1Password Connect
1Password Connect is a self-hosted server from 1Password that lets apps and infrastructure access vault items and secrets through a private REST API.
Instead of having every app talk directly to 1Password.com, you deploy a Connect server inside your own environment. Your apps then communicate with that Connect server over HTTP.
What it does
- Exposes a private REST API for reading and managing 1Password vault items
- Caches encrypted 1Password data inside your infrastructure
- Lets backend systems access secrets without depending on a personal user account
- Supports server-side integrations for apps, automation, and CI/CD workflows
- Works with 1Password CLI, SDKs, and custom HTTP integrations
Core concepts
Connect server
A Connect server is a Secrets Automation workflow that gives your systems controlled access to 1Password data.
It is designed for machine-to-machine use cases such as deployment pipelines, web services, and infrastructure automation.
Containers
1Password Connect is typically deployed with Docker or Kubernetes and runs as two containers:
- 1password/connect-api
- 1password/connect-sync
The API container serves the Connect API, while the sync container keeps the local encrypted data in sync with 1Password.
Credentials and tokens
Connect uses two important credentials:
- 1password-credentials.json
- a Connect access token
The credentials file is a JSON file used when setting up the Connect server. The token is then used by apps and tools that need to talk to that server.
Environment variables
Two common environment variables are:
- OP_CONNECT_HOST
- OP_CONNECT_TOKEN
These are commonly used when integrating 1Password CLI or other automation tools with a Connect server.
Common use cases
- Loading secrets into CI/CD pipelines
- Giving backend apps access to credentials without using a personal account
- Exposing vault items to internal services through a private REST API
- Running secret-aware automation on a server or in containers
- Integrating 1Password secrets into deployment and provisioning workflows
Common workflows
Deploy Connect
The most common setup is to deploy Connect with Docker or Kubernetes inside your infrastructure.
Access Connect from the CLI
You can use 1Password CLI with a Connect server by setting OP_CONNECT_HOST and OP_CONNECT_TOKEN.
Common commands include:
- op read
- op run
- op inject
- op item get --format json
Test the API
You can test the Connect REST API with cURL.
Example pattern:
curl "$OP_CONNECT_HOST/v1/vaults" -H "Authorization: Bearer $OP_CONNECT_TOKEN"
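A guarded version of the request above, as an added example that is not from the original page or from 1Password. It refuses to send the bearer token over plain http:// unless the host is loopback (a policy assumed here), and hands the token to curl on stdin with --config - so it does not appear in the process argument list. The function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: guarded call to the Connect API's /v1/vaults endpoint.

# Assumed policy: https:// to any host, plain http:// only to loopback,
# so the bearer token never crosses a network in cleartext.
connect_host_ok() {
  case "$1" in
    *@*) return 1 ;;   # userinfo such as http://localhost@other.example hides the real host
    https://?*) return 0 ;;
    http://localhost|http://localhost[:/]*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1[:/]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a curl config for `curl --config -`. The token then travels on stdin
# instead of argv, where `ps` or /proc/<pid>/cmdline would expose it.
connect_curl_config() {
  local host="${OP_CONNECT_HOST:-}" token="${OP_CONNECT_TOKEN:-}"
  [ -n "$host" ] && [ -n "$token" ] || {
    echo "OP_CONNECT_HOST and OP_CONNECT_TOKEN must be set" >&2; return 2; }
  connect_host_ok "$host" || {
    echo "refusing to send bearer token over plain HTTP to $host" >&2; return 3; }
  # Quotes, backslashes or whitespace would break out of the quoted config values.
  case "$host$token" in
    *\"*|*\\*|*[[:space:]]*)
      echo "unexpected character in host or token" >&2; return 4 ;;
  esac
  printf 'url = "%s/v1/vaults"\n' "${host%/}"
  printf 'header = "Authorization: Bearer %s"\n' "$token"
}

# Perform the request; --fail turns HTTP errors (e.g. a rejected token)
# into a non-zero exit status that a pipeline can act on.
list_vaults() {
  local cfg
  cfg="$(connect_curl_config)" || return $?
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config -
}
```

Call list_vaults after exporting both variables; the JSON it prints can be piped to any JSON tool.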
Work with JSON responses
Connect API responses are typically returned as JSON.
That makes Connect useful for scripts, infrastructure tooling, and application integrations.
Practical notes
- 1Password Connect is primarily for server-side and automation use cases, not everyday human sign-in flows.
- It reduces coupling to personal accounts, which is useful for production systems.
- Because Connect runs in your infrastructure, it can reduce latency and allow repeated local secret reads after initial sync.
- It is often a better fit for staging and production environments than interactive secret workflows.
- If you are only working interactively in a terminal, 1Password CLI is usually the simpler starting point.
Sources Used
- https://developer.1password.com/docs/connect/
- https://developer.1password.com/docs/connect/get-started/
- https://developer.1password.com/docs/connect/api-reference/
- https://developer.1password.com/docs/connect/concepts
- https://developer.1password.com/docs/connect/cli
Frequently Asked Questions
Is 1Password Connect the same as 1Password CLI?
No. 1Password CLI is the interactive terminal tool. 1Password Connect is the self-hosted server-side integration layer for apps and services.
When should you use 1Password Connect?
Use 1Password Connect when services need machine access to secrets through a private REST API, especially in deployment, provisioning, staging, or production workflows.
Is 1Password Connect required for local terminal work?
No. For local interactive work in a terminal, 1Password CLI is usually the simpler choice.