Developer Resources

1Password command-line tool: Full documentation

A complete list of every command and option in the 1Password command-line tool.

Tip

If you’re new to the command-line tool, learn how to set it up and get started.

The 1Password command-line tool provides commands to manage and administer a 1Password account.

Sign in to an account to get started. Run op signin --help to learn more.

How to specify objects

You can specify all objects by name or UUID. You can also specify some objects by other attributes:

  • Items: item link
  • Login or Password items: domain name
  • Users: email address

When you specify an item by name or domain, there may be more than one item that matches. To be more specific, use the --vault option to only look in one vault at a time, or use a unique ID (UUID) instead.

Cache item and vault information

The command-line tool can use its daemon process to cache items, vault information, and the keys to access information in an account. To use the cache, use the --cache option with a command. When working with items, the cache is most effective after it has a list of the items in a vault.

The daemon stores encrypted information in memory using the same encryption methods as on 1Password.com. It can read the information to pass to the command-line tool but can’t decrypt it. The tool starts the daemon automatically and it terminates itself after 24 hours of inactivity.

Use alternative character encoding

By default, the command-line tool processes input and output with UTF-8 encoding. You can use an alternative character encoding with the --encoding option. Supported alternative character encoding types:

  • gbk
  • shift-jis

Commands

  • add: Grant access to groups or vaults
  • completion: Generate shell completion information
  • confirm: Confirm a user
  • create: Create an object
  • delete: Remove an object
  • edit: Edit an object
  • encode: Encode the JSON needed to create an item
  • forget: Remove a 1Password account from this device
  • get: Get details about an object
  • list: List objects and events
  • manage: Manage group access to 1Password integrations
  • reactivate: Reactivate a suspended user
  • remove: Revoke access to groups or vaults
  • signin: Sign in to a 1Password account
  • signout: Sign out of a 1Password account
  • suspend: Suspend a user
  • update: Check for and download updates

Usage

op [command] [options]

Global options

    --account shorthand   use the account with this shorthand
    --cache               store and use cached information
    --config directory    use this configuration directory
    --encoding type       use this character encoding type
-h, --help                get help with a command
    --session token       authenticate with this session token

Get help

For help with any command, use the --help option:

op <command> [subcommand] --help

add

Subcommands

  • add connect: Grant access to vaults to 1Password Secrets Automation
  • add group: Grant a group access to a vault
  • add user: Grant a user access to a vault or group
  • edit: Edit an object
  • remove: Revoke access to groups or vaults

add connect

Subcommands

add connect server

Grants a Connect server access to a vault.

op add connect server <server> <vault> [flags]

add group

Grants a group access to a vault.

op add group <group> <vault> [flags]

add user

Grants a user access to a vault or group.

op add user <user> [<vault> | <group>] [flags]

Options for add user

--role role   set the user's role in a group (member or manager) (default "member")

completion

Generates shell completion information for the 1Password command-line tool.

op completion <shell> [flags]

How completion works

If you use Bash or Zsh, you can add shell completion for the 1Password command-line tool. With completions loaded, after you start typing an op command, press Tab to see available commands and options.

Load shell completion information for Bash

To always load the completion information for Bash, add this to your .bashrc file:

source <(op completion bash)

To use shell completion in Bash, you’ll need the bash-completion package.

Load shell completion information for Zsh

To always load the completion information for Zsh, add this to your .zshrc file:

eval "$(op completion zsh)"; compdef _op op

confirm

Confirms users.

op confirm [<user> | --all]

Options for confirm

--all    confirm all unconfirmed users

create

Subcommands

create connect

Subcommands

create connect server

Adds a 1Password Connect server to your account and generates a credentials file for it.

op create connect server <name> [flags]

Options for create connect server

--vaults vaults   grant the Connect server access to these vaults

How create connect server works

The 1password-credentials.json file is saved in the current directory.

create connect token

Issue a new token for an Connect server.

op create connect token <server> <name> [flags]

Options for create connect token

--expires-in duration   set how the long token is valid for
--vault vault           grant access to this vault

How create connect token works

Returns a token.

You can only grant a token access to a vault that the server has access to and only the permissions the server has for it.

By default, the --vault option grants the same permissions as the server. You can further limit the permissions a token has to read-only or write-only by adding a comma and r or w after the vault specification. For example:

op create connect token "Dev" "Dev k8s token" --vault Kubernetes,r

op create connect token "Prod" "Prod: Customer details" --vault Customers,w

create document

Creates a document.

op create document <file> [flags]

Options for create document

--filename name   set the file's name
--tags tags       add one or more tags (comma-separated) to the item
--title title     set the item's title
--vault vault     save the document in this vault

How create document works

When you create a document, a JSON object containing its UUID is returned. The document is saved to the Private or Personal vault unless you specify another with the --vault option.

