Announcing the 1Password command-line tool public beta

Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. Let me take this opportunity to walk you through the exciting potential.

Introducing op

1Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: op.

The 1Password command-line tool makes your 1Password account accessible entirely from the command line. A simple op signin will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:

Getting usernames and passwords from items:

$ op get item OpenProxy | jq '.details.fields[] | select(.designation=="password").value'

"genuine-adopt-pencil-coaster"

Creating new items and vaults:

$ op create item login $(cat aws.json | op encode) --title="AWS"

{"uuid":"5hinhvejl7wtmbeorfts7ho3di","vaultUuid":"i5imjpvdivbsxo56m2ap2n66gy"}
$ op create vault devops

{"uuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

Working with documents:

$ op create document ./devops.pdf --vault=devops --tags=architecture

{"uuid":"i3rsiwjfh7aryvbu5odr4uleki","vaultUuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:

op suspend john@acmecorp.com

One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the Pro plan, op list events makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, op outputs JSON, so it’s simple to work with.

But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.

🎶 Rock, robot rock (solid) 🎶

The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using op for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. After a secure op signin, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.

The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.

Get yo’ *NIX on

Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried 1Password for Linux and Chrome OS, but we know what really makes developers salivate: a CLI. You can download op for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. Oh, and our Windows friends can play too!

What’s next?

If you’re as excited as we are about this, here’s everything you need to get started:

We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.

Now let’s get ready to 🎶 pipe it, grep it, cat it, sed it 🎶

74 replies
Newer Comments »
    • Dave Teare
      Dave Teare says:

      It’s awesome hearing your excitement! I’m glad you like what you see. 🙂

      I’m not sure of the intricacies of a launchpad.net package but I’ll be sure to pass along your feedback to those who do. Part of this beta process is to better understand what users like yourself need so please keep the feedback coming! ❤️

      Take care,

      ++dave;

    • Connor Hicks
      Connor Hicks says:

      Thank you! As Dave said, we’re using the public beta period to determine things like this; what our users want. We’re keeping an internal list of these sorts of wants and needs and we’ll use it to help make decisions on features and availability going forward.

      Cheers!
      Connor

  1. Julian
    Julian says:

    This makes me very happy.

    Obviously in the long term a native client for Linux would be highly desirable although a Chrome extension is a great start.

    Your competitor, Enpass, currently provides cross-platform support and they’re entirely free.

    As long as the 1Password CLI works in Linux I’ll be happy for the moment. I don’t like logging in via the 1Password website because of the inherent issues with JavaScript cryptography.

    With the gradual demise of MacOS (see recent usage statistics), Windows and Linux platforms are going to become essential to your business model.

    Whilst I’m on this blog I’d like to see a blog post about he ‘hidden’ features such as /log when somebody gets the time. I’ve yet to come across a one-stop-shop listing all the commands.

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Julian! 👋

      I agree that would be great. It’s certainly something we’d love to see in the future as well. The issue as always is time: we all only have a finite amount of it so we can’t always work on every fun project that we’d like to.

      For now our plan for Linux is a two pronged approach: the CLI Connor discussed in this post and the new Chrome extension for Chrome OS and Linux users. The CLI is for power users needing to script things while the extension makes using 1Password directly within your browser a treat.

      Both of these are in beta testing at the moment so we’ll need a while to complete these (and implement our ideas that won’t make it into the initial release) before we add any additional things to our Linux plate. 🙂

      I hope you join both betas and enjoy 1Password on Linux!

      Take care,

      ++dave;

    • Connor Hicks
      Connor Hicks says:

      Thanks for the great feedback, it’s awesome to see passionate users getting their hands on the tool in real life! As for the logging options, the tool currently only logs barebones error messages, it’s not yet useful for real debugging. For future releases, we’ll be fleshing out the logging to make it more useful, and start documenting the log options. Keep an eye on the release page and the CLI forum for more details going forward.

      FYI all of the commands are documented here: https://support.1password.com/command-line/ and also using the –help flag on any command (top-level or subcommand) while using the tool.

      Cheers!
      Connor

  2. Disgruntled user
    Disgruntled user says:

    A command line version of 1P, but no Chromebook version!?!?!? SMH, this is what happens when you let stoned engineers run the product team.

