1Password Credential Broker is now in private beta

We're excited to share that 1Password Credential Broker is now in private beta!

Credential Broker helps teams give CI/CD pipelines, machine workloads, and eventually AI agents access to the credentials they need, only when they need them. Instead of storing long-lived tokens in config files, environment variables, or pipelines, workloads can prove their identity at runtime, get the specific credential they’re approved to use, and lose that access when the job is done.

The private beta starts with GitHub Actions. When a workflow runs, GitHub issues a signed identity token that confirms which repo, branch, and workflow is executing. 1Password Credential Broker checks that identity against a policy configured in 1Password, then delivers only the approved vault item for that job.

That means teams can:

• Avoid storing long-lived service account tokens in pipelines
• Scope machine workload access to specific vault items
• Remove standing vault access from CI/CD jobs
• See audit events with attribution for the repo, branch, workflow, environment, and commit involved

Credential Broker is part of the 1Password Unified Access platform, extending the same vault, governance, and audit tools teams already use for human credentials to machine workloads and agents.

The private beta is available to existing Enterprise Password Manager customers, starting with GitHub Actions support. General availability is targeted for late 2026.

If your team is interested in early access, you can sign up here.

To learn more, visit the 1Password Credential Broker page.