1password.com UUID format?

The documentation for OPVault claims that:

each item is associated with a universally unique identifier, the UUID. These are 128-bit numbers that are chosen as RFC 4122 Version 4 UUIDs

and that 1Password uses OPVault in CloudKit records:

The OPVault security design is not limited to the OPVault file format. Indeed, we use the OPVault design within SQLite data records and CloudKit records.

The 1Password UUID format doesn't quite look like an RFC 4122 UUID. They're a bunch of 26-character strings, but I can't quite seem to translate them to a proper UUID.

Example UUIDs:

It fits the base32 alphabet of RFC 4648, but yields malformed UUIDs when padded out.

Are these actually RFC 4122 UUIDs? If so, what encoding scheme are they using here?

More to the point, I'm wondering if the UUIDs leak any information. The docs for 1Password's OPVault UUIDs claim that

Because each UUID is chosen at random, it contains no information about the content of an item. These UUIDs reveal no information about the creator's system other than the fact that they are RFC 4122 Version 4 UUIDs. When a user modified information in an item the UUID remains the same, although the time stamp associated with it will change.

but I'm not sure this is still true of the new (?) format.

1Password Version: 7.2.5
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: 1password.com


  • Actually, an update -- the UUIDs for items generated manually are, in fact, base-32 encoded RFC 4122 UUIDs.

    It's only items/vaults generated via the op CLI that have malformed UUIDs.

  • On op version 0.5.5:

    Items and vaults added with the op CLI have UUIDs that don't match the RFC 4122 format.

    Example UUIDs generated by the CLI:

    Valid UUID versions are 1 through 5, meaningful only when the variant is RFC_4122.

    But for IDs generated by the desktop client:

    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided
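
The check discussed in the posts above, as an added example that is not part of the original thread and is not 1Password's code: it decodes a 26-character ID as unpadded RFC 4648 base32 into 16 bytes and reports the RFC 4122 variant and version. The lowercase, padding-stripped encoding and both sample IDs are assumptions constructed for illustration.

```python
import base64
import uuid

# Constructed samples (not real 1Password IDs): a well-formed version 4 UUID,
# and 16 bytes whose variant/version bits do not follow RFC 4122.
SAMPLE_V4 = uuid.UUID("3f2b8c1e-9d4a-4e6b-8a17-5c0d2e9f7b61")
SAMPLE_NON_RFC = uuid.UUID(bytes=bytes(range(16)))


def encode_id(u: uuid.UUID) -> str:
    """16 bytes -> 26 base32 characters, '=' padding stripped (assumed format)."""
    return base64.b32encode(u.bytes).decode("ascii").rstrip("=").lower()


def decode_id(item_id: str) -> uuid.UUID:
    """Restore the six '=' pad characters base32 needs for a 16-byte value."""
    if len(item_id) != 26:
        raise ValueError("expected a 26-character base32 string")
    raw = base64.b32decode(item_id.upper() + "======")
    return uuid.UUID(bytes=raw)


def classify(item_id: str) -> dict:
    """Report variant and version; version is None unless the variant is RFC 4122."""
    u = decode_id(item_id)
    return {
        "uuid": str(u),
        "variant": u.variant,
        "version": u.version,
        "is_v4": u.variant == uuid.RFC_4122 and u.version == 4,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_V4, SAMPLE_NON_RFC):
        item_id = encode_id(sample)
        print(item_id, classify(item_id))
```
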

  • Ben AWS Team

    Team Member
    edited March 2019

    Thanks @kiranb. I suspect that is a bug in the CLI. I'm going to reach out to @cohix who works on that tool to see if he can chime in.

    I've merged the two threads on this into one thread in the CLI category.


  • Also possibly of note - conducting the same analysis on my personal and work vaults, I can see that almost everything (since most things were made via browsers or the UI) are valid UUID4s… but all the auto-provisioned "welcome kit" examples are invalid. I don't know if this automation is driven by the same CLI tool, but I'm guessing not, since my account predates the availability of op.

  • rickfillion Junior Member

    Team Member


    The documentation you quote is for OPVault which is different from what we do for 1Password.com vault items. But regardless I think you may have found a difference in how our different apps generate the new style UUID.

    The welcome kit items are generated by the web app which does not share uuid code with the CLI.

    We’ll need to look into this.


This discussion has been closed.