Tip
If you’re new to the command-line tool, learn how to set it up and get started.
The 1Password command-line tool provides commands to manage and administer a 1Password account.
Sign in to an account to get started. Run op signin --help
to learn
more.
How to specify objects
You can specify all objects by name or UUID. You can also specify some objects by other attributes:
- Items: item link
- Login or Password items: domain name
- Users: email address
When you specify an item by name or domain, there may be more than one
item that matches. To be more specific, use the --vault
option to
only look in one vault at a time, or use a unique ID (UUID) instead.
Cache item and vault information
The command-line tool can use its daemon process to cache items, vault
information, and the keys to access information in an account. To use
the cache, use the --cache
option with a command. When working with
items, the cache is most effective after it has a list of the items in a
vault.
The daemon stores encrypted information in memory using the same encryption methods as on 1Password.com. It can read the information to pass to the command-line tool but can’t decrypt it. The tool starts the daemon automatically and it terminates itself after 24 hours of inactivity.
Commands
- add: Grant access to groups or vaults
- completion: Generate shell completion information
- confirm: Confirm a user
- create: Create an object
- delete: Remove an object
- edit: Edit an object
- encode: Encode the JSON needed to create an item
- forget: Remove a 1Password account from this device
- get: Get details about an object
- list: List objects and events
- reactivate: Reactivate a suspended user
- remove: Revoke access to groups or vaults
- signin: Sign in to a 1Password account
- signout: Sign out of a 1Password account
- suspend: Suspend a user
- update: Check for and download updates
Usage
op [command] [options]
Global options
--account shorthand use the account with this shorthand
--cache store and use cached information
--config directory use this configuration directory
-h, --help get help with a command
--session token authenticate with this session token
Get help
For help with any command, use the --help
option:
op <command> [subcommand] --help
add
Subcommands
Related commands
add group
Grants a group access to a vault.
op add group <group> <vault> [flags]
add user
Grants a user access to a vault or group.
op add user <user> [<vault> | <group>] [flags]
Options for add user
--role role set the user's role in a group (member or manager) (default "member")
completion
Generates shell completion information for the 1Password command-line tool.
op completion <shell> [flags]
How completion works
If you use Bash or Zsh, you can add shell completion for the 1Password
command-line tool. With completions loaded, after you start typing an
op
command, press Tab to see available commands and options.
Load shell completion information for Bash
To always load the completion information for Bash, add this to your
.bashrc
file:
source <(op completion bash)
To use shell completion in Bash, you’ll need the bash-completion
package.
Load shell completion information for Zsh
To always load the completion information for Zsh, add this to your
.zshrc
file:
eval "$(op completion zsh)"; compdef _op op
confirm
Confirms users.
op confirm [<user> | --all]
Options for confirm
--all confirm all unconfirmed users
Related commands
- create user: Create a user
create
Subcommands
- create document: Create a document
- create group: Create a group
- create item: Create an item
- create user: Create a user
- create vault: Create a vault
create document
Creates a document.
op create document <file> [flags]
Options for create document
--filename name set the file's name
--tags tags add one or more tags (comma-separated) to the item
--title title set the item's title
--vault vault save the document in this vault
How create document works
When you create a document, a JSON object containing its UUID is
returned. The document is saved to the Private or Personal vault
unless you specify another with the --vault
option.
Create a file from standard input
To create the file contents from standard input (stdin), enter a
hyphen (-
) instead of a path. You can use the --filename
option to
change the name of the file.
Examples for create document
Create a document from standard input:
cat auth.log.* | op create document - --title "Authlogs 2020-06" --file-name "auth.log.2020.06"
create group
Creates a group.
op create group <name> [flags]
Options for create group
--description description set the group's description
How create group works
When you create a group, a JSON object containing its UUID is returned.
create item
Creates an item.
op create item <category> [<encoded_item>] [<assignment> ...] [flags]
Options for create item
--generate-password[=recipe] give the item a randomly generated password
--tags tags add one or more tags (comma-separated) to the item
--title title set the item's title
--url URL set the URL associated with the item
--vault vault save the item in this vault
How create item works
Create an item using assignment statements or with a 1Password JSON object template.
When you create an item, a JSON object containing its UUID is returned.
The item is saved to the Private or Personal vault unless you specify
another with the --vault
option.
