security
32 Topics

Events API
We need to track events occurring in 1Password. I have enabled the Events API integration. If I run the CURL command:

    curl --request POST \
      --url https://events.1password.com/api/v2/auditevents \
      --header 'Authorization: Bearer <mytoken>' \
      --header 'Content-Type: application/json' \
      --data '{ "limit":1, "start_time": "2026-01-01T00:00:00Z" }'

Being a Windows shop, we prefer to use PowerShell for API requests. If I repackage the above into the following script, I continually get "Bad Request":

    $tok="<my token>"
    $header=@{
        Authorization = "Bearer $($tok)"
        'Content-Type'='application/json'
    }
    $data=@{
        limit=100
        'start_time'= '01-01-2026T00:00:00Z'
    }
    $url="https://events.1password.com/api/v2/auditevents"
    $response=Invoke-WebRequest -Uri $url -headers $header -Method post -Body $data -Authentication $response

I cannot figure out the issue. Any ideas?

5 Views, 0 likes, 1 Comment

SCIM bridge deployment on Azure with private endpoint
Hi, I have set up a 1Password SCIM bridge successfully on Azure using the JSON template aca-op-scim-bridge-template.json. What I noticed is that the SCIM bridge is using a public URL, which is also used with the Entra integration. The Azure SCIM service is using the public URL and a bearer token to make a connection to the 1Password SCIM bridge. I do see that it is possible to set up IP restriction on the URL, but the problem is that the Azure SCIM service is using changing IPs. My first thought is using a private endpoint on the SCIM bridge and disallowing public access. Has anyone already realized that? Is there a template for it? Or am I thinking too difficult?

Thanks in advance,
Wim

9 Views, 0 likes, 0 Comments

Connect server sharing with multiple teams
I'm planning a new system architecture that will use 1Password Connect and I have a question about the security risks. Is it fair to say that anyone with root access to the Connect server can access all vaults that server has access to, even if they do not have an access token? So far I have not seen any vulnerabilities without having an access token, but since the REST API is not encrypted, one could easily intercept the tokens using tcpdump.

This question is relevant as we're considering how widely to share the Connect server. For example, one option is to run a single Connect server for the whole company which has access to all vaults. Each team would have their own access tokens, limited to specific vaults. This way, the server can be centrally managed by one team, which might be a more efficient use of time and resources. But some sensitive users might not accept that risk of their secrets being accessible by the system admin. So I just wanted to confirm.

I'm curious how other folks run it. Do you deploy separate servers for each team or business unit? I'm also considering running it locally on each app instance that needs access, so each Connect server would have access to only the specific vault it needs.

12 Views, 0 likes, 0 Comments

Bug? CLI reveals SSH private keys _without_ --reveal
    % op item get "$id" --format json | jq .ssh_formats
    {"openssh":{"reference":"op://Private/tsvm.plambert.net SSH Key/private key?ssh-format=openssh","value":"-----BEGIN OPENSSH PRIVATE KEY-----\nb3B..."}}

Without the --reveal option, should it be showing me the actual private key?

14 Views, 0 likes, 0 Comments

Cannot find "Destinations" tab for mounting secrets to local .env files
I am trying to use the feature "Access secrets from 1Password through local .env files" but I cannot find the "Destinations" tab.

What I have done:
- Enabled "Show 1Password Developer experience" in Settings > Developer
- Enabled "Record and display activity"
- I can see and use the AWS Secrets Manager integration

What I expected: According to the documentation, there should be a "Destinations" tab that allows me to mount secrets to a local .env file.

What I see: The "Destinations" tab does not appear anywhere in the interface. I only see the AWS Secrets Manager integration option.

Environment:
- 1Password version: Latest
- OS: Windows
- Account type: Individual

Could you please help me understand how to access the Destinations feature, or let me know if this feature has been moved or deprecated? Thank you.

25 Views, 0 likes, 1 Comment

1Password guest account for a dev machine?
Hello friends,

I've been reading about the Shai-Hulud/Sha1-Hulud malware which is currently spreading through npm packages with its TruffleHog payload, and there are plenty of other examples of supply-chain attacks against developer tools. My 1Password has everything in it; stuff that I use for indie-development, and personal things like logins to my email and banking. So now I'm thinking about making a clear separation between my indie-dev machine and other boxes that I use for traditional home-computing.

1Password's guest accounts look ideal for this. I could make a guest account which only has access to that one vault, and use only that guest account on my dev machine. Luckily my indie-dev items are already in a separate vault.

Would that work? Have I missed any gotchas? (And would this be compatible with 1Password's acceptable use-cases for guest accounts?)

Matthew

37 Views, 0 likes, 3 Comments

Did you know: Zscaler & 1Password are integrated?
On our Enterprise side of the business - 1Password now integrates with Zscaler (Zero Trust network access (ZTNA)) through 1Password Device Trust to ensure only secure, compliant devices can access company applications. This integration verifies that Zscaler Client Connector, ZIA, or ZPA is properly installed and running before granting SSO access. If a device fails the check, 1Password Device Trust provides dynamic remediation guidance to the end user to bring it into compliance.

This approach enforces Zero Trust access, strengthens endpoint security, and reduces risk by blocking misconfigured or unsecured devices while guiding users to quickly self-remediate issues. Check out the announcement to learn more.

13 Views, 0 likes, 0 Comments

Service Account Security (feature request)
I just started using service accounts, so forgive me if this has already been discussed. I did not find anything while searching the forum.

A few things that would greatly improve the security of service accounts from the top of my head:
- IP-limits for access
- Alerts (Watchtower?) for unauthorized access attempts

I think there should be a way to limit service account access to only certain IP-addresses and environments. My proposal is a combination of pre-defined environments (maintained by 1Password) like:
- AWS region XXX, AWS region YYY ... Lists publicly available here: https://ip-ranges.amazonaws.com/ip-ranges.json
- GitHub Actions, GitHub Copilot ... Lists publicly available here: https://api.github.com/meta
- Other relevant environments you can think of

And one should obviously also be able to create private lists of IP-addresses/prefixes (both IPv4 and IPv6) that can be allowed to use a certain service account. This will seriously limit the amount of damage that can happen IF (when) a service account token is leaked somewhere.

When this is in place, Watchtower (or similar functionality) should be able to alert you if someone tries to use a service account from outside the limited environments where it is allowed to be used. That way, you will immediately be notified if a token might be compromised, and can rotate it.

Of course, if you have limited a service account to only be used from a GitHub action, and the evil hacker also uses a GitHub action to access your secrets, you will not know - but that is no worse than the current situation. In the best case, the evil perpetrator will test the token from an invalid location first, so you will be notified and can hopefully act before any other secret data has been compromised.

42 Views, 0 likes, 1 Comment

OpenAI API Keys... Oh mai
Just a heads up, on GitHub, a crafty person created a query to find OpenAI API keys via search. I'm not going to link to it, but here are some resources if you fall into this camp!

- We have an entire blog post from 2023 about this topic: https://blog.1password.com/openai-chatgpt-exposed-api-keys/
- AI Agents + 1Password (Blog): https://developer.1password.com/docs/sdks/ai-agent
- CLI: https://developer.1password.com/docs/cli/secret-references
- SDK (Python, Go & Typescript/JS): https://developer.1password.com/docs/sdks/load-secrets
- GitHub Actions with 1Password (hide API keys in CI/CD): https://developer.1password.com/docs/ci-cd/github-actions

60 Views, 0 likes, 0 Comments