Skip to main content
December 28, 2021
Question

Reuse a session token from environment, not from command line

  • December 28, 2021
  • 2 replies
  • 365 views

The op signin command has an immensely useful functionality:

You can use the `--session` option with the `signin` command to reuse an
active token or to test whether a session has expired. This may be
useful when writing scripts that use the command-line tool. If the
session is active, the tool will use it and return the same token. If
the session is expired, you’ll have to sign in again.

However, as Michael pointed out in https://1password.community/discussion/123986/command-line-tool-v1-12-2-op-create-item-template-file-json it is insecure to provide secrets on the command-line. For example, in shared and cloud environments there's a risk of other users seeing the session token through ps or the token making its way to audit logs.

With that in mind, it would be fantastic if the token reuse functionality was usable with the session token in an environmental variable. I see two possible approaches:
1. Change the default behavior of op signin (without --session parameter) to reuse the existing session token by default. Add a new parameter e.g. --new-session to force a new sign-in.
2. Leave the current default behavior as it is, add a --reuse parameter to tell the CLI to try reusing the token from env.

Best regards,
Kamil Domański


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

2 replies

zcutlip
December 30, 2021

If I understand your question correctly, op already does this. E.g., in a bash, zsh, or similar environment, do:

console
$ eval $(op signin)

Then your session token is exported as an environment variable and is reused automatically (until it expires).

I'm suspect there are similar invocations for Windows and other shells.

Cheers,
Zach

1Password Employee
January 14, 2022

@zcutlip is right.

All op signin does is print this:
bash
export OP_SESSION_<account shorthand>=<session token>

When evaluated, it stores that environment variable for you for next invocations of 1Password CLI commands.

You can find the shorthand of your account using op signin --list.

PS: You're also right about there being a Windows equivalent, it's Invoke-Expression $(op signin)