Create a file from standard input

To create the file contents from standard input (stdin), enter a hyphen (-) instead of a path. You can use the --filename option to change the name of the file.

Examples for create document

Create a document from standard input:

cat auth.log.* | op create document - --title "Authlogs 2020-06" --file-name "auth.log.2020.06"

create group

Creates a group.

op create group <name> [flags]

Options for create group

--description description   set the group's description

How create group works

When you create a group, a JSON object containing its UUID is returned.

create item

Creates an item.

op create item <category> [<encoded_item>] [<assignment> ...] [flags]

Options for create item

--generate-password[=recipe]   give the item a randomly generated password
--tags tags                    add one or more tags (comma-separated) to the item
--title title                  set the item's title
--url URL                      set the URL associated with the item
--vault vault                  save the item in this vault

How create item works

Create an item using assignment statements or with a 1Password JSON object template.

When you create an item, a JSON object containing its UUID is returned. The item is saved to the Private or Personal vault unless you specify another with the --vault option.

Create an item with assignment statements

Use an assignment statement to set a field’s value:

[<section>.]<field>=<value>

You can omit spaces when you specify the section or field name. You can also refer to the field by its JSON short name (name or n).

phonetollfree=012066188656

The section is optional unless multiple sections have a field with the same name.

testingserver.address=db.local.1password.com
developmentserver.address=db.dev.1password.com

You can’t make a new custom section using an assignment statement.

Generate a password

Use the --generate-password option to generate and set a random password for a Login or Password item. By default, it will create a 32-character password made up of letters, numbers, and symbols.

You can customize the password with a password recipe. Specify the password length and which character types to use in a comma-separated list. Ingredients are:

  • letters for uppercase and lowercase letters
  • digits for numbers
  • symbols for special characters (!@.-_*)
  • 1-64 for password length

Create an item with a template

If you want to create an item with custom sections or fields, use a JSON object template. Download and edit a template for the category of item you want to create. Run op help get template for a list of template categories. To create an item using a template:

  1. Get a template for the category of item you want to create, and save it to a file:

     op get template "Login" > login.json

  2. Edit the template to add your information.

  3. Encode the JSON object and create the item:

     op create item "Login" "$(op encode < login.json)"

When you’re finished, delete the unencrypted JSON template file.

You can use a tool like jq (https://stedolan.github.io/jq/) to reformat JSON to make it easier to read.

If you use both a template and assignment statements in the same command, the assignment statements overwrite the template’s values.

create user

Creates a new user.

op create user <email_address> <name> [flags]

Options for create user

--language language   set the user's account language (default "en")

create vault

Creates a new vault.

op create vault <name> [flags]

Options for create vault

--allow-admins-to-manage true|false   set whether admins can manage vault access
--description description             set the group's description

delete

Subcommands

delete connect

Subcommands

delete connect server

Removes a 1Password Connect server.

op delete connect server <server> [flags]

How delete connect server works

The credentials file and all the tokens for the server will no longer be valid.

delete connect token

Revokes a token for a Connect server.

op delete connect token <token> [flags]

Options for delete connect token

--server string   only look for tokens for this 1Password Connect server

delete document

Permanently deletes a document. Use the --archive option to move it to the Archive instead.

op delete document <document> [flags]

Options for delete document

--archive       move the document to the Archive
--vault vault   look for the document in this vault

How delete document works

Specify items on standard input

The command treats each line of information on standard input (stdin) as an object specifier. Run op help to learn more about how to specify objects.

The input can also be a list or array of JSON objects. The command will get an item for any object that has a UUID key. This is useful for passing information from one op command to another.

Examples for delete document

Move a document to the Archive:

op delete item --archive "2019 Contracts"

delete group

Removes a group.

op delete group <group> [flags]

delete item

Permanently deletes an item. Use the --archive option to move it to the Archive instead.

op delete item <item> [flags]

Options for delete item

--archive       move the item to the Archive
--vault vault   look for the item in this vault

How delete item works

Specify items on standard input

The command treats each line of information on standard input (stdin) as an object specifier. Run op help to learn more about how to specify objects.

The input can also be a list or array of JSON objects. The command will get an item for any object that has a UUID key. This is useful for passing information from one op command to another.

Examples for delete item

Move an item to the Archive:

op delete item --archive "Defunct Login"

delete user

Removes a user and all their data from the account.

op delete user <user> [flags]

delete vault

Removes a vault.

op delete vault <vault> [flags]

edit

Subcommands

  • add: Grant access to groups or vaults

edit connect

Subcommands

edit connect server

Renames a Connect server.

op edit connect server <server> [flags]

Options for edit connect server

--name name   change the servers's name

edit connect token

Renames a Connect token.

op edit connect token <jti> [flags]

Options for edit connect token

--name name       change the tokens's name
--server string   only look for tokens for this 1Password Connect server

edit document

Updates a document.

op edit document <document> <file> [flags]

Options for edit document

--filename name   set the file's name
--tags tags       add one or more tags (comma-separated) to the item
--title title     set the item's title
--vault vault     look up document in this vault

How edit document works

Replaces the file contents of a Document item with the provided file or with the information on standard input (stdin).

Update a file from standard input

To update the file contents from standard input (stdin), enter a hyphen (-) instead of a path. You can use the --filename option to change the name of the file.

edit group

Changes a group’s name or description.

op edit group <group> [flags]

Options for edit group

--description description   change the group's description
--name name                 change the group's name

edit item

Edits an item’s details.

op edit item <item> <assignment> [<assignment> ...] [flags]

Options for edit item

--generate-password[=recipe]   give the item a randomly generated password
--vault vault                  look for the item in this vault

How edit item works

Use an assignment statement to change a field’s value:

[<section>.]<field>=<value>

You can omit spaces when you specify the section or field name. You can also refer to the field by its JSON short name (name or n).

issuingcountry=Canada

The section is optional unless multiple sections have a field with the same name.

testingserver.address=db.local.1password.com
developmentserver.address=db.dev.1password.com

You can’t make a new custom section using an assignment statement.

Generate a password

Use the --generate-password option to generate and set a random password for a Login or Password item. By default, it will create a 32-character password made up of letters, numbers, and symbols.

You can customize the password with a password recipe. Specify the password length and which character types to use in a comma-separated list. Ingredients are:

  • letters for uppercase and lowercase letters
  • digits for numbers
  • symbols for special characters (!@.-_*)
  • 1-64 for password length

edit user

Changes a user’s name or Travel Mode status.

op edit user <user> [flags]

Options for edit user

--name name           set the user's name
--travelmode on|off   turn Travel Mode on or off for the user (default )

edit vault

Changes a vault’s name.

op edit vault <vault> [flags]

Options for edit vault

--name name   change the vault's name

encode

Encodes the JSON data needed to create a new item with base64url encoding. Accepts input from standard input (stdin).

op encode [flags]

Examples for encode

Encode a basic item template:

op get template login | op encode

Save the encoded contents of a file to another file:

cat my-new-login.json | op encode > my-new-login.encoded-json

forget

Removes the details for a 1Password account from this device.

op forget <account> [flags]

get

Subcommands

  • get totp: Get the one-time password for an item

get account

Gets details about your account.

op get account [flags]

get document

Downloads a document and prints the contents to standard output (stdout).

op get document <document> [flags]

Options for get document

--include-archive   include items in the Archive
--output path       save the document to the file path instead of stdout
--vault vault       look for the document in this vault

How get document works

Save to a file

Use the --output option to have op save the document. This may be useful in some shells to preserve the file’s original encoding.

The --output option won’t overwrite an existing file. The destination path must be an empty file or not exist.

Examples for get document

Save a document to a file called secret-plans.text:

op get document "Top Secret Plan B" --output secret-plans.text

get group

Gets details about a group.

op get group <group> [flags]

How get group works

Use standard input to specify objects

If you enter a hyphen (-) instead of a single object for this command, the tool will read object specifiers from standard input (stdin). Separate each specifier with a new line. For more information about how to specify objects, run op help.

You can also pass the command a list or array of JSON objects. The tool will get an item for any object that has a UUID key, ignoring line breaks. This is useful for passing information from one op command to another.

Examples for get group

Get details for all groups:

op list groups | op get group -

Get details for the groups who have access to a vault:

op list groups --vault "Production keys" | op get group -

get item

Returns details about an item.

op get item <item> [flags]

Options for get item

--fields fields     only return data from these fields
--format format     return data in this format (CSV or JSON) (use with --fields)
--include-archive   include items in the Archive
--share-link        get a shareable link for the item
--vault vault       look for the item in this vault

How get item works

By default, get item returns a complete 1Password JSON object.

Customize returned data

To only get details from specific fields, use the --fields option.

Specify fields in a comma-separated list. You can omit spaces when you specify the section or field name. You can also refer to the field by its JSON short name (name or n).

When you specify one field, its data is returned as a simple string. If you specify more than one field, the data is returned in a simple key-value pair JSON object. If a field doesn’t exist, an empty value is returned.

