Skip to main content
1Password CLI allows you to securely provision secrets in development environments, use scripts to manage items and provision team members at scale, and authenticate with biometrics in the terminal.

Eliminate plaintext secrets in code

To use op run with Environments, you’ll need to install the latest beta build of 1Password CLI, version 2.33.0-beta.02 or later.
You can store your project secrets in 1Password Environments (beta), then use 1Password CLI to securely pass your variables to an application or script without exposing your credentials in plaintext. Environments are dynamic: if you update your variables in 1Password, the changes will be reflected in your project without needing to update the code directly. You can also share Environments with other people on your team, so everyone can stay in sync. For example, you can create an Environment for a development context, like iOS App Staging, then use op run --environment <environmentID> to provision your app with your staging secrets. Changing to a different development context like production is as simple as pointing to a different ID.
You can also replace hardcoded secrets in your code using secret references.

Learn more

Automate administrative tasks

1password.com open to show the people who have access to a vault alongside a terminal window displaying the same information.
With 1Password CLI, IT administrators can set up scripts to automate common tasks, like provisioning users, managing permissions, managing items, and generating custom reports. For example, this script will loop through each vault the person who runs the script has access to and provide:
  • the vault name
  • the number of items in the vault
  • the last time the vault’s contents were updated
  • the users and groups that have access to the vault along with their permissions
vault_details.sh
#!/usr/bin/env bash
for vault in $(op vault list --format=json | jq --raw-output '.[] .id')
do
        echo ""
        echo "Vault Details"
        op vault get $vault --format=json | jq -r '.|{name, items, updated_at}'
        sleep 1
        echo ""
        echo "Users"
        op vault user list $vault
        sleep 1
        echo ""
        echo "Groups"
        op vault group list $vault
        sleep 1
        echo ""
        echo "End of Vault Details"
        sleep 2
        clear
        echo ""
        echo ""
done

Learn more

See our repository of example 1Password CLI scripts for inspiration for your own projects. You’ll find scripts that can help you:
To learn more about how to accomplish these tasks with 1Password CLI, see the following guides:

Sign in to any CLI with your fingerprint

With our shell plugin ecosystem, you can use 1Password to securely authenticate all your command-line tools. Store your CLI access credentials in your 1Password vaults then sign in to your CLIs with your fingerprint instead of entering your credentials manually or storing them in an unencrypted format on your computer. Shell plugins unlock the ability to securely share credentials between team members. Store a token in a shared 1Password vault, and all people with access to the vault will be able to sign in with them. And you can use shell plugins across multiple environments, so you don’t have to spend time signing in and out between projects. For example, the ngrok shell plugin can securely tunnel the local app to the internet for a web development project running on your computer. The ngrok authtoken is not stored anywhere on the computer. When the ngrok CLI is run, the shell plugin provisions the authtoken as an environment variable for the ngrok binary to consume, and when the process exits, the environment variable is cleared.

Learn more

Get started with one of our most popular shell plugins:
Or choose a plugin from our library of more than 40 command-line tools to get started with. If the tool you want to use isn’t supported yet, you can build your own plugin. You can also: