Announcing the 1Password command-line tool public beta

Here at AgileBits, we’ve been working hard over the last few months to bring power users, developers, and administrators more powerful ways to interact with 1Password. We’re proud to announce that we have something that fits the bill. It’s called the 1Password command-line tool, and we can’t wait to see what you build with it. Let me take this opportunity to walk you through the exciting potential.

Introducing op

1Password apps are available on just about every platform, but they’ve always had the same dependency: a graphical interface. Now all of 1Password is available with just two characters: op.

The 1Password command-line tool makes your 1Password account accessible entirely from the command line. A simple op signin will securely authenticate you with the 1Password service and give you access to a wide range of capabilities:

Getting usernames and passwords from items:

$ op get item OpenProxy | jq '.details.fields[] | select(.designation=="password").value'

"genuine-adopt-pencil-coaster"

Creating new items and vaults:

$ op create item login $(cat aws.json | op encode) --title="AWS"

{"uuid":"5hinhvejl7wtmbeorfts7ho3di","vaultUuid":"i5imjpvdivbsxo56m2ap2n66gy"}
$ op create vault devops

{"uuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

Working with documents:

$ op create document ./devops.pdf --vault=devops --tags=architecture

{"uuid":"i3rsiwjfh7aryvbu5odr4uleki","vaultUuid":"ny5khay7t3lmhrp4pjsxl4w34q"}

If you’re a team administrator, you can also manage other users and shared vaults — all without leaving your terminal:

op suspend john@acmecorp.com

One of the most frequent requests we receive from 1Password Teams customers is the ability to export the Activity Log. With the Pro plan, op list events makes it easy to ingest activity data into the application of your choosing. Be it Splunk, Kibana, Papertrail, or your own tool, op outputs JSON, so it’s simple to work with.

But we didn’t just build the tool to solve specific requests. It’s flexible enough to handle use cases we haven’t even thought of. The possibilities are endless, and we know you’ll come up with something amazing.

🎶 Rock, robot rock (solid) 🎶

The command structure is similar to tools you already use, providing easy integration with your workflow. Now automated systems can have access to secure credentials without ever storing them in plaintext. Here at AgileBits, for example, we’ve been using op for the last few months as part of our automated build systems. It’s been super useful for fetching secure keys and tokens required for building and deploying 1Password. After a secure op signin, we have a script that fetches the appropriate signing key from a shared vault and automatically signs new builds.

The tool was written from the ground up with the battle-tested Go programming language, the very same we used to build the 1Password service itself. As with every 1Password client, all encryption and decryption is done on your machine locally, ensuring the highest level of security best practices you’ve come to expect from the entire family of 1Password apps.

Get yo’ *NIX on

Our dreams of late have been filled with penguins. Two weeks ago we shared a treat with Linux users, and this week it becomes a feast. You might have already tried 1Password for Linux and Chrome OS, but we know what really makes developers salivate: a CLI. You can download op for macOS, Linux, FreeBSD, OpenBSD, and NetBSD on i386, ARM, and AMD64 architectures. Oh, and our Windows friends can play too!

What’s next?

If you’re as excited as we are about this, here’s everything you need to get started:

We highly value the thoughts of people using the beta in the real world, so we can continue improving the tool for you. As we work toward a stable release and eventually open source, please bear in mind that there may be breaking changes down the line, but we’re more than happy to work with you to resolve any issues. We look forward to working together to create some truly useful and powerful tools, and we can’t do it without you.

Now let’s get ready to 🎶 pipe it, grep it, cat it, sed it 🎶

76 replies
« Older Comments
  1. Sam
    Sam says:

    While I am very happy to see this being released, the developer ux of this cli is horrid. I haven’t played around with it long, but here are major problems I have with it:
    – using eval
    – op get item _, only returns a single value for items with the same name (when not using guid)
    – everything needs to be piped to jq or similar, why have an external dependency to make your cli even remotely usable?
    – there isn’t (or at least I couldn’t find it) a copy password to clipboard function; I have written a shortcut to do this with xclip, but it should be an included feature.
    – no set of included search (I can grep/sed, but that’s not the same) when listing; for example I have 4 sets of AWS credentials all starting ‘AWS – purpose’, being able to filter ‘AWS’ or ‘AWS – *’ should be included.

    Reply
    • Connor Hicks
      Connor Hicks says:

      Hey there Sam, thanks for taking the time to share your thoughts! Let me hit each point as you asked them:

      • We eval[uated] (see what I did there) several different methods of storing encrypted state when using the CLI, and using eval to set an environment variable was by far the most user friendly way we could come up with. Luckily, if you don’t want to use it, we provided some alternatives. If you add the –output=raw flag to the signin command, you’ll be given the session token as a string. From there, you can pass that session token into any other command using the –session=[token] command. No eval!
      • This has been pointed out by several different users and we’re working on some improvements there. I think the current plan is to restrict op get item to using UUIDs, and add a second op search items command that will return multiple results in a list. That’s all I can say for now, look out for future releases for improvements.

      • The CLI in its current state is meant to be used by machines; i.e. it’s meant to be used in scripts and cron jobs rather than read by a human. That being said, we are working on some different strategies to make the CLI more useful sans jq.

      • It’s true we do not have a clipboard copy feature at this time. Working on it!