Create an item with assignment statements
Use an assignment statement to set a field’s value:
[<section>.]<field>=<value>
You can omit spaces when you specify the section or field name. You can
also refer to the field by its JSON short name (name
or n
).
phonetollfree=012066188656
The section is optional unless multiple sections have a field with the same name.
testingserver.address=db.local.1password.com
developmentserver.address=db.dev.1password.com
You can’t make a new custom section using an assignment statement.
Generate a password
Use the --generate-password
option to generate and set a random
password for a Login or Password item. By default, it will create a
32-character password made up of letters, numbers, and symbols.
You can customize the password with a password recipe. Specify the password length and which character types to use in a comma-separated list. Ingredients are:
letters
for uppercase and lowercase lettersdigits
for numberssymbols
for special characters (!@.-_*
)1
-64
for password length
Create an item with a template
If you want to create an item with custom sections or fields, use a JSON
object template. Download and edit a template for the category of item
you want to create. Run op help get template
for a list of template
categories. To create an item using a template:
-
Get a template for the category of item you want to create, and save it to a file:
op get template "Login" > login.json
-
Edit the template to add your information.
-
Encode the JSON object and create the item:
op create item "Login" "$(op encode < login.json)"
When you’re finished, delete the unencrypted JSON template file.
You can use a tool like jq (https://stedolan.github.io/jq/) to reformat JSON to make it easier to read.
If you use both a template and assignment statements in the same command, the assignment statements overwrite the template’s values.
Related commands
- encode: Encode the JSON needed to create an item
- get template: Get an item template
- list templates: Get a list of templates
create user
Creates a new user.
op create user <email_address> <name> [flags]
Options for create user
--language language set the user's account language (default "en")
Related commands
- confirm: Confirm a user
create vault
Creates a new vault.
op create vault <name> [flags]
Options for create vault
--allow-admins-to-manage true|false set whether admins can manage vault access
--description description set the group's description
delete
Subcommands
- delete document: Move a document to the Trash
- delete group: Remove a group
- delete item: Move an item to the Trash
- delete trash: Empty a vault’s Trash
- delete user: Completely remove a user
- delete vault: Remove a vault
delete document
Moves a document to the Trash.
op delete document <document> [flags]
Options for delete document
--vault vault look for the document in this vault
How delete document works
Specify items on standard input
The command treats each line of information on standard input (stdin) as
an object specifier. Run op help
to learn more about how to specify
objects.
The input can also be a list or array of JSON objects. The command will
get an item for any object that has a UUID key. This is useful for
passing information from one op
command to another.
delete group
Removes a group.
op delete group <group> [flags]
delete item
Moves an item to the Trash.
op delete item <item> [flags]
Options for delete item
--vault vault look for the item in this vault
How delete item works
Specify items on standard input
The command treats each line of information on standard input (stdin) as
an object specifier. Run op help
to learn more about how to specify
objects.
The input can also be a list or array of JSON objects. The command will
get an item for any object that has a UUID key. This is useful for
passing information from one op
command to another.
delete trash
Empties the Trash for the vault.
op delete trash <vault> [flags]
How delete trash works
The items in the Trash will be permanently deleted.
delete user
Removes a user and all their data from the account.
op delete user <user> [flags]
delete vault
Removes a vault.
op delete vault <vault> [flags]
edit
Subcommands
- edit document: Edit a document
- edit group: Edit a group’s name or description
- edit item: Edit an item’s details
- edit user: Edit a user’s name or Travel Mode status
- edit vault: Edit a vault’s name
Related commands
- add: Grant access to groups or vaults
edit document
Updates a document.
op edit document <document> <file> [flags]
Options for edit document
--filename name set the file's name
--tags tags add one or more tags (comma-separated) to the item
--title title set the item's title
--vault vault look up document in this vault
How edit document works
Replaces the file contents of a Document item with the provided file or with the information on standard input (stdin).