Use the --format option to change the output format to JSON or CSV.

Specify items on standard input

The command treats each line of information on standard input (stdin) as an object specifier. Run op help to learn more about how to specify objects.

The input can also be a list or array of JSON objects. The command will get an item for any object that has a UUID key. This is useful for passing information from one op command to another.

Items in the Archive

Items in the Archive are ignored by default. To get details for an item in the Archive, specify the item by UUID or use the --include-archive option.

Examples for get item

Get details for all items with a specified tag:

op list items --tags documentation | op get item -

Get a CSV list of the website, username, and password for all logins in a vault:

op list items --categories Login --vault Staging | op get item - --fields website,username,password --format CSV

get template

Returns a template for an item type.

op get template <category> [flags]

How get template works

You can create a new item with a template. Run op create item --help for more information.

Categories are:

  • Bank Account
  • Credit Card
  • Database
  • Document
  • Driver License
  • Email Account
  • Identity
  • Login
  • Membership
  • Outdoor License
  • Passport
  • Password
  • Reward Program
  • Secure Note
  • Server
  • Social Security Number
  • Software License
  • Wireless Router

get totp

Gets an item’s current time-based one-time password (TOTP).

op get totp <item> [flags]

Options for get totp

--vault vault   look for the item in this vault

How get totp works

Items in the Archive

Items in the Archive are ignored by default. To get the TOTP for an item in the Archive, specify the item by UUID.

get user

Gets details about a user.

op get user <user> [flags]

Options for get user

--fingerprint   get the user's public key fingerprint
--publickey     get the user's public key

How get user works

Use standard input to specify objects

If you enter a hyphen (-) instead of a single object for this command, the tool will read object specifiers from standard input (stdin). Separate each specifier with a new line. For more information about how to specify objects, run op help.

You can also pass the command a list or array of JSON objects. The tool will get an item for any object that has a UUID key, ignoring line breaks. This is useful for passing information from one op command to another.

Examples for get user

Get details for all users:

op list users | op get user -

Get the public key for all users in a group:

op list users --group "Frontend Developers" | op get user - --publickey

Get details for all users who have access to a vault:

op list users --vault Staging | op get user -

get vault

Gets details about a vault.

op get vault <vault> [flags]

How get vault works

Use standard input to specify objects

If you enter a hyphen (-) instead of a single object for this command, the tool will read object specifiers from standard input (stdin). Separate each specifier with a new line. For more information about how to specify objects, run op help.

You can also pass the command a list or array of JSON objects. The tool will get an item for any object that has a UUID key, ignoring line breaks. This is useful for passing information from one op command to another.

Examples for get vault

Get details for all vaults:

op list vaults | op get vault -

Get details for the vaults that a group has access to:

op list vaults --group security | op get vault -

list

Subcommands

list connect

Subcommands

list connect servers

Lists 1Password Connect servers.

op list connect servers [flags]

list connect tokens

Lists tokens for Connect servers.

op list connect tokens [flags]

Options for list connect tokens

--server server   only list tokens for this Connect server

How list connect tokens works

Both active (A) and revoked (R) tokens are returned.

The integrationUuid is the UUID for the Connect server the token belongs to.

list documents

Lists documents.

op list documents [flags]

Options for list documents

--include-archive   include items in the Archive
--vault vault       only list documents in this vault

How list documents works

Returns a list of all documents the account has read access to by default. Excludes items in the Archive by default.

list events

Lists events from the Activity Log.

op list events [flags]

Options for list events

--eventid eid   start listing from event with ID eid
--older         list events from before the specified event

How list events works

Returns the 100 most recent events by default.

The Activity Log is only available for 1Password Business accounts.

Examples for list events

List events after a specific log entry:

op list events --eventid 319458129

List events before a specific log entry:

op list events --older --eventid 319179570

list groups

Lists groups.

op list groups [flags]

Options for list groups

--user user     list groups that a user belongs to
--vault vault   list groups that have direct access to a vault

How list groups works

Returns all groups in an account by default.

Examples for list groups

Get details for all groups:

op list groups | op get group -

Get details for the groups who have access to a vault:

op list groups --vault Staging | op get group -

Get details for the groups that a user is part of:

op list groups --user wendy_appleseed@1password.com | op get group -

list items

Lists items.

op list items [flags]

Options for list items

--categories categories   only list items in these categories (comma-separated)
--include-archive         include items in the Archive
--tags tags               only list items with these tags (comma-separated)
--vault vault             only list items in this vault

How list items works

Returns a list of all items the account has read access to by default. Excludes items in the Archive by default.