      • See #2 :)

      Please keep in mind that this is a beta, and its purpose is exactly this – gain insight from our users on how they want to use the tool and use that feedback to improve the product. We’re going to do just that. :)

      Please feel free to reply or send an email to support+cli@agilebits.com if you have any further feedback!

      Cheers,
      Connor

    • Kate Sebald
      Kate Sebald says:

      Hey Tink! We hear you (and my apologies for cleaning up your comment a bit. We do understand your frustration, despite this edit). We know there isn’t a critical mass of love out there for subscriptions in general. Anyone who has signed up for a gym membership in the past has a pretty good reason to hate them, so we’ve put a lot of focus on not only telling folks that 1Password memberships are different, but really showing it.

      1Password memberships are more than just the 1Password apps. They are a whole host of services that help to make securely managing your data easier. They’re automatic syncing with nothing to set up, fine-grained permissions to control access for teams, control over what you share and sharing made easy for families, a complete item history for those items you didn’t realize you still needed, and protection for your data while you travel. All of this while ensuring your data is protected by strong end-to-end encryption and the keys to that data are yours and yours alone. Plus, we’re not just sitting on our laurels, we’re always working to make 1Password and all of the features of 1Password.com better every single day. From the CLI tool, to 1Password X for Chrome, to the new Slack app for teams, we’re always working on The Next Big Thing.

      Chances are your gym membership gets you about the same thing now as years ago, and your cable bill probably went up even though service is no better. We really are different. Your 1Password memberships is your choice. Always. If you give a 1Password membership a try and aren’t sure you’ll want to stick with it, it’s free for 30-days and after that you can set your subscription not to auto-renew so you have the opportunity to reassess if you’d like. If you do decide it’s not for you, you can cancel without having to talk to retention (or anyone else) and take your data with you back to a standalone vault (or somewhere else entirely if you’d like). It’s your choice. We’re not looking to trap anyone or lock you in to using 1Password until the end of days (though we’d be delighted if that’s what you chose to do). If standalone licenses are what you prefer, they’re still here for you both now and for 1Password 7, but we do hope you’ll give a 1Password membership a try and give us the opportunity to show you that we really are different.❤️🙂

  2. James R Cutler
    James R Cutler says:

    Kate,
    A while ago you said, “That said, my point is not that folks using standalone vaults don’t have a need, just that no significant need had been communicated to us.”
    Part of the business decision by many to purchase 1Password using standalone vaults has been the existence of standalone vaults. An obvious communication to Agilebits that this was a significant need should be the purchase of 1Password and updates thereto rather than another product.

    If I am not required to change my software or my business processes going to Version 7 — including NOT switching to AgilebitsCloud vaults — then I can accept continuing scheduled payments to Agilebits instead of repeating the purchase process for each update.

    Differently put, the 1Password purchase decision was based on 1Password meeting specific requirements including, but not limited to, standalone vaults.

    So, except for being annoyed by constant nagging to upgrade to High Sierra, oops, I mean 1Password Subscription, I can tolerate paying for a subscription as long as I can still run my business the way I want and keep my data where I want. Comments in other forum entries have already given me hope for this, except for the nagging, of course.

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey James! That statement was specifically in reference to the command-line tool discussed in this post, not about standalone vaults in general. We’re certainly aware that some folks share your preference for standalone vaults and that’s just fine. We’ve continued to support standalone vaults across platforms and have no intention of changing that, including in 1Password 7.

      That said, the command-line tool really isn’t an update to 1Password. It’s a new product to fill a need shared with us by many of our 1Password Teams customers. Yes, it’s only for our 1Password membership customers and I understand that this makes some of our standalone customers uneasy. Rest assured, we have no intention of removing standalone vaults, but we’re also going to continue to work to improve 1Password memberships which likely will include features that won’t be available to standalone vaults. While we know that stinks for y’all, those who already chose a 1Password membership deserve a great product with consistent updates and improvements, same as our long-time standalone customers, so the fact that we cannot offer a feature to everyone isn’t going to stop us from building those improvements.

      Does this all mean we might nag you a bit about 1Password memberships when you don’t want to be? Probably. We try to feel out when folks aren’t interested and to be considerate about that, but we are passionate about what we’re building and love to share it with all of you. If it’s not your bag, that’s fine. After all, we’re not the boss of you so you don’t have to use it just because we think you should. Still, we hope you’ll keep an open mind and forgive us if we get a bit too excited. In the meantime, standalone vaults are here for you and will remain here in 1Password 7. No worries at all. ❤️🙂

  3. Anders Nordby
    Anders Nordby says:

    This is nice. But please extend “op list users” to include the fields “last access”, “joined” and especially “status”. I want to validate our 1Password users whether they should be suspended or not.

    Reply
  4. Matias Piipari
    Matias Piipari says:

    This is great news! It would be awesome if you made available .deb packages for this tool for Ubuntu via an apt repository.

    Reply
    • Kate Sebald
      Kate Sebald says:

      Hey Yutian! The CLI tool is still in beta, so it’s not something we’ve shouted about too much just yet. It is pretty awesome, though, and even pretty usable for someone who tends to steer clear of the command line like myself. I hope you have a chance to give it a try and love it and I’ll be sure to let Connor know just how excited you are. 😊

  5. Don Nash
    Don Nash says:

    The only problem I have with using “1p” is that digits are more difficult to type than letters, but that’s going to vary from one person to the next. I like the idea of using a long and unambiguous name and then letting people create aliases as they see fit.

    Reply
« Older Comments

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.