Forum Discussion

tielmanleroux
New Contributor
2 months ago

Feature Request: Optionally allow sharing recipients to edit/update entries

Hi

I love 1Password, cannot live without it in my personal and professional life. But one thing I struggle with is helping my customers maintain a safety-first demeanor when it comes to sharing secrets.

With 1Password it is easy enough for me to share secrets with them securely, but the inverse is not true UNLESS they also have 1Password, or similar. 

[2025.10.09 - Update] After looking into WHY this doesn't exist, I now understand the problem: allowing an external non-vault member to write directly into my vault would break the security model, as that external non-vault member would need my keys to write into my vault. So instead it could be something like this:

  1. You initiate a “Secret Request” from 1Password:
    • It generates a unique, signed URL.
    • Optionally, you can label it (“Please send me your API key for X”).
  2. The recipient (your customer):
    • Opens that link in their browser.
    • Enters their secret (password, API key, etc.).
    • Their browser encrypts it locally with a one-time symmetric key before upload.
    • The key is only embedded in the returned “Send” link that comes back to you.
  3. You receive the “return link”:
    • You open it once, decrypt locally, and copy the secret into your own vault.
    • Optionally, the link auto-expires after one view or a set time.
  4. 1Password’s servers never see plaintext, they just store encrypted blobs.

Full disclaimer, some AI servant came up with the above summary after I was trying to figure out why it may not be secure to just have people write directly into my vault and what the alternatives were.

[Original not-so-secure feature request below]

The feature I am looking for and would be willing to pay for, would be to allow sharing an entry, blank or otherwise, and then to optionally indicate that the sharing recipient may update the values or create new ones. Basically I want to allow someone external to be able to populate an entry in my vault as a mechanism for them to securely share secrets with me.

Use case: I need to do an integration project with my customer's ERP system and I need a secret from them. They need to share this secret with me and may not have a great way to do that securely. So if I could securely send them a link to an entry in my vault with edit permissions, then they could easily just drop the secret in there.

From a feature point of view, I guess it doesn't have to be limited to Update only; you could send someone a "Please create a new entry in my vault" request, and then the entry would not have to exist prior to them getting the create request.

Let me know what you think.

 

3 Replies

  • Hello tielmanleroux​! 👋

    Thank you for the continued feedback and for following up! Earlier this year we moved to a new community platform and threads that haven't been active in years weren't migrated. Even if a certain community thread wasn't migrated, any filed feature requests from that thread are still filed with our product team internally. 

    This feature request is still open with the team but there aren't any updates to share. For the time being, inviting external users as a guest is the best option if you'd like them to share items with you using 1Password: Share with guests in your team

    I've added your latest comments to the feature request that's filed with the team as well. 🙂

    -Dave

    PB-51190077

    • tielmanleroux
      New Contributor

      Thanks 1P_Dave​ 

      On second thought, I guess this kind of feature could impact your bottom line, as it technically requires fewer people to have 1PW accounts, and/or limits the use of Guest accounts. So if that is a motivating factor for your business then I completely get that.

      But, like I said, this is definitely something that I would pay for, and perhaps others as well. And so, on the minute chance that the engineering team have not thought about it much, I present my AI-inspired high-level design (fully recognizing how presumptuous this may come across).

      The goal: let a non-member (the customer) create a temporary, signed, encrypted vault item that only you can decrypt, store it in your service as a staged item, let you open it one time, verify the signature, and then have the service convert it into a normal vault entry re-encrypted under your vault keys — all without exposing plaintext to the server beyond ephemeral local decryption on your client.

      High-level design (requirements)

      1. Customer can submit a secret through their browser (no account required).
      2. The secret is encrypted client-side; only the vault owner (you) can decrypt it.
      3. The submission is signed by the customer (browser key) so you can verify authenticity.
      4. The submission is stored on the server as a ciphertext blob (staged item) and kept until you accept it.
      5. When you accept, your client decrypts it locally, verifies signature, then re-encrypts and stores the permanent item in your vault under your vault encryption key.
      6. The staged blob is deleted (or zeroized) once consumed or expired.
      7. Server never sees plaintext; keys never permanently shared.

       

      I will stop now :D, thanks for humoring me
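The staged-submission requirements listed above, together with the "Secret Request" steps in the opening post, worked through as an added example; it is not code from the thread or from 1Password. The function names, the in-memory `Map` standing in for the server, the choice of RSA-OAEP, AES-256-GCM and Ed25519, the binding of the request id as authenticated data, and the use of Node's `crypto` module in place of a browser's WebCrypto are all assumptions.

```javascript
// Added example: names, the request-id binding and the Map "server" are assumptions.
const crypto = require("node:crypto");

// Owner: key pair created when the request is issued; the public key travels in the link.
function newRequest() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { id: crypto.randomUUID(), publicKey, privateKey };
}

// Bytes covered by the signature; every field except ct has a fixed length.
function signedBytes(b) {
  return Buffer.concat([Buffer.from(b.requestId), b.iv, b.ct, b.tag, b.wrappedKey]);
}

// Customer side: encrypt with a one-time AES key, wrap that key for the owner, sign the blob.
function submitSecret(requestId, ownerPublicKey, secret) {
  const key = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(requestId)); // ties the ciphertext to this one request
  const ct = Buffer.concat([c.update(secret, "utf8"), c.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: ownerPublicKey, oaepHash: "sha256" }, key);
  const body = { requestId, iv, ct, tag: c.getAuthTag(), wrappedKey };
  const signer = crypto.generateKeyPairSync("ed25519"); // ephemeral submitter key
  const sig = crypto.sign(null, signedBytes(body), signer.privateKey);
  return { ...body, sig, signerKey: signer.publicKey.export({ type: "spki", format: "der" }) };
}

// Owner client: verify, decrypt locally, then delete the staged blob (single view).
function acceptStaged(staged, request) {
  const blob = staged.get(request.id);
  if (!blob) throw new Error("no staged item (expired or already consumed)");
  const pub = crypto.createPublicKey({ key: blob.signerKey, format: "der", type: "spki" });
  if (!crypto.verify(null, signedBytes(blob), pub, blob.sig)) throw new Error("bad signature");
  const key = crypto.privateDecrypt({ key: request.privateKey, oaepHash: "sha256" }, blob.wrappedKey);
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  d.setAAD(Buffer.from(request.id));
  d.setAuthTag(blob.tag);
  const secret = Buffer.concat([d.update(blob.ct), d.final()]).toString("utf8");
  staged.delete(request.id);
  return secret; // the caller re-encrypts this under the vault key
}
```

Because the signing key is ephemeral and travels inside the blob, the signature shows the blob was not altered after it was signed, not who submitted it; confirming the sender still needs an out-of-band check.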

  • I logged this same request in 2022 (https://1password.community/discussion/134712/feature-request-edit-shared-items), but that does not seem to exist anymore, which made me feel like a sad panda.