Why need Connect Server, Why not directly to 1Password Server

Recently I used 1password secret automation service, and use docker to build "Connect Server" in my server

my question is: I can't understand why 1password secret automation need "Connect Server", It looks unnecessary because 1password-cli is directly connect to 1Password server, Is anyone know why or can give some idea for discuss?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided


  • jpmat296
    Community Member

    I have exactly the same question. Why a wrapper of 1Password CLI is not sufficient ? What are the benefits of Connect Server ?

    Someone to help please ?


  • Hi,

    That's a very understandable question! There are multiple reason why we introduced Connect:

    • Your data on the 1Password server is encrypted. Decrypting that is a pretty complicated process. Because Connect is hosted in your own infrastructure, it can handle decryption for us and provide a much simpler API. This makes it very easy to develop new integrations for Connect. You can even directly cURL to it without having to handle any encryption!
    • Connect maintains an (encrypted) copy of the vaults it has access to. This means that it will always be able to serve items, even if the 1Password servers cannot be reached.
    • Because Connect lives close to the applications that use it, the performance of operations is generally better.


  • loryans
    Community Member
    edited July 2022

    The problem is that the Connect Server doesn't offer near the level of functionality that the CLI does.
    I've just wasted time getting the Connect Server working in Azure (thanks to your help @Joris_1P btw), but it's not enough. I need to programmatically create vaults, and the ability to see vaults without having to scope it each time.

  • eugk
    Community Member

    Have not tried running this, as it is almost a deal breaker limitation for my use case.
    @Joris_1P Reasoning seems a bit artificial, (esp. first 2p), with only a few(imho) useful IRL scenarios being runtime secrets or big enterprise, otherwise it forces you to maintain 2 extra nodes on infrastructure that you potentially don't even have(competing with SSM/GSM/??, if you do). There is also either leaving extra endpoint public, with extra cert management, or figuring out network peering for automation/using self-hosted runners.

    Nevertheless, for anyone stumbling upon this - there is service-accounts beta in progress, which hopefully solves this for less-ops-overhead use cases. Now we just need a terraform module for that.

  • jewettg
    Community Member

    Hey @1Password - please offer a service we can pay for .. to host "our" 1Password Connect Server, in those cases where we do not have an infrastructure (and do no use the cloud or host in the cloud) that we can subscribe. Just like @eugk - he hosted in the cloud (I do not have the time or wish to DIY) .. so I would prefer to have y'all do it. I am a hobbyist and want to protect my credentials in my projects (m,y christmas tree LEDs, my Tesla connect code, etc.)

  • Thank you all for feedback and your use-cases 🙌 We are looking into ways to improve the experience for users who do not want to host a Connect server. I will make sure your feedback gets included.

This discussion has been closed.