    Reply
    • Dave Teare
      Dave Teare says:

      Hello Disgruntled user! 👋

      I’m sad to hear you’re in a state of disgruntlement. That’s certainly not a state we want to see you in!

      Thankfully I think I have the perfect cure for you: we have a Chromebook version of 1Password in the works already. Connor linked to it in his post above and we’re in private beta testing already. We’d love to have you join our beta testing family and you can learn more here:

      https://discussions.agilebits.com/discussion/79609/a-present-for-linux-and-chrome-os-users/p1

      With any luck this news will turn your frown upside down. 🙂

      Take care,

      ++dave;

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Justin,

      The command-line tool is a client for the 1Password service. So far our early testers have been using it for managing 1Password Team accounts or scripting the use of secrets within their organizations.

      Though I also use it to get certain things from my family account. I’ve got a script which I use to get my Tarsnap keys from to fetch a latest backup of various servers and systems I manage around the house. (OK, now that I read over that I realize that I am probably not the most typical of Family account users. And if I would put my FreeBSD servers on systems with more reliable power supplies I wouldn’t need to restore from backup to often)

    • John
      John says:

      Ay, and there’s the rub! I knew this sounded too good to be true. Of course it’s not available for standalone, local vault customers. Oh well, can’t really be too upset with something you didn’t have in the first place. Pity, this sounds like a really cool tool and I could definitely see some cool automation benefits to using it. I’ll just go back to the corner with the rest of the local vault plebs. Enjoy your shiny new toys everyone else. :(

      Oh and before you guys inevitably mention it, respectfully no thank you, I do not want to sign up for the subscription service. I prefer local, WLAN synced vaults. And even if I did want it, unfortunately I couldn’t afford it.

    • Dave Teare
      Dave Teare says:

      Hi John,

      You’re right, this CLI is only available to those subscribed to our 1Password service. This CLI (as well as our upcoming present for Chrome OS and Linux users) were made possible by the centralized architecture provided by our new service.

      As for me inevitably mentioning signing up to our subscription service, of course that is an option and a mighty good one at that. But not to worry, we have no intention of forcing you to sign up. It’s up to us to demonstrate to you how much better our hosted system is and get you excited to make the switch. In addition to unlocking features like the CLI tool Connor discussed in this post and the upcoming reimagined Chrome extension, there are other benefits inherent with 1Password Memberships as well, such as item history, data loss protection, seamless sync, etc. This list will continue to grow and I hope that in time we’ll be successful in getting you excited. Until then, you can continue enjoying 1Password as you have been.

      Take care,

      ++dave;

    • Alexis
      Alexis says:

      @Dave Everything you say is true. Although the paid plan/membership also brings a HUGE drawback, at least for me: you f-ing have a copy of my vault! Like… why? There is 0 technical reason why a command line tool wouldn’t be able to connect to the 1password running on my machine, or just reading the vault directly…
      I’m sorry, but you are trying to force us to pay more.
      The reason I chose 1password in the first place:
      – no membership
      – seemingly working on windows (I’m sorry but the old app is just crap, it’s actually got worse…)
      – you don’t have a copy of the data
      – I sync the data however I want

      I guess it’s time for me to look at an alternative…

    • Dave Teare
      Dave Teare says:

      Hi Alexis,

      Thanks for sharing your thoughts with me. I can see where you are coming from and if I were in your shoes I could see myself feeling the same way. Please allow me to share a few thoughts from my perspective and hopefully you’ll be able to continue using 1Password.

      Since we’re having this discussion in the comments section of our CLI announcement it’s fitting to start there. You’re right, our CLI does not support standalone licenses and we have no plans of changing that. The main reason for this is the CLI was primarily created for our 1Password Teams customers. Tasks like exporting activity logs to Splunk, onboarding new users, and suspending users are things needed by our very large teams. Automating tasks like these are simply not needed by individuals.

