discussion (31 topics)

I would like EPM with my SOC workflow for OAuth. Looking forward to SCIM improvements for SecOps.

Didn't understand half of what the blog post went over because I had to remember so many acronyms. https://1password.com/blog/automating-soc-workflows-with-1password-enterprise-password-manager

Look at what is happening in society. People are live streaming implementations of openclaw and exposing their tokens. OPENCLAW DEMO THAT YOU NEED TO WATCH. I TIMESTAMPED IT SO YOU GO TO THE GOOD PART.
op.exe considered harmful?

I’d like to raise a point about the current security model of op.exe, and how it affects protection against supply-chain or similar attacks.

Consider a scenario where an attacker manages to execute malicious code locally, for example, via a compromised Python package. While this is often considered “game over,” in practice we still want to avoid being the easiest target in such situations. A common behavior of malicious payloads is to harvest local secrets. While 1Password provides some protection against direct file access, an attacker can simply invoke op.exe, which actually centralizes access to clear-text secrets in a very convenient way.

Although op.exe prompts the user for permission, my understanding is that this permission applies broadly (e.g., to the entire account for a period such as 10 minutes). As a user, I can see which application is requesting access, but not which vaults or items are being queried. In practice, the application name (e.g., WindowsTerminal) is not very helpful in determining whether the request is legitimate.

I’d be interested in others’ perspectives on this. Some potential improvements that seem valuable to me:

- When requesting permission, op.exe should provide more context (e.g., which vaults and items are being accessed).
- Users should be able to grant permissions at a finer granularity: not just account-wide, but limited to specific vaults or even individual items.
- Another useful feature would be the ability to mark certain items or vaults as excluded from programmatic access (via op.exe, and possibly browser extensions). Even better, this could be the default behavior, requiring explicit opt-in at the item level.

I understand that such restrictions would be enforced client-side and therefore not fully robust. However, they would still meaningfully increase the effort required for a malicious local process to enumerate and exfiltrate secrets, and thus provide practical security benefits.

Finally, it might be worth considering stronger protections at the vault level—for example, requiring explicit user authentication (master password, or even a separate password) before allowing access to secrets. This could apply not only to op.exe, but also to the interactive 1Password client.
Developer Doc "bugs"

As we are starting to develop utilizing the 1Password SDK, I have been finding some "bugs" in the documentation. I would love to see these updated (to help other people). We have been having to create our own internal documentation.

From: https://developer.1password.com/docs/sdks/manage-items/#update-an-item

    Update an item
    To update an item, fetch the item you want to update, specify the changes you want to make, then pass the updated item to the client.Items.Put function.

    # Update a field in your item
    item.fields[0].value = "new_value"
    item.websites.append(
        Website(
            label="my custom website 2",
            url="https://example2.com",
            autofill_behavior=AutofillBehavior.NEVER,
        ),
    )
    updated_item = await client.items.put(item)

Website is not a data type:

    NameError: name 'Website' is not defined

From the page: https://developer.1password.com/docs/sdks/concepts/#field-types

There is no Data Type "Website", but there is a Data Type "Url", which I also tried, and it does not work either:

    NameError: name 'Url' is not defined

I finally, looking at the source code, figured out that I had to do yet another "import":

    from onepassword.types import ItemField, Website, AutofillBehavior

to make this work. Are there other documentation pages that go over all the other parts of "types.py" that tell us when they are used, where they are used, and how to do the import for them? Same goes for the other code pages (secrets, items, errors, vaults, etc.).
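An added example of the fetch-modify-put flow from the thread above, written for this page rather than taken from the 1Password docs or the poster. Only Client, onepassword.types.Website, AutofillBehavior and client.items.get / client.items.put are SDK names; the helpers add_website, set_field_value and sample_item, the environment variable names OP_VAULT_ID and OP_ITEM_ID, and the stand-in classes used when the SDK is not installed are assumptions made for the example. It also shows two things the docs snippet does not: looking a field up by id instead of by position, and refusing to add a non-https website.

```python
"""Fetch-modify-put of a 1Password item with the Python SDK, including the
onepassword.types import the docs snippet omits.

From the SDK: Client, onepassword.types.Website, AutofillBehavior,
client.items.get / client.items.put. Everything else (add_website,
set_field_value, sample_item, the offline stand-ins) is written for this
example and is an assumption, not SDK code.
"""
import asyncio
import os
from types import SimpleNamespace
from urllib.parse import urlsplit

try:
    from onepassword import Client
    from onepassword.types import AutofillBehavior, Website
except ImportError:
    # SDK not installed: stand-ins with the same attribute names so the helpers
    # can be exercised offline (assumption: same constructor keywords as the SDK).
    from dataclasses import dataclass
    from enum import Enum

    Client = None

    class AutofillBehavior(Enum):
        NEVER = "Never"

    @dataclass
    class Website:
        label: str
        url: str
        autofill_behavior: AutofillBehavior


def add_website(item, url: str, label: str = "website") -> bool:
    """Append a Website to item.websites unless that exact URL is already listed.

    Only https URLs are accepted so a typo cannot add an autofill target on
    plain http; autofill is NEVER, as in the docs snippet. Returns True if added.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-https or malformed URL: {url!r}")
    if any(site.url == url for site in item.websites):
        return False
    item.websites.append(
        Website(label=label, url=url, autofill_behavior=AutofillBehavior.NEVER)
    )
    return True


def set_field_value(item, field_id: str, value: str) -> None:
    """Update a field by its id rather than by position.

    The docs use item.fields[0]; that edits whichever field happens to be first,
    which is the wrong one if the item's field order ever changes.
    """
    for field in item.fields:
        if field.id == field_id:
            field.value = value
            return
    raise KeyError(f"no field with id {field_id!r} on item {item.title!r}")


async def update_item(vault_id: str, item_id: str, field_id: str, new_value: str, url: str):
    """The real flow: authenticate with a service account token, get, modify, put.

    Needs the SDK installed and OP_SERVICE_ACCOUNT_TOKEN in the environment.
    """
    client = await Client.authenticate(
        auth=os.environ["OP_SERVICE_ACCOUNT_TOKEN"],
        integration_name="docs-example",   # assumption: any name/version you choose
        integration_version="v1.0.0",
    )
    item = await client.items.get(vault_id, item_id)
    set_field_value(item, field_id, new_value)
    add_website(item, url)
    return await client.items.put(item)


def sample_item():
    """A constructed stand-in for an SDK Item (not a real vault item) used to
    run the helpers offline; only the attributes the helpers touch are present."""
    return SimpleNamespace(
        title="example login",
        fields=[
            SimpleNamespace(id="username", value="alice"),
            SimpleNamespace(id="password", value="old_value"),
        ],
        websites=[
            Website(label="website", url="https://example.com",
                    autofill_behavior=AutofillBehavior.NEVER),
        ],
    )


if __name__ == "__main__":
    if Client is None:
        demo = sample_item()
        add_website(demo, "https://example2.com", label="my custom website 2")
        set_field_value(demo, "password", "new_value")
        print([site.url for site in demo.websites], demo.fields[1].value)
    else:
        # OP_VAULT_ID / OP_ITEM_ID are names chosen for this example (assumption).
        asyncio.run(update_item(os.environ["OP_VAULT_ID"], os.environ["OP_ITEM_ID"],
                                "password", "new_value", "https://example2.com"))
```

Run it without the SDK and it exercises the helpers against the constructed item; with the SDK and a service account token it performs the real get/put against the vault and item you name.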
Introducing 1Password Developer Office Hours

We're launching a new live series for developers who build with 1Password. Every month, we'll go deep on a developer tool, feature, or workflow - live demos, product deep-dives, and open Q&A with the people who build and support these tools. No registration. No slides-only presentations. Just drop in, ask questions, and leave with something useful.

Session 1: 1Password Environments - From Development Through to Production
Thursday, March 19 at 1:00 PM ET / 10:00 AM PT

Our first session covers 1Password Environments end to end: CLI, SDKs, Service Accounts, conventions, and practical tips for managing secrets across your development, staging, and production workflows. We'll be joined by a guest from the 1Password Solutions team for a live walkthrough and Q&A.

What we'll cover:
- Setting up and organizing Environments for multi-stage workflows
- Working with the CLI and SDKs to manage secrets across environments
- Service Account patterns for CI/CD and production
- Tips and common pitfalls

How to join: https://1password.zoom.us/j/95230687587?pwd=eAI6KzzRdEV5nZmGc8TlfBBFInGg7a.1&jst=3
No registration required. Just click the link at session time.

What's coming next:
- April: Securing AI Agents with 1Password SDKs
- May: SSH Keys Done Right - 1Password SSH Agent

Have a topic you'd like us to cover? Drop it in the comments / thread below. See you on March 19.
How do you store Membership Anywhere digital cards securely?

Hi everyone,

Lately I’ve noticed that many museums, cultural institutions, and organizations are moving toward digital membership cards instead of physical ones. Some platforms, like Membership Anywhere, provide digital passes that members can access from their phone or add to mobile wallets.

While these solutions are convenient, I sometimes wonder about keeping a secure backup of important membership details. For example, if a membership includes a number, QR code, or digital pass, losing access to the original email or app could make it harder to retrieve later. I know wallet apps like Apple Wallet or Google Wallet can store some passes, but not every organization supports those formats.

So I’m curious how others handle this. Do you store things like digital membership cards or membership details inside your password manager, or do you rely entirely on the original app or email?
Meet the 1Password team at KubeCon Europe

KubeCon + CloudNativeCon Europe is coming up on March 23–26 in Amsterdam. A few folks from the 1Password team will be there and we'd love to meet you!

If you rely on 1Password for your development work – the CLI in your terminal, Service Accounts in CI/CD, or 1Password Connect in a Kubernetes cluster – we’d love to know if you’re attending and if you’d like to meet the team. We want to hear more about how you’re using 1Password Developer tools, what’s working (and what’s not), and what you’d like to see next. Tell us about the awkward edge cases, security tradeoffs, and the problems you’re solving for today.

If you’re a 1Password customer attending KubeCon Europe and you’re up for a short chat with the 1Password team, please let us know using this form: Let us know if you'll be at KubeCon.

Not traveling this time? Reply here with what you’re building and how you’re managing human and machine credentials.
What is an Agent Chassis?

Jeff Malnick’s post is confident. It’s also detached from how developers actually ship code today and made me furious.

“Agent chassis” boils down to: the script that runs your agent. Fine. But the security layer argument collapses when the tooling underneath is fragmented.

Right now you pick between CLI, shell plugins, service accounts, connectors, environments — each with different auth models, rate limits, edge cases, and silent failures. None cleanly support a headless agent workflow. I’ve built workarounds for my workarounds.

Agentic coding made this obvious. Agents need real credentials at runtime. Not desktop popups. Not biometric prompts in a terminal.

The community built unofficial MCP servers. Anthropic shipped 50+ connectors. 1Password isn’t there.

The spec is public. It’s buildable. So—who’s shipping it?
Python 3.14 and SDK example.py

The python example.py script worked with python 3.13 after following the setup instructions. For python 3.14 the following error occurs:

    # Connects to 1Password.
    client = await Client.authenticate(
        auth=token,
        # Set the following to your own integration name and version.

    Exception has occurred: NameError
    name 'Client' is not defined

Has the example.py script been run under python 3.14? Should the script not have this error with python 3.14?
Amazing Command Line Workflow

This is my last post due to this janky editor. I had this in a nice format to read but due to the errors and time wasted it's plain text.

I spend most of my time in the terminal and struggle with quickly searching credentials or notes in the 1Password application and will be building out a new little command that outputs all fields from a selected item.

    op item get "$(op item list --format json | jq -r '.[] | "\(.id) \(.title) [\(.vault.name)]"' | fzf | awk '{print $1}')" --format json | jq -r '.fields[] | "\(.label): \(.value // .reference // "(empty)")"'

See a video of the workflow here -> https://screen.studio/share/0oSfsVhj

Hopefully you will have a laugh.

Thanks to the solution from mcky:

    op item get $(op item list | fzf --header-lines=1 | awk '{print $1}')

Here is the final version of the command. It is basically a poor man's TUI for 1Password.

    #!/usr/bin/env bash
    set -euo pipefail

    # Parse arguments
    COPY_MODE=false
    QUERY=""
    while [[ $# -gt 0 ]]; do
      case $1 in
        -c|--copy)
          COPY_MODE=true
          shift
          ;;
        -h|--help)
          echo "Usage: opsearch [OPTIONS] [QUERY]"
          echo ""
          echo "Options:"
          echo "  -c, --copy    Copy selected field value to clipboard"
          echo "  -h, --help    Show this help message"
          echo ""
          echo "Examples:"
          echo "  opsearch              # Interactive search"
          echo "  opsearch github       # Search for 'github' in titles"
          echo "  opsearch --copy       # Copy mode (interactive)"
          echo "  opsearch --copy aws   # Search 'aws' and copy result"
          exit 0
          ;;
        *)
          QUERY="$1"
          shift
          ;;
      esac
    done

    # Function to copy to clipboard based on OS
    copy_to_clipboard() {
      local value="$1"
      if command -v pbcopy &> /dev/null; then
        # macOS
        echo -n "$value" | pbcopy
        echo "Copied to clipboard (macOS)"
      elif command -v xclip &> /dev/null; then
        # Linux with xclip
        echo -n "$value" | xclip -selection clipboard
        echo "Copied to clipboard (xclip)"
      elif command -v wl-copy &> /dev/null; then
        # Linux with wl-copy (Wayland)
        echo -n "$value" | wl-copy
        echo "Copied to clipboard (wl-copy)"
      else
        echo "Warning: No clipboard tool found (pbcopy, xclip, or wl-copy)" >&2
        echo "Value: $value"
        return 1
      fi
    }

    # Select item via fzf (with optional query filter)
    # "|| true": fzf exits 130 when you press Esc, and with "set -euo pipefail"
    # that would abort the script before the "No item selected." check below.
    if [[ -n "$QUERY" ]]; then
      # Search mode: filter items by query
      item_id=$(op item list --format json \
        | jq -r --arg q "$QUERY" '.[] | select(.title | ascii_downcase | contains($q | ascii_downcase)) | "\(.id)\t\(.title)\t[\(.vault.name)]\tcreated: \(.created_at[:10])\tmodified: \(.updated_at[:10])"' \
        | column -t -s $'\t' | fzf --header="Filter: $QUERY" | awk '{print $1}' || true)
    else
      # Interactive mode: show all items
      item_id=$(op item list --format json \
        | jq -r '.[] | "\(.id)\t\(.title)\t[\(.vault.name)]\tcreated: \(.created_at[:10])\tmodified: \(.updated_at[:10])"' \
        | column -t -s $'\t' | fzf | awk '{print $1}' || true)
    fi

    if [[ -z "$item_id" ]]; then
      echo "No item selected." >&2
      exit 1
    fi

    # Fetch full item JSON once
    item_json=$(op item get "$item_id" --format json)
    vault=$(echo "$item_json" | jq -r '.vault.name')
    item=$(echo "$item_json" | jq -r '.title')

    # Display all fields
    echo ""
    echo "=== $item [vault: $vault] ==="
    echo ""
    echo "$item_json" | jq -r '.fields[] | "\(.label): \(.value // .reference // "(empty)")"'

    # In copy mode, skip the field selection and use fzf for field
    echo ""
    if [[ "$COPY_MODE" == true ]]; then
      echo "=== Select field to copy ==="
    else
      echo "=== Select a field for reference commands ==="
    fi

    # Pick a field via fzf (same "|| true" reason as above)
    field=$(echo "$item_json" | jq -r '.fields[].label' | fzf || true)
    if [[ -z "$field" ]]; then
      echo "No field selected." >&2
      exit 1
    fi

    # Get the field value for copying
    field_value=$(echo "$item_json" | jq -r --arg f "$field" '.fields[] | select(.label == $f) | .value // .reference // empty')

    # Copy mode: copy and exit
    if [[ "$COPY_MODE" == true ]]; then
      if [[ -n "$field_value" && "$field_value" != "null" ]]; then
        echo ""
        copy_to_clipboard "$field_value"
        echo "Field: $field"
      else
        echo "Error: Field '$field' has no value to copy" >&2
        exit 1
      fi
      exit 0
    fi

    # Reference mode: show commands
    ref="op://$vault/$item/$field"
    echo ""
    echo "Reference: $ref"
    echo ""
    echo "Commands:"
    echo "  op read \"$ref\""
    echo "  op run --env MYVAR=\"$ref\" -- <command>"
    echo "  op inject -i <template> -o <output>   # use: {{ $ref }}"
    echo ""
    echo "Copy mode: opsearch --copy"

Now type opsearch and never context switch from the terminal.