Level up your business security with free, on-demand training and certification. Explore 1Password Academy today →
1password-credentials.json invalid?
Hi there I'm trying to setup the operator in my kubernetes cluster however, the connect server is complaining about the credentials. {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 30s), Wrapped: (failed to FindCredentialsUni │ │ queKey), failed to loadCredentialsFile: Server: (LoadLocalAuthV2 failed to credentialsDataFromBase64), illegal base64 data at input byte 0","timestamp":"2026-04-30T19:05:07.6488449 │ │ 95Z","level":1} On investigation it seems that the data in the (freshly downloaded) file is not decoding as valid base64. (I'm downloading via windows and accessing file from WSL bash). For instance, this:- jq -r '.encCredentials.data' 1password-credentials.json | basenc --base64url -d > /dev/null && echo OK || echo BAD returns BAD, i.e. thinks that the data property is not decodable. image tags: 1password/connect-api:1.7.3 1password/connect-sync:1.7.3 Any help would be welcome, thanks in advance!April 2026 at 1Password: Post-quantum protection, External Checks close the access gap, and AI-era security
In April, we began rolling out new protections that will keep your data safe in a world with quantum computers, we expanded how teams can enforce access with External Checks in 1Password Device Trust, and shared new thinking on AI agents, credential sprawl, and what it takes to secure systems in a faster-moving threat landscape. In case you missed it A first step toward post-quantum security Introducing the first major milestone in our post-quantum cryptography (PQC) journey: as post-quantum protection in the 1Password web app! 1Password now supports hybrid post-quantum key exchange in PQC-capable browsers like Chrome or Firefox. It all happens automatically – no user action required. This helps protect against "harvest now, decrypt later" attacks, where adversaries capture encrypted traffic today in the hope that future quantum computers will be able to decrypt it. This is the first phase of a broader post-quantum roadmap focused on protecting your data against the threats of today and tomorrow. Read more about our first step toward post-quantum security. Building a Mythos-ready security program AI is accelerating how quickly vulnerabilities can be found and exploited, and security programs need to keep up. We looked at what security leaders can do now to prepare for a world where AI-driven vulnerability discovery happens at machine speed. The takeaway: patching still matters, but it can't be the entire strategy. Teams also need to limit the blast radius by controlling access, isolating agentic identities, replacing long-lived secrets, and making it harder for a single exploit to escalate into a larger breach. Read the full post on building a Mythos-ready security program. External Checks in Device Trust 1Password Device Trust can now factor in signals from other systems before allowing access to protected apps. With External Checks, access decisions can include more than device posture. Admins can pull in things like security training completion, policy acknowledgments, MFA enrollment, active employment status, and other verification signals from external systems. External Checks closes the gap between having a policy in place and actually enforcing it when someone tries to reach company apps and data. Learn more about External Checks in 1Password Device Trust. What we learned using AI agents to refactor a monolith We shared a behind-the-scenes look at how 1Password used AI agents to help refactor a large Go monolith. The work demonstrated how agents can be genuinely useful, especially for analyzing large codebases, building deterministic tools, and executing well-scoped changes. It also showed where they still need strong constraints, clear specifications, and human judgment. Read more about what we learned using AI agents to refactor a monolith. Protecting against OAuth-based supply chain breaches Credential sprawl continues to spread across SaaS apps, developer tools, automation workflows, and AI agents. OAuth makes it easy to connect new tools, but those connections can quietly become supply chain risks when permissions are broad, long-lived, or poorly tracked. We looked at how OAuth-based supply chain attacks happen, how Google Workspace admins can check which third-party apps currently have access, and why ongoing discovery is more effective than a one-time audit. Read more about protecting against OAuth-based supply chain breaches and credential sprawl. Chasing Entropy (Season 2) Season two of Chasing Entropy kicked off in April with three new episodes: Why secure-by-design is an incentives problem, with Bob Lord. Dave Lewis and Bob Lord get into secure-by-design principles, AI systems, software supply chains, and why security outcomes need to be owned at the organizational level. What cyber conflict reveals about power and doctrine, with Allie Mellen. Dave talks with analyst and author Allie Mellen about cyber conflict, attribution, geopolitics, and why defenders need to understand intent, not just indicators. Why friction is a security risk, with Dustin Heywood. Dave and IBM's Dustin Heywood (aka EvilMog) get into agentic AI, machine identity, quantum planning, and