Announcing the 1Password command-line tool public beta

Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. Let me take this opportunity to walk you through the exciting potential.

Introducing op

1Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: op.

The 1Password command-line tool makes your 1Password account accessible entirely from the command line. A simple op signin will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:

Getting usernames and passwords from items:

$ op get item OpenProxy | jq '.details.fields[] | select(.designation=="password").value'


Creating new items and vaults:

$ op create item login $(cat aws.json | op encode) --title="AWS"

$ op create vault devops


Working with documents:

$ op create document ./devops.pdf --vault=devops --tags=architecture


If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:

op suspend

One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the Pro plan, op list events makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, op outputs JSON, so it’s simple to work with.

But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.

🎶 Rock, robot rock (solid) 🎶

The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using op for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. After a secure op signin, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.

The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.

Get yo’ *NIX on

Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried 1Password for Linux and Chrome OS, but we know what really makes developers salivate: a CLI. You can download op for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. Oh, and our Windows friends can play too!

What’s next?

If you’re as excited as we are about this, here’s everything you need to get started:

We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.

Now let’s get ready to 🎶 pipe it, grep it, cat it, sed it 🎶

76 replies
« Older CommentsNewer Comments »
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Challenge accepted! (Though not the challenge you expect.) I will see if I can get a Macports port file set up before someone sets up a Homebrew cask. (I think I might be the only Macports user around here. Everyone else uses Homebrew.)

    • Connor Hicks
      Connor Hicks says:

      Nothing official, but a little birdy told me that the fine people over at homebrew have added it already :)

  1. CttW Apps
    CttW Apps says:

    I’d like to create a shell function to serve as a wrapper for op and JSON parson; however, I don’t want to sign in every time the wrapper is called because that would be wasteful. Is there a method to check if the existing OP_SESSION_XXX token is still valid? Ideally “op signin” would check the current token before prompting the user to authenticate and get a new one; however, in my testing I’m able to get a new token with each “signin” request when the 30min expiry for the previous token has not passed. Thanks.

    • Connor Hicks
      Connor Hicks says:

      That’s a great question! At the current time, there’s no explicit “check for valid token” command. That is a great idea though, I’ve added it to our feature ideas list. For now, I would suggest running the op get account command as your “check”. If that returns a non-zero exit code, you are not signed in (it’s essentially the only error that command would ever throw). I know it’s not ideal, but hopefully it’ll work for now :) Please head over to the forums if you have any more ideas (it’s the fastest way to get in touch with me and to have longer conversations)


  2. Robert
    Robert says:

    I upgraded to 1Password accounts just for this (although I think it’s not cool that new features are cloud only). Then I realized this does not take advantage of touch ID, forces me to store the secret key on the disk. I really hope you will improve it. Given all this I am back to 1Password standalone version.

    • Connor Hicks
      Connor Hicks says:


      Thanks for giving the tool a try, let me see if I can address your concerns. As a CLI, we aren’t really able to take advantage of system functions like TouchID at this time. There are some pretty strict requirements for apps to use it, and unfortunately the CLI won’t qualify. Our Mac app does indeed support it, though!

      As for the secret key, we store it exactly the same way as the other apps, it just happens to be in a more “visible” location (your home directory, rather than a buried directory). We set up very strict UNIX permissions on the ~/.op directory and on the file itself so that no other users on the system (except of course, superusers) can access it.

      I hope that helps! Please feel free to email me ( goes straight to me) if you want to discuss it in more detail, you can also head over to our forums to have a lenthier discussion.


  3. Eleanora
    Eleanora says:

    Unfortunately you need a subscription for it. You guys doing a great job driving your service into the ground and unusable – So Long, and Thanks for All the Fish

    • Dave Teare
      Dave Teare says:

      Hi Eleanora,

      You’re right, the command line utility Connor discussed in this post is only available to those subscribed to our 1Password service. This new command line client as well as our upcoming present for Chrome OS and Linux users were made possible by the centralized architecture provided by our new service. Having control of both the client and the server provide us with many new opportunities that we didn’t have available to us before.

