name: 1password-cli
description: Use this skill when working with the 1Password CLI (op command) for secrets management, retrieving API keys, injecting secrets into development environments, or any task involving 1Password vault operations. Triggers on: "1password", "op command", "secrets management", "api keys from vault", "op run", "op read", "service account token".
1Password CLI Skill
Use this skill when working with the 1Password CLI (op command) for secrets management, retrieving API keys, or injecting secrets into development environments.
Installation
# macOS
brew install 1password-cli
# Verify installation
op --version
Authentication Methods
1. Desktop App Integration (Interactive - Recommended for Development)
Enable biometric authentication (Touch ID/Windows Hello) through the 1Password desktop app:
- Open 1Password app > Settings > Developer
- Enable "Integrate with 1Password CLI"
- Run any
opcommand - you'll be prompted to authenticate
# This will prompt for biometric auth
op vault list
2. Service Account Token (Non-Interactive - CI/CD & Automation)
For automated environments without user interaction:
# Set the service account token as environment variable
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
# Now commands work without prompts
op vault list
Create service accounts in 1Password.com > Developer Tools > Service Accounts.
3. Manual Sign In (Legacy)
# Sign in and create a session
eval $(op signin)
# Or for a specific account
eval $(op signin --account my-team.1password.com)
Secret Reference Syntax
Secret references use the URI format: op://vault/item/[section/]field
op://vault-name/item-name/field-name # Simple field
op://vault-name/item-name/section/field-name # Field in a section
op://Private/GitHub/password # Example: GitHub password
op://dev/Stripe/publishable-key # Example: Stripe key
Get Secret References
# Get reference for a specific field
op item get "GitHub" --vault Private --fields password --format json | jq -r '.reference'
# Output: op://Private/GitHub/password
Reading Secrets
Read a Single Secret
# Using secret reference
op read "op://vault-name/item-name/field-name"
# Examples
op read "op://Private/API Keys/openai-key"
op read "op://dev/Database/password"
Get Item Details
# Get full item as JSON
op item get "item-name" --vault "vault-name" --format json
# Get specific field
op item get "GitHub" --fields password
# Get multiple fields
op item get "Database" --fields username,password
List Items
# List all vaults
op vault list
# List items in a vault
op item list --vault "Private"
# Search for items
op item list --tags api-key
Injecting Secrets into Environment Variables
Using op run
The most secure way to use secrets - they exist only during command execution:
# Set secret reference in environment
export DB_PASSWORD="op://app-prod/database/password"
# Run command with secrets injected
op run -- ./my-script.sh
# Secrets are automatically masked in output
op run -- printenv DB_PASSWORD # Shows: <concealed by 1Password>
# Disable masking if needed
op run --no-masking -- printenv DB_PASSWORD
Using .env Files
Create a .env file with secret references:
# .env file
DATABASE_URL="op://dev/postgres/connection-string"
API_KEY="op://dev/my-api/key"
SECRET_TOKEN="op://dev/app/secret-token"
Run with the env file:
op run --env-file=.env -- npm start
op run --env-file=.env -- python app.py
Environment-Specific Secrets
Use variables to switch between environments:
# .env file with variable
DB_PASSWORD="op://$APP_ENV/database/password"
# Switch environments
APP_ENV=dev op run --env-file=.env -- ./start.sh
APP_ENV=prod op run --env-file=.env -- ./start.sh
Common Use Cases
Retrieve API Keys for Development
# Get a single API key
OPENAI_KEY=$(op read "op://Private/OpenAI/api-key")
# Use in a command
curl -H "Authorization: Bearer $(op read 'op://Private/OpenAI/api-key')" ...
Populate Environment for Local Development
# Create .env.local with secret references
cat > .env.local << 'EOF'
SUPABASE_URL="op://dev/Supabase/url"
SUPABASE_KEY="op://dev/Supabase/service-role-key"
ANTHROPIC_API_KEY="op://dev/Anthropic/api-key"
EOF
# Start development server with secrets
op run --env-file=.env.local -- npm run dev
Export Secrets to Shell Session
# Export secrets for current shell session
export GITHUB_TOKEN=$(op read "op://Private/GitHub/token")
export NPM_TOKEN=$(op read "op://Private/npm/token")
Use in Scripts
#!/bin/bash
# deploy.sh - uses 1Password for secrets
# Ensure we have access
op whoami > /dev/null 2>&1 || eval $(op signin)
# Get deployment credentials
DEPLOY_KEY=$(op read "op://prod/deploy/ssh-key")
API_TOKEN=$(op read "op://prod/api/token")
# Use in deployment...
Creating and Managing Items
Create a New Item
# Create API key item
op item create \
--category "API Credential" \
--title "My API Key" \
--vault "dev" \
--fields "api-key=sk-abc123"
# Create login item
op item create \
--category Login \
--title "Service Account" \
--vault Private \
--fields "username=admin,password=secret123"
Update an Item
# Update a field
op item edit "My API Key" --vault dev "api-key=sk-newkey456"
Delete an Item
op item delete "Old API Key" --vault dev
Security Best Practices
-
Use Service Accounts for CI/CD: Never use personal credentials in automated environments
-
Limit Vault Access: Service accounts should only access vaults they need
-
Use
op runOver Export: Secrets only exist during command execution, not in shell history -
Avoid Logging Secrets:
op runmasks secrets by default - keep it enabled -
Rotate Service Account Tokens: Regularly rotate tokens used in CI/CD pipelines
-
Use Secret References in Code: Store references, not secrets, in configuration files
-
Audit Access: Review service account usage reports in 1Password.com
Troubleshooting
"You are not currently signed in"
# Check current session
op whoami
# Sign in again
eval $(op signin)
# Or set service account token
export OP_SERVICE_ACCOUNT_TOKEN="ops_..."
"Item not found"
# List available vaults to verify access
op vault list
# Search for the item
op item list --vault "vault-name" | grep "item-name"
Desktop App Integration Not Working
- Ensure 1Password app is running and unlocked
- Check Settings > Developer > "Integrate with 1Password CLI" is enabled
- Restart terminal after enabling integration
Quick Reference
| Command | Description |
|---|---|
op vault list | List all accessible vaults |
op item list --vault X | List items in vault X |
op item get "Name" | Get item details |
op read "op://..." | Read a secret value |
op run -- cmd | Run command with secrets |
op run --env-file=.env -- cmd | Run with .env secrets |
op whoami | Check current session |
op signin | Sign in interactively |