why security controls that add friction tend to get bypassed. Listen to Chasing Entropy wherever you get your podcasts. Random but Memorable April brought three new episodes of Random but Memorable to catch up on: What it takes to protect – and break into – data centers with Deviant Ollam Are you oversharing with AI? Author Jamie Bartlett has thoughts What to do if you’ve been hacked, with Glenn Wilkinson This month covered the physical side of security, safer AI habits, what to do after a compromise, and how supply chain attacks are feeding into one another. Release note highlights Browser extension Added settings that let you choose which item types appear as autofill suggestions in the inline menu. Reorganized Autofill settings for easier navigation. Fixed an issue where the browser extension didn’t unlock with the 1Password app. Fixed issues with the sign-in banner and Quick Access suggestions in Chrome and Chromium-based browsers on Mac. Fixed several autosubmit and website-specific autofill issues. Mac, Windows, and Linux Improved localization across supported languages. Updated the wording for unlock preset options. Fixed an issue where a LastPass import could fail if the account had multi-factor authentication enabled. Improved how 1Password recovers drafts of items. App icons shown in SSH, CLI, and SDK authentication prompts now display more quickly. [Mac only] Improved handling for shortened Apple Maps links. [Windows only] Fixed an issue where 1Password couldn’t be used as the Windows passkey manager when installed on an external drive. [Linux only] Added a “Start at login” setting, enabled by default in Settings > General. iOS and Android Improved localization across supported languages. Updated the wording for unlock preset options. Improved how 1Password recovers drafts of items. [iOS only] Fixed an issue that could cause excessive background battery use after using AutoFill. [iOS only] Fixed an issue that could prevent 1Password for Safari from unlocking. [Android only] Fixed a crash that could occur when first launching the app. 1Password CLI Added Shell Plugin support for Claude Code CLI, Scaleway CLI, AWS SAM CLI, AWS eksctl, AWS awslogs, and OpenAI Codex CLI. The AWS CDK shell plugin now supports AWS profiles that assume a role with the --profile flag. op run now properly terminates subprocesses when cancelled. 1Password CLI commands now support the Account Trust Log when authenticating with the 1Password desktop app.
Default Ctrl+. shortcut conflicts with Firefox 150+ GTK emoji picker on Linux
Starting with version 150.0, Firefox added support for the native GTK emoji picker in Linux. This is from the release notes (https://www.firefox.com/en-US/firefox/150.0/releasenotes/ ): Added support for the GTK emoji picker on Linux, allowing users to insert emoji using the system shortcut (typically Ctrl+.). GTK's native emoji picker is triggered by the "insert-emoji" signal, whose default keybindings are "Ctrl+." and "Ctrl+;". These are set at the toolkit level by GTK, so they can't be remapped via OS settings or Firefox's about:keyboard page. Since 1Password's browser extension uses "Ctrl+." as the default shortcut for activating it, the update causes the emoji picker to appear instead of the extension when the shortcut is pressed in a text field. The simplest workaround is to change 1Password's shortcut assignment in the extension's Settings page, but if you want to keep using the default without having Firefox interfere with it, I found two solutions: Set the value of the "widget.gtk.native-emoji-dialog" preference to "false" in Firefox's about:config page. This will completely disable the emoji picker feature. Add the code snippet below to "~/.config/gtk-3.0/gtk.css". This will unbind the "insert-emoji" signal from Ctrl+. and reassign it to a new shortcut (Ctrl+Shift+E in this case), but will do so for all GTK apps in your system. @binding-set EmojiSelectRemap { unbind "<Control>period"; bind "<Control><Shift>e" { "insert-emoji" () }; } entry, textview { -gtk-key-bindings: EmojiSelectRemap; } Given this situation, it would be worth the 1Password team considering either changing the default shortcut for the Firefox browser extension on Linux or adding a note on this issue to the documentation.Upcoming 1Password webinars
Hi folks, Here's an overview of all the webinars we have coming up in the next several weeks. I hope we'll see you there! Tuesday, May 12th at 8 AM PDT / 11 AM EDT (60 minutes): What's new? 1Password MSP Edition Join our quarterly webinar that is designed to keep you informed, equipped, and connected. During this session you will hear the latest updates from 1Password, get answers to your questions, and learn from your peers. Tuesday, June 2nd at 9 AM PDT / 12 PM EDT (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review In this webinar, you can look forward to learning about our recent product releases, a glimpse into our product roadmap, upcoming events with 1Password, a deep dive into actionable ways 1Password can support your business' security goals. Thursday, June 4th at 11 AM BST / 12 PM CEST / 1 PM EEST (60 minutes): What's new? The 1Password quarterly security spotlight and roadmap review This is the same webinar, but scheduled to be more convenient for Europe, the Middle East, and Africa.
