Protect what matters – even after you're gone. Make a plan for your digital legacy today.
Getting rid of my individual account. I have a family account now.
I had an individual account, which I upgraded to a family account. ages ago. When logging into the program, it frequently shows both icons - I have nothing in that old individual account, but the program asks me for my old individual account's secret code (which I no longer have either) but I can't get rid of it. When doing a log in to the extension, when both icons are showing, it assumes I'm trying to open the individual account, and then fails, when I don't have for my old secret key. Then I have to click on the family icon, and then enter the password, and it opens, but it's an extra unnecessary step. How to get rid of it?
op.exe considered harmful?
I’d like to raise a point about the current security model of op.exe, and how it affects protection against supply-chain or similar attacks. Consider a scenario where an attacker manages to execute malicious code locally, for example, via a compromised Python package. While this is often considered “game over,” in practice we still want to avoid being the easiest target in such situations. A common behavior of malicious payloads is to harvest local secrets. While 1Password provides some protection against direct file access, an attacker can simply invoke op.exe, which actually centralizes access to clear-text secrets in a very convenient way. Although op.exe prompts the user for permission, my understanding is that this permission applies broadly (e.g., to the entire account for a period such as 10 minutes). As a user, I can see which application is requesting access, but not which vaults or items are being queried. In practice, the application name (e.g., WindowsTerminal) is not very helpful in determining whether the request is legitimate. I’d be interested in others’ perspectives on this. Some potential improvements that seem valuable to me: When requesting permission, op.exe should provide more context (e.g., which vaults and items are being accessed). Users should be able to grant permissions at a finer granularity: not just account-wide, but limited to specific vaults or even individual items. Another useful feature would be the ability to mark certain items or vaults as excluded from programmatic access (via op.exe, and possibly browser extensions). Even better, this could be the default behavior, requiring explicit opt-in at the item level. I understand that such restrictions would be enforced client-side and therefore not fully robust. However, they would still meaningfully increase the effort required for a malicious local process to enumerate and exfiltrate secrets, and thus provide practical security benefits. Finally, it might be worth considering stronger protections at the vault level—for example, requiring explicit user authentication (master password, or even a separate password) before allowing access to secrets. This could apply not only to op.exe, but also to the interactive 1Password client.
CLI Slow Performance
I have the 1Password desktop app installed and up to date on my macBook Pro, the `op` CLI is also installed, up to date, and working properly. All expected CLI queries work but they are surprisingly slow. After a bunch of trial and error, it seems that it is making a round-trip online as part of every single CLI query. I added the --debug flag and I can see cache hits, but the round trip online is still occurring. Disabling the network interface causes all queries to fail. Is it possible to get the 1Password CLI working fully offline to avoid all of this unnecessary round-trip business? Surely with the desktop app installed and CLI integration turned on, there has to be a way to make efficient (and offline) use of my 1Password vaults. Otherwise automation tasks that require secrets are simply too cumbersome to handle with 1Password, and I will require a secondary solution. And in that case, I may as well give up on 1Password.
1Password Environments issue with VSCode and Claude Code Extension
I've noticed a curious issue in testing 1Password Environments in a repository where I'm editing with VSCode and using the Claude Code extension in VSCode. Since enabling 1P Environments, I've noticed that the Source Control sidebar gets stuck refreshing Git Status, and Claude Code slows or stalls. Running Claude Code outside of VSCode works fine (as does using Git in Terminal, and so I wonder if this is a VSCode issue? I have the VSCode 1Password extension, as well as the Claude Code for VSCode extension, among others. Happy to provide other details if you can let me know what would help.1Password Environments Beta is awesome
Just wanted to drop some feedback after playing around with the new Environments Beta in 1Password. Honestly, I’m loving it so far. The local .env file mounting is just brilliant. Secrets are easy to access without having to run extra commands, but still secure – exactly what I want. Makes switching between machines seamless, too. A couple of things I’d really like to see next: 1. CLI Integration - being able to create/edit/list environments and variables from the terminal would make this so much more useful, right now, having to click around in the desktop app is a bit of a pain for dev workflows. 2. More integrations: AWS Secrets Manager is a great start, but would love to see GCP and other major providers such as GitHub, etc. A plugin system for integrations would be awesome also to help cover more niche players like Modal.com Overall, this is a huge step in the right direction for 1Password. Can’t wait to see where this goes next!Feature Request: GeneratorRecipe for Memorable Passwords
Currently in the API options for 1P Connect there is an ability to specify a "GeneratorRecipe" when creating a password for a record: https://developer.1password.com/docs/connect/api-reference/#item-generatorrecipe-object This is great for super-high-entropy random passwords but in some instances we would like to have the ability to specify that the generator create a "Memorable Password", as can be done in the 1P apps: Ideally this would then allow for specifying criteria similar to: "generate": true, "memorableRecipe": { "memorableRequirements": [ "HYPHENS", "CAPITALIZE", "FULLWORDS" ], "words": 4 } While this isn't needed all the time as the default 'generate' option is suitable in most scenarios, this would provide some extra flexibility. PS - In the same vein, it would nice to have this capability for the CLI's '--generate-password' option as well!! https://developer.1password.com/docs/cli/item-create/#create-an-itemWhat is an Agent Chassis?
