1Password CLI
1Password CLI is the official command-line interface for 1Password.
It uses the op command to sign in from the terminal, inspect vaults and items, read secrets, inject secret values at runtime, and automate access to credentials without storing them in plaintext.
What it does
- Connects your terminal to a 1Password account
- Lets you work with vaults, items, users, and groups
- Resolves secret references such as op://vault/item/field
- Loads secrets into environment variables, scripts, and config files at runtime
- Supports shell plugins for selected third-party CLIs
- Supports non-human automation through service accounts and 1Password Connect
Command structure
The 1Password CLI executable is op.
1Password CLI uses a noun-verb command structure.
Examples:
op whoami
op vault list
op item list
op item get "GitHub"
op plugin init gh
op read "op://Engineering/GitHub/token"
Core concepts
Secret references
A secret reference points to a field stored in 1Password without exposing the plaintext secret in code.
Pattern:
op://vault/item/field
You can resolve secret references with:
op read
op run
op inject
IDs vs names
You can reference vaults and items by name or ID.
In scripts and automation, prefer IDs because they are more stable and reduce ambiguity.
Shell plugins
1Password Shell Plugins let supported third-party CLIs use credentials stored in 1Password instead of plaintext config files or copied tokens.
Common examples include tools like gh, aws, and kubectl.
Service accounts and Connect
For automation, 1Password CLI can work with:
- Service accounts for scoped programmatic access
- 1Password Connect for server-side deployment and CI/CD secret access patterns
Common workflows
Sign in
The most common setup uses the 1Password desktop app integration.
op signin
op whoami
op signout
List vaults or items
op vault list
op item list
op item get "GitHub"
Read a secret
op read "op://Production/Database/password"
Run a command with secrets
If an .env file contains secret references instead of plaintext secrets:
op run --env-file=.env -- npm run dev
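An added example (not from the 1Password documentation): a pre-commit style check that a .env file meant for op run holds secret references rather than plaintext values. The sensitive-key name pattern and the finding labels are assumptions made for this example; the optional fourth path segment is the section form of a secret reference (op://vault/item/section/field).

```shell
# Added example, not from the 1Password documentation.
# Assumption: key names containing PASSWORD, SECRET, TOKEN or KEY are sensitive.

# check_env_refs [FILE]  (reads stdin when FILE is omitted)
# Prints one finding per line, naming the key but never echoing its value.
# Returns 0 when the input is clean and 1 when anything was flagged.
check_env_refs() {
    awk -v q="'" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        line = $0
        sub(/^[ \t]*(export[ \t]+)?/, "", line)  # tolerate "export KEY=..."
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        c = substr(val, 1, 1)                    # strip one pair of matching quotes
        if ((c == "\"" || c == q) && length(val) > 1 && substr(val, length(val)) == c)
            val = substr(val, 2, length(val) - 2)
        if (val ~ /^op:\/\//) {
            # Expect vault/item/field, or vault/item/section/field
            n = split(substr(val, 6), part, "/")
            ok = (n == 3 || n == 4)
            for (i = 1; i <= n; i++) if (part[i] == "") ok = 0
            if (!ok) { print "MALFORMED_REFERENCE " key; bad++ }
        } else if (val != "" && toupper(key) ~ /PASSWORD|SECRET|TOKEN|KEY/) {
            print "PLAINTEXT_SECRET " key; bad++
        }
    }
    END { exit (bad > 0) }
    ' "${1:--}"
}

# Constructed sample input: the values below are made up for this example.
sample_env() {
    cat <<'EOF'
# local development
NODE_ENV=development
DB_PASSWORD="op://Production/Database/password"
export GITHUB_TOKEN=op://Engineering/GitHub/token
API_KEY=constructed-plaintext-value
STRIPE_SECRET=op://Production/Stripe
EOF
}

sample_env | check_env_refs || echo "fix the findings before: op run --env-file=.env -- npm run dev"
```

The check only inspects key names and reference shape; it does not contact 1Password, so a well-formed reference to a missing item still passes here and fails later in op run.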
Inject secrets into a template
op inject -i config.tpl -o config.yml
Configure a shell plugin
op plugin list
op plugin init gh
Common use cases
- Local development without committing plaintext secrets
- Staging and pre-production workflows that still need real secret access
- Running scripts that need API keys, tokens, or passwords
- Managing vault items from the terminal
- Authenticating developer tools through 1Password
- CI/CD, deployment, or server automation with service accounts or 1Password Connect
Practical notes
- Use secret references instead of hardcoding secrets in code or .env files.
- Use --format json when you want machine-readable output in scripts.
- Shell completion is available for Bash, Zsh, fish, and PowerShell.
- Shell plugins currently support Bash, Zsh, and fish.
- For server-side apps and long-running automation, 1Password Connect is often a better fit than a purely interactive CLI workflow.
Frequently Asked Questions
Is 1Password CLI the same as 1Password?
No. 1Password is the product and vault platform. 1Password CLI is the terminal tool used to work with that data through the op command.
Is 1Password Connect required to use 1Password CLI?
No. You can use 1Password CLI directly for interactive terminal workflows without 1Password Connect.
When to use 1Password CLI instead of 1Password Connect
Use 1Password CLI when the main user is a human working in a terminal, especially for local development, staging, or ad hoc secret access. Use 1Password Connect when apps and services need server-side access.