Level up your business security with free, on-demand training and certification. Explore 1Password Academy today →
Introducing new .env file support in 1Password
Today, we’re introducing a first-of-its-kind feature available in the 1Password Desktop app. With the new local .env file destination in 1Password Environments, you can securely use and share .env files across your team, without rewriting how your app loads credentials. Here’s why it matters: Zero plaintext secrets on disk: Secrets are loaded into applications on demand. You can’t accidentally commit them. No cumbersome sharing of secrets: Teammates get instant access - no DMs or copying secrets. Built for teams: Version history, access control, and automatic updates - all in one place. Offline access: No more internet connection required to load secrets from 1Password. Secrets are sourced directly from the desktop app's local cache. Now available in beta on Mac and Linux. Interested to see it in action? Watch the demo video below. Video not displaying? Watch it here. 💬 Share feedback, get swag We want your input on what to build next: CI/CD integrations? Docker support? Something else? 📖 Read the docs to get started 👉 Join the discussion in the 1Password Developer Community 🧢 The first 10 developers to start a discussion on the 1Password Developer Community Hub to share feedback by October 31st will get exclusive 1Password swag. Be sure to tag your post with beta-environments.
1Password Environments Beta is awesome
Just wanted to drop some feedback after playing around with the new Environments Beta in 1Password. Honestly, I’m loving it so far. The local .env file mounting is just brilliant. Secrets are easy to access without having to run extra commands, but still secure – exactly what I want. Makes switching between machines seamless, too. A couple of things I’d really like to see next: 1. CLI Integration - being able to create/edit/list environments and variables from the terminal would make this so much more useful, right now, having to click around in the desktop app is a bit of a pain for dev workflows. 2. More integrations: AWS Secrets Manager is a great start, but would love to see GCP and other major providers such as GitHub, etc. A plugin system for integrations would be awesome also to help cover more niche players like Modal.com Overall, this is a huge step in the right direction for 1Password. Can’t wait to see where this goes next!.env files should support more file formats
Hey, I was incredibly excited to see the 1Password beta supporting .env files. After testing it out in the latest beta, I understand that this is incredibly useful for environments that support traditional .env files. However, as someone working with building mobile apps, specifically for iOS, I was hoping that the new feature was a tad more flexible, enabling me to use it in .swift files. Specifically, I was hoping that the new feature would replace references to secrets in existing files rather than creating a new (temporary) file. If it were replacing references in existing files, we could use the .env support in 1Password's Environment with any file template. I understand the downsides to this, but in the mobile landscape it's not uncommon to hardcode select secrets in the binary and even when doing so, we'd like to keep those secrets out of version control. Therefore, we have .swift template files that look like this: enum Secrets { enum SomeService { static var apiKey: String { "{{ op://Acme GitHub Actions/Some Service API Key/API Key }}" } } } These files are named Secrets.tpl.swift and are stored in version control. We use `op inject` to inject the secrets into these files and output them as Secrets.swift, so they're referenced at compile time. Secrets.swift is not checked into version control, of course. I was hoping that we could mount Secrets.tpl.swift or similar in 1Password Environments to have it handle the secrets for us, as .env files aren't really a thing in iOS development. I'm excited to use 1Password Environments with the new .env files in backend development, but I hope you'll consider making it more flexible, so it can accommodate more platforms too. Best regards, Simon B. Støvring
1Password Environments issue with VSCode and Claude Code Extension
I've noticed a curious issue in testing 1Password Environments in a repository where I'm editing with VSCode and using the Claude Code extension in VSCode. Since enabling 1P Environments, I've noticed that the Source Control sidebar gets stuck refreshing Git Status, and Claude Code slows or stalls. Running Claude Code outside of VSCode works fine (as does using Git in Terminal, and so I wonder if this is a VSCode issue? I have the VSCode 1Password extension, as well as the Claude Code for VSCode extension, among others. Happy to provide other details if you can let me know what would help.