Jeff Malnick’s post is confident. It’s also detached from how developers actually ship code today and made me furious.“Agent chassis” boils down to: the script that runs your agent. Fine. But the security layer argument collapses when the tooling underneath is fragmented.Right now you pick between CLI, shell plugins, service accounts, connectors, environments — each with different auth models, rate limits, edge cases, and silent failures. None cleanly support a headless agent workflow. I’ve built workarounds for my workarounds.Agentic coding made this obvious. Agents need real credentials at runtime. Not desktop popups. Not biometric prompts in a terminal.The community built unofficial MCP servers. Anthropic shipped 50+ connectors. 1Password isn’t there.The spec is public. It’s buildable. So—who’s shipping it?
Automated bi-directional sync between 1Password and AWS Secrets Manager — is this actually possible?
Hey everyone, SRE at a small startup here. We've been using 1Password for a while and overall love it, but we're running into a friction point with our AWS setup that I'm hoping someone has solved. What we're trying to achieve: We want a proper bidirectional sync between 1Password vaults and AWS Secrets Manager. Specifically: 1Password → AWS SM: When someone on the team updates a credential in 1Password, it should automatically propagate to AWS Secrets Manager so our workloads pick it up without anyone having to manually copy-paste things. AWS SM → 1Password: We use AWS Secrets Manager's native auto-rotation for some credentials (RDS passwords, API keys, etc.). When AWS rotates a secret automatically, we'd want that updated value to flow back into 1Password so our employees can always go to 1Password as the single source of truth and get the current credential. On the new "Environments" feature (beta): We noticed the new Environments feature and got excited — it looked like exactly what we needed. But after digging in, it seems pretty limited right now. From what we can tell: There's no SDK support for managing environments programmatically There's no CLI support either (`op` doesn't seem to have environment management commands yet) Everything has to be done through the UI wizard This makes it really hard to automate. We provision new environments dynamically as part of our infrastructure-as-code workflows (Terraform), so we need to be able to create and configure environments programmatically. Is this on the roadmap? Are there any workarounds people are using? The SAML IdP requirement in Environments: Related to the above — the Environments setup wizard seems to require a SAML Identity Provider to be configured for each environment. We use Azure Entra ID as our IdP (federated through AWS Cognito), and we have a single IdP setup that covers all our environments. Is it actually required to have a separate SAML IdP per environment, or is there a way to reuse a single IdP across multiple environments? The wizard flow makes it seem like each environment needs its own IdP configuration, which would be a significant blocker for us — we can't dynamically spin up new IdP configurations every time someone creates a new environment in our platform. If this is a hard requirement, it basically rules out Environments for our use case entirely, since we'd need to automate IdP provisioning as part of environment creation, which is a whole other can of worms. Summary of questions: Has anyone built a reliable bidirectional 1Password ↔ AWS Secrets Manager sync? Especially the AWS SM → 1Password direction for auto-rotated secrets? Is there any programmatic/API access for Environments (SDK, CLI, REST API) that isn't documented yet, or is it genuinely UI-only right now? Is a separate SAML IdP per environment actually required, or can you reuse one IdP across environments? Thanks!Using a Service Account token to grant a connect server acces to a vault
Hey. I'm using a service account token in a GitLab CI/CD pipeline, where I first install the 1Password CLI. It works great when i create a vault and give permissions to some groups on that vault. I would like to use the command "op connect vault grant" to give our Connect Server access to that newly created vault, so that I can subsequently use our Connect Server and do operations on that newly created vault. However I am encountering the following error: $ op connect vault grant --server OUR-SERVER --vault "VAULT_NAME" [ERROR] 2026/02/18 16:35:30 There are 0 servers that match {"OUR-SERVER"}. Try again and specify the servers's UUID instead. This is a bit weird since I can type in that command locally, using 1password CLI, and it works great. I suspect that Service Account tokens cannot grant vault permissions to Connect servers, but i'd like to be sure. If it is the case, what alternative could be used to obtain the same behaviour ? The goal here is obviously to not have to do anything manually, and it is still secure since all our credentials and secrets are stored in Gitlab CI/CD variables. Thanks Edit: I also tried with the server ID instead of its name, but same result. Edit2: It is not possible, there is an "Unsupported commands" small blue paragraph in this documentation that I missed: https://developer.1password.com/docs/service-accounts/use-with-1password-cli/#supported-commandsIntroducing: Desktop auth for SDKs & 1Password Environments access for CLI, SDK & Service accounts
Today, we're introducing two new features to help developers get secrets to the right place at the right time, without sprinkling them across files, repos, and build logs. Programmatically read 1Password Environments (read‑only, now in beta) If you store project environment variables in 1Password Environments, you can now read them at runtime via the 1Password CLI and SDKs. That means tools can pull secrets when they’re needed, instead of maintaining .env files or managing long‑lived secret syncs. A few places this shines: CI/CD workflows: Retrieve and inject .env variables during builds using a service account. Containers/Kubernetes: Apps read connection strings at startup. Local + AI-assisted tooling: Scripts/Make targets fetch tokens on demand while keeping secrets out of the model context. Video not displaying? Watch it here. Desktop authentication for 1Password SDKs Fresh out of beta, SDK integrations can now authenticate through the 1Password desktop app with a biometric/password prompt. Sessions inherit the signed‑in user’s access and time out after 10 minutes of inactivity (or when 1Password locks). This unlocks higher‑impact workflows, including full vault management (create/read/update/delete/list), managing vault permissions, and batch item operations for teams operating at scale. Video not displaying? Watch it here. Check out the details For the full details, read the launch post. Questions, edge cases, or wish‑list items? Drop them below – we’re listening.