      As for the fish, you’re very welcome, but just so you know, there’s no need to say goodbye. As excited as we are about our new subscription service we have no intention of forcing you to sign up. It’s up to us to demonstrate to you how much better our hosted system is and get you excited to make the switch. In addition to unlocking features like the CLI tool Connor discussed in this post and the upcoming reimagined Chrome extension, there are other benefits inherent with 1Password Memberships as well, such as item history, data loss protection, seamless sync, etc. This list will continue to grow and I hope that in time we’ll be successful in getting you excited. Until then, you can continue enjoying 1Password as you have been.

      Take care,


  4. Joel
    Joel says:



    Coming up to mention that I’m yet another user who purchased several versions of 1password over the years and feels betrayed that only the subscription users are capable of using these tools.

    I KNOW you’re a business. I KNOW you need to make money. I KNOW you owe me (and others) jack squat — but, man. This is such a kick to the nuts.

    As a loyal and enthusiastic user, who’s recommended and installed 1p on family/friends’ computers over the years (“Yes, yes I know it’s expensive but it’s totally worth it!”, I would say) I think this is probably the final straw. It’s time to find something else.

    • Kate Sebald
      Kate Sebald says:

      Hey Joel! Limiting this to 1Password memberships wasn’t at all meant as a slight to folks who chose standalone vaults. In fact, open source CLI tools already exist for standalone vaults, so we didn’t genuinely see a need there. Instead, most of the tasks we already had in mind when building this were specific to folks using our hosted service as they were the folks asking for it. Stuff like managing vault permissions and exporting certain data maintained server-side just isn’t a concern with standalone vaults. We would never kick you anywhere (we’re lovers, not fighters) and while we might maybe hope that some of the tools that take advantage of our hosted service convince you to give it a try, we still appreciate y’all no matter where you store your vaults.❤️

  5. Donald Nash
    Donald Nash says:

    Two observations: First, wrapping a PowerShell module around op would be awesome for folks like me who use it extensively for automation and orchestration. PowerShell has a built in ability to convert its native objects to/from JSON. Wrapping op shouldn’t be too difficult, but it might be a bit tedious.

    Second, regarding all the heat you’re getting for emphasizing your subscription service, I think maybe you’re not quite grasping the nature of some of the complaints, at least not those I’ve seen in this thread. Some people have security requirements that simply can’t be satisfied with the subscription service, and Dave’s comments about getting people excited about switching to it ignore these concerns. Add to that the fact that so many new features are only available via subscription makes it look like you’re abandoning standalone vaults. I can understand your excitement about the new service and all the things it lets you do, but at some point if you don’t back-fill those new features into standalone vaults then those people are going to have a legitimate concern. And given the paucity of reassurance on this topic, I’d say that they already have a legitimate concern. I know you can’t make promises about what you’ll be doing in the future, but throwing a bone to these folks could go a long way. Something like, “Yes, we plan on adding features x, y, and z to the standalone version, but not features a and b. But we don’t have a time table just yet, and no plan survives first contact with the enemy. Please bear with us,” would go a long way.

    Disclaimer: I’m a subscription user.


    P.S. Dave: quit copying my “++” prefix on your signature. :-) I’ve been using it since 1985 or so. Get off my lawn! :-P

    • Kate Sebald
      Kate Sebald says:

      Hey Don! I’ll leave PowerShell to Connor as I think I actually heard the whoosh as the went over my head, but as one of the folks who has spent a lot of time responding to subscription concerns, I did want to jump in with my two cents there. Specific concerns really do vary a lot and that’s one reason I prefer one-on-one conversations with folks about their specific concerns over trying to address a generalized complaint about subscriptions or cloud storage in general. Of course, that is itself kind of general, so let’s talk specifics.😉

      Some people have security requirements that simply can’t be satisfied with the subscription service

      This is a particularly tough one. Some folks do have security requirements we truly can’t meet. Others require we meet certain standards we already do meet or are working towards. Others have no specific security requirements and just hate cloud storage. If someone comes out and tells me that a client of theirs, for example, requires that none of their data be stored on the cloud, then I get that and the conversation can shift to standalone vaults from there. If someone requires that we have a certification we don’t have yet or keep their servers in a specific place we don’t have infrastructure in yet, I get that and can save the pitch for when we can meet those requirements. The tough one is when someone tells me they just generally don’t trust the cloud.