Categories are:

  • Bank Account
  • Credit Card
  • Database
  • Document
  • Driver License
  • Email Account
  • Identity
  • Login
  • Membership
  • Outdoor License
  • Passport
  • Password
  • Reward Program
  • Secure Note
  • Server
  • Social Security Number
  • Software License
  • Wireless Router

Examples for list items

Get details for all items with a specified tag:

op list items --tags documentation | op get item -

Get a CSV list of the website, username, and password for all logins in a vault:

op list items --categories Login --vault Staging | op get item - --fields website,username,password --format CSV

list templates

Lists available item type templates.

op list templates [flags]

How list templates works

Use op get template to get a template to use to create a new item.

list users

Lists users.

op list users [flags]

Options for list users

--group group   list users who belong to a group
--vault vault   list users who have direct access to vault

How list users works

Returns all users in an account by default.

When you use the --group option, the output includes the user’s role in the group.

Examples for list users

Get details for all users:

op list users | op get user -

Get the public key for all users in a group:

op list users --group "Frontend Developers" | op get user - --publickey

Get details for all users who have access to a vault:

op list users --vault Staging | op get user -

list vaults

Lists vaults.

op list vaults [flags]

Options for list vaults

--group group   list vaults a group has access to
--user user     list vaults a user has access to

How list vaults works

Returns all vaults the account has access to by default.

Examples for list vaults

Get details for all vaults:

op list vaults | op get vault -

Get details for vaults that a group has access to:

op list vaults --group Security | op get vault -

Get details for vaults that a user has access to:

op list vaults --user wendy_appleseed@1password.com | op get vault -

manage

Subcommands

manage connect

Subcommands

manage connect add

Grants a group access to manage Secrets Automation.

op manage connect add <group> <server> [flags]

How manage connect add works

If you don’t specify a server, it adds the group to the list of Secrets Automation managers.

manage connect remove

Revokes access from a group to manage Secrets Automation.

op manage connect remove <group> <server> [flags]

reactivate

Reactivates a suspended user.

op reactivate <user> [flags]

remove

Subcommands

  • add: Grant access to groups or vaults

remove connect

Subcommands

remove connect server

Revokes access to a vault from a Connect server.

op remove connect server <server> <vault> [flags]

remove group

Revokes a group’s access to a vault.

op remove group <group> <vault> [flags]

remove user

Revokes a user’s access to a vault or group.

op remove user <user> [<vault> | <group>] [flags]

signin

Signs in to a 1Password account and returns a session token.

op signin [<sign_in_address> [<email_address> [<secret_key>]]] [flags]

Options for signin

-l, --list             list accounts set up on this device
-r, --raw              only return the session token
    --shorthand name   set the short account name

How signin works

Sign in to an account

To sign in to an account the first time, use your sign-in address and email address:

op signin example.1password.com wendy_appleseed@1password.com

After you sign in the first time, you can sign in again using only the shorthand for the account:

op signin example

Use session tokens

The tool uses a session token to authenticate commands with 1Password.com. Sessions expire after 30 minutes of inactivity. You can save the session token in an environment variable for the tool to use automatically or provide a token with each command using the --session option.

To use the environment variable, run the export command that the tool provides after you sign in. When you run a command, the tool uses it automatically.

To provide a session token each time you run a command, sign in using the --raw option to get a token. Then use the --session option with each command.

Reuse a session token

You can use the --session option with the signin command to reuse an active token or to test whether a session has expired. This may be useful when writing scripts that use the command-line tool. If the session is active, the tool will use it and return the same token. If the session is expired, you’ll have to sign in again.

Work with multiple accounts

You can sign in to more than one account at a time. If you store the session token in an environment variable, the tool will use the account you most recently signed in to by default. Use the --account option to specify a different account. By default, the shorthand is your account’s subdomain. You can change it the first time you sign in by using the --shorthand option, or in the configuration file. Hyphens (-) are converted to underscores (_) for system compatibility.

Examples for signin

Sign in and set the environment variable in one step:

eval $(op signin example)
  • signout: Sign out of a 1Password account

signout

Signs out of a 1Password account.

op signout [flags]

Options for signout

--forget   remove the details for a 1Password account from this device

How signout works

Signs out of the most recently used account by default.

  • signin: Sign in to a 1Password account

suspend

Suspends a user.

op suspend <user> [flags]

Options for suspend

--deauthorize-devices seconds[=0]   deauthorize the user's devices after a time in seconds

update

Checks for updates to op. Downloads an updated version, if available.

op update [flags]

Options for update

--directory path   download the update to this path
Published: