Skip to main content

1Password Connect

PropertyValue
descriptionSelf-hosted 1Password Connect server for accessing vault items through a private API.
tagsref
rating

1Password Connect is a self-hosted server from 1Password that lets apps and infrastructure access vault items and secrets through a private REST API.

Instead of having every app talk directly to 1Password.com, you deploy a Connect server inside your own environment. Your apps then communicate with that Connect server over HTTP.

What it does

  • Exposes a private REST API for reading and managing 1Password vault items
  • Caches encrypted 1Password data inside your infrastructure
  • Lets backend systems access secrets without depending on a personal user account
  • Supports server-side integrations for apps, automation, and CI/CD workflows
  • Works with 1Password CLI, SDKs, and custom HTTP integrations

Core concepts

Connect server

A Connect server is a Secrets Automation workflow that gives your systems controlled access to 1Password data.

It is designed for machine-to-machine use cases such as deployment pipelines, web services, and infrastructure automation.

Containers

1Password Connect is typically deployed with Docker or Kubernetes and runs as two containers:

  • 1password/connect-api
  • 1password/connect-sync

The API container serves the Connect API, while the sync container keeps the local encrypted data in sync with 1Password.

Credentials and tokens

Connect uses two important credentials:

  • 1password-credentials.json
  • a Connect access token

The credentials file is a JSON file used when setting up the Connect server. The token is then used by apps and tools that need to talk to that server.

Environment variables

Two common environment variables are:

  • OP_CONNECT_HOST
  • OP_CONNECT_TOKEN

These are commonly used when integrating 1Password CLI or other automation tools with a Connect server.

Common use cases

Common workflows

Deploy Connect

The most common setup is to deploy Connect with Docker or Kubernetes inside your infrastructure.

Access Connect from the CLI

You can use 1Password CLI with a Connect server by setting OP_CONNECT_HOST and OP_CONNECT_TOKEN.

Common commands include:

  • op read
  • op run
  • op inject
  • op item get --format json

Test the API

You can test the Connect REST API with cURL.

Example pattern:

curl $OP_CONNECT_HOST/v1/vaults -H "Authorization: Bearer $OP_CONNECT_TOKEN"

Work with JSON responses

Connect API responses are typically returned as JSON.

That makes Connect useful for scripts, infrastructure tooling, and application integrations.

Practical notes

  • 1Password Connect is primarily for server-side and automation use cases, not everyday human sign-in flows.
  • It reduces coupling to personal accounts, which is useful for production systems.
  • Because Connect runs in your infrastructure, it can reduce latency and allow repeated local secret reads after initial sync.
  • It is often a better fit for staging and production environments than interactive secret workflows.
  • If you are only working interactively in a terminal, 1Password CLI is usually the simpler starting point.

Sources Used

Frequently Asked Questions

Is 1Password Connect the same as 1Password CLI?

No. 1Password CLI is the interactive terminal tool. 1Password Connect is the self-hosted server-side integration layer for apps and services.

When To Use 1Password Connect

Use 1Password Connect when services need machine access to secrets through a private REST API, especially in deployment, provisioning, staging, or production workflows.

Is 1Password Connect Required For Local Terminal Work?

No. For local interactive work in a terminal, 1Password CLI is usually the simpler choice.