroku.com/articles/heroku-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Heroku CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Heroku CLI. ](https://devcenter.heroku.com/articles/heroku-cli#install-the-heroku-cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `HEROKU_API_KEY` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate hcloud with biometrics # Use 1Password to securely authenticate the Hetzner Cloud CLI The Hetzner Cloud shell plugin allows you to use 1Password to securely authenticate [hcloud ](https://github.com/hetznercloud/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate hcloud with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.12.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [hcloud. ](https://github.com/hetznercloud/cli#installation) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variable | | --- | --- | | Token | `HCLOUD_TOKEN` | *Thanks to [@shyim](https://github.com/shyim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/87)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate brew with biometrics # Use 1Password to securely authenticate brew The Homebrew shell plugin allows you to use 1Password to securely authenticate [the Homebrew package manager ](https://brew.sh/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate brew with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.11.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [brew. ](https://brew.sh/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `HOMEBREW_GITHUB_API_TOKEN` | *Thanks to [@markdorison](https://github.com/markdorison) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/110)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate HuggingFace CLI The HuggingFace CLI shell plugin allows you to use 1Password to securely authenticate [HuggingFace CLI ](https://huggingface.co/docs/huggingface_hub/quick-start) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate HuggingFace CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install HuggingFace CLI. ](https://huggingface.co/docs/huggingface_hub/quick-start) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | User Access Token | `HUGGING_FACE_HUB_TOKEN` | | Endpoint (optional) | `HF_ENDPOINT` | | API URL (optional) | `HF_INFERENCE_ENDPOINT` | *Thanks to [@bala-ceg](https://github.com/bala-ceg) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/393)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to securely authenticate InfluxDB The InfluxDB shell plugin allows you to use 1Password to securely authenticate [InfluxDB ](https://docs.influxdata.com/influxdb/cloud/reference/cli/influx/config/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate InfluxDB with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install InfluxDB. ](https://docs.influxdata.com/influxdb/cloud/reference/cli/influx/config/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Host | `INFLUX_HOST` | | Organization | `INFLUX_ORG` | | Access Token | `INFLUX_TOKEN` | *Thanks to [@bala-ceg](https://github.com/bala-ceg) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/392)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to securely authenticate Kaggle CLI The Kaggle CLI shell plugin allows you to use 1Password to securely authenticate [Kaggle CLI ](https://github.com/Kaggle/kaggle-api) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Kaggle CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Kaggle CLI. ](https://github.com/Kaggle/kaggle-api) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `KAGGLE_KEY` | | Username | `KAGGLE_USERNAME` | *Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/341)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate the Lacework CLI with biometrics # Use 1Password to securely authenticate the Lacework CLI The Lacework shell plugin allows you to use 1Password to securely authenticate [the Lacework CLI ](https://docs.lacework.com/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Lacework CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.10.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Lacework CLI. ](https://docs.lacework.com/cli/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Account | `LW_ACCOUNT` | | API Key ID | `LW_API_KEY` | | API Secret | `LW_API_SECRET` | *Thanks to [@colinbarr](https://github.com/colinbarr) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/95)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Laravel Forge CLI with biometrics # Use 1Password to securely authenticate the Laravel Forge CLI The Laravel Forge shell plugin allows you to use 1Password to securely authenticate [the Laravel Forge CLI ](https://forge.laravel.com/docs/1.0/cli.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Laravel Forge CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Laravel Forge CLI ](https://forge.laravel.com/docs/1.0/cli.html#installation). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `FORGE_API_TOKEN` | *Thanks to [@andresayej](https://github.com/andresayej) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/244)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Laravel Vapor CLI with biometrics # Use 1Password to securely authenticate the Laravel Vapor CLI The Laravel Vapor shell plugin allows you to use 1Password to securely authenticate [the Laravel Vapor CLI ](https://docs.vapor.build/1.0/introduction.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Laravel Vapor CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Laravel Vapor CLI ](https://docs.vapor.build/1.0/introduction.html#installing-the-vapor-cli). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `VAPOR_API_TOKEN` | *Thanks to [@andresayej](https://github.com/andresayej) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/245)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Linode CLI with biometrics # Use 1Password to securely authenticate the Linode CLI The Linode shell plugin allows you to use 1Password to securely authenticate [the Linode CLI ](https://www.linode.com/docs/products/tools/cli/get-started/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Linode CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.10.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Linode CLI. ](https://www.linode.com/docs/products/tools/cli/get-started/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `LINODE_CLI_TOKEN` | *Thanks to [@alexclst](https://github.com/alexclst) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/86)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate LocalStack The LocalStack shell plugin allows you to use 1Password to securely authenticate [LocalStack ](https://docs.localstack.cloud/getting-started/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate LocalStack with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install LocalStack. ](https://docs.localstack.cloud/getting-started/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `LOCALSTACK_API_KEY` | --- ## Use 1Password to securely authenticate MongoDB Atlas The MongoDB Atlas shell plugin allows you to use 1Password to securely authenticate [the Atlas CLI ](https://www.mongodb.com/tools/atlas-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Atlas CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install the Atlas CLI ](https://www.mongodb.com/try/download/atlascli). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Public key | `MONGODB_ATLAS_PUBLIC_API_KEY` | | Private key | `MONGODB_ATLAS_PRIVATE_API_KEY` | *Thanks to [@joqim](https://github.com/joqim) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/198)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password Shell Plugins to authenticate with multiple accounts # Use shell plugins to authenticate with multiple accounts You can configure [1Password Shell Plugins](/docs/cli/shell-plugins/) to authenticate with different accounts in different directories, so you don't have to spend time signing in or out between projects. For example, you can set the GitHub shell plugin to authenticate with your work credentials in the directories for your work repositories and your personal credentials in the directories for your personal repositories. ## Step 1: Organize your directories by account Before you configure your shell plugins to use multiple accounts, group the project directories on your computer by the accounts they use. For example, if you have a personal and a work GitHub account, you might organize your personal and work GitHub repository folders like this: ``` github/ ├─ personal/ │ ├─ personal-repo-1 │ ├─ personal-repo-2 │ ├─ personal-repo-3 ├─ work/ │ ├─ work-repo-1 │ ├─ work-repo-2 ``` ## Step 2: Configure default credentials for each environment After you organize your projects under account-level directories, you can set default credentials for your shell plugin to use in each directory and all its subfolders. 1. Change directories to one of the account-level folders you created. For example: ```shell cd projects/work ``` 2. Sign in to the 1Password account where the credentials you want to use are stored: ```shell op signin ``` 3. Choose a plugin to initialize, or run `op plugin init` to choose from a list of all available plugins. For example, to initialize the GitHub plugin: ```shell op plugin init gh ``` 4. Import or select the appropriate credentials to use with the account. 5. Select **Use automatically when in this directory or subdirectories** as the default credential scope. 6. Repeat the process in other account-level folders with their respective credentials. This will make the credentials you configure in each account-level folder the default for all subfolders within it, as long as no other directory-specific defaults are set in them. After you set defaults in all your account-level folders, use the shell plugin as you normally would across all your projects. When you use the plugin in a folder within the personal or work directories, the plugin will automatically authenticate with the appropriate credentials. ## Learn more - [Get started with 1Password Shell Plugins](/docs/cli/shell-plugins/) - [Build your own shell plugins](/docs/cli/shell-plugins/contribute/) --- ## Use 1Password to authenticate the MySQL CLI with biometrics # Use 1Password to securely authenticate the MySQL CLI The MySQL shell plugin allows you to use 1Password to securely authenticate [the MySQL CLI ](https://dev.mysql.com/doc/refman/en/mysql.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the MySQL CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the MySQL CLI. ](https://dev.mysql.com/doc/refman/en/installing.html) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference If you saved your MySQL credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If your credentials are stored in a different field, you'll be prompted to select the field manually. Field names are case-insensitive. Field name tokens can be separated by whitespaces, underscores, dashes, or nothing. | 1Password field name | Parameter | | --- | --- | | Host (optional) | `host` | | Port (optional)| `port` | | User (optional) | `user` | | Password | `password` | | Database (optional) | `database` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate ngrok with biometrics # Use 1Password to securely authenticate ngrok The ngrok shell plugin allows you to use 1Password to securely authenticate [the ngrok CLI ](https://ngrok.com/docs/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate ngrok with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the ngrok CLI ](https://ngrok.com/docs/getting-started). The following shells are supported: - Bash - Zsh - Fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ### Optional: Add an API key The ngrok shell plugin sets up authentication for the following ngrok commands by default: `http`, `service`, `start`, `tcp`, `tls`, and `tunnel`. To configure authentication for the `ngrok api` command, [add a custom field](https://support.1password.com/custom-fields#add-a-custom-field) to your ngrok item titled `API Key` and save [your ngrok API key](https://dashboard.ngrok.com/api/keys) there. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your ngrok credentials in 1Password, you can remove all local copies you previously had stored on disk. To find your ngrok configuration file location, run: ```shell ngrok config check ``` To remove your credentials, run `rm` with the filepath for your configuration file. For example: **Mac:** ```shell rm "~/Library/Application Support/ngrok/ngrok.yml" ``` **Linux:** ```shell rm ~/.config/ngrok/ngrok.yml ``` ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference If you're using ngrok 3.2.1 or later, 1Password authenticates with ngrok by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you're using an earlier version of ngrok, 1Password authenticates by injecting a temporary file with the appropriate credentials. If you saved your ngrok credentials in 1Password manually rather than using `op plugin init` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | YAML config field | Environment variable | | --- | --- | --- | | Auth Token | `authtoken` | `NGROK_AUTHTOKEN` | | API Key | `api_key` | `NGROK_API_KEY` | *Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/165)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password Shell Plugins with NixOS or home-manager # Configure shell plugins using Nix If you're using Nix to manage your shell configuration, you can configure 1Password Shell Plugins natively within your Nix configuration. 1. Add the 1Password Shell Plugins flake to your flake inputs: ```nix [{ "color": "bitsblue", "lineNo": 6, "substr": "_1password-shell-plugins.url = \\"github:1Password/shell-plugins\\";"}] { description = "My NixOS system flake"; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # import the 1Password Shell Plugins Flake _1password-shell-plugins.url = "github:1Password/shell-plugins"; # the rest of your flake inputs here }; outputs = inputs@{ nixpkgs, ... }: { # the rest of your flake here } } ``` 2. Somewhere in your flake output configuration, import and use the appropriate module: **NixOS without home-manager:** ```nix [{"color": "bitsblue", "lineNo": 3, "substr": "inputs._1password-shell-plugins.nixosModules.default"}] { # import the NixOS module imports = [ inputs._1password-shell-plugins.nixosModules.default ]; programs._1password-shell-plugins = { # enable 1Password shell plugins for bash, zsh, and fish shell enable = true; # the specified packages as well as 1Password CLI will be # automatically installed and configured to use shell plugins plugins = with pkgs; [ gh awscli2 cachix ]; }; # this can also be `programs.bash` or `programs.fish` programs.zsh = { enable = true; # the rest of your shell configuration here }; } ``` **Nix with home-manager:** ```nix [{"color": "bitsblue", "lineNo": 3, "substr": "inputs._1password-shell-plugins.hmModules.default"}] { # import the home-manager module imports = [ inputs._1password-shell-plugins.hmModules.default ]; programs._1password-shell-plugins = { # enable 1Password shell plugins for bash, zsh, and fish shell enable = true; # the specified packages as well as 1Password CLI will be # automatically installed and configured to use shell plugins plugins = with pkgs; [ gh awscli2 cachix ]; }; # this can also be `programs.bash` or `programs.fish` programs.zsh = { enable = true; # the rest of your shell configuration here }; } ``` 3. Apply the updated configuration: **NixOS (including home-manager as a NixOS module):** ~/path/to/flake/directory/ should be the path to the directory containing your `flake.nix` file, and my-computer should be the name of the flake output to use as the system configuration. ```shell [{"color": "bitsblue", "lineNo": 1, "substr": "~/path/to/flake/directory/"}, {"color": "green", "lineNo": 1, "substr": "my-computer"}] sudo nixos-rebuild switch --flake "~/path/to/flake/directory/.#my-computer" ``` **Nix with standalone home-manager:** ~/path/to/flake/directory/ should be the path to the directory containing your `flake.nix` file, and my-computer should be the name of the flake output to use as the system configuration. ```shell [{"color": "bitsblue", "lineNo": 1, "substr": "~/path/to/flake/directory/"}, {"color": "green", "lineNo": 1, "substr": "my-computer"}] home-manager switch --flake "~/path/to/flake/directory/.#my-computer" ``` --- ## Use 1Password to securely authenticate Oh Dear CLI The Oh Dear CLI shell plugin allows you to use 1Password to securely authenticate [Oh Dear CLI ](https://github.com/ohdearapp/ohdear-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Oh Dear CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.19.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. [Install Oh Dear CLI ](https://github.com/ohdearapp/ohdear-cli). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `OHDEAR_API_TOKEN` | *Thanks to [@owenvoke](https://github.com/owenvoke) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/269)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Okta CLI with biometrics # Use 1Password to securely authenticate the Okta CLI The Okta shell plugin allows you to use 1Password to securely authenticate [the Okta CLI ](https://cli.okta.com/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Okta CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Okta CLI. ](https://cli.okta.com/manual#installation) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Token | `OKTA_CLIENT_TOKEN` | | Org URL | `OKTA_CLIENT_ORGURL` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate OpenAI Evals The OpenAI Evals shell plugins allow you to use 1Password to securely authenticate [`oaieval` and `oaievalset` ](https://github.com/openai/evals/blob/main/docs/run-evals.md) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials for each CLI and source the `plugins.sh` file, then you'll be prompted to authenticate OpenAI Evals with biometrics. :::tip You can also use 1Password Shell Plugins to authenticate [OpenAI](/docs/cli/shell-plugins/openai). ::: ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.19.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install OpenAI Evals. ](https://github.com/openai/evals/blob/main/docs/run-evals.md) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your oaieval credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Configure your oaievalset credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 3: Source the plugins.sh file **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 4: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 5: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `OPENAI_API_KEY` | *Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/208)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the OpenAI CLI with biometrics # Use 1Password to securely authenticate the OpenAI CLI The OpenAI shell plugin allows you to use 1Password to securely authenticate [the OpenAI CLI ](https://pypi.org/project/openai/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the OpenAI CLI with biometrics. :::tip You can also use 1Password Shell Plugins to authenticate [OpenAI Evals](/docs/cli/shell-plugins/openai-evals). ::: ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.13.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the OpenAI CLI. ](https://pypi.org/project/openai/) The following shells are supported: - Bash - Zsh - fish ## Before you begin: Create and save an OpenAI API key If you've already created an OpenAI API key, [skip to step 1](#step-1-configure-your-default-credentials). If you haven't created an API key yet, you can create one and use the [1Password browser extension](https://support.1password.com/getting-started-browser/) to quickly save it in 1Password: 1. Open and unlock [1Password in your browser](https://support.1password.com/getting-started-browser/). 2. [Follow the steps](https://platform.openai.com/account/api-keys) to create an OpenAI API key. 3. Select **Save item** when 1Password asks if you want to save an item for the OpenAI API key. 4. Choose the vault where you want to save the item, edit the item's name and details, then select **Save item**. _[The prompt to save your OpenAI API key in 1Password.]_ ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `OPENAI_API_KEY` | *Thanks to [@jodyheavener](https://github.com/jodyheavener) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/152)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate Pipedream CLI The Pipedream CLI shell plugin allows you to use 1Password to securely authenticate [Pipedream CLI ](https://pipedream.com/docs/cli/install/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Pipedream CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Pipedream CLI. ](https://pipedream.com/docs/cli/install/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with Pipedream by injecting a temporary config file with the credentials required by the plugin commands directly from your 1Password account. If you saved your Pipedream credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Config file field | | --- | --- | | API Key | api_key | | Org ID | org_id | *Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/338)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate psql with biometrics # Use 1Password to securely authenticate the PostgreSQL CLI The PostgreSQL shell plugin allows you to use 1Password to securely authenticate [psql ](https://www.postgresguide.com/utilities/psql/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate psql with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [psql. ](https://www.postgresql.org/docs/current/app-psql.html) The following shells are supported: - Bash - Zsh - fish ## Additional executables You can also use the PostgreSQL shell plugin with: - [`pg_dump` ](https://www.postgresql.org/docs/current/app-pgdump.html) - [`pg_restore` ](https://www.postgresql.org/docs/current/app-pgrestore.html) - [`pgcli` ](https://www.pgcli.com/) Run `op plugin init ` with the executable you want to configure, then follow the steps to select your credentials. ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Server | `PGHOST` | | Port (optional) | `PGPORT` | | Username | `PGUSER` | | Password (optional) | `PGPASSWORD` | | Database (optional) | `PGDATABASE` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Pulumi CLI with biometrics # Use 1Password to securely authenticate the Pulumi CLI The Pulumi CLI shell plugin allows you to use 1Password to securely authenticate [the Pulumi CLI ](https://www.pulumi.com/docs/reference/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Pulumi CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Pulumi CLI. ](https://www.pulumi.com/docs/get-started/install/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `PULUMI_ACCESS_TOKEN` | | Host (optional) | `PULUMI_BACKEND_URL` | *Thanks to [@ringods](https://github.com/ringods) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/199)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the ReadMe CLI with biometrics # Use 1Password to securely authenticate the ReadMe CLI The ReadMe shell plugin allows you to use 1Password to securely authenticate [the ReadMe CLI ](https://docs.readme.com/main/docs/rdme) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the ReadMe CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.12.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the ReadMe CLI. ](https://github.com/readmeio/rdme#setup) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variable | | --- | --- | | API Key | `RDME_API_KEY` | | Username (Optional) | `RDME_EMAIL` | | Website (Optional) | `RDME_PROJECT` | *Thanks to [@kanadgupta](https://github.com/kanadgupta) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/106)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## About 1Password Shell Plugins security ## Authorization model To get your consent when a 1Password CLI command or 1Password Shell Plugin is invoked, 1Password will present you with an approval dialog: _[A CLI being authenticated using 1Password CLI biometric unlock.]_ This dialog will show which application is requesting permission to use which 1Password account. After you approve the request, a *session* will be established between 1Password and the terminal window or tab the plugin was invoked from. Any consecutive invocations of 1Password CLI within that terminal window can use your 1Password account without additional authorization until 1Password locks. This includes invocations of the same plugin, a different plugin and any other 1Password CLI commands. As always when working with secrets, it's worth being mindful of the processes, scripts, and plugins you run that can access those secrets. A session is ended in any of the following scenarios: - When 1Password is locked - After 10 minutes of inactivity - After 12 hours - When `op signout` is run in the authorized terminal session - When `op signout --all` is run in any terminal session ## Extendability & community contributions 1Password Shell Plugins is [extendable](/docs/cli/shell-plugins/contribute/). Contributed plugins are curated and reviewed by 1Password before they are included and shipped in 1Password CLI. 1Password has only reviewed contributed plugins if they are included in 1Password CLI. We recommend you only run plugins included in 1Password CLI and plugins you've written yourself. In practice, this means you should not download binaries and place them in `~/.op/plugins/local`. ## Learn more - [Biometric security](/docs/cli/app-integration/) --- ## Use 1Password to authenticate the Sentry CLI with biometrics # Use 1Password to securely authenticate the Sentry CLI The Sentry shell plugin allows you to use 1Password to securely authenticate [the Sentry CLI ](https://docs.sentry.io/product/cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Sentry CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Sentry CLI. ](https://docs.sentry.io/product/cli/installation/) The following shells are supported: - Bash - Zsh - fish :::tip Get $240 in Sentry credits when you [create a new Sentry account](https://sentry.io/signup/) using the promo code **1Password**. ::: ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables| | --- | --- | | Token | `SENTRY_AUTH_TOKEN` | | Organization (optional) | `SENTRY_ORG` | | Project (optional) | `SENTRY_PROJECT` | | URL (optional) | `SENTRY_URL` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate SnowSQL with biometrics # Use 1Password to securely authenticate the Snowflake CLI The Snowflake shell plugin allows you to use 1Password to securely authenticate [SnowSQL ](https://docs.snowflake.com/en/user-guide/snowsql.html) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the SnowSQL with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [SnowSQL. ](https://docs.snowflake.com/en/user-guide/snowsql-install-config) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variable | | --- | --- | | Account | `SNOWSQL_ACCOUNT` | | Username | `SNOWSQL_USER`| | Password | `SNOWSQL_PWD` | *Thanks to [@williamhpark](https://github.com/williamhpark) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/161)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Snyk CLI with biometrics # Use 1Password to securely authenticate the Snyk CLI The Snyk shell plugin allows you to use 1Password to securely authenticate [the Snyk CLI ](https://docs.snyk.io/snyk-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Snyk CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Snyk CLI. ](https://docs.snyk.io/snyk-cli/install-the-snyk-cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `SNYK_TOKEN` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Sourcegraph CLI with biometrics # Use 1Password to securely authenticate the Sourcegraph CLI The Sourcegraph shell plugin allows you to use 1Password to securely authenticate [the Sourcegraph CLI ](https://docs.sourcegraph.com/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Sourcegraph CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Sourcegraph CLI. ](https://docs.sourcegraph.com/cli/quickstart) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variable | | --- | --- | | Endpoint | `SRC_ENDPOINT` | | Token | `SRC_ACCESS_TOKEN`| *Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/146)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Stripe CLI with biometrics # Use 1Password to securely authenticate the Stripe CLI The Stripe shell plugin allows you to use 1Password to securely authenticate [the Stripe CLI ](https://stripe.com/docs/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Stripe CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Stripe CLI. ](https://stripe.com/docs/stripe-cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `STRIPE_API_KEY` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate Terraform # Use 1Password to securely authenticate Terraform (Beta) The Terraform shell plugin allows you to use 1Password to securely authenticate [Terraform CLI ](https://developer.hashicorp.com/terraform/cli) to supported providers with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. You can configure the Terraform plugin to authenticate with biometrics to any provider in the [1Password Shell Plugin ecosystem](/docs/cli/shell-plugins#get-started), like AWS, ngrok, and Databricks. :::tip The Terraform shell plugin is currently in beta. It can only be used with the latest [beta build](/docs/cli/reference#beta-builds) of 1Password CLI. ::: ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [the latest beta build of 1Password CLI](/docs/cli/reference#beta-builds) (`2.19.0-beta.01` or later). 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/app-integration#step-1-turn-on-the-app-integration). 5. Install [Terraform CLI ](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials :::tip If you have multiple 1Password accounts, run `op signin` to select the account you want to use before configuring the plugin. When you use the plugin, 1Password CLI will automatically switch to that account. ::: To get started with the Terraform shell plugin, run: ```shell op plugin init terraform ``` You'll be prompted to select the credential types you want to use with Terraform — you can choose as many as you want. Select the credential type for [a supported provider](/docs/cli/shell-plugins#get-started), then you can either [import the credential](#import-a-new-item) into your 1Password account or [select an existing 1Password item](#select-an-existing-item) where the credential is saved. When you've configured all the credentials you want to use with Terraform, select **Stop choosing credentials**. Step 1.1: Import or select an item #### Import a new item If you haven't saved a credential in 1Password yet, select **Import into 1Password**. Enter a name for the new 1Password item and select the vault where you want to save it. If 1Password detects the credential in your local development environment, you'll be prompted to import it automatically. #### Select an existing item If you've already saved a credential in 1Password, select **Search in 1Password**. Select the item from the list of suggested items. If you don't see the item you want, select **Expand search** to browse all items in your account. Step 1.2: Set default credential scope After you finish selecting your credentials, you'll be prompted to configure when to use them. - **Prompt me for each new terminal session** will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the defaults will be removed. - **Use automatically when in this directory or subdirectories** will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. - **Use as global default on my system** will set the credentials as the defaults in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you use Terraform CLI with one of the providers you configured credentials for, you'll be prompted to authenticate with biometrics or system authentication. _[The terraform plan command being authenticated to AWS with Touch ID.]_ ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk, like in your [provider configurations ](https://developer.hashicorp.com/terraform/language/providers/configuration). ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current Terraform configuration: ```shell op plugin inspect terraform ``` 1Password CLI will return a list of the credentials you've configured to use with Terraform and their default scope, as well as a list of aliases configured for Terraform CLI. _[1Password CLI inspecting a Terraform shell plugin with AWS and ngrok credentials configured as global defaults.]_ Clear your credentials To reset the credentials used with Terraform CLI: ```shell op plugin clear terraform ``` You can clear one configuration at a time, in this order of precedence: 1. Terminal session default 2. Directory default, from the current directory to `$HOME` 3. Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear terraform` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear terraform --all`. ## Reference 1Password authenticates to Terraform providers by provisioning the credentials required by the plugin commands directly from your 1Password account. If you saved your provider credentials manually rather than using `op plugin` to import a new item, you might be prompted to rename your item's fields to match the item structure required by the credential schema. --- ## Test shell plugins You can test [1Password Shell Plugins](/docs/cli/shell-plugins/) without making any changes to your current workflows. To do this, you'll configure a shell plugin with default credentials that only last for the duration of your current terminal session, then source the shell plugin aliases script in your current terminal session instead of adding it to your shell profile. When you close your terminal window, your temporary shell plugin configuration will be cleared. ## Step 1: Temporarily configure a shell plugin 1. Sign in to the 1Password account where the credentials you want to use with the shell plugin are stored: ```shell op signin ``` 2. Choose a plugin to test, or run `op plugin init` to choose from a list of all available plugins. For example, to test the AWS shell plugin: ```shell op plugin init aws ``` 3. Import or select the credentials you want to test with the plugin. 4. When you're prompted to choose when the credentials will be used to authenticate, select **Prompt me for each new terminal session**. This will configure your credentials as a temporary default for the duration of your current terminal session. 5. Instead of adding the command to source the `plugins.sh` file to your shell profile, source the `plugins.sh` file in your current terminal session. This will create an alias for the CLI executable that lasts for the duration of your current terminal session. For example: ```shell source ~/.config/op/plugins.sh ``` The location of the `plugins.sh` file will vary depending on your [configuration directory](/docs/cli/config-directories/). ## Step 2: Test the shell plugin You can test the shell plugin for the duration of your current terminal session. 1. Sign out of 1Password CLI to make sure you'll be prompted to authenticate: ```shell op signout ``` 2. Run a command with the CLI that requires authentication. For example, if you configured a shell plugin for AWS: ```shell aws s3 ls ``` When you're done testing, close the terminal window to clear your default credentials and remove the alias for the CLI executable. To continue using a shell plugin, follow the installation guide for the [plugin of your choice](/docs/cli/shell-plugins/). --- ## Use 1Password to securely authenticate Todoist CLI The Todoist CLI shell plugin allows you to use 1Password to securely authenticate [Todoist CLI ](https://github.com/sachaos/todoist) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Todoist CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Todoist CLI. ](https://github.com/sachaos/todoist) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with Todoist by injecting a temporary config file with the credentials required by the plugin commands directly from your 1Password account. If you saved your Todoist credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Config file field | | --- | --- | | Token | token | *Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/340)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate the Treasure Data CLI with biometrics # Use 1Password to securely authenticate the Treasure Data CLI The Treasure Data shell plugin allows you to use 1Password to securely authenticate the [Treasure Data Toolbelt ](https://www.treasuredata.com/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Treasure Data with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.16.1 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Treasure Data Toolbelt ](https://toolbelt.treasuredata.com/). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `TD_API_KEY` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## 1Password Shell Plugins troubleshooting ## Using shell plugins ### If you're using a non-interactive shell 1Password Shell Plugins are built to be used with interactive shells. An interactive shell is required for the shell plugin to prompt for authentication. ### If your script doesn't inherit shell plugin aliases Scripts might not inherit your shell plugin aliases if they're run in a subshell where the `plugins.sh` file isn't sourced. When this happens, the CLI command in the script will output an error instead of running correctly. For example, the following script runs a `doctl` command in a subshell, and as a result wouldn't inherit the `doctl` shell plugin alias: ```html title="yourscript.sh" #!/usr/bin/env bash doctl account get ``` To make the script run correctly, you can wrap the `doctl` command in [`op plugin run`](/docs/cli/reference/management-commands/plugin#plugin-run). For example: ```html title="yourscript.sh" #!/usr/bin/env bash op plugin run doctl account get ``` ### If autocompletion stops working If autocompletion stops working in Zsh after you configure a shell plugin, run the following command to configure completion for aliases: ```shell setopt completealiases ``` ## Contributing shell plugins ### If your locally-built plugin stops working If your locally-built plugin stops working, you might need to update your 1Password CLI version or rebuild your plugin with the latest shell plugins SDK. #### Update your 1Password CLI installation If you're using an outdated version of the CLI, you'll see this error message: ```shell 1Password CLI is outdated, please run: op update to update 1Password CLI to the latest version and to be able to use this Shell Plugin. ``` To update your 1Password CLI installation to the latest version: ```shell op update ``` Or [update 1Password CLI with a package manager](/docs/cli/reference/update#update-with-a-package-manager). #### Rebuild your plugins with the latest shell plugins SDK If the shell plugins SDK is outdated, you'll see this error message: ```shell 1Password Shell Plugin is out of date. Remove the plugin at '/Users//.op/plugins/local/aws' or rebuild it with the latest Shell Plugin SDK to use it. ``` To update to the latest shell plugins SDK, you'll need to merge the `main` branch of the [shell plugins repository](https://github.com/1Password/shell-plugins/tree/main/) into the branch for your plugin. To do this: 1. Navigate to the directory where you cloned the shell plugins repo: ```shell cd ``` 2. If you've made any local changes to your plugin branch, commit or stash them: ```shell git commit -am "" ``` 3. Check out the `main` branch: ```shell git checkout main ``` 4. Pull the `main` branch: ```shell git pull main ``` 5. Check out your plugin branch: ```shell git checkout ``` 6. Merge `main` into your branch: ``` git merge main ``` Then fix any merge conflicts and make any needed changes to the plugin code to conform to the latest version of the SDK. When you're ready to rebuild your plugin: ```shell make /build ``` :::info Join our Developer Slack If you're still having trouble, join our [Developer Slack workspace](https://developer.1password.com/joinslack) and we'll help you figure out a solution. ::: ## Learn more - [Uninstall shell plugins](/docs/cli/shell-plugins/uninstall/) - [Test shell plugins](/docs/cli/shell-plugins/test/) - [Use shell plugins to switch between multiple environments](/docs/cli/shell-plugins/environments/) - [Use shell plugins with multiple accounts](/docs/cli/shell-plugins/multiple-accounts/) --- ## Use 1Password to authenticate the Tugboat CLI with biometrics # Use 1Password to securely authenticate the Tugboat CLI The Tugboat shell plugin allows you to use 1Password to securely authenticate [the Tugboat CLI ](https://docs.tugboatqa.com/tugboat-cli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Tugboat CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.10.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Tugboat CLI. ](https://docs.tugboatqa.com/tugboat-cli/install-the-cli/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Token | `TUGBOAT_API_TOKEN` | *Thanks to [@markdorison](https://github.com/markdorison) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/85)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to authenticate the Twilio CLI with biometrics # Use 1Password to securely authenticate the Twilio CLI The Twilio shell plugin allows you to use 1Password to securely authenticate [the Twilio CLI ](https://twilio.com/docs/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate the Twilio CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.9.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [the Twilio CLI. ](https://www.twilio.com/docs/twilio-cli/quickstart) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variables | | --- | --- | | Account SID | `TWILIO_ACCOUNT_SID` | | API Key | `TWILIO_API_KEY` | | API Secret | `TWILIO_API_SECRET` | | Region (optional) | `TWILIO_REGION` | Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Uninstall shell plugins [1Password Shell Plugins](/docs/cli/shell-plugins/) are built so you can stop using them at any time. - If you want to [reset a shell plugin configuration](#clear-your-default-credentials-for-a-plugin), you can clear your default credentials. - If you want to [temporarily stop using a shell plugin](#temporarily-stop-using-a-shell-plugin), you can run `unalias ` or remove the alias for its executable from your `plugins.sh` file. - If you want to [temporarily stop using all shell plugins](#temporarily-stop-using-all-shell-plugins), you can remove the command to source the `plugins.sh` file from your shell profile. - And if you want to [completely uninstall shell plugins](#completely-stop-using-shell-plugins), you can do that too. ## Clear your default credentials for a plugin If you want to remove your default credentials for a shell plugin: ```shell op plugin clear ``` Credentials will be removed in this order: 1. Terminal session default 2. Directory default, from the current directory to `$HOME` 3. Global default To remove all the credentials you've configured for a shell plugin at the same time: ```shell op plugin clear --all ``` ## Temporarily stop using a shell plugin If you want to stop using a shell plugin for the current terminal session, run: ``` unalias ``` If you want to temporarily stop using a plugin for a longer period of time, you can remove its alias from your `plugins.sh` file. Then 1Password CLI will no longer handle authentication when you use the third-party CLI. 1. Open your [`plugins.sh` file](#if-you-cant-find-your-pluginssh-file) file. 2. Remove the alias for the plugin you want to stop using. For example, `alias aws="op plugin run -- aws"`. 