      I recently used the phrase, “data breaches are old hat,” and it’s sad, but true. For that reason, I totally get that the cloud is viewed as a scary place my some. The news doesn’t do the cloud any favors. All the same, though, I always think maybe I can convince these folks. Maybe I can explain how we do things differently by putting security first in all things and being open and transparent about what we do to keep data safe and this will push them to give it a try. Maybe it just takes time to make them comfortable or they have a specific suggestion that might ease their concerns. Maybe new features will tempt them over the edge. Maybe they won’t be convinced at all.

      In these conversations with customers, we try to address specific concerns and recognize what needs to happen to make a 1Password membership not just a viable choice but genuinely the best choice for every customer. This sort of feedback helps us make 1Password better, so I love these conversations. That said, we may sometimes miss a specific underlying concern giving them impression we’re dismissing it, or just fail to recognize someone who simply won’t be convinced. I’ve had to apologize for doing just that myself a few times and I’m sure I’ll miss the mark again, though I try to do better each time. All the same, we really do listen to what folks have to say and I hope our enthusiasm isn’t interpreted as a lack of concern. If anyone does feel their concerns were dismissed, I hope they’ll tell me (or that I’ll realize I’ve goofed), because that just means I’m missing out on a chance to improve 1Password for that person. What makes any given person feel secure varies greatly and the best way to make a safe place for folks to store their data is to figure out what a safe place looks like for everyone.🙂

      the fact that so many new features are only available via subscription makes it look like you’re abandoning standalone vaults.

      I don’t think that’s an unreasonable interpretation, but the reality is that a lot of these new features leverage server infrastructure to work. Take Travel Mode, for example. If you remove data from your device with a standalone vault that isn’t synced, that data is gone. If you want to remove data that is synced, you need to remove it on each device individually or remove it from Dropbox or iCloud entirely (in which case it’s still gone) because there’s no central server tracking whether a vault is safe for travel or not and nothing that’s able to tell all of your devices at once to get rid of vault X. Our hosted service is what makes Travel Mode work as seamlessly as it does. Most of the time, it’s easier to add features to the apps generally than it is to segregate standalone vaults, so if it’s a feature that makes sense for everyone and works the same for everyone, generally everyone will get it.

      at some point if you don’t back-fill those new features into standalone vaults then those people are going to have a legitimate concern.

      I try to treat all concerns as legitimate, whether I agree with them or not. Often, my word is all folks have to go on and that’s a tough spot to be in. Of course, we’re always open to talking about specific features folks would like to use with standalone vaults, whether or not I can make any promises (which I almost always can’t). Since I don’t want anyone to think they’re the enemy (we’re all friends here), I’d instead say that theory and practice are two very different things and rarely do they mirror each other perfectly. As I’ve said before, this often makes talking about the future tough because I don’t want to set unrealistic expectations or make promises I can’t keep, but we do try to share what we can as soon as we can. Still, we do always want to hear from people, no matter what. Whether you see it unfolding or not, y’all really do draw the roadmap with your suggestions and requests so never hold back.🙂

    • Donald Nash
      Donald Nash says:


      I understand that some features like Travel Mode simply don’t work for standalone vaults, and that’s okay (see “features a and b” in my original post). But the new CLI isn’t one of those things. The existence of open source CLI tools for standalone vaults is not an excuse for you not to cover them yourselves. Third party open source tools lack vendor support, and thus are dependent on the vagaries their communities. If the format of your standalone vaults changes, then those tools will quit working until they can be updated. Meanwhile, a vendor supported solution would presumably be updated when the new vault format is released. Also, I would suspect (not having used them), that the inputs, behaviors and outputs of those tools are different than op, which means that higher level tools which need to use both must have two sets of “driver” code rather than a single one.

      I won’t do a case by case analysis of recent features which I think could reasonably support standalone vaults and which couldn’t. The comparison of Travel Mode to the CLI sets the boundaries rather well, and in any case I’m quite sure that you folks have a better handle on it than I do. But the existence of comments like Joel’s would seem to demonstrate a bit of a blind spot on you folks’ part. Many people really, really like standalone vaults. It doesn’t matter if their concerns are legitimate or just an implacable “I hate cloud,” because the result is the same either way. Any time you announce a new feature that only works for the subscription model, you will alienate these people unless you either make it clear that it’ll be implemented for standalone vaults as well, or explain why that simply can’t be done (like your explanation of Travel Mode).

      I’m truly not meaning to bash on you folks. I really like 1P, and its continued success means it will continue to be available to me. More than that, I really like AgileBits as a company and how it is run (ref. Dave’s recent comments about corporate governance). That’s why comments from disgruntled users leaving the platform bother me. I realize there probably aren’t very many such people, but alienating customers enough that they leave is usually not a sound business decision, and that is worrying.


    • Kate Sebald
      Kate Sebald says:

      Hey Don! I’m not intending to imply that the existence of open source tools means that there wouldn’t be advantages to something we developed. I’m a bit biased, of course, but I think our customer support is awesome, so I definitely see advantages to having a tool we support directly beyond what you mentioned. That said, my point is not that folks using standalone vaults don’t have a need, just that no significant need had been communicated to us. As most folks understand, we do have to make choices in prioritizing where to spend resources and time (particularly developers’ time) is one of the most precious resources we have, so we go to great lengths to focus those resources on features that will most benefit the most people.

      As I pointed out at the end of my prior comment, these decisions really are more strongly influenced by what y’all are communicating to us than anything else. If we hear from a small handful of customers that they want feature A, we’ll keep track of it, but feature B that has hundreds of requests is going to get our attention first. Similarly, if the vast majority of requests for feature B come from folks using a 1Password membership, that will play a role in the decision as well. One reason I noted Travel Mode specifically is because that we did anticipate folks using standalone vaults would want it. Unfortunately, it was also an instance where that just couldn’t be done. All the same, we did explain this right away because we anticipated that sort of response. Another “feature” folks using standalone vaults often requested was 1Password 6 for Windows generally. Some folks love 1Password 4, but quite a few have been asking for an upgrade for some time, and so we are incorporating standalone vaults into 1Password 7 for Windows.

      In short, we didn’t anticipate a need with CLI and need to see comments like Joel’s to know it’s there. More than that, we need to see quite a few of them to know that need is far-reaching. For CLI, we didn’t see a need there and didn’t expect one. Time may tell us we’re wrong and, if that does happen, we’ll have to consider the feedback we’ve received and see what the best course of action is for us then.

      Of course, it saddens all of us to see folks leaving, especially folks who have been with us for a long time. We know the choices we make will never be popular with everybody, but that knowledge doesn’t make hearing folks are upset easy or enjoyable. No one sets out to alienate anyone, but any time we make a choice about features or future development, we know some folks are going to be upset regardless of our choice. The best we can ask of ourselves is to make the decisions that ensure we’re spending time and resources in such a way as to make 1Password the best it can be for the most folks possible (and to be agile and adjust when we learn we were wrong).

    • Donald Nash
      Donald Nash says:


      I understand having to prioritize what you’re doing, and I’ve never had a problem with that. That’s why I’ve held my peace as I’ve watched all the new stuff come out that only works for subscribers. You’ve got a new widget, and you want to make good use of it to maximize return on your investment in creating it. That’s a completely reasonable priority. So is oiling the squeaky wheel first.

      My complaint is more about your communication. You did a good job with Travel Mode, explaining up front why it is only available to subscribers. With regard to the CLI, much of the angst could have been avoided with two simple sentences: “The CLI only works for subscription users because that’s where we’ve had feedback that there’s a need. If you use standalone vaults and would prefer a solution from us rather than the open source packages currently available, then please let us know so we can prioritize accordingly.”

      It’s important to keep in mind that some people will feel alienated about the lack of a new feature even if it’s a feature they don’t plan on using. It’s about feeling left out rather than actually being left out. “If they’re not going to implement feature X for standalone vaults, then what else are they not going to give us?” It may not be entirely rational, but it is entirely human. That’s why I’m suggesting more up-front communication when rolling out new features that are limited to only part of your customer base (standalone vs subscriber, Mac vs Windows, whatever), rather than waiting for complaints. That can make the difference between, “Grumble, grumble, time to find a new password manager,” and “Oh, thanks for asking! Yes, I’d love one.”


    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thanks, Don, for helping us understand how we may have been alienating readers. And you are correct that the blog announcement could been drafted in a way that would have gone over better. This was simply an accidental oversight due to where our heads are at.

