Is there a write-only API we could use to (only) push secrets into our business account?

My team and I use 1Password for sharing secrets, and we find it immensely useful. We have a process that creates secret tokens which we also need to share between the team. Right now, those tokens are generated on a server, sent to us, and we then copy/paste them into 1Password.

It would be great if we could configure this server to use a write-only API and have it push those secrets directly to our 1Password account. We have considered using the command line tool, but since that has read access it's a little too insecure for us to automate with.

This is something that's important to us and the business; I believe the business we work for would be happy to pay for such an API.

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:API

Comments

  • paulpharr
    paulpharr
    Community Member

    Hi Philip,

    I think want you are asking for has a lot in common with my recent CLI request here:

    https://1password.community/discussion/116501/does-cli-support-beta-feature-item-sharing-send-a-copy-of-an-item-to-a-team-member

    Paul

  • ag_tommy
    edited October 2020

    @phillipoldham

    My apologies for the delay in replying. Did you happen to see the suggested link from @paulpharr ? I will pass your questions onto the team.

  • Hi @phillipoldham,

    I love that you're looking to make that process more secure.

    From a technical perspective this could be done, but it's not something we currently support. Paul is right that this is similar in nature to the request for the "Send a Copy" feature, but in the case of Send a Copy, it would require that the secret be put in a vault that the CLI has read access to first and it sounds like you're wanting to avoid that.

    We've considered allowing "Create but not Read" access on vaults before which would get you what you're looking for, but built via policy restrictions as opposed to cryptography. For some people that might be sufficient but I suspect others would say that this doesn't go far enough in protecting the secret once written.

    So for the time being I'm sad to report that there's no way that I can think of to achieve what you're looking for in an automated fashion. It's something that I'd love for us to make possible one day though.

    Rick

  • phillipoldham
    phillipoldham
    Community Member

    Hi all, and thanks for the comments.

    I think @rickfillion understands what we're looking for: "create but not read" functionality to be able to set a locally known (but short-lived) secret to 1Password with some additional metadata.

    It is sad to hear this isn't available. I do hope it is added in the future, as I think it could be a game-changer for small businesses who need to automate their systems and already rely on 1Password for secret management.

  • Thanks for the insight @phillipoldham. We'll do some additional brainstorming on how we might address this. :+1:

    Ben

This discussion has been closed.