3. Save the file. 4. Open a new terminal window or source your shell profile for the change to go into effect. You can add the alias back to the file at any time to continue using the shell plugin with your current setup. ## Temporarily stop using all shell plugins If you want to temporarily stop using shell plugins without losing your configurations, you can remove the command to source the `plugins.sh` file from your shell profile. 1. Open your shell profile. 2. Remove the line that looks like this. Your [`plugins.sh` file path](#if-you-cant-find-your-pluginssh-file) may vary. ```shell source ~/.config/op/plugins.sh ``` 3. Open a new terminal session or source your shell profile for the change to go into effect. 1Password will no longer prompt you to authenticate for any third-party CLI. ## Completely stop using shell plugins To completely stop using shell plugins and remove all information about your configurations: 1. [Clear the default credentials](#clear-your-default-credentials-for-a-plugin) for each of your plugins. 2. [Remove the command to source the `plugins.sh` file](#temporarily-stop-using-all-shell-plugins) from your shell profile. 3. Delete the [`plugins.sh` file](#if-you-cant-find-your-pluginssh-file) and the `plugins` folder within your `op` directory. 4. If you configured any directory-specific defaults, remove the `.op` folder from those directories. ## Get help ### If you can't find your plugins.sh file The file path for your `plugins.sh` file may vary depending on your [configuration directory](/docs/cli/config-directories/). Common locations include: - `~/.op/plugins.sh` - `~/.config/op/plugins.sh` - `~/op/plugins.sh` --- ## Use 1Password to securely authenticate Upstash CLI The Upstash CLI shell plugin allows you to use 1Password to securely authenticate [Upstash CLI ](https://github.com/upstash/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Upstash CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Upstash CLI. ](https://github.com/upstash/cli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | API Key | `UPSTASH_API_KEY` | | Email | `UPSTASH_EMAIL` | *Thanks to [@siddhikhapare](https://github.com/siddhikhapare) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/316)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to securely authenticate Vercel CLI The Vercel CLI shell plugin allows you to use 1Password to securely authenticate [Vercel CLI ](https://vercel.com/docs/cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Vercel CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.19.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. [Install Vercel CLI ](https://vercel.com/docs/cli). The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with Vercel by injecting injecting the token as a command line argument. If you saved your Vercel CLI credentials in 1Password manually rather than using `op plugin init` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Command line argument | | --- | --- | | Token | `--token` | ` *Thanks to [@j178](https://github.com/j178) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/273)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate Vertica CLI The Vertica CLI shell plugin allows you to use 1Password to securely authenticate [Vertica CLI ](https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/Install/InstallingTheVsqlClient.htm) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Vertica CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Vertica CLI. ](https://www.vertica.com/docs/9.2.x/HTML/Content/Authoring/ConnectingToVertica/vsql/Install/InstallingTheVsqlClient.htm) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Username | `VSQL_USER` | | Password | `VSQL_PASSWORD` | | Host (optional) | `VSQL_HOST` | | Port (optional) | `VSQL_PORT` | | Database | `VSQL_DATABASE` | *Thanks to [@parthiv11](https://github.com/parthiv11) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/327)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate Vultr CLI with biometrics # Use 1Password to securely authenticate Vultr CLI The Vultr CLI shell plugin allows you to use 1Password to securely authenticate [Vultr CLI ](https://github.com/vultr/vultr-cli) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Vultr CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.14.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [Vultr CLI. ](https://github.com/vultr/vultr-cli#installation) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field names | Environment variable | | --- | --- | | API Key | `VULTR_API_KEY` | *Thanks to [@arunsathiya](https://github.com/arunsathiya) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/159)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## Use 1Password to securely authenticate YugabyteDB SQL Shell The YugabyteDB SQL Shell shell plugin allows you to use 1Password to securely authenticate [YugabyteDB SQL Shell ](https://docs.yugabyte.com/preview/admin/ysqlsh/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate YugabyteDB SQL Shell with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install YugabyteDB SQL Shell. ](https://docs.yugabyte.com/preview/admin/ysqlsh/) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Host | `PGHOST` | | Port | `PGPORT` | | Username | `PGUSER` | | Password | `PGPASSWORD` | *Thanks to [@parthiv11](https://github.com/parthiv11) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/322)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to securely authenticate Zapier CLI The Zapier CLI shell plugin allows you to use 1Password to securely authenticate [Zapier CLI ](https://platform.zapier.com/cli_docs/docs) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate Zapier CLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password 8 for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.22.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Connect 1Password CLI with the 1Password app](/docs/cli/app-integration/). 5. [Install Zapier CLI. ](https://platform.zapier.com/cli_docs/docs) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **Fish:** ```shell echo "source ~/.op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Key | `ZAPIER_DEPLOY_KEY` | *Thanks to [@rajapri28613](https://github.com/rajapri28613) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/337)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute).* --- ## Use 1Password to authenticate the Zendesk CLI with biometrics # Use 1Password to securely authenticate the Zendesk CLI The Zendesk CLI shell plugin allows you to use 1Password to securely authenticate [ZCLI ](https://developer.zendesk.com/documentation/apps/getting-started/using-zcli/) with your fingerprint, Apple Watch, or system authentication, rather than storing your credentials in plaintext. Follow the instructions to configure your default credentials and source the `plugins.sh` file, then you'll be prompted to authenticate ZCLI with biometrics. ## Requirements 1. [Sign up for 1Password.](https://1password.com/pricing/password-manager) 2. Install and sign in to 1Password for [Mac](https://1password.com/downloads/mac) or [Linux](https://1password.com/downloads/linux). 3. Install [1Password CLI](https://app-updates.agilebits.com/product_history/CLI2) 2.17.0 or later. If you've already installed 1Password CLI, learn how to update your installation. 4. [Integrate 1Password CLI with the 1Password app](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration). 5. Install [ZCLI. ](https://developer.zendesk.com/documentation/apps/getting-started/using-zcli#installing-and-updating-zcli) The following shells are supported: - Bash - Zsh - fish ## Step 1: Configure your default credentials To get started with the shell plugin: Sign in to the 1Password account you want to use with the plugin: ```shell op signin ``` If you only want to configure the plugin in a specific directory, change to that directory Run the command to set up the plugin:```shell op plugin init $ ``` You'll be prompted to import your credentials into 1Password or select an existing 1Password item where your credentials are saved, then configure when the credentials should be used. Step 1.1: Import or select an item Import a new item If you haven't saved your credentials in 1Password yet, select Import into 1Password. Enter your credentials, choose a name for the new 1Password item, and select the vault where you want to save it. If 1Password detects your credentials in your local development environment, you'll be prompted to import them automatically. Select an existing item If you've already saved your credentials in 1Password, select Search in 1Password. You'll see a list of related items and the vaults where they're saved. If you don't see your credentials, select Expand search to browse all items in your account. Step 1.2: Set default credential scope After you select or import your credentials, you'll be prompted to configure when to use the item to authenticate . "Prompt me for each new terminal session" will only configure the credentials for the duration of the current terminal session. Once you exit the terminal, the default will be removed. "Use automatically when in this directory or subdirectories" will make the credentials the default in the current directory and all of its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one. "Use as global default on my system" will set the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one. ## Step 2: Source the plugins.sh file To make the plugin available, source your `plugins.sh` file. For example: ```shell source ~/.config/op/plugins.sh ``` The file path for your `op` folder may vary depending on your configuration directory. `op plugin init` will output a source command with the correct file path. If this is your first time installing a shell plugin, you'll also need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example: **Bash:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.bashrc && source ~/.bashrc ``` **Zsh:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc ``` **fish:** ```shell echo "source ~/.config/op/plugins.sh" >> ~/.config/fish/config.fish && source ~/.config/fish/config.fish ``` ## Step 3: Use the CLI The next time you enter a command with , you'll be prompted to authenticate with biometrics or system authentication. ## Step 4: Remove imported credentials from disk After saving your credentials in 1Password, you can remove all local copies you previously had stored on disk. ## Next steps 1Password Shell Plugins support more than 60 third-party CLIs. To see a list of supported CLIs: ```shell op plugin list ``` To choose another plugin to get started with: ```shell op plugin init ``` To use shell plugins for seamless context switching, learn how to configure a plugin in multiple environments or with multiple accounts. ## Get help Inspect your configuration To inspect your current configuration: ```shell op plugin inspect $ ``` 1Password CLI will return a list of the credentials you've configured to use with and their default scopes, as well as a list of aliases configured for . Clear your credentials To reset the credentials used with : ```shell op plugin clear $ ``` You can clear one configuration at a time, in this order of precedence: Terminal session default Directory default, from the current directory to `$HOME` Global default For example, if you're in the directory `$HOME/projects/awesomeProject` and you have a terminal session default, directory defaults for `$HOME` and `$HOME/projects/awesomeProject`, and a global default credential configured, you would need to run `op plugin clear ` four times to clear all of your defaults. To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run `op plugin clear --all`. ## Reference 1Password authenticates with by injecting environment variables with the credentials required by the plugin commands directly from your 1Password account. If you saved your credentials in 1Password manually rather than using `op plugin` to import a new item, make sure that your field names match the table below. If the item doesn't contain a field with the required name, you'll be prompted to rename one of the existing fields. | 1Password field name | Environment variable | | --- | --- | | Subdomain | `ZENDESK_SUBDOMAIN` | | Email | `ZENDESK_EMAIL` | | Token | `ZENDESK_API_TOKEN` | *Thanks to [@williamhpark](https://github.com/williamhpark) for [contributing this plugin](https://github.com/1Password/shell-plugins/pull/207)! Learn how to [build your own shell plugins](/docs/cli/shell-plugins/contribute/).* Learn more Use shell plugins to switch between multiple environments Use shell plugins with multiple accounts Build your own shell plugins --- ## 1Password Shell Plugins # Use 1Password Shell Plugins to securely authenticate any CLI With 1Password Shell Plugins, you can configure 1Password to securely authenticate third-party CLIs with your fingerprint, Apple Watch, or system authentication. Your CLI credentials are stored in your 1Password account, so you never have to manually enter your credentials or store them in plaintext. You can [test shell plugins](/docs/cli/shell-plugins/test/) or choose a shell plugin from the [list below](#get-started) to get started. Shell plugins are compatible with the following shells: - Bash - Zsh - fish ## Get started [_[]_ Akamai](/docs/cli/shell-plugins/akamai/) [_[]_ Argo CD](/docs/cli/shell-plugins/argo-cd/) [_[]_ Axiom](/docs/cli/shell-plugins/axiom) [_[]_ AWS](/docs/cli/shell-plugins/aws/) [_[]_ AWS CDK Toolkit](/docs/cli/shell-plugins/aws-cdk-toolkit/) [_[]_ Binance](/docs/cli/shell-plugins/binance) [_[]_ Cachix](/docs/cli/shell-plugins/cachix/) [_[]_ Cargo](/docs/cli/shell-plugins/cargo/) [_[]_ CircleCI](/docs/cli/shell-plugins/circleci/) [_[]_ Civo](/docs/cli/shell-plugins/civo) [_[]_ Cloudflare Workers](/docs/cli/shell-plugins/cloudflare-workers/) [_[]_ Crowdin](/docs/cli/shell-plugins/crowdin) [_[]_ Databricks](/docs/cli/shell-plugins/databricks/) [_[]_ DigitalOcean](/docs/cli/shell-plugins/digitalocean/) [_[]_ Dogshell](/docs/cli/shell-plugins/datadog/) [_[]_ Fastly](/docs/cli/shell-plugins/fastly/) [_[]_ Flyctl](/docs/cli/shell-plugins/flyctl) [_[]_ FOSSA](/docs/cli/shell-plugins/fossa/) [_[]_ Gitea](/docs/cli/shell-plugins/gitea/) [_[]_ GitHub](/docs/cli/shell-plugins/github/) [_[]_ GitLab](/docs/cli/shell-plugins/gitlab/) [_[]_ HashiCorp Vault](/docs/cli/shell-plugins/hashicorp-vault/) [_[]_ Heroku](/docs/cli/shell-plugins/heroku/) [_[]_ Hetzner Cloud](/docs/cli/shell-plugins/hetzner-cloud/) [_[]_ Homebrew](/docs/cli/shell-plugins/homebrew/) [_[]_ HuggingFace](/docs/cli/shell-plugins/huggingface) [_[]_ InfluxDB](/docs/cli/shell-plugins/influxdb) [_[]_ Kaggle](/docs/cli/shell-plugins/kaggle) [_[]_ Lacework](/docs/cli/shell-plugins/lacework/) [_[]_ Laravel Forge](/docs/cli/shell-plugins/laravel-forge/) [_[]_ Laravel Vapor](/docs/cli/shell-plugins/laravel-vapor/) [_[]_ Linode](/docs/cli/shell-plugins/linode/) [_[]_ LocalStack](/docs/cli/shell-plugins/localstack/) [_[]_ MongoDB Atlas](/docs/cli/shell-plugins/mongodb-atlas) [_[]_ MySQL](/docs/cli/shell-plugins/mysql/) [_[]_ ngrok](/docs/cli/shell-plugins/ngrok/) [_[]_ Oh Dear](/docs/cli/shell-plugins/oh-dear/) [_[]_ Okta](/docs/cli/shell-plugins/okta/) [_[]_ OpenAI](/docs/cli/shell-plugins/openai/) [_[]_ OpenAI Evals](/docs/cli/shell-plugins/openai-evals/) [_[]_ Pipedream](/docs/cli/shell-plugins/pipedream) [_[]_ PostgreSQL](/docs/cli/shell-plugins/postgresql/) [_[]_ Pulumi](/docs/cli/shell-plugins/pulumi/) [_[]_ ReadMe](/docs/cli/shell-plugins/readme/) [_[]_ Sentry](/docs/cli/shell-plugins/sentry/) [_[]_ Snowflake](/docs/cli/shell-plugins/snowflake/) [_[]_ Snyk](/docs/cli/shell-plugins/snyk/) [_[]_ Sourcegraph](/docs/cli/shell-plugins/sourcegraph/) [_[]_ Stripe](/docs/cli/shell-plugins/stripe/) [_[]_ Terraform](/docs/cli/shell-plugins/terraform/) [_[]_ Todoist](/docs/cli/shell-plugins/todoist) [_[]_ Treasure Data](/docs/cli/shell-plugins/treasure-data/) [_[]_ Tugboat](/docs/cli/shell-plugins/tugboat/) [_[]_ Twilio](/docs/cli/shell-plugins/twilio/) [_[]_ Upstash](/docs/cli/shell-plugins/upstash) [_[]_ Vercel](/docs/cli/shell-plugins/vercel/) [_[]_ Vertica](/docs/cli/shell-plugins/vertica) [_[]_ Vultr](/docs/cli/shell-plugins/vultr/) [_[]_ YugabyteDB](/docs/cli/shell-plugins/yugabytedb/) [_[]_ Zapier](/docs/cli/shell-plugins/zapier) [_[]_ Zendesk](/docs/cli/shell-plugins/zendesk/) ## Your favorite tool not listed? Find out how to [build your own plugin](/docs/cli/shell-plugins/contribute/). --- ## Sign in to your 1Password account manually If you don't want to [use the 1Password app to sign in to 1Password CLI](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration), you can manually add and sign in to your accounts in the terminal. :::danger Known security risks If you sign in to 1Password CLI manually, any process running under the current user can, on some platforms, potentially access your 1Password account. We recommend you [use the 1Password app to sign in to 1Password CLI](/docs/cli/app-integration/) because it offers more robust security guarantees. ::: When you sign in manually in the terminal, 1Password CLI stores your session key encrypted on disk and the random wrapper key used in the environment of the current shell. Sessions expire after 30 minutes of inactivity, after which you’ll need to sign in again and save a new token. If you want to immediately terminate your authenticated session, you can run `op signout`. ## Sign in manually ### Step 1: Add an account To manually add a 1Password account to 1Password CLI, use [`op account add`](/docs/cli/reference/management-commands/account/): ```shell op account add ``` 1Password CLI will prompt you to enter your [sign-in address](https://support.1password.com/sign-in-troubleshooting#if-youre-asked-for-a-sign-in-address), email address, [Secret Key](https://support.1password.com/secret-key/), and 1Password account password. :::tip For non-interactive shells in local environments, sign in with the [1Password desktop app integration](/docs/cli/app-integration/) instead. For non-interactive shells in remote environments, authenticate with a [service account](/docs/service-accounts/) or a [Connect server](/docs/connect/). ::: #### Set a custom account shorthand 1Password CLI uses account shorthands to refer to each of the accounts you add. The default shorthand is your [sign-in address](https://support.1password.com/sign-in-troubleshooting#if-youre-asked-for-a-sign-in-address) subdomain (for example, `my` for `my.1password.com`). To set a custom shorthand, include the `--shorthand` flag when you add an account. For example, to add an account with the shorthand `personal`: ```shell op account add --shorthand personal ``` ### Step 2: Sign in If you added your accounts to 1Password CLI manually, you'll need to use the [manual sign-in command](/docs/cli/reference/commands/signin/) to sign in. This command also works with the [app integration](/docs/cli/app-integration) turned on, so you can use it in scripts to provide compatibility for all users regardless of their sign-in method. **Bash, Zsh, sh, fish:** ```shell eval "$(op signin)" ``` **PowerShell:** ```powershell Invoke-Expression "$(op signin)" ``` After you sign in, 1Password CLI creates a session token and sets the `OP_SESSION` environment variable to it. Include the `--raw` flag to get a token you can export manually. Session tokens expire after 30 minutes of inactivity, after which you’ll need to sign in again and save a new token. To sign out, use the command [`op signout`](/docs/cli/reference/commands/signout/). ### Optional: Switch between accounts with the `--account` flag If you've added multiple accounts and are using an interactive terminal, 1Password CLI will prompt you to select the account you want to sign in to. Use the arrow keys to select an account, then press the Return key to sign in. In most shells, you can bypass the prompt to select an account using the `--account` flag with your [account shorthand, sign-in address, or ID](#appendix-find-an-account-shorthand-or-id). This option isn't available in PowerShell. For example: **Bash, Zsh, sh, fish:** ```shell eval "$(op signin --account personal)" ``` To always sign in to the same account, set the `OP_ACCOUNT` environment variable to your [account shorthand, sign-in address, or ID](#appendix-find-an-account-shorthand-or-id). **Bash, Zsh, sh:** ```shell export OP_ACCOUNT=my.1password.com ``` **fish:** ```shell set -x OP_ACCOUNT my.1password.com ``` **PowerShell:** ```powershell $Env:OP_ACCOUNT = "my.1password.com" ``` You can sign in to multiple accounts at the same time, then use the `--account` flag to specify which account should execute each command. If you don't specify an account, 1Password CLI will default to the account you most recently signed in to. For example, to sign in to accounts with the shorthands `personal` and `agilebits`: **Bash, Zsh, sh, fish:** ```shell eval "$(op signin --account personal)" && eval "$(op signin --account agilebits)" ``` **PowerShell:** ```powershell Invoke-Expression "$(op signin --account personal)"; Invoke-Expression "$(op signin --account agilebits)" ``` To run the command `op vault list` in the account with the shorthand `personal`: ```shell op vault list --account personal ``` Then to run the same command in the `agilebits` account: ```shell op vault list --account agilebits ``` You can also [specify a custom shorthand](#set-a-custom-account-shorthand) when you add an account. ## Troubleshooting If you've already [turned on the 1Password app integration](/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration), you'll need to turn it off before you can add an account on the command line. ## Learn more - [Integrate 1Password CLI with the 1Password desktop app](/docs/cli/app-integration/) - [About the security of the 1Password desktop app integration](/docs/cli/app-integration-security/) ## Appendix: Find an account shorthand or ID 1Password CLI uses account shorthands to refer to each of the accounts you've added. To see all the accounts you've added, their shorthands, and account details, run `op account list`. ```shell op account list #code-result SHORTHAND URL EMAIL USER UUID my https://my.1password.com wendy.c.appleseed@gmail.com A10S... agilebits https://agilebits-inc.1password.com wendy_appleseed@agilebits.com ONJ9... ``` You can use the shorthand, sign-in address, or user ID to refer to a specific account in your commands. --- ## Unlock 1Password CLI with Microsoft :::info This feature is only available as part of the [Unlock with Microsoft beta](https://support.1password.com/cs/sso-azure/). ::: If your 1Password administrator has [configured Unlock with SSO](https://support.1password.com/cs/sso-configure-azure/), you can sign in to 1Password CLI with Microsoft. During the beta period, Unlock with SSO will be available only for Microsoft using the OpenID Connect (OIDC) protocol. Additional platforms, identity providers, and protocols will be available in the future. If the 1Password account you sign in to with Microsoft doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in. ## Requirements Before you start, you'll need to: 1. [Join your team](https://support.1password.com/cs/sso-get-started-azure#join-your-team), or [switch to unlock with Microsoft](https://support.1password.com/cs/sso-get-started-azure#switch-to-unlock-with-microsoft). 