Update a file from standard input
To update the file contents from standard input (stdin), enter a
hyphen (-
) instead of a path. You can use the --filename
option to
change the name of the file.
edit group
Changes a group’s name or description.
op edit group <group> [flags]
Options for edit group
--description description change the group's description
--name name change the group's name
edit item
Edits an item’s details.
op edit item <item> <assignment> [<assignment> ...] [flags]
Options for edit item
--generate-password[=recipe] give the item a randomly generated password
--vault vault look for the item in this vault
How edit item works
Use an assignment statement to change a field’s value:
[<section>.]<field>=<value>
You can omit spaces when you specify the section or field name. You can
also refer to the field by its JSON short name (name
or n
).
issuingcountry=Canada
The section is optional unless multiple sections have a field with the same name.
testingserver.address=db.local.1password.com
developmentserver.address=db.dev.1password.com
You can’t make a new custom section using an assignment statement.
Generate a password
Use the --generate-password
option to generate and set a random
password for a Login or Password item. By default, it will create a
32-character password made up of letters, numbers, and symbols.
You can customize the password with a password recipe. Specify the password length and which character types to use in a comma-separated list. Ingredients are:
letters
for uppercase and lowercase lettersdigits
for numberssymbols
for special characters (!@.-_*
)1
-64
for password length
edit user
Changes a user’s name or Travel Mode status.
op edit user <user> [flags]
Options for edit user
--name name set the user's name
--travelmode on|off turn Travel Mode on or off for the user (default )
edit vault
Changes a vault’s name.
op edit vault <vault> [flags]
Options for edit vault
--name name change the vault's name
Related commands
- list vaults: Get a list of vaults
- get vault: Get details about a vault
encode
Encodes the JSON data needed to create a new item with base64url
encoding. Accepts input from standard input (stdin
).
op encode [flags]
Examples for encode
Encode a basic item template:
op get template login | op encode
Save the encoded contents of a file to another file:
cat my-new-login.json | op encode > my-new-login.encoded-json
Related commands
- get template: Get an item template
- create item: Create an item
- edit item: Edit an item’s details
forget
Removes the details for a 1Password account from this device.
op forget <account> [flags]
get
Subcommands
- get account: Get details about your account
- get document: Download a document
- get group: Get details about a group
- get item: Get item details
- get template: Get an item template
- get totp: Get the one-time password for an item
get account
Gets details about your account.
op get account [flags]
get document
Downloads a document and prints the contents to standard output (stdout).
op get document <document> [flags]
Options for get document
--include-trash include items from the Trash
--output path save the document to the file path instead of stdout
--vault vault look for the document in this vault
How get document works
Save to a file
Use the --output
option to have op
save the document. This may
be useful in some shells to preserve the file’s original encoding.
The --output
option won’t overwrite an existing file. The
destination path must be an empty file or not exist.
Examples for get document
Save a document to a file called secret-plans.text
:
op get document "Top Secret Plan B" --output secret-plans.text
get group
Gets details about a group.
op get group <group> [flags]
How get group works
Use standard input to specify objects
If you enter a hyphen (-
) instead of a single object for this command,
the tool will read object specifiers from standard input (stdin).
Separate each specifier with a new line. For more information about how
to specify objects, run op help
.
You can also pass the command a list or array of JSON objects. The tool
will get an item for any object that has a UUID key, ignoring line
breaks. This is useful for passing information from one op
command
to another.
Examples for get group
Get details for all groups:
op list groups | op get group -
Get details for the groups who have access to a vault:
op list groups --vault "Production keys" | op get group -
get item
Returns details about an item.
op get item <item> [flags]
Options for get item
--fields fields only return data from these fields
--format format return data in this format (CSV or JSON) (use with --fields)
--include-trash include items in the Trash
--share-link get a shareable link for the item
--vault vault look for the item in this vault
How get item works
By default, get item
returns a complete 1Password JSON object.
Customize returned data
To only get details from specific fields, use the --fields
option.
Specify fields in a comma-separated list. You can omit spaces when you
specify the section or field name. You can also refer to the field by
its JSON short name (name
or n
).
When you specify one field, its data is returned as a simple string. If you specify more than one field, the data is returned in a simple key-value pair JSON object. If a field doesn’t exist, an empty value is returned.
Use the --format
option to change the output format to JSON or CSV.
Specify items on standard input
The command treats each line of information on standard input (stdin) as
an object specifier. Run op help
to learn more about how to specify
objects.
The input can also be a list or array of JSON objects. The command will
get an item for any object that has a UUID key. This is useful for
passing information from one op
command to another.