1Password CLI Bug Report: Service Account Cannot Read Environments
Summary op environment read and op run --environment return "Environment was not found" when authenticated with a Service Account that has Read access to the Environment. Desktop app authentication works correctly with the same Environment ID. Environment op CLI version: 2.33.0-beta.02 OS: macOS 15.3 (arm64) 1Password Desktop App: 8.12.2 Account type: Individual (my.1password.com) Steps to Reproduce Create a 1Password Environment "AI Agent" with variables (e.g., BRAVE_API_KEY) Create a Service Account "Ghossty" with: Vaults: Dev (Read) Environments: AI Agent (Read) Export the Service Account token: export OP_SERVICE_ACCOUNT_TOKEN="<token>" Run: /usr/local/bin/op environment read <environment-id> Expected Result BRAVE_API_KEY=<value> GITHUB_PAT=<value> Actual Result [ERROR] 2026/02/18 18:41:55 bad input passed by the user: Environment was not found Workaround Confirmation Desktop app authentication works correctly with the same Environment ID: OP_SERVICE_ACCOUNT_TOKEN= /usr/local/bin/op environment read <environment-id> # Output: # GITHUB_PAT=[REDACTED:github-fine-grained-pat] # BRAVE_API_KEY=[REDACTED:api-key] Additional Context op whoami confirms the Service Account is authenticated: URL: https://my.1password.com User Type: SERVICE_ACCOUNT The Service Account was created on 2026-02-18 (after Environments beta was available) The SA has confirmed Read access to the Environment in the 1Password app UI op run --environment <id> -- printenv also fails with the same error Vault access works fine with the same SA (op item list --vault Dev succeeds) Impact Cannot use the official headless/automated approach for loading Environment variables in shell startup scripts. Forced to use desktop app authentication which requires biometric confirmation on every invocation.
Environments: Feedback
Today I tried fiddling with Environments beta feature on 1Password and wanted to leave some feedback. Background: We currently use AWS secrets for managing 200+ secrets in our application, but due to the lack of backups/redundancy I started looking at alternatives and considering we already heavily use 1P, I thought I'd give Environments a go. Generally speaking I love it. It is precisely what we need, however a few things came up along the way which I would like to share: [P0] The UI needs improvements (and probably soon). There's no sorting nor searching for variables, making it very diffcult to find stuff when you have 100s of variables. — on web variables don't show up at all. [P1] The AWS integration errors when the secret already exists. This made things a bit awkward for us, considering we manage our infra via Pulumi and we couldn't "create" the secret via Pulumi (had to do some hack to get around this). — this can become important if one wants to give 1P AWS role a very strict access (just the managed secret, not a wildcard policy as suggested in the docs). [P2] Ideally would be awesome to have a pulumi provider and fully manage Environments via pulumi (only the setup, not the variables). [P1] There is share with individuals but no share with "a team of people". Thanks again and keep up the good work. 🙌
Local Environment File Partial Override and Merging
First of all I am very pleased with the announcement of the new environment feature to mount into local .env files! For our use case it would be beneficial to allow merging different environments into the same .env file or to allow partial overrides of values locally that are persisting locking of the desktop application. For local development, we have a single starter .env file with a lot of empty values and not all of these values are used by all developers. For example we have an authentication related section that contains secrets that are per-developer. For example the developer specific Github PAT, Social Auth provider App identifiers and credentials. These should be still stored in the single env file that is used during development and we would like to avoid fragmentation into multiple files at the moment, as it complicates our containerized configuration. So I have two related feature requests: Would it be possible to allow merging of different environments into a single mounted file (conflict resolution aside for now)? Would it be possible to allow partial overrides of specific values based on the employee vault or local environment?Environments: any plans for CLI/API support?
Our team would love to adopt Environments but are running into some limitations: Programmatic writes to Environments Are there plans to support creating/updating Environments and their variables via the 1Password CLI or 1Password Connect? Currently, AWS Secrets Manager is our source of truth for application secrets and we have a Lambda job that syncs those secrets into 1Password using the 1Password CLI. We’d love to switch that sync to populate Environments, but we can’t do that (yet?) without a write API/CLI for Environments. Headless/CI usage We’d like to use Environments in CI. Unless I’m missing something, mounting Environments appears to be configured solely through the UI right now. Is there a way (or plan) to support Environments in CI pipelines, e.g. via a GitHub Action? For context, today we make this work with 1Password CLI + secure notes + secret references, which is fine, but the named pipe pattern would simplify a lot of workflows for us. Thanks!