2. Install the nightly release of 1Password for [Mac](https://support.1password.com/betas/?mac), [Windows](https://support.1password.com/betas/?windows), or [Linux](https://support.1password.com/betas/?linux). 3. Sign in to 1Password for [Mac](https://support.1password.com/cs/sso-sign-in-azure#in-the-apps/), [Windows](https://support.1password.com/cs/sso-sign-in-azure#in-the-apps/), or [Linux](https://support.1password.com/cs/sso-sign-in-azure#in-the-apps/) using Microsoft. 4. Install [the latest Password CLI beta build](/docs/cli/reference#beta-builds). ## Step 1: Connect 1Password CLI with the 1Password app To turn on the app integration and set up 1Password CLI to authenticate with Microsoft: **Mac:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 4. Select **Integrate with 1Password CLI**. 5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Windows:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app. 4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 5. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Linux:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Security](onepassword://settings/security)**. 4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**. 5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 6. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ ## Step 2: Sign in with Microsoft Once the 1Password app integration is turned on, open the terminal and type [`op signin`](/docs/cli/get-started#step-3-enter-any-command-to-sign-in). Use the arrow keys to select your Microsoft-enabled account from the list of all accounts added to your 1Password app. 1Password CLI will prompt you to authenticate. ```shell op signin ``` ```shell {2} Select account [Use arrows to move, type to filter] > ACME Corp (acme.1password.com) AgileBits (agilebits.1password.com) Add another account ``` After you sign in for the first time, 1Password CLI will automatically sign in to your most recently used account. If you want to [sign in to a different account](/docs/cli/use-multiple-accounts/), you can use the `--account` flag or an environment variable. ## Get help If the 1Password account you sign in to with Microsoft doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in. ## Learn more - [About Unlock with Microsoft](https://support.1password.com/cs/sso-azure/) - [Configure Unlock 1Password with Microsoft](https://support.1password.com/cs/sso-configure-azure/) - [Get started with Unlock 1Password with Microsoft](https://support.1password.com/sso-get-started/) - [Sign in to 1Password with Microsoft](https://support.1password.com/cs/sso-sign-in-azure/) - [Link new apps and browsers to unlock with Microsoft](https://support.1password.com/sso-linked-apps-browsers/) - [If you're having trouble unlocking 1Password with SSO](https://support.1password.com/sso-troubleshooting/) --- ## Unlock 1Password CLI with SSO :::info This feature is only available as part of [1Password Unlock with SSO](https://support.1password.com/sso/). ::: If your 1Password administrator has [set up 1Password Unlock with SSO](https://support.1password.com/sso/), you can sign in to 1Password CLI with your identity provider. If the 1Password account you sign in to with SSO doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in. ## Requirements Before you start, you'll need to: 1. [Join your team](https://support.1password.com/sso-get-started#join-your-team), or [switch to unlock with SSO](https://support.1password.com/sso-get-started#switch-to-unlock-with-sso). 2. Install the latest version of 1Password for [Mac](https://1password.com/downloads/mac), [Windows](https://1password.com/downloads/windows), or [Linux](https://1password.com/downloads/linux). 3. Sign in to 1Password for [Mac](https://support.1password.com/sso-sign-in#in-the-apps/), [Windows](https://support.1password.com/sso-sign-in#in-the-apps/), or [Linux](https://support.1password.com/sso-sign-in#in-the-apps/) using SSO. 4. Install [the latest Password CLI build](/docs/cli/get-started/). ## Step 1: Connect 1Password CLI with the 1Password app To turn on the app integration and set up 1Password CLI to authenticate with your identity provider: **Mac:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 4. Select **Integrate with 1Password CLI**. 5. If you want to authenticate 1Password CLI with your fingerprint, turn on **[Touch ID](https://support.1password.com/touch-id-mac/)** in the app. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Windows:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Turn on **[Windows Hello](https://support.1password.com/windows-hello/)** in the app. 4. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 5. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ **Linux:** 1. Open and unlock the [1Password app](https://1password.com/downloads/). 2. Select your account or collection at the top of the sidebar. 3. Navigate to **Settings** > **[Security](onepassword://settings/security)**. 4. Turn on **[Unlock using system authentication](https://support.1password.com/system-authentication-linux/)**. 5. Navigate to **Settings** > **[Developer](onepassword://settings/developers)**. 6. Select **Integrate with 1Password CLI**. _[The 1Password Developer settings pane with the Integrate with 1Password CLI option selected.]_ ## Step 2: Sign in with SSO Once the 1Password app integration is turned on, open the terminal and type [`op signin`](/docs/cli/get-started#step-3-enter-any-command-to-sign-in). Use the arrow keys to select your SSO-enabled account from the list of all accounts added to your 1Password app. 1Password CLI will prompt you to authenticate. ```shell op signin ``` ```shell {2} Select account [Use arrows to move, type to filter] > ACME Corp (acme.1password.com) AgileBits (agilebits.1password.com) Add another account ``` After you sign in for the first time, 1Password CLI will automatically sign in to your most recently used account. If you want to [sign in to a different account](/docs/cli/use-multiple-accounts/), you can use the `--account` flag or an environment variable. ## Get help If the 1Password account you sign in to with SSO doesn't allow biometric unlock, you'll be prompted to allow 1Password CLI access to the 1Password app when you sign in. ## Learn more - [Set up 1Password Unlock with SSO](https://support.1password.com/sso/) - [Get started with 1Password Unlock with SSO](https://support.1password.com/sso-get-started/) - [Sign in to 1Password with SSO](https://support.1password.com/sso-sign-in/) - [Link new apps and browsers to unlock with SSO](https://support.1password.com/sso-linked-apps-browsers/) - [If you're having trouble unlocking 1Password with SSO](https://support.1password.com/sso-troubleshooting/) --- ## Manage SSH keys ## Requirements Before you can use 1Password CLI to manage your SSH keys, you'll need to: - [Sign up for 1Password](https://1password.com/pricing/password-manager). - [Install 1Password CLI](/docs/cli/get-started#step-1-install-1password-cli) (`2.20.0` or later). ## Generate an SSH key You can use [`op item create`](/docs/cli/reference/management-commands/item#item-create) with the `ssh` item category to generate a new SSH key. To import an existing SSH key, [use the 1Password desktop app](/docs/ssh/manage-keys#import-an-ssh-key). ```shell op item create --category ssh --title "My SSH Key" ``` 1Password CLI generates an SSH key and saves it as a new item in your built-in Personal, Private, or Employee vault, then prints the key to stdout with the private key redacted. The item includes the key type, private key, public key, and its fingerprint. By default, 1Password CLI creates an Ed25519 key. To create an RSA key instead, use the `--ssh-generate-key` flag to specify `RSA`. Include the number of bits to specify a custom size: 2048, 3072 or 4096 (default). For example, to generate a 2048-bit RSA key: ```shell op item create --category ssh --title "RSA SSH Key" --ssh-generate-key RSA,2048 ``` ## Get a private key To get an SSH key's private key, use [`op read`](/docs/cli/reference/commands/read/) with a [secret reference](/docs/cli/secret-reference-syntax/) for the item's `private key` field. Include the `ssh-format` query parameter with `openssh` to get the private key in the OpenSSH format. ```shell op read "op://Private/ssh keys/ssh key/private key?ssh-format=openssh" #code-result -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD3rRrf8J ruD0CxZTYfpbTYAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ5B/GnxX6t9jMwQ G7QE7r5daJLkMKTZhNZhWfvzK2y+AAAAkLgQAivYu/+12/YrZhK5keIAZf4ZgsZsZ2JI2q qbx23PqgO93oGy1iCxXe3kngQL4cM6lwOZPsZPKCinkN6KxEr6RnXqFRHJbMpOiGeZhTuD rjeo77HqFdxDqDeckB77XCKL0Ew28H5JlM/WO31XR3Z4VBAgTe+BQLjrFV8WU5UX38hpBJ PMJyRsK72ZUDDaGQ== -----END OPENSSH PRIVATE KEY----- ``` ## Learn more - [Supported SSH key types](/docs/ssh/manage-keys#supported-ssh-key-types) - [Use 1Password for SSH & Git](/docs/ssh/) - [Manage your SSH keys in the 1Password app](/docs/ssh/manage-keys/) - [Sign your Git commits with SSH](/docs/ssh/git-commit-signing/) --- ## Uninstall 1Password CLI :::warning[caution] Make sure you have access to your Secret Key and account password before removing 1Password account information from your device. ::: ## Step 1: Remove your 1Password account information Your 1Password CLI configuration file contains account details for accounts you've signed in to on the command line using your account password and Secret Key. It does not contain information for accounts you've signed in to using the 1Password desktop app integration. Your config file can be found in one of the following locations: `~/.op/config`, `~/.config/op/config`, or `~/.config/.op/config`. To remove all account information from your config file: ```shell op account forget --all ``` ## Step 2: Uninstall 1Password CLI **Mac:** **homebrew:** To uninstall 1Password CLI with homebrew: ```shell brew uninstall 1password-cli ``` **Manual:** To manually uninstall 1Password CLI, run: ```shell rm /usr/local/bin/op ``` **Windows:** **Scoop:** To uninstall 1Password CLI with Scoop: ```powershell scoop uninstall 1password-cli ``` **winget:** To uninstall 1Password CLI with winget: ```powershell winget uninstall 1password-cli ``` **Manual:** To uninstall 1Password CLI on a Windows PC: 1. Open Powershell **as an administrator**. 2. Run the following command: ```shell Remove-Item -Recurse -Force "C:\Program Files\1Password CLI" ``` **Linux:** To uninstall 1Password CLI on Linux, run: ```shell rm /usr/local/bin/op ``` The 1Password CLI directory and all of its contents will be deleted. --- ## Upgrade to 1Password CLI 2 *Learn how to [upgrade to 1Password CLI 2](#step-1-choose-an-upgrade-strategy) from an earlier version, and [update your scripts](#step-2-update-your-scripts) to the new command syntax.* :::warning[1Password CLI 1 is deprecated] 1Password CLI 1 is deprecated as of **October 1, 2024**. Upgrade to 1Password CLI 2 to avoid disruptions with scripts or integrations that use version 1. ::: ### About 1Password CLI 2 We released version 2 of the 1Password CLI in March 2022. Since then, more than 96% of users have adopted the latest version. 1Password CLI 2 includes a number of changes to the schema to make the tool easier to use as well as new features to help you provision secrets. #### New schema 1Password CLI 2 introduces a noun-verb command structure that groups commands by topic rather than by operation. You can find all available topics with `op --help`, and see the commands avaialble for each topic with `op --help`. Topics include: - [vault](/docs/cli/reference/management-commands/vault/) - [item](/docs/cli/reference/management-commands/item/) - [document](/docs/cli/reference/management-commands/document/) - [user](/docs/cli/reference/management-commands/user/) - [group](/docs/cli/reference/management-commands/group/) - [account](/docs/cli/reference/management-commands/account/) - [connect](/docs/cli/reference/management-commands/connect/) - [events-api](/docs/cli/reference/management-commands/events-api/) Other schema changes include: - The default output is now a human-friendly, tabular schema.Learn how to change the default output to JSON. - The JSON output schema now contains more useful information. - Improved stdin processing allows you to chain more commands together. - The new schema uses flags instead of positional arguments. #### Secrets provisioning To help you provision secrets locally, 1Password CLI 2 allows you to load secrets directly from 1Password in environment variables and configuration files. With secrets provisioning, you can replace your plaintext secrets with references to the secrets stored in 1Password and load them at runtime in your scripts, applications, and other workflows. #### Integrate 1Password CLI with the 1Password desktop app You can sign in to 1Password CLI 2 with the accounts you've added to the 1Password desktop app, then authenticate your accounts on the command line with biometrics. #### Shell plugins To simplify and secure your workflow, 1Password CLI 2 introduces shell plugins that allow you to securely authenticate third-party command-line tools using biometrics. #### Package manager installation 1Password CLI 2 supports easier installation with package managers including Apt, Yum, Alpine, and tar. You can [find all changes in the changelog](https://releases.1password.com/developers/cli/). To share feedback with us, [visit the support community forum](https://1password.community/categories/cli-beta). ## Step 1: Choose an upgrade strategy There are multiple ways to upgrade to 1Password CLI 2. You can upgrade immediately or gradually, depending on your workflow and toolchain. ### Upgrade immediately The quickest way to upgrade to 1Password CLI 2 is to overwrite your existing installation. This is a good option if you have a small team who can upgrade their local installations simultaneously. 1. Use `which op` (or `(Get-Command op).Path` on Windows) to get the directory of the current installation. 2. [Download 1Password CLI 2](https://app-updates.agilebits.com/product_history/CLI2) and move `op` to the same directory, overwriting the existing copy. 3. To verify the installation, check the version number: ```shell op --version ``` 4. [Update your scripts to use the 1Password CLI 2 syntax.](#step-2-update-your-scripts) Make sure everyone on your team upgrades to 1Password CLI 2. After you update your scripts, they won't work with earlier versions of 1Password CLI. ### Upgrade gradually If you're not ready to upgrade immediately, you can use Docker to upgrade individual projects or use both versions of 1Password CLI side-by-side. We will continue to support version 1 for one year after version 2 is released. #### Use Docker to upgrade individual projects If you want to upgrade project by project, you can Dockerize your workflow so that each team member uses the version of 1Password CLI in a Docker image for a specific project. This is a good option for large teams, because it doesn't require each team member to update a local installation. 1. [Use the 1Password CLI Docker image](https://hub.docker.com/r/1password/op) or use your own image and [add the CLI](/docs/cli/get-started/). Your Dockerfile should look like this: ``` FROM 1password/op:2 COPY ./your-script.sh /your-script.sh CMD ["/your-script.sh"] ``` 2. After upgrading to 1Password CLI 2, [update your scripts](#step-2-update-your-scripts) to use the new command syntax. This approach also sets you up to move your scripts to headless environments such as CI/CD pipelines. #### Use both versions of 1Password CLI If your scripts depend on the local installation on each team member's machine, and you still want to migrate gradually, this is your best option. Each team member should do the following: 1. Rename the earlier version of 1Password CLI `op1`. 2. Find and replace all occurences of `op` with `op1`. 3. Install [1Password CLI 2](https://app-updates.agilebits.com/product_history/CLI2) inside your `$PATH`. :::warning[caution] For macOS 1Password CLI 2 has to be moved *exactly* to `/usr/local/bin/op`. For Linux, it is recommended to be moved to `/usr/local/bin/op`. ::: 4. [Update your scripts](#step-2-update-your-scripts) one-by-one to use the new `op`. You can continue to use your current scripts with the earlier version of 1Password CLI installed as `op1`. 5. When you've updated all your scripts and are ready to upgrade, uninstall the earlier version of 1Password CLI. 6. Find and replace all occurrences of `op1` in your scripts to `op`. ## Step 2: Update your scripts If you've been using an earlier version of 1Password CLI in scripts, you'll need to update your scripts to the new syntax. After you install 1Password CLI 2, use the following table to update your scripts. It shows all the updated commands and associated changes to arguments or flags. | Old command | CLI 2 command | Notes | | ------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [create vault](/docs/cli/v1/reference#create-vault) | [vault create](/docs/cli/reference/management-commands/vault#vault-create) | | | [get vault](/docs/cli/v1/reference#get-vault) | [vault get](/docs/cli/reference/management-commands/vault#vault-get) | | | [edit vault](/docs/cli/v1/reference#edit-vault) | [vault edit](/docs/cli/reference/management-commands/vault#vault-edit) | `--travel-mode=on/off` flag introduced | | [delete vault](/docs/cli/v1/reference#delete-vault) | [vault delete](/docs/cli/reference/management-commands/vault#vault-delete) | allows piped input when the `-` argument is provided | | [list vaults](/docs/cli/v1/reference#list-vaults) | [vault list](/docs/cli/reference/management-commands/vault#vault-list) | by default, lists vaults you have read access toto see all the vaults you can manage, include `--permission manage` | | [list users -\-vault](/docs/cli/v1/reference#list-users) | [vault user list](/docs/cli/reference/management-commands/vault#vault-user-list) | | [add group](/docs/cli/v1/reference#add-group) | [vault group grant](/docs/cli/reference/management-commands/vault#vault-group-grant) | `--permission` flag must be used to specify the permissions to grantgranting allow_viewing, allow_editing and allow_managing is equivalent to granting all permissions`group` and `vault` arguments changed to `--group` and `--vault` flags | | [remove group](/docs/cli/v1/reference#remove-group) | [vault group revoke](/docs/cli/reference/management-commands/vault#vault-group-revoke) | `--permission` flag must be used to specify the permissions to revokerevoking allow_viewing, allow_editing, and allow_managing is equivalent to revoking all permissions`group` and `vault` arguments changed to `--group` and `--vault` flags | | [add user](/docs/cli/v1/reference#add-user) <user> <vault> | [vault user grant](/docs/cli/reference/management-commands/vault#vault-user-grant) | `--permission` flag must be used to specify the permissions to grantgranting allow_viewing, allow_editing and allow_managing is equivalent to granting all permissions`user` and `vault` arguments changed to `--user` and `--vault` flags | | [remove user](/docs/cli/v1/reference#remove-user) <user> <vault> | [vault user revoke](/docs/cli/reference/management-commands/vault#vault-user-revoke) | `--permission` flag must be used to specify the permissions to revokerevoking allow_viewing, allow_editing and allow_managing is equivalent to revoking all permissions`user` and `vault` arguments changed to `--user` and `--vault` flags | | [signin](/docs/cli/v1/reference#signin) <url> | [account add](/docs/cli/reference/management-commands/account#account-add) | for new accounts/urlsthe password can be piped in if email, address, and secret key are provided via flag | | [signin](/docs/cli/v1/reference#signin) -\-list | [account list](/docs/cli/reference/management-commands/account#account-list) | account list will format its output based on output format selection (JSON vs human readable) | | [forget account](/docs/cli/v1/reference#forget) | [account forget](/docs/cli/reference/management-commands/account#account-forget) | new `-—all` flag for forgetting all accounts | | [get account](/docs/cli/v1/reference#get-account) | [account get](/docs/cli/reference/management-commands/account#account-get) | | | [confirm user](/docs/cli/v1/reference#confirm) | [user confirm](/docs/cli/reference/management-commands/user#user-confirm) | allows piped input when the `-` argument is provided | | [create user](/docs/cli/v1/reference#create-user) | [user provision](/docs/cli/reference/management-commands/user#user-provision) | `email` and `name` arguments changed to `--email` and `--name` flags | | [delete user](/docs/cli/v1/reference#delete-user) | [user delete](/docs/cli/reference/management-commands/user#user-delete) | allows piped input when the `-` argument is provided | | [edit user](/docs/cli/v1/reference#edit-user) | [user edit](/docs/cli/reference/management-commands/user#user-edit) | allows piped input when the `-` argument is provided | | [reactivate user](/docs/cli/v1/reference#reactivate) | [user reactivate](/docs/cli/reference/management-commands/user#user-reactivate) | allows piped input when the `-` argument is provided | | [suspend user](/docs/cli/v1/reference#suspend) | [user suspend](/docs/cli/reference/management-commands/user#user-suspend) | `--deauthorize-devices-after` flag accepts any duration unit, not just seconds | | [list users](/docs/cli/v1/reference#list-users) | [user list](/docs/cli/reference/management-commands/user#user-list) | | | [get user](/docs/cli/v1/reference#get-user) | [user get](/docs/cli/reference/management-commands/user#user-get) | added `-—me` flag to get the currently authenticated user `—publickey` changed to `—public-key` | | [create connect server](/docs/cli/v1/reference#create-connect-server) | [connect server create](/docs/cli/reference/management-commands/connect#connect-server-create) | add `—-server` flag instead of using an argument for specifying the related server | | [delete connect server](/docs/cli/v1/reference#delete-connect-server) | [connect server delete](/docs/cli/reference/management-commands/connect#connect-server-delete) | allows piped input when the `-` argument is provided | | [edit connect server](/docs/cli/v1/reference#edit-connect-server) | [connect server edit](/docs/cli/reference/management-commands/connect#connect-server-edit) | | | [list connect servers](/docs/cli/v1/reference#list-connect-servers) | [connect server list](/docs/cli/reference/management-commands/connect#connect-server-list) | | | - | [connect server get](/docs/cli/reference/management-commands/connect#connect-server-get) | | | [create connect token](/docs/cli/v1/reference#create-connect-token) | [connect token create](/docs/cli/reference/management-commands/connect#connect-token-create) | | | [delete connect token](/docs/cli/v1/reference#delete-connect-token) | [connect token delete](/docs/cli/reference/management-commands/connect#connect-token-delete) | | | [edit connect token](/docs/cli/v1/reference#edit-connect-token) | [connect token edit](/docs/cli/reference/management-commands/connect#connect-token-edit) | argument name changed from `jti` to `token` | | [list connect tokens](/docs/cli/v1/reference#list-connect-tokens) | [connect token list](/docs/cli/reference/management-commands/connect#connect-token-list) | ConnectVault.ACL is now displayed in lowercase_with_underscores | | [add connect server](/docs/cli/v1/reference#add-connect-server) | [connect vault grant](/docs/cli/reference/management-commands/connect#connect-vault-grant) | `server` and `vault` arguments changed to `--server` and `--vault` flags | | [remove connect server](/docs/cli/v1/reference#remove-connect-server) | [connect vault revoke](/docs/cli/reference/management-commands/connect#connect-vault-revoke) | `server` and `vault` arguments changed to `--server` and `--vault` flags | | [manage connect add group](/docs/cli/v1/reference#manage-connect-add) | [connect group grant](/docs/cli/reference/management-commands/connect#connect-group-grant) | `server` and `group` arguments changed to `--server` and `--group` flags | | [manage connect remove group](/docs/cli/v1/reference#manage-connect-remove) | [connect group revoke](/docs/cli/reference/management-commands/connect#connect-group-revoke) | `server` and `group` arguments changed to `--server` and `--group` flags | [create item](/docs/cli/v1/reference#create-item) | [item create](/docs/cli/reference/management-commands/item#item-create) | `--template` flag to specify item template file replaces encode item as an argument`category` argument changed to `--category` flagTemplate JSON format has changed. [Learn more about the new format.](#appendix-json) | | [delete item](/docs/cli/v1/reference#delete-item) | [item delete](/docs/cli/reference/management-commands/item#item-delete) | allows piped input when the `-` argument is provided | | [edit item](/docs/cli/v1/reference#edit-item) | [item edit](/docs/cli/reference/management-commands/item#item-edit) | new `--tags`, `--title`, `--url` flags | | [get item](/docs/cli/v1/reference#get-item) | [item get](/docs/cli/reference/management-commands/item#item-get) | | | [list items](/docs/cli/v1/reference#list-items) | [item list](/docs/cli/reference/management-commands/item#item-list) | | | [list templates](/docs/cli/v1/reference#list-templates) | [item template list](/docs/cli/reference/management-commands/item#item-template-list) | | | [get template](/docs/cli/v1/reference#get-template) | [item template get](/docs/cli/reference/management-commands/item#item-template-get) | | | [create group](/docs/cli/v1/reference#create-group) | [group create](/docs/cli/reference/management-commands/group#group-create) | | | [delete group](/docs/cli/v1/reference#delete-group) | [group delete](/docs/cli/reference/management-commands/group#group-delete) | allows piped input when the `-` argument is provided | | [edit group](/docs/cli/v1/reference#edit-group) | [group edit](/docs/cli/reference/management-commands/group#group-edit) | allows piped input when the `-` argument is provided | | [list groups](/docs/cli/v1/reference#list-groups) | [group list](/docs/cli/reference/management-commands/group#group-list) | | | [get group](/docs/cli/v1/reference#get-group) | [group get](/docs/cli/reference/management-commands/group#group-get) | | | [add user](/docs/cli/v1/reference#add-user) <user> <group> | [group user grant](/docs/cli/reference/management-commands/group#group-user-grant) | `user` and `group` arguments changed to `--user` and `--group` flags | | [remove user](/docs/cli/v1/reference#remove-user) <user> <group> | [group user revoke](/docs/cli/reference/management-commands/group#group-user-revoke) | `user` and `group` args changed to `--user` and `--group` flags | | [op list users --group <group>](/docs/cli/v1/reference#list-users) | [group user list](/docs/cli/reference/management-commands/group#group-user-list) | op list users `--group GROUP` still works | | [delete trash](/docs/cli/v1/reference#delete-trash) | - | deprecated | | [create document](/docs/cli/v1/reference#create-document) | [document create](/docs/cli/reference/management-commands/document#document-create) | `--filename` flag changed to `--file-name` flag | | [edit document](/docs/cli/v1/reference#edit-document) | [document edit](/docs/cli/reference/management-commands/document#document-edit) | `--filename` flag changed to `--file-name` flag | | [list documents](/docs/cli/v1/reference#list-documents) | [document list](/docs/cli/reference/management-commands/document#document-list) | | | [get document](/docs/cli/v1/reference#get-document) | [document get](/docs/cli/reference/management-commands/document#document-get) | | | [delete document](/docs/cli/v1/reference#delete-document) | [document delete](/docs/cli/reference/management-commands/document#document-delete) | | | [create integration events-api](/docs/cli/v1/reference#create-integration-events-api) | [events-api create](/docs/cli/reference/management-commands/events-api#events-api-create) | | | [list events](/docs/cli/v1/reference#list-events) | - | Use [1Password Events API](/docs/events-api/) instead. | | [encode](/docs/cli/v1/reference#encode) | - | deprecated, use `create item --template=file.json` instead | | [get totp](/docs/cli/v1/reference#get-totp) | [item get --otp](/docs/cli/reference/management-commands/item#item-get) | | ## Appendix: Change default output to JSON {#json-default} The default output format for 1Password CLI 2 is a human-readable, tabular schema. You can change the default to machine-readable JSON in two ways: - For a single command, include the `--format json` flag with your command. For example, `op item get --format json`. - To always default to JSON, set the `$OP_FORMAT` environment variable to `json`. ## Appendix: Item JSON template {#appendix-json} You can expect to see several formatting improvements and field name changes in 1Password CLI 2 [item JSON templates](/docs/cli/item-template-json/). **Old template** ```json { "fields": [ { "designation": "username", "name": "username", "type": "T", "value": "" }, { "designation": "password", "name": "password", "type": "P", "value": "" } ], "notesPlain": "", "passwordHistory": [], "sections": [] } ``` **New template** ```json { "title": "", "category": "LOGIN", "fields": [ { "id": "username", "type": "STRING", "purpose": "USERNAME", "label": "username", "value": "" }, { "id": "password", "type": "CONCEALED", "purpose": "PASSWORD", "label": "password", "value": "" }, { "id": "notesPlain", "type": "STRING", "purpose": "NOTES", "label": "notesPlain", "value": "" } ] } ``` This is how 1Password CLI 1 template fields correspond to 1Password CLI 2: **Item** | 1Password CLI 1 | 1Password CLI 2 | Notes | | --------------- | --------------- | ----------------------------------- | | `uuid` | | | | `templateUuid` | `category` | | | `details` | - | replaced by `sections` and `fields` | **Section** | 1Password CLI 1 | 1Password CLI 2 | Notes | | --------------- | --------------- | ---------------- | | `name` | `id` | | | `title` | `label` | | | `fields` | - | moved separately | **Field** | 1Password CLI 1 | 1Password CLI 2 | | --------------- | --------------- | | `n` | `id` | | `k` | `type` | | `t` | `label` | | `v` | `value` | | - | `section` | ## Get help If you need help upgrading to 1Password CLI 2, [contact 1Password Support](mailto:integrations@1password.com) or join our [Developer Slack workspace](https://developer.1password.com/joinslack) and ask a question in the `#cli` channel. ## Learn more - [Get started with 1Password CLI 2](/docs/cli/get-started/) - [1Password CLI 2 release notes](https://releases.1password.com/developers/cli/) --- ## 1Password CLI use cases # Use cases 1Password CLI allows you to securely provision secrets in development environments, use scripts to manage items and provision team members at scale, and authenticate with biometrics in the terminal. ## Eliminate plaintext secrets in code{#secrets} _[An item open in the 1Password app with the option to copy a secret reference selected.]_ With 1Password CLI, you can store secrets securely in your 1Password vaults then use [secret references](/docs/cli/secret-references/) to load them into [environment variables](/docs/cli/secrets-environment-variables/), [configuration files](/docs/cli/secrets-config-files/), and [scripts](/docs/cli/secrets-scripts/) without putting any plaintext secrets in code. Secret references are dynamic – if you update your credentials in 1Password, the changes will be reflected in your scripts without needing to update the script directly. You can also [use variables within secret references](/docs/cli/secret-reference-syntax#externally-set-variables) to pass different sets of secrets for different environments using the same file. For example, you can use a secret reference in place of your plaintext GitHub Personal Access Token in a `github.env` file: _[An environment file using a plaintext secret and the same file using a secret reference.]_ Then use [`op run`](/docs/cli/reference/commands/run/) to pass the file with the token provisioned from 1Password to your application or script when you need it. The script will run with the token provisioned, without the token ever appearing in plaintext. Learn more - [Get started with secret references](/docs/cli/secret-references/) - [Load secrets into the environment](/docs/cli/secrets-environment-variables/) - [Load secrets into config files](/docs/cli/secrets-config-files/) - [Load secrets into scripts](/docs/cli/secrets-scripts/) ## Automate administrative tasks{#automate} _[1password.com open to show the people who have access to a vault alongside a terminal window displaying the same information.]_ With 1Password CLI, IT administrators can set up scripts to automate common tasks, like [provisioning users](/docs/cli/provision-users/), [managing permissions](/docs/cli/grant-revoke-vault-permissions/), [managing items](/docs/cli/reference/management-commands/item/), and generating custom reports. For example, this script will loop through each vault the person who runs the script has access to and provide: - the vault name - the number of items in the vault - the last time the vault's contents were updated - the users and groups that have access to the vault along with their permissions ```bash title="vault_details.sh" #!/usr/bin/env bash for vault in $(op vault list --format=json | jq --raw-output '.[] .id') do echo "" echo "Vault Details" op vault get $vault --format=json | jq -r '.|{name, items, updated_at}' sleep 1 echo "" echo "Users" op vault user list $vault sleep 1 echo "" echo "Groups" op vault group list $vault sleep 1 echo "" echo "End of Vault Details" sleep 2 clear echo "" echo "" done ``` Learn more See our [repository of example 1Password CLI scripts](https://github.com/1Password/solutions) for inspiration for your own projects. You'll find scripts that can help you: - [Provision new users from a CSV](https://github.com/1Password/solutions/tree/main/1password/scripted-provisioning/) - [Audit or manage existing users](https://github.com/1Password/solutions/tree/main/1password/user-management/) - [Manage your vaults and groups](https://github.com/1Password/solutions/tree/main/1password/account-management/) - [Create, update, and share items](https://github.com/1Password/solutions/tree/main/1password/item-management/) To learn more about how to accomplish these tasks with 1Password CLI, see the following guides: - [Create items](/docs/cli/item-create/) - [Add and remove team members](/docs/cli/provision-users/) - [Grant and revoke vault permissions](/docs/cli/grant-revoke-vault-permissions/) ## Sign in to any CLI with your fingerprint{#shell-plugins} With our [shell plugin ecosystem](/docs/cli/shell-plugins/), you can use 1Password to securely authenticate all your command-line tools. Store your CLI access credentials in your 1Password vaults then sign in to your CLIs with your fingerprint instead of entering your credentials manually or storing them in an unencrypted format on your computer. Shell plugins unlock the ability to securely share credentials between team members. Store a token in a shared 1Password vault, and all people with access to the vault will be able to sign in with them. And you can use shell plugins across [multiple environments](/docs/cli/shell-plugins/environments/), so you don't have to spend time signing in and out between projects. For example, the [ngrok shell plugin](/docs/cli/shell-plugins/ngrok/) can securely tunnel the local app to the internet for a web development project running on your computer. The ngrok authtoken is not stored anywhere on the computer. When the ngrok CLI is run, the shell plugin provisions the authtoken as an environment variable for the ngrok binary to consume, and when the process exits, the environment variable is cleared. Learn more Get started with one of our most popular shell plugins: [_[]_ GitHub](/docs/cli/shell-plugins/github/) [_[]_ AWS](/docs/cli/shell-plugins/aws/) [_[]_ Homebrew](/docs/cli/shell-plugins/homebrew/) [_[]_ GitLab](/docs/cli/shell-plugins/gitlab/) [_[]_ OpenAI](/docs/cli/shell-plugins/openai/) [_[]_ postgresql](/docs/cli/shell-plugins/postgresql/) [_[]_ Terraform](/docs/cli/shell-plugins/terraform/) [_[]_ DigitalOcean](/docs/cli/shell-plugins/digitalocean/) [_[]_ Heroku](/docs/cli/shell-plugins/heroku/) [_[]_ ngrok](/docs/cli/shell-plugins/ngrok/) [_[]_ CircleCI](/docs/cli/shell-plugins/circleci/) [_[]_ Vault](/docs/cli/shell-plugins/hashicorp-vault/) Or choose a plugin from [our library of more than 40 command-line tools](/docs/cli/shell-plugins/) to get started with. If the tool you want to use isn't supported yet, you can [build your own plugin](/docs/cli/shell-plugins/contribute/). You can also: - [Test shell plugins](/docs/cli/shell-plugins/test/) - [Use shell plugins to switch between environments](/docs/cli/shell-plugins/environments/) - [Use shell plugins with multiple accounts](/docs/cli/shell-plugins/multiple-accounts/) --- ## Use 1Password CLI with multiple accounts # Use multiple 1Password accounts with 1Password CLI When you [use the 1Password desktop app integration to sign in to 1Password CLI](/docs/cli/app-integration/), you can access any 1Password account you've added to the app on the command line. By default, all 1Password CLI commands are executed with the account you most recently signed in to, unless an account is specified with the [`--account` flag](#specify-an-account-per-command-with-the---account-flag). ## Choose an account to sign in to with `op signin` To choose an account to sign in to, run [`op signin`](/docs/cli/reference/commands/signin/) and select the account you want to sign in to from the list of accounts added to your 1Password app. ```shell {2} op signin #code-result Select account [Use arrows to move, type to filter] > ACME Corp (acme.1password.com) AgileBits (agilebits.1password.com) Add another account ``` If you don't see the account you want to use, you may need to [add it to the 1Password app](https://support.1password.com/add-account/). ## Specify an account per command with the `--account` flag You can execute a command with a specific account by including the `--account` flag along with the account's [sign-in address (with or without https://) or ID](#find-an-account-sign-in-address-or-id). For example, to get a list of all vaults in an account with the sign-in address `my.1password.com`: ```shell op vault ls --account my.1password.com ``` You can use the `--account` flag to specify different accounts in scripts. For example: ```shell PASSWORD_1="$(op read --account agilebits-inc.1password.com op://my-vault/some-item/password)" PASSWORD_2="$(op read --account acme.1password.com op://other-vault/other-item/password)" ``` ## Set an account with the `OP_ACCOUNT` environment variable If you only want to sign in to a specific account, set the `OP_ACCOUNT` environment variable to the account's [sign-in address or ID](#find-an-account-sign-in-address-or-id). You can also use this to specify an account in scripts. **Bash, Zsh, sh:** ```shell export OP_ACCOUNT=my.1password.com ``` **fish:** ```shell set -x OP_ACCOUNT my.1password.com ``` **PowerShell:** ```powershell $Env:OP_ACCOUNT = "my.1password.com" ``` ## Find an account sign-in address or ID To find details about all the accounts you've added to the 1Password app, run `op account list`. ```shell op account list #code-result $ op account list URL EMAIL USER ID my.1password.com wendy.c.appleseed@gmail.com JDFU... agilebits-inc.1password.com wendy_appleseed@agilebits.com ASDU... ``` You can use the sign-in address listed under `URL` or the unique identifier listed under `USER ID` to refer to the account. ## Learn more - [Use the 1Password desktop app to sign in to 1Password CLI](/docs/cli/app-integration/) --- ## User states When you fetch information about users with [`op user list`](/docs/cli/reference/management-commands/user#user-list) or [`op user get`](/docs/cli/reference/management-commands/user#user-get), 1Password CLI returns each person's current account state. | User state | Description | | ------------------ | ------------------------------------------------------------ | | `ACTIVE` | The user is active. | | `RECOVERY_STARTED` | [Account recovery](/docs/cli/recover-users) has been started for the user. | | `RECOVERY_ACCEPTED` | The user has created their new account password and is waiting to be [confirmed again by an administrator](https://support.1password.com/recovery#complete-recovery). | | `SUSPENDED` | The user is suspended. | | `TRANSFER_STARTED` | The user has been provisioned, but hasn't set up their account. | | `TRANSFER_SUSPENDED` | The user was provisioned and didn't set up their account before they were deprovisioned. | --- ## Get started with 1Password CLI 1 :::warning[Upgrade to 1Password CLI 2] 1Password CLI 1 is deprecated as of **October 1, 2024**. Scripts and integrations that use version 1 will no longer work as expected. [Upgrade to 1Password CLI 2](/docs/cli/upgrade/) to maintain uninterrupted access and compatibility with the latest features. ::: The first time you sign in to a 1Password account with 1Password CLI, you'll need your [sign-in address](https://support.1password.com/sign-in-troubleshooting#if-youre-asked-for-a-sign-in-address), [Secret Key](https://support.1password.com/secret-key/), email address, and account password. Your sign-in address is the URL you use to sign in to your account on 1Password.com (`my.1password.com` in this example). The subdomain for your sign-in address (`my` in this example) will be the shorthand 1Password CLI uses to refer to your account. To specify a custom shorthand, use `--shorthand ` on your first sign-in. To sign in to an account for the first time: 1. Use `op signin` with your sign-in address and email address: ```shell op signin my.1password.com wendy_appleseed@example.com ``` 2. Enter your [Secret Key](https://support.1password.com/secret-key/), then enter your account password. 