      It’s no secret that the focus of our development is on our service, and we also (internally at least) talk about op as “the command-line client“. Those two combined meant that for us it went without saying that this is a client for our service. Of course something that goes without saying for us is something that really should be said in the blog post.

      We didn’t do enough here to consider an outsider’s perspective despite writing for outsiders. Some of that I blame on being caught up in our own excitement about what we are doing. I suspect that that is why I missed this when I read over the prepublication draft, and I expect that that is true of everyone else here as well.

      So yes, we could have presented that better and we should have presented that better. Thank you for helping us understand that.

      -j Chief Defender Against the Dark Arts @ AgileBits

    • Donald Nash
      Donald Nash says:


      Yes, that’s exactly what I’ve been trying to say. Getting inside someone else’s head is hard. Since I’m one of the “someone else” from your perspective, that puts me on the side that sees this issue more clearly. It’s all just a matter of perspective.

      Just to be clear, I’m not laying blame here. You guys are completely justified in being caught up in the excitement. The new service is a big deal, and I’m not so far removed from app/service development that I don’t get that way myself sometimes. I never for a moment thought that there was any deliberate intent to leave anyone out. That’s part of why I’ve been such a dog with a bone on this. “No, no, no, guys! I know you’re not like that! Make them understand!”

      Thanks for listening.


    • Joel
      Joel says:

      Mr Don – If the whole developer/engineer thing doesn’t work out you should try corporate communications ;).

      On a serious note, thank you for articulating on behalf of those of us that are less adept. Your points are on the money.

    • Donald Nash
      Donald Nash says:

      Corporate communications? Seriously?!? How insulting! :-)

      Seriously, thanks for the praise. What communication skills I have are mostly due to nearly 30 years watching how people fail to communicate. It’s actually rather fascinating when you’re an outside observer, and I’m fortunate that my career has afforded me a great deal of that experience. Being a total language nerd helps, too.

      Kate and Jeffrey: Thanks for taking the time to hear me out. Although I try to keep it reigned in, I have a tendency to get a bit blustery sometimes.


      P.S. Really, I just want that PowerShell module. :-P

  6. John Clendenen
    John Clendenen says:

    CLI brings lots of great automation possibilities but also some risk.

    I would like to be able to:

    Disable CLI use per account and per vault so that only IT can use CLI and so extremely sensitive credentials aren’t available to it.
    Be able to rate-limit queries to make it more difficult to quickly dump whole vaults.
    See a detailed log of access to shared vaults.
    As an admin, send new credentials to a user’s personal vault (without having read access to the vault or the credentials after they’re sent).

  7. Lucian
    Lucian says:

    Apologies if I’m missing something obvious, but is the CLI tool only meant to be available to teams?

    I mean the statement here “The main reason for this is the CLI was primarily created for our 1Password Teams customers.” suggests otherwise, but I’ve just downloaded it and cannot get past the signin stage, where it requires a Secret Key, but “If you purchased 1Password as a standalone app without a membership, then you don’t have a Secret Key, and you don’t need to sign in when you open the app.”

    What gives?

    • Kate Sebald
      Kate Sebald says:

      Hello Lucian! The CLI tool is available to anyone with a 1Password account — Teams, Individuals or Families. As has been mentioned in previous comments, the CLI tool was designed with enterprise needs in mind, but it’s also meant to be flexible. We not only expect that folks will come up with ways to use it we never thought of, we’re counting on it and excited to hear about what y’all accomplish with op.

      That said, the CLI tool does not support standalone vaults, so you’re not really missing anything here. If you use 1Password with standalone vaults now, you won’t be able to use the CLI tool unless you switch to a 1Password membership. Since the CLI tool was designed specifically for our hosted service, like 1Password 6 for Windows, it’s a bit different from other apps which can be used without an account. Of course, 1Password memberships come with a lot of great benefits beyond access to the CLI tool and they’re free to try for 30 days. So, if you want to give the CLI tool a spin and you’re currently using a standalone vault, get signed up, migrate your data, and give it a try. 🙂

      If you do decide to give a go, be sure to stop by the forum and share what cool things you do with op and any feedback you have too. We love to heard from you.❤️

« Older CommentsNewer Comments »

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.