      Of course that’s not to say there’s no value of a CLI for individuals. While we’re primarily targeting the CLI at teams, things like grabbing a password from an item can be very useful to an individual who’s running their own server. In this scenario, however, the server would need to have access to your data, which would require making a connection to another server to grab the information. We designed our server APIs specifically to make tasks like this very efficient and secure. Attempting to shoehorn these features into three other APIs (CloudKit, Dropbox, and WLAN Sync) is something we’re not interested in doing. Even if there was sufficient demand for this I’m not convinced it’s even possible. Of course we could read the data from the local files directly, but that would greatly curtail the usefulness of this utility, so I don’t want to go that route either.

      As for Windows, I’m not sure if you’ve seen them or not, but we’ve had several posts about 1Password 6 for Windows. The most recent were Kate’s Introducing 1Password 6.6 for Windows and 1Password 6.7 for Windows: A feature buffet and you can see there’s been some really awesome improvements for Windows so far this year. I think you’ll really enjoy it. Now the thing is, for several reasons 1Password 6 for Windows only supports 1Password memberships at this time but we’ve announced already that 1Password 7 for Windows will support standalone licenses. While we’re not ready to announce anything specific on when 1Password 7 will arrive, I will go out on a limb and say you should be able to test drive a beta by the end of this year.

      As I mentioned to John above, we have no intention of forcing you to sign up to our subscription service. It’s up to us to demonstrate to you how much better our hosted system is and get you excited about making the switch. Obviously we’re not there yet for you and that’s okay – users like you are why we continue to support standalone licenses for 1Password and why we are keeping support for them in 1Password 7. Perhaps we’ll succeed in getting you excited in the future or perhaps we won’t – either way I hope you’ll be able to continue using 1Password.

      Take care,

      ++dave;

    • Alexis
      Alexis says:

      @Dave First off thanks for the answer. And don’t get me wrong, I’m excited for most of the new stuff. Except you ask me to host my data. And that’s just not happening :-)
      Something that lets you setup a webdav over ssl or something is cool.

      I trust you guys, don’t get me wrong, but not enough to just have all my passwords (even encrypted etc.) sitting ducks with everybody’s else’s. It just doesn’t make sense from a security standpoint.

      As for the windows version, maybe version 7 will work. But in the meantime, we both know what the other one is worth :-)

    • Kate Sebald
      Kate Sebald says:

      Hey Alexis!

      1Password 4 is a bit polarizing. As a Windows user since forever, I actually rather like it myself. It reminds me of the old days of Windows when I was first learning to use a computer with something more than DOS. Despite its age and the fact that it looks a bit less than pretty, 1Password 4 really is still a very powerful program with a lot of flexibility that I find pretty fun to use (if perhaps not to troubleshoot). Beyond my nostalgic affection for it, though, I still know of quite a few folks who remain in love with 1Password 4 and won’t leave it for anything. Value is in the eye of the beholder and for more folks than you might think, 1Password 4 still holds quite a bit of value.

      That said, one reason we are no longer selling 1Password 4 for Windows is because we are no longer actively developing it. Our view is that one of the things you pay for when you buy a license is ongoing improvements. 1Password 4 will now only continue to receive bug fixes and security updates. With 1Password 7 in the pipes 1Password 4’s days as the latest app for folks using standalone vaults on Windows is coming to an end, so we think our time is better spent getting 1Password 7 ready to go. I’m pretty excited about that. Having everyone using the same new, modernized app no matter where you store your vaults will be awesome and I’m definitely looking forward to hearing your thoughts when it’s ready. 🙂

      I trust you guys, don’t get me wrong, but not enough to just have all my passwords (even encrypted etc.) sitting ducks with everybody’s else’s.

      I’m glad to hear you trust us. One thing I try to stay conscious of is that some folks’ reluctance (or refusal) to try out a 1Password membership has nothing at all to do with us. In reality, “the cloud” is a scary place for some folks and not without reason. As I said in a recent blog post, data breaches are old hat these days. It’s easy for us to say we’re different, but harder for us to do demonstrate that we truly are. I hope by being transparent about our security practices, working to inform folks of how we secure your data, and ensuring you are the only person who ever has the keys to unlock your vault we’re able to show we truly are different from the folks who have leaked your data (and mine, for that matter) over the years. But I do know that hurdle is still pretty tall and it may well take a bit more work to surmount it.