3. Use the `eval` (Mac, Linux) or `Invoke-Expression` (Windows) command returned by the tool to save your session token to an environment variable automatically. Or run the `export` command to set it manually. On Mac and Linux: ```shell eval $(op signin my) ``` On Windows: ```shell Invoke-Expression $(op signin my) ``` The `eval` and `Invoke-Expression` commands use your account shorthand as an argument to specify which account to sign in to. In the example above, the shorthand `my` refers to `my.1password.com`. Now that you have a session token, you can start using 1Password CLI. Session tokens expire after 30 minutes of inactivity, after which you'll need to sign in again and save a new token. After the first time you sign in to an account, you can use a shorter command to sign in again: ```shell op signin ``` If you've added multiple accounts to 1Password CLI, you can choose which account to sign in to by specifying the shorthand. For example: ```shell op signin my ``` If no shorthand is provided, 1Password CLI will default to the most recently used account. To see all of the accounts you've previously authenticated and their shorthands: ```shell op signin --list ``` ## Learn more You can use 1Password CLI to work with users, vaults, and items. For example, here's how to upload a document to your Private vault: ```shell op create document readme.txt --vault Private ``` To see a list of all the items in your Shared vault: ```shell op list items --vault Shared ``` The output will show the [UUIDs](https://en.wikipedia.org/wiki/Universally_unique_identifier) of the items. To get the details of an item: ```shell op get item WestJet ``` You can use names or UUIDs in commands that take any user, vault, or item as an argument. Use UUIDs because they'll never change, so you can be sure you're always referring to the same object. It's also faster and more efficient. ```shell op get item nqikpd2bdjae3lmizdajy2rf6e ``` You can get details of just the fields you want. For one field, 1Password CLI returns a simple string: ```shell op get item nqikpd2bdjae3lmizdajy2rf6e --fields password 5ra3jOwnUsXVjx5GL@FX2d7iZClrrQDc ``` For multiple fields, specify them in a comma-separated list. 1Password CLI returns a JSON object: ```shell op get item nqikpd2bdjae3lmizdajy2rf6e --fields username,password {"username": "wendy_appleseed", "password": "5ra3jOwnUsXVjx5GL@FX2d7iZClrrQDc"} ``` ## Parse and manipulate JSON output with jq Every `op` command outputs in one of two formats: a simple string, like a [UUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), or JSON. To parse and manipulate JSON output, we recommend the [command-line tool jq](https://stedolan.github.io/jq). To use jq to parse a Login item called "WestJet" and retrieve the password: ```shell op get item WestJet | jq '.details.fields[] | select(.designation=="password").value' ``` To use jq to manipulate a Login item template, set the username value to "wendy", and save the item in your Private vault: On Mac and Linux: ```shell umask 077 # Prevent others from reading your template file ``` ```shell op get template login | \ jq '(.fields[] | select(.designation == "username")).value = "wendy"' > login.json op create item login --template login.json --title "My New Item" rm login.json ``` On Windows: ```shell cd "$HOME" # Prevent others from reading your template file ``` ```shell op get template login | \ jq '(.fields[] | select(.designation == "username")).value = "wendy"' > login.json op create item login --template login.json --title "My New Item" rm login.json ``` [Learn more about jq.](https://stedolan.github.io/jq/tutorial/) ## Get help To check for updates to 1Password CLI: ```shell op update ``` If a newer version is available, 1Password CLI can download it for you. You can see a list of all commands with `op --help`, or learn about a specific commands with `op --help`. --- ## 1Password CLI 1 reference :::warning[Upgrade to 1Password CLI 2] 1Password CLI 1 is deprecated as of **October 1, 2024**. Scripts and integrations that use version 1 will no longer work as expected. [Upgrade to 1Password CLI 2](/docs/cli/upgrade/) to maintain uninterrupted access and compatibility with the latest features. ::: Sign in to an account to get started. Run `op signin --help` to learn more. ### How to specify objects You can specify all objects by name or UUID. You can also specify some objects by other attributes: - **Items**: item link - **Login or Password items**: domain name - **Users**: email address When you specify an item by name or domain, there may be more than one item that matches. To be more specific, use the `--vault` option to only look in one vault at a time, or use a unique ID (UUID) instead. Looking up an item (such as a Connect server or vault) by ID is more efficient than using the name. ### Cache item and vault information 1Password CLI can use its daemon process to cache items, vault information, and the keys to access information in an account. To use the cache, use the `--cache` option with a command. When working with items, the cache is most effective after it has a list of the items in a vault. The daemon stores encrypted information in memory using the same encryption methods as on 1Password.com. It can read the information to pass to 1Password CLI but can’t decrypt it. 1Password CLI starts the daemon automatically and it terminates itself after 24 hours of inactivity. ### Use alternative character encoding By default, 1Password CLI processes input and output with UTF-8 encoding. You can use an alternative character encoding with the `--encoding` option. Supported alternative character encoding types: - `gbk` - `shift-jis` ### Commands - [add](#add): Grant access to groups or vaults - [completion](#completion): Generate shell completion information - [confirm](#confirm): Confirm a user - [create](#create): Create an object - [delete](#delete): Remove an object - [edit](#edit): Edit an object - [encode](#encode): Encode the JSON needed to create an item - [forget](#forget): Remove a 1Password account from this device - [get](#get): Get details about an object - [list](#list): List objects and events - [manage](#manage): Manage group access to 1Password integrations - [reactivate](#reactivate): Reactivate a suspended user - [remove](#remove): Revoke access to groups or vaults - [signin](#signin): Sign in to a 1Password account - [signout](#signout): Sign out of a 1Password account - [suspend](#suspend): Suspend a user - [update](#update): Check for and download updates ### Usage ```shell op [command] [options] ``` ### Global options ``` --account shorthand use the account with this shorthand --cache store and use cached information --config directory use this configuration directory -h, --help get help with a command --session token authenticate with this session token ``` ### Get help For help with any command, use the `--help` option: ```shell op [subcommand] --help ``` - - - - - - - - - - - - - - - - - - ## *add* ### Subcommands {#add-subcommands} - [add connect](#add-connect): Grant access to vaults to 1Password Secrets Automation - [add group](#add-group): Grant a group access to a vault - [add user](#add-user): Grant a user access to a vault or group ### Related commands {#add-related-commands} - [edit](#edit): Edit an object - [remove](#remove): Revoke access to groups or vaults ## *add connect* ### Subcommands {#add-connect-subcommands} - [add connect server](#add-connect-server): Grant a Connect server access to a vault ## *add connect server* Grant a Connect server access to a vault. ```shell op add connect server [flags] ``` ### Related commands {#add-connect-server-related-commands} - [create connect token](#create-connect-token): Issue a token for a 1Password Connect server ## *add group* Grant a group access to a vault. ```shell op add group [flags] ``` ## *add user* Grant a user access to a vault or group. ```shell op add user [ | ] [flags] ``` ### Options for add user ``` --role role set the user's role in a group (member or manager) (default "member") ``` ## *completion* Generate shell completion information for 1Password CLI. ```shell op completion [flags] ``` ### How completion works If you use Bash or Zsh, you can add shell completion for 1Password CLI. With completions loaded, after you start typing an `op` command, press Tab to see available commands and options. #### Load shell completion information for Bash To always load the completion information for Bash, add this to your `.bashrc` file: ```shell source <(op completion bash) ``` To use shell completion in Bash, you’ll need the `bash-completion` package. #### Load shell completion information for Zsh To always load the completion information for Zsh, add this to your `.zshrc` file: ```shell eval "$(op completion zsh)"; compdef _op op ``` ## *confirm* Confirm users. ```shell op confirm [ | --all] ``` ### Options for confirm ``` --all confirm all unconfirmed users ``` ### Related commands {#confirm-related-commands} - [create user](#create-user): Create a user ## *create* ### Subcommands {#create-subcommands} - [create connect](#create-connect): Create 1Password Connect servers and tokens - [create document](#create-document): Create a document - [create group](#create-group): Create a group - [create integration](#create-integration): Create an integration - [create item](#create-item): Create an item - [create user](#create-user): Create a user - [create vault](#create-vault): Create a vault ## *create connect* ### Subcommands {#create-connect-subcommands} - [create connect server](#create-connect-server): Set up a 1Password Connect server - [create connect token](#create-connect-token): Issue a token for a 1Password Connect server ## *create connect server* Add a 1Password Connect server to your account and generate a credentials file for it. ```shell op create connect server [flags] ``` ### Options for create connect server ``` --vaults vaults grant the Connect server access to these vaults ``` ### How create connect server works The `1password-credentials.json` file is saved in the current directory. ### Related commands {#create-connect-server-related-commands} - [create connect token](#create-connect-token): Issue a token for a 1Password Connect server - [manage connect add](#manage-connect-add): Grant access to manage Secrets Automation - [manage connect remove](#manage-connect-remove): Revoke access to manage Secrets Automation ## *create connect token* Issue a new token for an Connect server. ```shell op create connect token [flags] ``` ### Options for create connect token ``` --expires-in duration set how the long token is valid for --vault vault grant access to this vault ``` ### How create connect token works Returns a token. You can only grant a token access to a vault that the server has access to and only the permissions the server has for it. By default, the `--vault` option grants the same permissions as the server. You can further limit the permissions a token has to read-only or write-only by adding a comma and `r` or `w` after the vault specification. For example: ```shell op create connect token "Dev" "Dev k8s token" --vault Kubernetes,r op create connect token "Prod" "Prod: Customer details" --vault Customers,w ``` ### Related commands {#create-connect-token-related-commands} - [manage connect add](#manage-connect-add): Grant access to manage Secrets Automation - [manage connect remove](#manage-connect-remove): Revoke access to manage Secrets Automation ## *create document* Create a document. ```shell op create document [flags] ``` ### Options for create document ``` --filename name set the file's name --tags tags add one or more tags (comma-separated) to the item --title title set the item's title --vault vault save the document in this vault ``` ### How create document works When you create a document, a JSON object containing its UUID is returned. The document is saved to the Private or Personal vault unless you specify another with the `--vault` option. #### Create a file from standard input To create the file contents from standard input (`stdin`), enter a hyphen (`-`) instead of a path. You can use the `--filename` option to change the name of the file. ### Examples for create document Create a document from standard input: ```shell cat auth.log.* | op create document - --title "Authlogs 2020-06" --file-name "auth.log.2020.06" ``` ## *create group* Create a group. ```shell op create group [flags] ``` ### Options for create group ``` --description description set the group's description ``` ### How create group works When you create a group, a JSON object containing its UUID is returned. ## *create integration* ### Subcommands {#create-integration-subcommands} - [create integration events-api](#create-integration-events-api): Create an Events API integration ## *create integration events-api* Create an Events API integration token. Print the Events API integration token when successful. ```shell op create integration events-api [flags] ``` ### Options for create integration events-api ``` --expires-in duration set how the long the integration token is valid for --features features set the comma-sepparated list of features the integration token can be used for. Options: `signinattempts`, `itemusages` ``` ## create item Create an item. ```shell op create item { --template | [...] | } [flags] ``` ### Options for create item ``` --generate-password[=recipe] give the item a randomly generated password --tags tags add one or more tags (comma-separated) to the item --template string specify the filepath to read an item template from --title title set the item's title --url URL set the URL associated with the item --vault vault save the item in this vault ``` ### How create item works Create an item using assignment statements or with a 1Password JSON object template. When you create an item, a JSON object containing its UUID is returned. The item is saved to the Private or Personal vault unless you specify another with the `--vault` option. #### Create an item with assignment statements Use an assignment statement to set a field's value: ``` [
.]= ``` You can omit spaces when you specify the section or field name. You can also refer to the field by its JSON short name (`name` or `n`). ``` phonetollfree=012066188656 ``` The section is optional unless multiple sections have a field with the same name. ``` testingserver.address=db.local.1password.com developmentserver.address=db.dev.1password.com ``` You can't make a new custom section using an assignment statement. :::important Note If you can't trust other users or processes on your system, use `op create item --template=file.json` instead. ::: #### Generate a password Use the `--generate-password` option to generate and set a random password for a Login or Password item. By default, it will create a 32-character password made up of letters, numbers, and symbols. You can customize the password with a password recipe. Specify the password length and which character types to use in a comma-separated list. Ingredients are: - `letters` for uppercase and lowercase letters - `digits` for numbers - `symbols` for special characters (`!@.-_*`) - `1`-`64` for password length #### Create an item with a template If you want to create an item with custom sections or fields, use a JSON object template. Download and edit a template for the category of item you want to create. Run `op help get template` for a list of template categories. To create an item using a template: 1. Get a template for the category of item you want to create, and save it to a file: ```shell op get template "Login" > login.json ``` 2. Edit the template to add your information. 3. Create the item from the template file: ```shell op create item --template=login.json Login ``` 4. When you’re finished, remove the template file. You can use a tool like [jq](https://stedolan.github.io/jq/) to reformat JSON to make it easier to read. If you were using `op encode` previously when creating items, upgrade to the more secure `create item --template=file.json`. It skips the need to encode the file. If you use both a template and assignment statements in the same command, the assignment statements overwrite the template's values. ### Related commands {#create-item-related-commands} - [encode](#encode): Encode the JSON needed to create an item - [get template](#get-template): Get an item template - [list templates](#list-templates): Get a list of templates ## *create user* Create a new user. ```shell op create user [flags] ``` ### Options for create user ``` --language language set the user's account language (default "en") ``` ### Related commands {#create-user-related-commands} - [confirm](#confirm): Confirm a user ## *create vault* Create a new vault. ```shell op create vault [flags] ``` ### Options for create vault ```shell --allow-admins-to-manage true|false set whether admins can manage vault access --description description set the vault's description --icon string set the vault icon ``` ### How create vault works Valid icon keywords are: - airplane - application - art-supplies - bankers-box - brown-briefcase - brown-gate - buildings - cabin - castle - circle-of-dots - coffee - color-wheel - curtained-window - document - doughnut - fence - galaxy - gears - globe - green-backpack - green-gem - handshake - heart-with-monitor - house - id-card - jet - large-ship - luggage - plant - porthole - puzzle - rainbow - record - round-door - sandals - scales - screwdriver - shop - tall-window - treasure-chest - vault-door - vehicle - wallet - wrench ## *delete* ### Subcommands {#delete-subcommands} - [delete connect](#delete-connect): Remove 1Password Connect servers and tokens - [delete document](#delete-document): Delete or archive a Document - [delete group](#delete-group): Remove a group - [delete item](#delete-item): Delete or archive an item - [delete trash](#delete-trash): Delete trash - [delete user](#delete-user): Completely remove a user - [delete vault](#delete-vault): Remove a vault ## *delete connect* ### Subcommands {#delete-connect-subcommands} - [delete connect server](#delete-connect-server): Remove a 1Password Connect server - [delete connect token](#delete-connect-token): Revoke a token for a Connect server ## *delete connect server* Remove a 1Password Connect server. ```shell op delete connect server [flags] ``` ### How delete connect server works The credentials file and all the tokens for the server will no longer be valid. ## *delete connect token* Revoke a token for a Connect server. ```shell op delete connect token [flags] ``` ### Options for delete connect token ``` --server string only look for tokens for this 1Password Connect server ``` ### Related commands {#delete-connect-token-related-commands} - [create connect token](#create-connect-token): Issue a token for a 1Password Connect server ## *delete document* Permanently delete a document. Use the `--archive` option to move it to the Archive instead. ```shell op delete document [flags] ``` ### Options for delete document ``` --archive move the document to the Archive --vault vault look for the document in this vault ``` ### How delete document works #### Specify items on standard input The command treats each line of information on standard input (`stdin`) as an object specifier. Run `op help` to learn more about how to specify objects. The input can also be a list or array of JSON objects. The command will get an item for any object that has a UUID key. This is useful for passing information from one `op` command to another. ### Examples for delete document Permanently delete a document: ```shell op delete document "2019 Contracts" ``` Move a document to the Archive: ```shell op delete document "2019 Contracts" --archive ``` ## *delete group* Remove a group. ```shell op delete group [flags] ``` ## *delete item* Permanently delete an item. Use the `--archive` option to move it to the Archive instead. ```shell op delete item [flags] ``` ### Options for delete item ```shell --archive move the item to the Archive --vault vault look for the item in this vault ``` ### How delete item works #### Specify items on standard input The command treats each line of information on standard input (`stdin`) as an object specifier. Run `op help` to learn more about how to specify objects. The input can also be a list or array of JSON objects. The command will get an item for any object that has a UUID key. This is useful for passing information from one `op` command to another. ### Examples for delete item Permanently delete an item: ```shell op delete item "Defunct Login" ``` Move an item to the Archive: ```shell op delete item "Defunct Login" --archive ``` ## *delete trash* You can permanently delete an item with `op delete ` or to move it to the Archive, use `op delete item --archive `. ## *delete user* Remove a user and all their data from the account. ```shell op delete user [flags] ``` ## *delete vault* Remove a vault. ```shell op delete vault [flags] ``` ## *edit* ### Subcommands {#edit-subcommands} - [edit connect](#edit-connect): Edit 1Password Connect servers and tokens - [edit document](#edit-document): Edit a document - [edit group](#edit-group): Edit a group's name or description - [edit item](#edit-item): Edit an item's details - [edit user](#edit-user): Edit a user's name or Travel Mode status - [edit vault](#edit-vault): Edit a vault's metadata ### Related commands {#edit-related-commands} - [add](#add): Grant access to groups or vaults ## *edit connect* ### Subcommands {#edit-connect-subcommands} - [edit connect server](#edit-connect-server): Rename a Connect server - [edit connect token](#edit-connect-token): Rename a Connect token ## *edit connect server* Rename a Connect server. ```shell op edit connect server [flags] ``` ### Options for edit connect server ``` --name name change the server's name ``` ### Related commands {#edit-connect-server-related-commands} - [list connect servers](#list-connect-servers): Get a list of 1Password Connect servers ## *edit connect token* Rename a Connect token. ```shell op edit connect token [flags] ``` ### Options for edit connect token ``` --name name change the tokens's name --server string only look for tokens for this 1Password Connect server ``` ### Related commands {#edit-connect-token-related-commands} - [list connect tokens](#list-connect-tokens): Get a list of tokens ## *edit document* Update a document. ```shell op edit document [flags] ``` ### Options for edit document ``` --filename name set the file's name --tags tags add one or more tags (comma-separated) to the item --title title set the item's title --vault vault look up document in this vault ``` ### How edit document works Replace the file contents of a Document item with the provided file or with the information on standard input (`stdin`). #### Update a file from standard input To update the file contents from standard input (`stdin`), enter a hyphen (`-`) instead of a path. You can use the `--filename` option to change the name of the file. ## *edit group* Change a group's name or description. ```shell op edit group [flags] ``` ### Options for edit group ``` --description description change the group's description --name name change the group's name ``` ## *edit item* Edit an item's details. ```shell op edit item [ ...] [flags] ``` ### Options for edit item ``` --generate-password[=recipe] give the item a randomly generated password --vault vault look for the item in this vault ``` ### How edit item works Use an assignment statement to change a field's value: ``` [
