1Password CLI reference
If you're new to 1Password CLI, learn how to set it up and sign in to your account.
Command structure
1Password CLI uses a noun-verb command structure that groups commands by topic rather than by operation.
The basic structure of a command starts with the 1Password program op, then the command name (noun), often followed by a subcommand (verb), then flags (which include additional information that gets passed to the command).
For example, to retrieve a list of all the items in your Private vault:
To get a list of all global commands and flags, run the following:
Command reference
- account: Manage your locally configured 1Password accounts
- completion: Generate shell completion information
- connect: Manage Connect server instances and tokens in your 1Password account
- document: Perform CRUD operations on Document items in your vaults
- events-api: Manage Events API integrations in your 1Password account
- group: Manage the groups in your 1Password account
- inject: Inject secrets into a config file
- item: Perform CRUD operations on the 1Password items in your vaults
- plugin: Manage the shell plugins you use to authenticate third-party CLIs
- read: Read a secret reference
- run: Pass secrets as environment variables to a process
- service-account: Manage service accounts
- signin: Sign in to a 1Password account
- signout: Sign out of a 1Password account
- update: Check for and download updates
- user: Manage users within this 1Password account
- vault: Manage permissions and perform CRUD operations on your 1Password vaults
- whoami: Get information about a signed-in account
Global flags
Unique identifiers (IDs)
When you retrieve information about an object using the get and list subcommands, you'll see a string of numbers and letters that make up the object's unique identifier (ID).
You can use names or IDs in commands that take any account, user, vault, or item as an argument.
IDs are the most stable way to reference an item. An item's ID only changes when you move the item to a different vault. Commands provided with an ID are also faster and more efficient.
To get the ID for the item Netflix:
See result...
To get the IDs for all vaults in an account:
See result...
Shell completion
You can add shell completion so that 1Password CLI automatically completes your commands.
With shell completion enabled, start typing an op command, then press Tab to see the available commands and options.
- Bash
- Zsh
- fish
- PowerShell
To enable shell completion with Bash:
Install the bash-completion package
Add this line to your
.bashrcfile:
To enable shell completion with Zsh, add this line to your .zshrc file:
To enable shell completion with fish, add this to your .fish file:
To enable shell completion with PowerShell, add this to your .ps1 file:
You'll need to enable script execution in PowerShell to start using shell completion. To do that, start a PowerShell window as an administrator and enter:
Cache item and vault information
1Password CLI can use its daemon process to cache items, vault information, and the keys to access information in an account.
The daemon stores encrypted information in memory using the same encryption methods as on 1Password.com. It can read the information to pass to 1Password CLI, but can’t decrypt it.
On UNIX-like systems, caching between commands is enabled by default. This helps maximize performance and reduce the number of API calls.
If you use 1Password CLI in an environment where caching is not possible, you can turn it off by appending the --cache=false flag to your commands, or by setting the OP_CACHE environment variable to false.
Caching is not currently available on Windows.
Alternative character encoding
By default, 1Password CLI processes input and output with UTF-8 encoding.
You can use an alternative character encoding with the --encoding option.
Supported alternative character encoding types:
gbkshift-jis
Beta builds
To download 1Password CLI beta builds, navigate to the 1Password CLI downloads page and select Show betas. On Linux, you can switch the channel from "stable" to "beta" when adding the 1Password repository in your package manager.
Example commands
Items
To get information about an item:
You'll see the item's ID, title, vault, when it was created, when it was last modified, the item's version, if it's marked as a favorite, the type of item it is, and the item's fields.
If an item name includes spaces or special characters, enclose it in quotes. For example:
See result...
To use op item get to retrieve specific fields, include the --fields flag followed by a comma-separated list, with the prefix label= before each field name. For example, to only retrieve the username and password for the item work email:
See result...
Learn more about working with items.
Users and groups
To get details about a user:
See result...
To list the users who belong to a group:
See result...
Learn more about working with users and groups.
Vaults
To create a new vault named Test:
To get details about an existing vault:
See result...
To list the vaults in an account:
See result...
Learn more about working with vaults.
Secrets
To insert a secret into an environment variable, config file, or script without putting the plaintext secret in code, use a secret reference that specifies where the secret is stored in your 1Password account:
Then, you can use op read, op run, or op inject to replace the secret reference with the actual secret at runtime.
To resolve a secret reference and confirm it outputs correctly:
See result...
Learn more about loading secrets.
Get help
For help with any command, use the --help option: