1Password CLI

Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in, or reading/injecting/running secrets via op.

1Password CLI (`op`) brings the full power of 1Password to your terminal. It lets you read, create, edit, and delete vault items (passwords, API keys, SSH keys, secure notes) directly from scripts and the command line. The killer features are `op run` and `op inject`, which let you inject secrets into environment variables or config files at runtime without ever writing them to disk. For developers and DevOps engineers, it's a game-changer: you can reference secrets in `.env` files as `op://vault/item/field` URIs, and `op run` resolves them on the fly. Combined with desktop app integration (biometric unlock), it eliminates the need to copy-paste credentials or store them in plaintext.

The CLI supports multi-account setups, service accounts for CI/CD, and SSH agent integration. It works on macOS, Linux, and Windows. OpenClaw's skill wraps `op` commands in a tmux session to maintain authentication state across multiple operations, a critical workaround since each shell invocation gets a fresh TTY.

Best suited for: developers managing secrets in scripts, DevOps teams automating credential injection, and anyone who wants their AI assistant to securely access credentials without exposing them.

Tags: security, secrets, password-manager

Category: Security

Use Cases

  • Inject database credentials into development scripts without .env files
  • SSH agent integration — use 1Password as your SSH key manager
  • CI/CD secret injection via service accounts
  • Let your AI assistant securely access API keys and credentials
  • Automate credential rotation scripts
  • Template deployment configs with secret references

Tips

  • Use `op run` to inject secrets into any command: `op run --env-file .env -- npm start` resolves the op:// references in .env
  • Enable biometric unlock in 1Password desktop for seamless CLI auth — no master password typing
  • Use `op inject` to template config files with secret references at deploy time
  • For CI/CD, create a service account instead of using personal credentials
  • Pair with the OpenClaw tmux skill for reliable multi-command sessions
  • Use `op item get --format json` for scriptable output parsing with jq

Known Issues & Gotchas

  • Each shell invocation gets a fresh TTY — you must use tmux to maintain auth state across commands
  • Desktop app integration requires 1Password 8+ and must be explicitly enabled in Settings > Developer
  • Session tokens expire after 30 minutes of inactivity; re-auth needed
  • `op signin` without app integration requires manual token management
  • On Linux without desktop app, you need to manage session tokens via `eval $(op signin)`
  • Service accounts have limited permissions — can't create vaults or manage users

Alternatives

  • Bitwarden CLI (bw)
  • pass (GNU)
  • Doppler
  • Vault (HashiCorp)

Community Feedback

1Password CLI is useful for writing bash scripts to automate various tech work tasks: connect to a database in the terminal using 'op' to fetch credentials.

— Reddit r/1Password

While 1Password is fantastic, their CLI is the worst CLI I've ever seen. Basically unusable. You should just be able to say 'give me the password for X'.

— Hacker News

1Password is an excellent tool for many, but its CLI didn't align with my needs. The limited usage, potential for confusion among collaborators, and added complexity made me reconsider.

— Medium

Using op run to securely load secrets into your zsh shell means credentials never touch disk. It's the cleanest secrets workflow I've found.

— Gruntwork Blog

Configuration Examples

Basic tmux auth session (OpenClaw pattern)

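# TMPDIR is often unset on Linux, and tmux will not create the socket directory itself
SOCKET_DIR="${TMPDIR:-/tmp}/openclaw-tmux-sockets"
mkdir -p "$SOCKET_DIR" && chmod 700 "$SOCKET_DIR"   # keep the socket directory private
SOCKET="$SOCKET_DIR/openclaw-op.sock"
SESSION="op-auth-$(date +%Y%m%d-%H%M%S)"
tmux -S "$SOCKET" new -d -s "$SESSION"
tmux -S "$SOCKET" send-keys -t "$SESSION" 'op signin' Enter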

Inject secrets via op run

# .env file with secret references
DB_PASSWORD=op://Development/PostgreSQL/password
API_KEY=op://Development/Stripe/secret-key

# Run with injected secrets
op run --env-file .env -- node server.js
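
An added example, not from the original page or from 1Password or OpenClaw: a POSIX shell check to run on an env file before passing it to `op run --env-file`. It flags malformed `op://` references and plaintext values under secret-looking key names. The function name `lint_env_refs`, the key-name heuristic and the sample file are assumptions, and the reference shape assumed is `op://vault/item/[section/]field`.

```shell
# Added example: lint an env file before handing it to `op run --env-file`.
# Assumed reference shape: op://<vault>/<item>/[<section>/]<field>

# Prints "LINE:KEY:reason" per finding; returns 1 if anything was flagged.
lint_env_refs() {
  file=$1; n=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      ''|'#'*) continue ;;                  # blank line or comment
    esac
    line=${line#export }
    case $line in
      *=*) ;;
      *) echo "$n:-:not a KEY=VALUE line"; bad=1; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    case $value in                          # strip one pair of quotes
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    case $value in
      op://*)
        # A usable reference has 3 or 4 non-empty path segments.
        if ! printf '%s\n' "$value" | grep -Eq '^op://[^/]+(/[^/]+){2,3}$'; then
          echo "$n:$key:malformed op:// reference"; bad=1
        fi ;;
      *)
        # Heuristic (assumption): key names like these usually hold secrets.
        if printf '%s\n' "$key" | grep -Eiq 'PASSWORD|PASSWD|SECRET|TOKEN|KEY|CREDENTIAL'; then
          echo "$n:$key:plaintext value where an op:// reference is expected"; bad=1
        fi ;;
    esac
  done < "$file"
  return "$bad"
}

# Constructed sample input (not from the original page).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
DB_PASSWORD=op://Development/PostgreSQL/password
API_KEY="op://Development/Stripe"
SESSION_SECRET=constructed-plaintext-value
PORT=3000
EOF
lint_env_refs "$sample" || echo "fix the entries listed above before running op run"
rm -f "$sample"
```

Wired into a pre-commit hook or CI step, the non-zero return blocks an env file that still carries a literal credential.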

Read a specific secret

op item get "GitHub Token" --fields label=credential --format json | jq -r '.value'

Installation

brew install 1password-cli

Homepage: https://developer.1password.com/docs/cli/get-started/

Source: bundled