.]= ``` You can omit spaces when you specify the section or field name. You can also refer to the field by its JSON short name (`name` or `n`). ``` issuingcountry=Canada ``` The section is optional unless multiple sections have a field with the same name. ``` testingserver.address=db.local.1password.com developmentserver.address=db.dev.1password.com ``` You can't make a new custom section using an assignment statement. :::warning[caution] When providing secrets on the command line, always be wary of any other processes that might be monitoring what you’re doing. ::: #### Generate a password Use the `--generate-password` option to generate and set a random password for a Login or Password item. By default, it will create a 32-character password made up of letters, numbers, and symbols. You can customize the password with a password recipe. Specify the password length and which character types to use in a comma-separated list. Ingredients are: - `letters` for uppercase and lowercase letters - `digits` for numbers - `symbols` for special characters (`!@.-_*`) - `1`-`64` for password length ## *edit user* Change a user's name or Travel Mode status. ```shell op edit user [flags] ``` ### Options for edit user ``` --name name set the user's name --travelmode on|off turn Travel Mode on or off for the user ``` ## *edit vault* Edit the name, icon, and description of a vault. ```shell op edit vault [flags] ``` ### Options for edit vault ``` --description description change the vault's description --icon icon change the vault's icon --name name change the vault's name ``` ### How edit vault works Valid icon keywords are: - airplane - application - art-supplies - bankers-box - brown-briefcase - brown-gate - buildings - cabin - castle - circle-of-dots - coffee - color-wheel - curtained-window - document - doughnut - fence - galaxy - gears - globe - green-backpack - green-gem - handshake - heart-with-monitor - house - id-card - jet - large-ship - luggage - plant - porthole - puzzle - rainbow - record - round-door - sandals - scales - screwdriver - shop - tall-window - treasure-chest - vault-door - vehicle - wallet - wrench ### Related commands {#edit-vault-related-commands} - [list vaults](#list-vaults): Get a list of vaults - [get vault](#get-vault): Get details about a vault ## *encode* :::warning[caution] This command has been deprecated. Use the more secure --template flag with `create item` instead. It skips the need to encode the file. ::: ```shell op encode [flags] ``` ### How encode works Encode the JSON needed to create an item with `base64url` encoding. Accepts input from standard input (`stdin`). ### Examples for encode Encode a basic item template: ```shell op get template login | op encode ``` Save the encoded contents of a file to another file: ```shell cat my-new-login.json | op encode > my-new-login.encoded-json ``` ### Related commands {#encode-related-commands} - [get template](#get-template): Get an item template - [create item](#create-item): Create an item - [edit item](#edit-item): Edit an item's details ## *forget* Remove the details for a 1Password account from this device. ```shell op forget [flags] ``` ## *get* ### Subcommands {#get-subcommands} - [get account](#get-account): Get details about your account - [get document](#get-document): Download a document - [get group](#get-group): Get details about a group - [get item](#get-item): Get item details - [get template](#get-template): Get an item template - [get totp](#get-totp): Get the one-time password for an item - [get user](#get-user): Get details about a user - [get vault](#get-vault): Get details about a vault ## *get account* Get details about your account. ```shell op get account [flags] ``` ## *get document* Download a document and print the contents to standard output (`stdout`). ```shell op get document [flags] ``` ### Options for get document ``` --include-archive include items in the Archive --output path save the document to the file path instead of `stdout` --vault vault look for the document in this vault ``` ### How get document works #### Save to a file Use the `--output` option to have `op` save the document. This may be useful in some shells to preserve the file's original encoding. The `--output` option won't overwrite an existing file. The destination path must be an empty file or not exist. ### Examples for get document Save a document to a file called `secret-plans.text`: ```shell op get document "Top Secret Plan B" --output secret-plans.text ``` ## *get group* Get details about a group. ```shell op get group [flags] ``` ### How get group works #### Use standard input to specify objects If you enter a hyphen (`-`) instead of a single object for this command, 1Password CLI will read object specifiers from standard input (`stdin`). Separate each specifier with a new line. For more information about how to specify objects, run `op help`. You can also pass the command a list or array of JSON objects. 1Password CLI will get an item for any object that has a UUID key, ignoring line breaks. This is useful for passing information from one `op` command to another. ### Examples for get group Get details for all groups: ```shell op list groups | op get group - ``` Get details for the groups who have access to a vault: ```shell op list groups --vault "Production keys" | op get group - ``` ## *get item* Return details about an item. ```shell op get item [flags] ``` ### Options for get item ``` --fields fields only return data from these fields --format format return data in this format (CSV or JSON) (use with --fields) --include-archive include items in the Archive --share-link get a shareable link for the item --vault vault look for the item in this vault ``` ### How get item works By default, `get item` returns a complete 1Password JSON object. #### Customize returned data To only get details from specific fields, use the `--fields` option. Specify fields in a comma-separated list. You can omit spaces when you specify the section or field name. You can also refer to the field by its JSON short name (`name` or `n`). When you specify one field, its data is returned as a simple string. If you specify more than one field, the data is returned in a simple key-value pair JSON object. If a field doesn't exist, an empty value is returned. Use the `--format` option to change the output format to JSON or CSV. #### Specify items on standard input The command treats each line of information on standard input (`stdin`) as an object specifier. Run `op help` to learn more about how to specify objects. The input can also be a list or array of JSON objects. The command will get an item for any object that has a UUID key. This is useful for passing information from one `op` command to another. #### Items in the Archive Items in the Archive are ignored by default. To get details for an item in the Archive, specify the item by UUID or use the `--include-archive` option. ### Examples for get item Get details for all items with a specified tag: ```shell op list items --tags documentation | op get item - ``` Get a CSV list of the website, username, and password for all logins in a vault: ```shell op list items --categories Login --vault Staging | op get item - --fields website,username,password --format CSV ``` ## *get template* Return a template for an item type. ```shell op get template [flags] ``` ### How get template works You can create a new item with a template. Run `op create item --help` for more information. Categories are: - API Credential - Bank Account - Credit Card - Database - Document - Driver License - Email Account - Identity - Login - Medical Record - Membership - Outdoor License - Passport - Password - Reward Program - Secure Note - Server - Social Security Number - Software License - Wireless Router ### Related commands {#get-template-related-commands} - [encode](#encode): Encode the JSON needed to create an item - [create item](#create-item): Create an item ## *get totp* Get an item's current time-based one-time password. ```shell op get totp [flags] ``` ### Options for get totp ``` --vault vault look for the item in this vault ``` ### How get totp works #### Items in the Archive Items in the Archive are ignored by default. To get the TOTP for an item in the Archive, specify the item by UUID. ## *get user* Get details about a user. ```shell op get user [flags] ``` ### Options for get user ``` --fingerprint get the user's public key fingerprint --publickey get the user's public key ``` ### How get user works #### Use standard input to specify objects If you enter a hyphen (`-`) instead of a single object for this command, 1Password CLI will read object specifiers from standard input (`stdin`). Separate each specifier with a new line. For more information about how to specify objects, run `op help`. You can also pass the command a list or array of JSON objects. 1Password CLI will get an item for any object that has a UUID key, ignoring line breaks. This is useful for passing information from one `op` command to another. ### Examples for get user Get details for all users: ```shell op list users | op get user - ``` Get the public key for all users in a group: ```shell op list users --group "Frontend Developers" | op get user - --publickey ``` Get details for all users who have access to a vault: ```shell op list users --vault Staging | op get user - ``` ## *get vault* Get details about a vault. ```shell op get vault [flags] ``` ### How get vault works #### Use standard input to specify objects If you enter a hyphen (`-`) instead of a single object for this command, 1Password CLI will read object specifiers from standard input (`stdin`). Separate each specifier with a new line. For more information about how to specify objects, run `op help`. You can also pass the command a list or array of JSON objects. 1Password CLI will get an item for any object that has a UUID key, ignoring line breaks. This is useful for passing information from one `op` command to another. ### Examples for get vault Get details for all vaults: ```shell op list vaults | op get vault - ``` Get details for the vaults that a group has access to: ```shell op list vaults --group security | op get vault - ``` ### Related commands {#get-vault-related-commands} - [list vaults](#list-vaults): Get a list of vaults - [edit vault](#edit-vault): Edit a vault's metadata ## *list* ### Subcommands {#list-subcommands} - [list connect](#list-connect): List 1Password Connect servers and tokens - [list documents](#list-documents): Get a list of documents - [list events](#list-events): Get a list of events from the Activity Log - [list groups](#list-groups): Get a list of groups - [list items](#list-items): Get a list of items - [list templates](#list-templates): Get a list of templates - [list users](#list-users): Get the list of users - [list vaults](#list-vaults): Get a list of vaults ## *list connect* ### Subcommands {#list-connect-subcommands} - [list connect servers](#list-connect-servers): Get a list of 1Password Connect servers - [list connect tokens](#list-connect-tokens): Get a list of tokens ## *list connect servers* List 1Password Connect servers. ```shell op list connect servers [flags] ``` ### Related commands {#list-connect-servers-related-commands} - [create connect token](#create-connect-token): Issue a token for a 1Password Connect server - [edit connect server](#edit-connect-server): Rename a Connect server ## *list connect tokens* List tokens for Connect servers. ```shell op list connect tokens [flags] ``` ### Options for list connect tokens ``` --server server only list tokens for this Connect server ``` ### How list connect tokens works Returns active (`A`) and revoked (`R`) tokens. The `integrationUuid` is the UUID for the Connect server the token belongs to. ### Related commands {#list-connect-tokens-related-commands} - [edit connect token](#edit-connect-token): Rename a Connect token ## *list documents* List documents. ```shell op list documents [flags] ``` ### Options for list documents ``` --include-archive include items in the Archive --vault vault only list documents in this vault ``` ### How list documents works Returns a list of all documents the account has read access to by default. Excludes items in the Archive by default. ## *list events* List events from the Activity Log. ```shell op list events [flags] ``` ### Options for list events ``` --eventid eid start listing from event with ID eid --older list events from before the specified event ``` ### How list events works Returns the 100 most recent events by default. The Activity Log is only available for 1Password Business accounts. ### Examples for list events List events after a specific log entry: ```shell op list events --eventid 319458129 ``` List events before a specific log entry: ```shell op list events --older --eventid 319179570 ``` ## *list groups* List groups. ```shell op list groups [flags] ``` ### Options for list groups ```shell --user user list groups that a user belongs to --vault vault list groups that have direct access to a vault ``` ### How list groups works Returns all groups in an account by default. ### Examples for list groups Get details for all groups: ```shell op list groups | op get group - ``` Get details for the groups who have access to a vault: ```shell op list groups --vault Staging | op get group - ``` Get details for the groups that a person belongs to: ```shell op list groups --user wendy_appleseed@1password.com | op get group - ``` ## *list items* List items. ```shell op list items [flags] ``` ### Options for list items ``` --categories categories only list items in these categories (comma-separated) --include-archive include items in the Archive --tags tags only list items with these tags (comma-separated) --vault vault only list items in this vault ``` ### How list items works Returns a list of all items the account has read access to by default. Excludes items in the Archive by default. Categories are: - API Credential - Bank Account - Credit Card - Database - Document - Driver License - Email Account - Identity - Login - Medical Record - Membership - Outdoor License - Passport - Password - Reward Program - Secure Note - Server - Social Security Number - Software License - Wireless Router ### Examples for list items Get details for all items with a specified tag: ```shell op list items --tags documentation | op get item - ``` Get a CSV list of the `website`, `username`, and `password` for all logins in a vault: ```shell op list items --categories Login --vault Staging | op get item - --fields website,username,password --format CSV ``` ## *list templates* List available item type templates. ```shell op list templates [flags] ``` ### How list templates works Use `op get template` to get a template to use to create a new item. ### Related commands {#list-templates-related-commands} - [create item](#create-item): Create an item - [get template](#get-template): Get an item template ## *list users* List users. ```shell op list users [flags] ``` ### Options for list users ``` --group group list users who belong to a group --vault vault list users who have direct access to vault ``` ### How list users works Returns all users in an account by default. When you use the `--group` option, the output includes the user's role in the group. ### Examples for list users Get details for all users: ```shell op list users | op get user - ``` Get the public key for all users in a group: ```shell op list users --group "Frontend Developers" | op get user - --publickey ``` Get details for all users who have access to a vault: ```shell op list users --vault Staging | op get user - ``` ## *list vaults* List vaults. ```shell op list vaults [flags] ``` ### Options for list vaults ``` --group group list vaults a group has access to --user user list vaults a user has access to ``` ### How list vaults works Returns all vaults the account has access to by default. ### Examples for list vaults Get details for all vaults: ```shell op list vaults | op get vault - ``` Get details for vaults that a group has access to: ```shell op list vaults --group Security | op get vault - ``` Get details for vaults that a user has access to: ```shell op list vaults --user wendy_appleseed@1password.com | op get vault - ``` ### Related commands {#list-vaults-related-commands} - [get vault](#get-vault): Get details about a vault - [edit vault](#edit-vault): Edit a vault's metadata ## *manage* ### Subcommands {#manage-subcommands} - [manage connect](#manage-connect): Manage group access to 1Password Secrets Automation ## *manage connect* ### Subcommands {#manage-connect-subcommands} - [manage connect add](#manage-connect-add): Grant access to manage Secrets Automation - [manage connect remove](#manage-connect-remove): Revoke access to manage Secrets Automation ## *manage connect add* Grant a group access to manage Secrets Automation. ```shell op manage connect add [flags] ``` ### How manage connect add works If you don't specify a server, it adds the group to the list of Secrets Automation managers. ## *manage connect remove* Revoke access from a group to manage Secrets Automation. ```shell op manage connect remove [flags] ``` ## *reactivate* Reactivate a suspended user. ```shell op reactivate [flags] ``` ### Related commands {#reactivate-related-commands} - [suspend](#suspend): Suspend a user ## *remove* ### Subcommands {#remove-subcommands} - [remove connect](#remove-connect): Remove access to vaults from 1Password Connect servers - [remove group](#remove-group): Revoke a group's access to a vault - [remove user](#remove-user): Revoke a user's access to a vault or group ### Related commands {#remove-related-commands} - [add](#add): Grant access to groups or vaults ## *remove connect* ### Subcommands {#remove-connect-subcommands} - [remove connect server](#remove-connect-server): Revoke a Connect server's access to a vault ## *remove connect server* Revoke access to a vault from a Connect server. ```shell op remove connect server [flags] ``` ## *remove group* Revoke a group's access to a vault. ```shell op remove group [flags] ``` ## *remove user* Revoke a user's access to a vault or group. ```shell op remove user [ | ] [flags] ``` ## *signin* Sign in to a 1Password account and return a session token. ```shell op signin [ [ []]] [flags] ``` ### Options for signin ``` -l, --list list accounts set up on this device -r, --raw only return the session token --shorthand name set the short account name ``` ### How signin works #### Sign in to an account To sign in to an account the first time, use your sign-in address and email address: ```shell op signin example.1password.com wendy_appleseed@1password.com ``` After you sign in the first time, you can sign in again using only the shorthand for the account: ```shell op signin example ``` #### Use session tokens 1Password CLI uses a session token to authenticate commands with 1Password.com. Sessions expire after 30 minutes of inactivity. You can save the session token in an environment variable for 1Password CLI to use automatically or provide a token with each command using the `--session` option. To use the environment variable, run the `export` command that 1Password CLI provides after you sign in. When you run a command, 1Password CLI uses it automatically. To provide a session token each time you run a command, sign in using the `--raw` option to get a token. Then use the `--session` option with each