      As Dave mentioned, we love 1Password memberships, but our job is to give you the information you need to make the best decision for you. If a 1Password membership isn’t what’s best for you, standalone vaults are here for you and it’s up to us to prove to you that your data aren’t sitting ducks on our servers so that (maybe) you’ll change your mind one day. We never want to force you to make the switch. We want it to be your choice. 🙂

      I hope, even if you don’t decide to give a membership a try any time soon, you do take the time to learn more about the security features of 1Password memberships, if you’re interested, and to share any feedback you might have about security with us. It’s perhaps a lofty goal, but we hope to one day make our servers a place everyone feels safe storing their encrypted vaults. Maybe that takes a new security feature (or many), maybe it just takes time and maybe, for some, it’s never gonna happen, but dag nabbit, we’re gonna try so your feedback is always appreciated.

      Thank you for taking the time to share your thoughts and for sticking with us for so long. We know you wouldn’t take the time to talk to us about this stuff if you didn’t want us to succeed, so thank you and keep the feedback coming.❤️ 🙂

    • Connor Hicks
      Connor Hicks says:

      I bet if you did a search for “1password-cli” on homebrew, you’d find something our friends over there put together!

      Nothing official from us just yet!

  3. Andy
    Andy says:

    While I’m all for short commands, is it such a great idea to use two letters? To avoid mistakes perhaps a more descriptive name would make sense… then the user is free to alias it to whatever they please. This looks very promising though!

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Andy,

      If you are worried about typos with “op”, then you can alias it to something longer. That way, you only have to be sure to get the command right once (where you define the alias).

      Anyway, have fun with it.

    • MattyH
      MattyH says:

      Agreed. Also two letter commands are a precious resource.

      1p might be a better option — less likely to collide with others.

    • James R Cutler
      James R Cutler says:

      I have to agree – op gets mapped to open by helpful autocorrect, while 1p works unmolested with almost anywhere. I type Command-Space and then “1p” instead of removing my hands from the keyboard and messing around with the mouse. You (agilebits) taught me that.

      Besides, now that we aren’t limited to ASR-33 typing speeds, the effective difference between typing ‘1p’ and ‘1password’ is negligible. But the hassle of correcting autocorrections of ‘op’ to ‘open’ really is close to a deal breaker.

    • Kate Sebald
      Kate Sebald says:

      Hey James! Autocorrect is the worst, isn’t it? And yet, I find I miss it when I turn it off. You can’t win. On Windows, I have to use ./op, plus I don’t even have the option of autocorrect, so this never does get me, but I definitely understand the struggle. I’ll be sure to pass your feedback along to the team. 🙂

    • Dan
      Dan says:

      I should’ve caught that given the music notes emojis. However, I was thinking of the Bop It toy. “Push it! Pull it! Twist it! Bop it!”

  4. Jean Mertz
    Jean Mertz says:

    This is awesome. We use https://passwordstore.org in combination with 1Password, the former for our automated build scripts and CI, the latter for our employees.

    With this CLI, we can converge everything into 1Password, and use the groups functionality to separate access for specific automated services.

    Truely an awesome addition to an already wonderful suite of tools.

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thank you so much. We (particularly Connor and Stefan) have put a lot of work into this for exactly the kind of usage you describe.

  5. Greg S
    Greg S says:

    If I have to ask this question I probably shouldn’t be using it, but what are the two macOS versions?

    Secondly, Homebrew is a common way to distribute some things on macOS. Not sure if it’s appropriate for this software. “Homebrew installs the stuff you need that Apple didn’t.” https://brew.sh. Includes updating.

    Although probably easier and better if can be an option in the macOS app installation. Other apps do this. TextMate is one example. https://panic.com/transmit/

    Reply
    • Connor Hicks
      Connor Hicks says:

      Hey there Greg,

      There are macOS builds for 368 (32-bit) and amd64 (64-bit) if you purchased your Mac in the past… 5 years, you’re most likely going to want the amd64 version.

      As for Homebrew, we are not officially supporting it just yet, but a little birdy told me that the folks over a homebrew may have put a cask together on their own :)

Newer Comments »

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *