It’s Cybersecurity Awareness Month! Join our interactive training session, or learn about security and AI from 1Password experts.
CLI Offline Usage
In light of the current AWS outage, which seems to have affected 1Password as well, it would be nice if the 1password CLI did not rely on servers to work. My local vaults continued to work offline; however, the `op run` CLI stopped working. It would prompt for 1Password authentication, but after approving, the CLI command would hang. I suspect this is related to a generous server timeout, which means the CLI will wait 30 seconds or longer for a server response that never comes. This stopped me from being able to do any development work, since I depend on the 1Password CLI to run software securely on my machine. This was only a brief outage (~15 min maybe?), but the CLI's reliance on 1Password servers seems unnecessary when the app already allows me to access all my credentials without an internet connection.
1Password Environments Beta is awesome
Just wanted to drop some feedback after playing around with the new Environments Beta in 1Password. Honestly, I’m loving it so far. The local .env file mounting is just brilliant. Secrets are easy to access without having to run extra commands, but still secure – exactly what I want. Makes switching between machines seamless, too. A couple of things I’d really like to see next: 1. CLI Integration - being able to create/edit/list environments and variables from the terminal would make this so much more useful, right now, having to click around in the desktop app is a bit of a pain for dev workflows. 2. More integrations: AWS Secrets Manager is a great start, but would love to see GCP and other major providers such as GitHub, etc. A plugin system for integrations would be awesome also to help cover more niche players like Modal.com Overall, this is a huge step in the right direction for 1Password. Can’t wait to see where this goes next!
Cannot create now service account or rotate token
I'm having trouble creating new service account or rotating existing service account token with 500 error: Attempts via op CLI fails as well. $ op service-account create ... [ERROR] 2025/10/20 17:01:12 (500) Internal Server Error: Server experienced a fatal error. There's no sign of outage in service account at https://1password.statuspage.io/. Has anyone experienced the same thing?
"op inject" does not find item in vault
Hi, I'm currently trying to generate a .env file locally using a .env.reference containing secret references, but I keep getting an error when running op inject. Any help on this would be much appreciated. --- .env.reference APP_ENV="op://Env_Server_Local/APP_ENV/password" FRONTEND_APP_URL="op://Env_Server_Local/FRONTEND_APP_URL/password" SERVER_URL="op://Env_Server_Local/SERVER_URL/password" > When running op read, it works % op read op://Env_Server_Local/APP_ENV/password development > When running op inject to generate the .env file, it fails. The secret does exist and was not deleted or archived. % op inject -i packages/server/.env.reference -o packages/server/.env [ERROR] 2025/06/13 08:45:14 could not find item APP_ENV in vault Env_Server_Local, because it has been deleted or archived. Please restore the item if you want to use it with secret provisioning. I feel it might be due to adding new items to the vault / updating existing items. --- 1password-cli : 2.31.1 desktop app: 1Password for Mac 8.10.80 (81080023) ---- This is blocking us from fully integrating 1password as secrets manager. Any help appreciated 🙏
Fingerprint sensor support on remote systems?
Hello, maybe I missed something. Hence, I am asking before buying a new Mac Keyboard with sensor ... I use 1Password for: local stuff on my Mac on remote systems over ssh Visual Studio Code (VSC) remote over ssh VSC Docker devcontainers on remote Linux systems (In VSC open a folder on a remote system, open the project folder in docker devcontainers) Typing in the vault password is a cumbersome thing, when done too often, and restarting and rebuilding the containers, are new shells / terminals requesting entering the 1Password vault password often. Hence, I am looking for a way to make this simpler and hoped for support of the fingerprint sensor on remote systems.
Tooling to expose 1Password entries as environment variables for specific commands
The https://github.com/bevry/dorothy provides a secret command, which interfaces with the 1Password CLI, to do such things as secret get and sercret env -- command to grab your secrets only when they are needed, and expose them only to the command that needs it. This is much more secure than exposing your secrets to your environment, which is commonly sent to a server when malicious software runs. I use it all the time, relevant links: https://github.com/bevry/dorothy#secrets https://github.com/bevry/dorothy/blob/master/commands/secret My .dorothy/user/secrets/secrets.json file looks like so: json { "DISCOURSE_BEVRY_SERVER": ["personal", "bevry discourse", "server"], "DISCOURSE_BEVRY_ROOT": ["personal", "bevry discourse", "root"], "DISCOURSE_BEVRY_SSH": ["personal", "ssh keys", "bevry discourse"], "SCALEWAY_SSH": ["personal", "ssh keys", "scaleway"] } Which I use like so: bash secret get DISCOURSE_BEVRY_ROOT DISCOURSE_BEVRY_SSH SCALEWAY_SSH secret env DISCOURSE_BEVRY_SERVER -- ssh 'root@$DISCOURSE_BEVRY_SERVER' You can create your own configuration file by writing .dorothy/user/secrets/secrets.json directly, or by using: ``` bash secret map e.g. for my configuration file earlier, I would configure the database like so secret map DISCOURSE_BEVRY_SERVER personal 'bevry discourse' server secret map DISCOURSE_BEVRY_ROOT personal 'bevry discourse' root secret map DISCOURSE_BEVRY_SSH personal 'ssh keys' 'bevry discourse' secret map SCALEWAY_SSH personal 'ssh keys' scaleway ``` You may be able to trial it standalone (without setting up Dorothy) by running: bash --rcfile <(curl -fsSL https://dorothy.bevry.workers.dev) secret ... Let me know your thoughts and suggestions. 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Sync Type: Not Provided
Security concern with allowing Terminal complete access to my 1P account via op CLI
I have a shell script that uses 1Password secret reference: export EXAMPLE_API_KEY=$(op read "op://Vault-Name/Example API Token/Specific-Token/Token") But when it's loaded, I have to authorise the terminal/shell to have access to it (see screenshot) My concern is that it's giving the terminal/shell access to my entire account and all vaults within it when I only want to provide it with access to one entry within a single vault. What happens if I had a malicious script installed that scans for 1Password secret references across multiple files? The script might not be able to identify the "account" but it just needs the vault names. Then it can start to build up common names for identifying secrets stored within 1Password and try requesting them, and if I've already authorised the terminal/shell I won't see a popup notification and so the script would be free to access the secrets. Initially, I moved any secrets I use for development work into a separate vault, which I thought would help when it came to the terminal/shell requiring access via a 1Password secret reference because it would only have access to that specific vault (reducing the blast radius) but that's when I noticed it wasn't getting access to just the vault but the entire account. I'm not sure how much of an issue people think this is but it worries me. 1Password Version: 8.10.40 Extension Version: Not Provided OS Version: macOS 15.1 Browser: Chrome
