Skip to main content
July 1, 2025
Solved

Error when working with the API

  • July 1, 2025
  • 2 replies
  • 142 views


I want to pull a specific secret from a specific vault, but I can't do it. The token was created in the Service Account and made correctly, with access to read the required vault.

headers = {"Authorization": f"Bearer {OP_TOKEN}"}
url = f"https://api.1password.com/v1/vaults/{OP_VAULT_ID}/items/{OP_ITEM_ID}"

Response is:
403 Client Error: Forbidden for url: https://api.1password.com/v1/vaults/{OP_VAULT_ID}/items/{OP_ITEM_ID}

Where can be an issue?
We're using Teams Starter Pack

Best answer by estoler-ag

The query wouldn't be valid because 'api.1password.com' is not a valid URL as we do not have public facing APIs for the 1Password service. This is something we've definitely heard feedback for before so I can add your backing to the request.

At this time, your best option would be to setup a Connect Server for API calls specifically.

Alternatively, you could instead use a Service Account and our SDKs in your Lambda function which would connect directly to the 1Password service, just not through a standard REST API like the example you first posted. Below is an example pulling a secret from a vault using our Python SDK:

# Retrieves a secret from 1Password. Takes a secret reference as input and returns the secret to which it points.
value = await client.secrets.resolve(
    f"op://{created_item.vault_id}/{created_item.id}/username"
)
print(value)

 

2 replies

estoler-ag
1Password Employee
July 1, 2025

Hi valerykolganov, 

Thanks for posting the question! Due to 1Password's security model and how we encrypt your data, you would want to setup a Connect Server to be able to programmatically access your vaults and items. Check out our docs here.

Ethan

July 1, 2025

It's possible! But I still would like to do it without a server, and use it directly. 
My AWS Lambda function can't make a valid query, I want to figure it out

estoler-ag
1Password Employee
July 1, 2025

The query wouldn't be valid because 'api.1password.com' is not a valid URL as we do not have public facing APIs for the 1Password service. This is something we've definitely heard feedback for before so I can add your backing to the request.

At this time, your best option would be to setup a Connect Server for API calls specifically.

Alternatively, you could instead use a Service Account and our SDKs in your Lambda function which would connect directly to the 1Password service, just not through a standard REST API like the example you first posted. Below is an example pulling a secret from a vault using our Python SDK:

# Retrieves a secret from 1Password. Takes a secret reference as input and returns the secret to which it points.
value = await client.secrets.resolve(
    f"op://{created_item.vault_id}/{created_item.id}/username"
)
print(value)