Feature request: 1Password-managed MCP proxy for HTTP MCP servers without OAuth
I’d love to see something like mcp-remote, but built into 1Password and designed around 1Password’s security model.
The use case is HTTP-based MCP servers that require credentials but don’t support OAuth, for example servers that need an Authorization header with a PAT, API key, or Basic token.
I am using Codex, and today, the common workaround is to either hardcode secrets into MCP config (not good), or start Codex with op run --environment <environment-id> -- /Applications/Codex.app/Contents/MacOS/Codex but that will expose the env variables to the whole Codex process. The latter approach is workable, but not great.
What I’m hoping for is a local 1Password-managed MCP transport proxy:
- MCP client (Codex, Claude) connects locally to 1Password/proxy over stdio
- 1Password connects to the configured remote HTTP MCP server
- 1Password injects auth headers/tokens from environment into outbound HTTP requests
- secrets are never returned to the MCP client or exposed to the agent
- every credential use can require approval and be audited
- this works for HTTP MCP servers that do not support OAuth
This would fit nicely with 1Password’s “access without exposure” model. The AI agent would not see secrets. The MCP config in Codex can just point to the local 1Password MCP proxy without any credentials. The MCP server would receive only the credential it needs, at runtime, through a deterministic 1Password-controlled channel.
A concrete example: Atlassian’s Rovo MCP server requires to be accessed over HTTP with a PAT-based Authorization header for Bitbucket-related tools (their OAuth does not work for that). A 1Password-managed proxy could inject the header with PAT securely without exposing the PAT to the Codex process by starting Codex via op run --environment .…
Another example is Bugcrowd MCP which only support API token auth.
This would make 1Password the safest central place to manage credentials for non-OAuth MCP servers across Codex, Claude, Cursor, Kiro, and other MCP clients.
