Restricting CLI access to vaults

I'd like to use 1Password (Business) to access secrets from a coding assistant, but the `op` CLI is kind of all-or-nothing right now. When logged in, it provides access to all of the user's credentials. Those might range from low-risk development environment credentials to high-risk production secrets. The coding assistant might just need a subset of the low-risk credentials.

I'm not sure how this could be improved. A few ideas:

Restrict the op CLI as a whole to specific vaults only
When the desktop integration is enabled, restrict certain apps (coding assistants) to specific vaults
When using `eval $(op signin)`, provide a command-line argument that restricts it to only specified vaults. `eval $(op signin --vaults=1,2,3)`
Exclude specific vaults from the CLI. One of our developers noted they'd prefer not to give the CLI access to their personal/family items.

cli

feature request

Forum Discussion

Restricting CLI access to vaults

Featured discussions

December 2025 at 1Password: More browser options, easier sign-in, and safer saving and filling

Recent discussions

[BUG REPORT] Two issues when editing multiple password fields

Allow environments to be assigned to groups

Restricting CLI access to vaults

Disabling interactive prompt to set up account in op CLI?

1Password Chrome extension is incorrectly manipulating <code> blocks