Change to autostart on Linux in 8.12.12
The new Start at Login option in 8.12.12 places a .desktop file in ~/.config/autostart. I've always used this to autostart 1Password at login. The problem is, 1Password now overwrites my file's Exec= with a --silent flag suppressing the window for me to authenticate and unlock my browser. I've changed permissions on the .desktop file to read-only so that 1Password cannot modify the file but this is not ideal. I've tried disabling the Start at Login option, which I would presume would then leave my folder alone, but instead it will seek out and delete any 1password.desktop file I place in there every time the application starts. Please have some option to allow the desktop application to OPEN at login rather than forcing it to start in the background as not all desktop environments have a tray (GNOME being the obvious one) for the user to invoke a backgrounded app in order to authenticate at login. Though all things being equal I'd really prefer that you not modify files that I create.
Why the requirement for group id >= 1000?
In various places people have had to discover, and workaround the fact that the 1Password Browser-Helper and CLI not only require being in a specific group (fine), and have setgid set (also fine), but the gid of that group must by greater or equal to 1000 for the integration to work: Arch: Can not connect to desktop app | 1Password Community Gentoo: [SOLVED] Browser support error on Gentoo Linux | 1Password Community NixOS: https://github.com/NixOS/nixpkgs/commit/2a58907251af76c67c6d14c1e84e73f7eaeb95e8 I've been working on a distro package for a Linux distribution I'm building and also had to discover this. As per the previous implementation in the AUR, my package uses systemd-sysusers to automatically manage users and groups required by packages. By default these automatically assigned gids are less than 1000, which causes the browser integration to fail. I can work around by hard-coding a gid, but it would be better if it just worked with the automatically assigned one. I'm wondering what's the reason for the >= 1000 requirement, and can the need for it be removed to make packaging simpler, cleaner, and consistent with other packages that need specific users and groups.
Feature Request unlock 1Password with FIDO Key
Thanks for the Windows Hello support to unlock with Camera or PIN. Could you consider unlocking 1Password with a FIDO key lets say by tapping an NFC reader, or the key is connected to the USB port and user just touches the key or reads the finger print and authorises the unlock? thanks
Can we get 1st-party support for keyboard shortcuts?
Now that the interface to edit/set keyboard shortcuts has been removed from 1Password running under Wayland, It would be preferable if the installation package made the shortcuts available to configure by default, rather than https://support.1password.com/keyboard-shortcuts/?linux#wayland. I wrote about this before under a blog of post yours, but it was ignored. It's trivial to add Desktop Action sections to your existing launcher file, and reference them in an Actions= directive: [Desktop Entry] Name=1Password Exec=/opt/1Password/1password %U Terminal=false Type=Application Icon=1password StartupWMClass=1Password Comment=Password manager and secure wallet MimeType=x-scheme-handler/onepassword;x-scheme-handler/onepassword8; Categories=Office; Actions=Show;QuickAccess;Lock;Fill; [Desktop Action Show] Name=Show 1Password Icon=window-symbolic Exec=1password --show [Desktop Action QuickAccess] Name=Show Quick Access Icon=search-symbolic Exec=1password --quick-access [Desktop Action Lock] Name=Lock 1Password Icon=lock-symbolic Exec=1password --show [Desktop Action Fill] Name=Fill in Browser Icon=web-browser-symbolic Exec=1password --fill Putting a symlink to this expanded .desktop file under /usr/share/kglobalaccel/ makes those keyboard shortcuts appear in KDE Plasma's Settings app:1Password Passkeys not usable in Chromium-based browsers
I’m running into an issue with 1Password Browser Extension and passkeys on Linux and MacOs. Its just not useable anymore. The option “Save and sign in with passkeys” is greyed out. 1Password never appears in passkey login flows. I have the issue on MacOS and Linux with Vivaldi and Chrome. Different machines and different browser but chrome based. With Firefox it works. What I’ve already tried Reinstalling the extension Reconnecting the desktop app Used nigthly builds Installed older chrome versions No change. Can someone help please. Thanks!
