Protect what matters – even after you're gone. Make a plan for your digital legacy today.
Frustrations with .env File Handling and Environments in 1Password
To whom it may concern, I just tried to add some basic .env files to 1Password and was honestly surprised at how difficult and unsatisfying the experience was. I’ve always considered 1Password a premium, polished product, and I’ve really enjoyed using it so far. But in this case, the lack of functionality is pretty disappointing. I know you recently launched the Environments beta, which seems like a step in the right direction, but it’s clearly not fully fleshed out. Most programming projects of mine include multiple environment files, not just one. Some values in these files are sensitive, and others aren’t, so we should be able to choose which fields are masked (as passwords) and which are shown normally. Importing and exporting environment files should also be seamless, currently, it’s anything but. But the biggest issue with Environments right now is that they apparently don’t belong to vaults. That means I can’t share them with coworkers, which makes them basically useless for team projects. What’s the point of having them at all if they can’t be shared? So I tried workarounds: First, I attempted to store the variables in a secure note. While you can manually add fields, that’s clunky and time-consuming. Then I tried uploading the .env file to the note, but on macOS, the file picker doesn’t show hidden files, and apparently there’s no way to make it do so. This made it impossible to upload the file with its original name, a really basic oversight, and one that shouldn’t exist in a premium product. Next, I tried using a Document item. At least the drag-and-drop upload worked (unlike Secure Notes), but now I’m locked into a document type that only allows a single file. That’s just not workable when a project has multiple secret environment files. Even worse, if I want to replace the file, the drag-and-drop UI disappears entirely, so I can’t upload a hidden file again. I’d have to delete the entire document and start over. That’s absurd. I genuinely respect the work you’ve done on 1Password; it’s one of the few tools I’ve used that felt reliable and trustworthy out of the box. But these gaps in functionality around something as basic as handling environment files are frustrating. And for a product at this price point, I expect this sort of workflow to just work. It’s hard to believe these limitations haven’t already been addressed. On top of that, it was surprisingly difficult to even find a proper way to give feedback like this. That feels like a mistake, if users can’t easily tell you where the product falls short, you miss the chance to improve it. Anyway, I needed to get this off my chest. I hope this feedback is helpful, and that we’ll see improvements to these features soon. Best regards, Joël GrosjeanCLI Slow Performance
I have the 1Password desktop app installed and up to date on my macBook Pro, the `op` CLI is also installed, up to date, and working properly. All expected CLI queries work but they are surprisingly slow. After a bunch of trial and error, it seems that it is making a round-trip online as part of every single CLI query. I added the --debug flag and I can see cache hits, but the round trip online is still occurring. Disabling the network interface causes all queries to fail. Is it possible to get the 1Password CLI working fully offline to avoid all of this unnecessary round-trip business? Surely with the desktop app installed and CLI integration turned on, there has to be a way to make efficient (and offline) use of my 1Password vaults. Otherwise automation tasks that require secrets are simply too cumbersome to handle with 1Password, and I will require a secondary solution. And in that case, I may as well give up on 1Password.
Copy secret reference (using ID values)
This applies to all platforms (not just Mac), but I didn't see a community category for "all platforms", so I'm choosing Mac because it seems to have the highest user activity Perhaps I've missed some documentation, but I don't find a way to copy a https://developer.1password.com/docs/cli/secrets-reference-syntax/ using the desktop app. This seems like a basic and essential task during development. What I want is this format: op://vault_id/item_id/section_id/field_id or if the value isn't in a section: op://vault_id/item_id/field_id How can I do that easily — and get a secret reference defined by ID values (which should be immutable — vs. name values which can be modified)? More context: I find some ways to construct the URL manually (but this is not ideal): A URL can be copied which includes the vault and item ID among other query parameters: I get one in a format like this: https://start.1password.com/open/i?v={VAULT_ID}&i={ITEM_ID} However, that's not enough as it doesn't include the section/field, and would need to be manually edited or processed by other tooling as an additional step to get the required output. I can also use "Copy item UUID" and then paste that as an argument to a manually-typed CLI command to get much more than what's needed: % op --format=json item get x5k2wndiih6cmw2rugl7ol442i { "id": "x5k2wndiih6cmw2rugl7ol442i", // --- snip --- "vault": { "id": "{REDACTED_VAULT_ID}", // --- snip --- }, // --- snip --- "fields": [ // --- snip --- { "id": "credential", "type": "CONCEALED", "label": "credential", "value": "abc123", "reference": "op://{REDACTED_VAULT_NAME}/API Credential/credential" }, // --- snip --- ] } However, this still involves either manually copying+pasting IDs or using other tooling to parse and create the required output. The JSON does include a reference value for the target field, but the reference is built using names, which isn't satisfactory for the reasons described previously. For the example above, what I want to copy to the clipboard is the following (where {VAULT_ID} is replaced by the actual vault ID): op://{VAULT_ID}/x5k2wndiih6cmw2rugl7ol442i/credential I think that if the boolean option is enabled at Settings > Advanced > Show debugging tools: then there should be an option to copy a complete ID-based secret reference for every field in its contextual menu: This is a re-posting of previous issue — the 1Password team stopped responding and it was closed without comment: https://1password.community/discussion/139642/copy-secret-reference-using-id-values 1Password Version: 8.10.48 Extension Version: Not Provided OS Version: macOS 15.0.1 Browser: Not Provided
"Connection Refused" when accessing 1Password ssh-agent within DevContainer
I've been trying to get this to work for a few hours and I'm at a loss for what to do next, so asking for ideas about what the problem could be. My software stack is macOS 26/Tahoe, 1Password 8.11.16, Orbstack (for containers), and VSCode w/DevContainers. I have my SSH keys in 1Password and when executed from the host system, the keys are visible (and SSH works): % SSH_AUTH_SOCK="${HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ssh-add -l 256 SHA256:... (ED25519) % ssh -T git@github.com Hi <username>! You've successfully authenticated, but GitHub does not provide shell access. I have the DevContainer configuration to bind-mount the socket into the container and set a proper `SSH_AUTH_SOCK` value: "mounts": [ "source=${env:HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock,target=/tmp/ssh-agent-1password.sock,type=bind" ], "remoteEnv": { "SSH_AUTH_SOCK": "/tmp/ssh-agent-1password.sock" }, ... when I am in the container, the socket looks right, `SSH_AUTH_SOCK` is correct, but `ssh-add` fails to connect with an error: root@5a53d7e1c685:/tmp# ls -la ssh-agent-1password.sock srw------- 1 root root 0 Nov 2 16:36 ssh-agent-1password.sock root@5a53d7e1c685:/tmp# echo $SSH_AUTH_SOCK /tmp/ssh-agent-1password.sock root@5a53d7e1c685:/tmp# ssh-add -l Error connecting to agent: Connection refused I've verified that the directory itself IS accessible to docker by changing `source=${env:HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock` to be `source=${env:HOME}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sockk` and restarting the container -- when I do that, the directory `agent.sockk` is created within the directory as expected (which I am interpreting as evidence that Docker can traverse all the way to the directory and create a sub-folder within it). I suspect what is happening is that 1Password is blocking the connection entirely (meaning it isn't a filesystem permissions error or otherwise), but I'm not sure how to prove that is the case or how to fix it if it IS the case. Any ideas for diagnostic steps to take next?Agent forwarding in VS Code
The ssh agent forwarding documentation states: The IdentityAgent takes precedence over the SSH_AUTH_SOCK environment variable, so you may want to modify the ~/.ssh/config file for your remote workstation so the IdentityAgent setting is only applied if you're not in an SSH shell. Match host * exec "test -z $SSH_TTY" IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" This advice works for a normal terminal session (e.g. iTerm -> ssh) but it does not work in the Visual Studio Code integrated terminal. The reason is that VS Code does NOT set the `SSH_TTY` environment variable, so this doesn't match, and so the terminal doesn't use the 1Password agent. Perhaps the better suggestion would be to test for an ssh client like so? Match host * exec "test -z '$SSH_CLIENT'" I can confirm this works both from iTerm and VS Code.
Trouble getting document items in Kubernetes with 1P Connect Operator
Hey everyone, I'm trying to get a document out of 1P and into a k8s secret with the Connect Operator, version 1.8.1. I can get Login items but not Document items, even though there seems to be a discussion about this exact topic stating that Documents are supported as of version 1.3.0. Does anyone else have experience with this? --- apiVersion: onepassword.com/v1 kind: OnePasswordItem metadata: name: config-file-dot-yaml namespace: default spec: itemPath: "vaults/dev/items/config-file.yaml" This is the OnePasswordItem I have. The Document config-file.yaml is in the vault dev, and kubectl describe secret config-file-dot-yaml returns an event of "No items found with identifier 'config-file.yaml' " Is there any examples out there of getting the document? Thanks!openv – A simple CLI tool to wrap commands with 1Password secrets from .env
Hey folks, 👋 I just released a new version of a small command-line tool I’ve been working on called openv. 💡 What it does: It automatically wraps selected dev commands (like npm dev, pnpm run, etc.) with op run, if your project’s .env file contains op:// secrets from 1Password. So instead of manually writing: run --env-file=.env -- npm run dev You can just type, as you would normally do: npm run dev And it will be wrapped automatically via a shell hook. 🧠 Why I built it: This started as a personal tool because I kept forgetting to wrap my dev commands with op run, and I wanted a smoother experience that "just works" based on .env contents. It hooks into ZSH (likely direnv), with support for allow/deny patterns (e.g., only wrap certain commands like pnpm start). 🛠️ Tech: Written in Rust Works in ZSH, Bash, and Fish Installable via Homebrew Fully local 🧪 Notes: This is an early release, mainly developed for my personal use. I’m sharing it here in case others find it useful. Feedback, issues, or even feature ideas are very welcome — but no pressure! GitHub: https://github.com/andrea11/openv Thanks for reading — and happy coding! 🚀CLI script for migration from .com to .eu
When switching regions as documented in https://support.1password.com/regions/ there are certain limitations: Files can’t be copied across regions. To copy a Document item, download the file to your computer, then upload it to the new account. To copy an item with an attached file, download the file to your computer, remove the attached file from the item, copy the item to the new account, and add the file attachment back to the copied item. Items with custom icons can’t be copied across regions. Edit the item to remove the custom icon, copy the item to the new account, and add the custom icon back to the copied item. Items with related item links can be copied, but you’ll need to relink items after you copy them. Has anyone made a smart script for the op commandline tool to detect which items are affected by the above limitations? Or does the app reliably complain if it can't copy 1:1 from .com to .eu?