Items in the Trash
Items in the Trash are ignored by default. To get details for an
item in the Trash, specify the item by UUID or use the
--include-trash
option.
Examples for get item
Get details for all items with a specified tag:
op list items --tags documentation | op get item -
Get a CSV list of the website, username, and password for all logins in a vault:
op list items --categories Login --vault Staging | op get item - --fields website,username,password --format CSV
get template
Returns a template for an item type.
op get template <category> [flags]
How get template works
You can create a new item with a template.
Run op create item --help
for more information.
Categories are:
- Login
- Bank Account
- Membership
- Server
- Secure Note
- Database
- Outdoor License
- Social Security Number
- Credit Card
- Driver License
- Passport
- Software License
- Identity
- Email Account
- Reward Program
- Wireless Router
Related commands
- encode: Encode the JSON needed to create an item
- create item: Create an item
get totp
Gets an item’s current time-based one-time password (TOTP).
op get totp <item> [flags]
Options for get totp
--vault vault look for the item in this vault
How get totp works
Items in the Trash
Items in the Trash are ignored by default. To get the TOTP for an item in the Trash, specify the item by UUID.
get user
Gets details about a user.
op get user <user> [flags]
Options for get user
--fingerprint get the user's public key fingerprint
--publickey get the user's public key
How get user works
Use standard input to specify objects
If you enter a hyphen (-
) instead of a single object for this command,
the tool will read object specifiers from standard input (stdin).
Separate each specifier with a new line. For more information about how
to specify objects, run op help
.
You can also pass the command a list or array of JSON objects. The tool
will get an item for any object that has a UUID key, ignoring line
breaks. This is useful for passing information from one op
command
to another.
Examples for get user
Get details for all users:
op list users | op get user -
Get the public key for all users in a group:
op list users --group "Frontend Developers" | op get user - --publickey
Get details for all users who have access to a vault:
op list users --vault Staging | op get user -
get vault
Gets details about a vault.
op get vault <vault> [flags]
How get vault works
Use standard input to specify objects
If you enter a hyphen (-
) instead of a single object for this command,
the tool will read object specifiers from standard input (stdin).
Separate each specifier with a new line. For more information about how
to specify objects, run op help
.
You can also pass the command a list or array of JSON objects. The tool
will get an item for any object that has a UUID key, ignoring line
breaks. This is useful for passing information from one op
command
to another.
Examples for get vault
Get details for all vaults:
op list vaults | op get vault -
Get details for the vaults that a group has access to:
op list vaults --group security | op get vault -
Related commands
- list vaults: Get a list of vaults
- edit vault: Edit a vault’s name
list
Subcommands
- list documents: Get a list of documents
- list events: Get a list of events from the Activity Log
- list groups: Get a list of groups
- list items: Get a list of items
- list templates: Get a list of templates
- list users: Get the list of users
- list vaults: Get a list of vaults
list documents
Lists documents.
op list documents [flags]
Options for list documents
--include-trash include documents in the Trash
--vault vault only list documents in this vault
How list documents works
Returns a list of all documents the account has read access to by default. Excludes items in the Trash by default.
list events
Lists events from the Activity Log.
op list events [flags]
Options for list events
--eventid eid start listing from event with ID eid
--older list events from before the specified event
How list events works
Returns the 100 most recent events by default.
The Activity Log is only available for 1Password Business accounts.
Examples for list events
List events after a specific log entry:
op list events --eventid 319458129
List events before a specific log entry:
op list events --older --eventid 319179570
list groups
Lists groups.
op list groups [flags]
Options for list groups
--user user list groups that a user belongs to
--vault vault list groups that have direct access to a vault
How list groups works
Returns all groups in an account by default.
Examples for list groups
Get details for all groups:
op list groups | op get group -
Get details for the groups who have access to a vault:
op list groups --vault Staging | op get group -
Get details for the groups that a user is in:
op list groups --user wendy_appleseed@1password.com | op get group -
list items
Lists items.
op list items [flags]
Options for list items
--categories categories only list items in these categories (comma-separated)
--include-trash include items in the Trash
--tags tags only list items with these tags (comma-separated)
--vault vault only list items in this vault
How list items works
Returns a list of all items the account has read access to by default. Excludes items in the Trash by default.
Categories are:
- Login
- Bank Account
- Membership
- Server
- Secure Note
- Database
- Outdoor License
- Social Security Number
- Credit Card
- Driver License
- Passport
- Software License
- Identity
- Email Account
- Reward Program
- Wireless Router
Examples for list items
Get details for all items with a specified tag:
op list items --tags documentation | op get item -
Get a CSV list of the website, username, and password for all logins in a vault:
op list items --categories Login --vault Staging | op get item - --fields website,username,password --format CSV
list templates
Lists available item type templates.
op list templates [flags]
How list templates works
Use op get template
to get a template to use to create a new item.
Related commands
- create item: Create an item
- get template: Get an item template
list users
Lists users.
op list users [flags]
Options for list users
--group group list users who belong to a group
--vault vault list users who have direct access to vault
How list users works
Returns all users in an account by default.
When you use the --group
option, the output includes the user’s role
in the group.
Examples for list users
Get details for all users:
op list users | op get user -
Get the public key for all users in a group:
op list users --group "Frontend Developers" | op get user - --publickey
Get details for all users who have access to a vault:
op list users --vault Staging | op get user -
list vaults
Lists vaults.
op list vaults [flags]
Options for list vaults
--group group list vaults a group has access to
--user user list vaults a user has access to
How list vaults works
Returns all vaults the account has access to by default.
Examples for list vaults
Get details for all vaults:
op list vaults | op get vault -
Get details for vaults that a group has access to:
op list vaults --group Security | op get vault -
Get details for vaults that a user has access to:
op list vaults --user wendy_appleseed@1password.com | op get vault -
Related commands
- get vault: Get details about a vault
- edit vault: Edit a vault’s name
reactivate
Reactivates a suspended user.
op reactivate <user> [flags]
Related commands
- suspend: Suspend a user
remove
Subcommands
- remove group: Revoke a group’s access to a vault
- remove user: Revoke a user’s access to a vault or group
Related commands
- add: Grant access to groups or vaults
remove group
Revokes a group’s access to a vault.
op remove group <group> <vault> [flags]
remove user
Revokes a user’s access to a vault or group.
op remove user <user> [<vault> | <group>] [flags]
signin
Signs in to a 1Password account and returns a session token.
op signin [<sign_in_address> [<email_address> [<secret_key>]]] [flags]
Options for signin
-r, --raw only return the session token
--shorthand name set the short account name
How signin works
Sign in to an account
To sign in to an account the first time, use your sign-in address and email address:
op signin example.1password.com wendy_appleseed@1password.com
After you sign in the first time, you can sign in again using only the shorthand for the account:
op signin example
Use session tokens
The tool uses a session token to authenticate commands with
1Password.com. Sessions expire after 30 minutes of inactivity. You can
save the session token in an environment variable for the tool to use
automatically or provide a token with each command using the --session
option.
To use the environment variable, run the export
command that the tool
provides after you sign in. When you run a command, the tool uses it
automatically.
To provide a session token each time you run a command, sign in using
the --raw
option to get a token. Then use the --session
option with
each command.
Reuse a session token
You can use the --session
option with the signin
command to reuse an
active token or to test whether a session has expired. This may be
useful when writing scripts that use the command-line tool. If the
session is active, the tool will use it and return the same token. If
the session is expired, you’ll have to sign in again.
Work with multiple accounts
You can sign in to more than one account at a time. If you store the
session token in an environment variable, the tool will use the account
you most recently signed in to by default. Use the --account
option to
specify a different account. By default, the shorthand is your account’s
subdomain. You can change it the first time you sign in by using the
--shorthand
option, or in the configuration file. Hyphens (-
) are
converted to underscores (_
) for system compatibility.
Examples for signin
Sign in and set the environment variable in one step:
eval $(op signin example)
Related commands
- signout: Sign out of a 1Password account
signout
Signs out of a 1Password account.
op signout [flags]
Options for signout
--forget remove the details for a 1Password account from this device
How signout works
Signs out of the most recently used account by default.
Related commands
- signin: Sign in to a 1Password account
suspend
Suspends a user.
op suspend <user> [flags]
Related commands
- reactivate: Reactivate a suspended user
update
Checks for updates to op
. Downloads an updated version, if available.
op update [flags]
Options for update
--directory path download the update to this path