command. #### Reuse a session token You can use the `--session` option with the `signin` command to reuse an active token or to test whether a session has expired. This may be useful when writing scripts that use 1Password CLI. If the session is active, 1Password CLI will use it and return the same token. If the session is expired, you’ll have to sign in again. #### Work with multiple accounts You can sign in to more than one account at a time. If you store the session token in an environment variable, 1Password CLI will use the account you most recently signed in to by default. Use the `--account` option to specify a different account. By default, the shorthand is your account’s subdomain. You can change it the first time you sign in by using the `--shorthand` option, or in the configuration file. Hyphens (`-`) are converted to underscores (`_`) for system compatibility. ### Examples for signin Sign in and set the environment variable in one step: ```shell eval $(op signin example) ``` ### Related commands {#signin-related-commands} - [signout](#signout): Sign out of a 1Password account ## *signout* Sign out of a 1Password account. ```shell op signout [flags] ``` ### Options for signout ``` --forget remove the details for a 1Password account from this device ``` ### How signout works Signs out of the most recently used account by default. ### Related commands {#signout-related-commands} - [signin](#signin): Sign in to a 1Password account ## *suspend* Suspend a user. ```shell op suspend [flags] ``` ### Options for suspend ``` --deauthorize-devices seconds[=0] deauthorize the user's devices after a time in seconds ``` ### Related commands {#suspend-related-commands} - [reactivate](#reactivate): Reactivate a suspended user ## *update* Check for updates to `op`. Downloads an updated version, if available. ```shell op update [flags] ``` ### Options for update ``` --directory path download the update to this path ``` --- ## Use 1Password CLI 1 :::warning[Upgrade to 1Password CLI 2] 1Password CLI 1 is deprecated as of **October 1, 2024**. Scripts and integrations that use version 1 will no longer work as expected. [Upgrade to 1Password CLI 2](/docs/cli/upgrade/) to maintain uninterrupted access and compatibility with the latest features. ::: ## Sign in or out To sign in to an account and get a session token: ```shell op signin [--raw] ``` After you sign in the first time, you can sign in again using only the shorthand for your account: ```shell op signin [--raw] ``` By default, the shorthand is your account's subdomain. You can change it the first time you sign in by using the `--shorthand` option. Hyphens (-) in a subdomain will be changed to an underscore (_). See also [*Appendix: Session management*](#appendix-session-management). ### Sign out Sessions automatically expire after 30 minutes of inactivity. You can sign out manually using the `signout` command: ```shell op signout ``` See also [*Appendix: Session management*](#appendix-session-management). ## List objects To list objects in a 1Password account: ```shell op list (users | groups | vaults | items | documents | templates) [--vault | --group ] ``` To list users or groups with access to a vault: ```shell op list (users | groups) --vault ``` To list users in a group: ```shell op list users --group ``` To list items in a vault: ```shell op list items --vault ``` To include items or documents in the Archive: ```shell op list (items | documents) [--vault ] --include-archive ``` ## List Activity Log events :::note 1Password Business The Activity Log is only available for 1Password Business accounts. ::: To list events from the [Activity Log](https://support.1password.com/activity-log): ```shell op list events [--eventid ] [--older] ``` The 100 most recent events will be listed. ### List events after a specific log entry You can provide an event ID (`eid`) as a starting point for listing entries by using the `--eventid` option. A maximum of 100 events will be returned, starting after, but not including, the provided event. ```shell op list events --eventid 319458129 ``` ### List events before a specific log entry The `--older` option can be used with the `--eventid` option to list entries that occurred before the provided event ID. ```shell op list events --older --eventid 319179570 ``` A maximum of 100 events will be returned, starting with the event before, not including, the provided event. ## Manage objects ### Get details To get details about an object: ```shell op get (account | group | vault | item | totp) [] [--vault ] [--include-archive] ``` The `--include-archive` option will allow for items in the Archive to be returned. To get the UUID of an object, look it up by name, email address, or domain. See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ### Get details of an item By default, `op get item` gets details of all fields. You can get details of just the fields you want instead. For one field, 1Password CLI returns a simple string: ```shell op get item nqikpd2bdjae3lmizdajy2rf6e --fields password 5ra3jOwnUsXVjx5GL@FX2d7iZClrrQDc ``` For multiple fields, specify them in a comma-separated list. 1Password CLI returns a JSON object: ```shell op get item nqikpd2bdjae3lmizdajy2rf6e --fields username,password {"username": "wendy_appleseed", "password": "5ra3jOwnUsXVjx5GL@FX2d7iZClrrQDc"} ``` You can change the output to CSV or to always use JSON with the `--format` option. ### Create or edit an item To create an item: ```shell op create item [ ...] ``` :::important Note If you can't trust other users or processes on your system, use `op create item --template=file.json` instead. ::: To edit an item: ```shell op edit item [ ...] ``` Assignment statements follow this syntax: ``` [
.]= ``` You can omit spaces when you specify the section or field name. You can also refer to a field by its JSON short name (`name` or `n`). ``` issuingcountry=Canada ``` The section is optional unless multiple sections have a field with the same name. ``` testingserver.address=db.local.1password.com developmentserver.address=db.dev.1password.com ``` You can't make a new custom section using an assignment statement. You can generate a password for the item with the `--generate-password` option. By default, it will create a 32-character password made up of letters, numbers, and symbols. See also [*Appendix: Categories*](#appendix-categories) for a list of categories. See also [*Appendix: Specifying objects*](#appendix-specifying-objects). When you create an item, its UUID is returned. ### Delete an item To delete an item: ```shell op delete item [--vault ] ``` Use the `--archive` option to move it to the Archive instead. See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ### Create or remove a vault To create a vault: ```shell op create vault [--allow-admins-to-manage ] [--description ] ``` When you create a vault, its UUID is returned. Use the `--allow-admins-to-manage` option to specify whether administrators can manage access to the vault or not. If not provided, the default policy for the account applies. To remove a vault: ```shell op delete vault ``` See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ### Work with documents To create a document: ```shell op create document [--title ] [--vault <vault>] [--tags <tags>] ``` When you create a document, its UUID is returned. To download a document and save it to a file: ```shell op get document <document> [--vault <vault>] [--output <file_path>] ``` The document's contents are sent to standard output (`stdout`) by default. Use the `--output` option to save the document to a file directly. It won't overwrite an existing file unless it's empty. To delete a document: ```shell op delete document <document> [--vault <vault>] ``` Use the `--archive` option to move it to the Archive instead. See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ## Manage users and groups ### Invite and confirm users To create and invite a new user: ```shell op create user <email_address> <name> ``` Users are invited by email and then must be confirmed using their email address or UUID: ```shell op confirm [<user> | --all] ``` The `--all` option confirms all users pending confirmation. ### Get user details To get details about a user: ```shell op get user <user> [--publickey | --fingerprint] ``` If the `--publickey` or `--fingerprint` options are used, only the user’s public key or public key fingerprint is returned. ### Edit users and groups To edit a user's name: ```shell op edit user <user> [--name <name>] ``` To turn Travel Mode on or off for a user: ```shell op edit user <user> --travelmode <on | off> ``` To edit the name or description of a group: ```shell op edit group <group> [--name <name>] [--description <description>] ``` ### Suspend or reactivate a user To suspend or reactivate a user: ```shell op (suspend | reactivate) <user> ``` See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ### Remove a user To completely remove a user: ```shell op delete user <user> ``` See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ### Manage individual access To grant a user access to a vault or group: ```shell op add user <user> [<vault> | <group>] ``` To revoke a user's access to a vault or group: ```shell op remove user <user> [<vault> | <group>] ``` See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ### Manage group access To grant a group access to a vault: ```shell op add group <vault> ``` To revoke a group's access to a vault: ```shell op remove group <vault> ``` See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ### Create or remove a group To create a group: ```shell op create group <name> ``` When you create a group, its UUID is returned. To remove a group: ```shell op delete group <group> ``` See also [*Appendix: Specifying objects*](#appendix-specifying-objects). ## Appendix: Checking for updates To check for updates to 1Password CLI: ```shell op update ``` If a newer version is available, 1Password CLI can download it for you. To change the download folder, use the `--directory` option. ## Appendix: Specifying objects Every object can be specified by UUID or name. Users and items can also be specified by email address and domain, respectively. | Object | UUID | Name | Emailaddress | Domain | |----------|------|------|--------------------|--------| | Group | ✅ | ✅ | — | — | | User | ✅ | ✅ | ✅ | — | | Vault | ✅ | ✅ | — | — | | Item | ✅ | ✅ | — | ✅ | | Document | ✅ | ✅ | — | — | When specifying by UUID, the item or its details will be returned, even if the item is in the Archive. You don’t need to specify `--include-archive`. ## Appendix: Categories - API Credential - Bank Account - Credit Card - Database - Document - Driver License - Email Account - Identity - Login - Membership - Outdoor License - Passport - Password - Reward Program - Secure Note - Server - Social Security Number - Software License - Wireless Router ## Appendix: Session management `op signin` will prompt you for your 1Password account password and output a command that can save your session token to an environment variable: ```shell op signin <shorthand> export OP_SESSION_<shorthand>="EXAMPLEeSHByBqEXAMPLEfdMVLLdEXAMPLEUrNMuRXQ" ``` To set the environment variable, run the `export` command manually, or use `eval` (Mac, Linux) or `Invoke-Expression` (Windows) to set it automatically. On Mac and Linux: ```shell eval $(op signin <shorthand>) ``` On Windows: ```shell Invoke-Expression $(op signin <shorthand>) ``` You can sign in to multiple accounts at the same time. ### Use with multiple accounts Commands that you run will use the account you signed in to most recently. To run a command using a specific account, use `--account <shorthand>`: ```shell op list items --account <shorthand> ``` To authenticate with a session token, sign in with the `--raw` option to get the token. Then use `--session <session_token>` with any command: ```shell op signin <shorthand> --raw ``` ```shell op list items --session <session_token> ``` ### Remove account details from your computer You can remove account details from your computer at any time. To sign out of an account and remove its details from your computer: ```shell op signout --forget ``` If you're already signed out, you can specify an account by its shorthand: ```shell op forget <shorthand> ``` ## Learn more - [1Password CLI 1: Reference](reference) --- ## About vault permissions When using scripts to [grant or revoke vault permissions](/docs/cli/grant-revoke-vault-permissions/), you must include any dependent permissions in the command. The vault permissions available to you depend on your 1Password account type. **1Password Business:** 1Password Business includes the following permissions: - **view_items**: view items in a vault. - **create_items**: create items in a vault. - **edit_items**: edit items in a vault. - **archive_items**: archive items in a vault. - **delete_items**: delete items in a vault. - **view_and_copy_passwords**: view concealed passwords and copy them to the clipboard. - **view_item_history**: view and restore previous versions of items in the vault. - **import_items**: move or copy items into the vault. - **export_items**: save items in the vault to an unencrypted file that other apps can read. - **copy_and_share_items**: copy items between vaults, or share them outside of 1Password. - **print_items**: print the contents of items in the vault - **manage_vault**: allows a team member to grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults. 1Password Business also includes the broader permissions available in 1Password Teams: - **allow_viewing**: view items in a vault, view concealed passwords and copy them to the clipboard. - Includes the granular permissions: `view_items`, `view_and_copy_passwords`, `view_item_history`. - **allow_editing**: create, edit, move, print, copy, archive, and delete items in the vault. - Includes the granular permissions: `create_items`, `edit_items`, `archive_items`, `delete_items`, `import_items`, `export_items`, `copy_and_share_items`, `print_items`. - **allow_managing**: grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults. - Includes the granular permission: `manage_vault`. The vault permission `move_items` is automatically added when the permissions below are all added: ``` view_items, edit_items, archive_items, view_and_copy_passwords, view_item_history, copy_and_share_items ``` In order to move an item, a user must have access to both the vault where an item is located and the destination vault. **Permission dependencies** In 1Password Business, all vault permissions have a hierarchical relationship in which narrower permissions require broader permissions to be granted alongside them. Permission dependencies are cumulative, so if a narrower permission is several levels down, it requires all of the broader permissions above it. For example, to grant the narrower permission `delete_items` you must also grant the permissions `edit_items`, `view_and_copy_passwords`, and `view_items`. Similarly, to revoke a broader permission like `view_items`, any narrower dependent permissions that have already been granted must be revoked alongside it. _[Vault permissions presented as a taxonomic tree]_ | permission | requirements | | ------------------------- | ------------------------------------------------------ | | `create_items` | `view_items` | | `view_and_copy_passwords` | `view_items` | | `edit_items` | `view_and_copy_passwords` , `view_items` | | `archive_items` | `edit_items`, `view_and_copy_passwords`, `view_items` | | `delete_items` | `edit_items`, `view_and_copy_passwords`, `view_items` | | `view_item_history` | `view_and_copy_passwords`, `view_items` | | `import_items` | `create_items`, `view_items` | | `export_items` | `view_item_history`, `view_and_copy_passwords`, `view_items` | | `copy_and_share_items` | `view_item_history`, `view_and_copy_passwords`, `view_items` | | `print_items` | `view_item_history`, `view_and_copy_passwords`, `view_items` | **1Password Teams:** 1Password Teams includes three permissions: - **allow_viewing**: view items in a vault, view concealed passwords and copy them to the clipboard. - Includes the granular permissions: `view_items`, `view_and_copy_passwords`, `view_item_history`. - **allow_editing**: create, edit, move, print, copy, archive, and delete items in the vault. - Includes the granular permissions: `create_items`, `edit_items`, `archive_items`, `delete_items`, `import_items`, `export_items`, `copy_and_share_items`, `print_items`. - **allow_managing**: grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults. - Includes the granular permission: `manage_vault`. **Permission dependencies** | permission | requirements | | ---------------- | --------------- | | `allow_editing` | `allow_viewing` | | `allow_managing` | | To grant the permission `allow_editing`, you must also grant the broader permission `allow_viewing`. Similarly, to revoke `allow_viewing`, you must also revoke `allow_editing`. **1Password Families:** 1Password Families includes three permissions: - **allow_viewing**: view items in a vault, view concealed passwords and copy them to the clipboard. - Includes the granular permissions: `view_items`, `view_and_copy_passwords`, `view_item_history`. - **allow_editing**: create, edit, move, print, copy, archive, and delete items in the vault. - Includes the granular permissions: `create_items`, `edit_items`, `archive_items`, `delete_items`, `import_items`, `export_items`, `copy_and_share_items`, `print_items`. - **allow_managing**: grant and revoke access to the vault, change permissions for others, and delete the vault. Owners will always have permission to manage vaults. - Includes the granular permission: `manage_vault`. **Permission dependencies** | permission | requirements | | ---------------- | --------------- | | `allow_editing` | `allow_viewing` | | `allow_managing` | | To grant the permission `allow_editing`, you must also grant the broader permission `allow_viewing`. Similarly, to revoke `allow_viewing`, you must also revoke `allow_editing`. ## Learn more - [Grant and revoke vault permissions](/docs/cli/grant-revoke-vault-permissions/) - [Work with vaults](/docs/cli/reference/management-commands/vault/) --- ## Verify the authenticity of 1Password CLI To confirm the authenticity of 1Password CLI, the tool and all its updates are digitally signed and offered exclusively by 1Password. Always get updates directly from 1Password, and always [check to make sure that you have the latest version](/docs/cli/reference/update/). **Mac:** ### ZIP file To confirm that the contents of the 1Password CLI ZIP file are authentic, unzip the file, then run the following command in the unzipped folder: ```shell gpg --keyserver keyserver.ubuntu.com --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 gpg --verify op.sig op ``` ### Package file To confirm the 1Password CLI installer file is authentic, you can verify the digital signature before installation. 1. Open the 1Password CLI installer. If you see "This package will run a program to determine if the software can be installed", select **Continue**. This will not begin the installation. 2. Select the lock icon in the top right corner of the installer window. If you don't see the lock icon, the package is unsigned, and you shouldn't install it. 3. Select **Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)**. If you see a different developer ID, or the certificate doesn't have a green checkmark indicating that it's valid, don't install the package. 4. Select the triangle next to Details and scroll down. 5. Make sure that the SHA-256 fingerprint in the installer matches one of the following fingerprints. If they match, the signature is verified. Select **OK** and continue installation. _[The 1Password CLI installer window showing the developer ID and fingerprints.]_ | Hash | Fingerprint | |---------|-------------| | SHA‑256 | CA B5 78 06 1B 02 09 FB 70 93 4D A3 44 EF 6F EB CD 32 79 B1 C0 74 C5 4B 0D 7D 55 57 43 B9 D8 9F | | SHA‑256 | 14 1D D8 7B 2B 23 12 11 F1 44 08 49 79 80 07 DF 62 1D E6 EB 3D AB 98 5B C9 64 EE 97 04 C4 A1 C1 | The installer automatically verifies the files in the package. If any file has an issue, installation stops without changes to your system, and you'll see a message that the installer encountered an error. **Windows:** To confirm the 1Password CLI installer for Windows is authentic, verify that the signing certificate for `op.exe` was issued to AgileBits by Microsoft Corporation, and that the [Extended Key Usage (EKU)](https://learn.microsoft.com/en-us/azure/trusted-signing/concept-trusted-signing-cert-management#subscriber-identity-validation-eku) is correct. 1. Open PowerShell as an Administrator. 2. Verify that the certificate was issued to AgileBits: ```powershell Get-AuthenticodeSignature -FilePath .\op.exe | Select-Object -ExpandProperty SignerCertificate | Select-Object Subject #code-result open Subject ------- CN=Agilebits, O=Agilebits, L=Toronto, S=Ontario, C=CA ``` 3. Verify the certificate was issued by Microsoft Corporation: ```powershell Get-AuthenticodeSignature -FilePath .\op.exe | Select-Object -ExpandProperty SignerCertificate | Select-Object Issuer #code-result open Issuer ------ CN=Microsoft ID Verified CS AOC CA 02, O=Microsoft Corporation, C=US ``` 4. Verify the EKU matches 1Password's EKU of `1.3.6.1.4.1.311.97.661420558.769123285.207353056.500447802`: ```powershell Get-AuthenticodeSignature -FilePath .\op.exe | Select-Object -ExpandProperty SignerCertificate | Select-Object -ExpandProperty EnhancedKeyUsageList #code-result open FriendlyName ObjectId ------------ -------- 1.3.6.1.4.1.311.97.1.0 Code Signing 1.3.6.1.5.5.7.3.3 1.3.6.1.4.1.311.97.661420558.769123285.207353056.500447802 ```