Developer Resources

Use the 1Password command-line tool

Learn how to use the 1Password command-line tool to work with users, groups, vaults, and items in a 1Password account.

Tip

If you’re new to the command-line tool, learn how to set it up and get started.

Sign in or out

To sign in to an account and get a session token:

op signin <sign_in_address> <email_address> <secret_key> [--raw]

After you sign in the first time, you can sign in again using only the shorthand for your account:

op signin <shorthand> [--raw]

By default, the shorthand is your account’s subdomain. You can change it the first time you sign in by using the --shorthand option.

Hyphens (-) in a subdomain will be changed to an underscore (_).

See also Appendix: Session management.

Sign out

Sessions automatically expire after 30 minutes of inactivity. You can sign out manually using the signout command:

op signout

See also Appendix: Session management.

List objects

To list objects in a 1Password account:

op list (users | groups | vaults | items | documents | templates) [--vault <vault> | --group <group>]

To list users or groups with access to a vault:

op list (users | groups) --vault <vault>

To list users in a group:

op list users --group <group>

To list items in a vault:

op list items --vault <vault>

To include items or documents in the Trash:

op list (items | documents) [--vault <vault>] --include-trash

List Activity Log events

To list events from the Activity Log:

op list events [--eventid <event_ID>] [--older]

The 100 most recent events will be listed.

List events after a specific log entry

You can provide an event ID (eid) as a starting point for listing entries by using the --eventid option. A maximum of 100 events will be returned, starting after, but not including, the provided event.

$ op list events --eventid 319458129

List events before a specific log entry

The --older option can be used with the --eventid option to list entries that occurred before the provided event ID.

$ op list events --older --eventid 319179570

A maximum of 100 events will be returned, starting with the event before, not including, the provided event.

Manage objects

Get details

To get details about an object:

op get (account | group | vault | item | totp) [<item>] [--vault <vault>] [--include-trash]

The --include-trash option will allow for items in the Trash to be returned.

To get the UUID of an object, look it up by name, email address, or domain. See also Appendix: Specifying objects.

Get details of an item

By default, op get item gets details of all fields. You can get details of just the fields you want instead. For one field, the tool returns a simple string:

$ op get item nqikpd2bdjae3lmizdajy2rf6e --fields password
5ra3jOwnUsXVjx5GL@FX2d7iZClrrQDc

For multiple fields, specify them in a comma-separated list. The tool returns a JSON object:

$ op get item nqikpd2bdjae3lmizdajy2rf6e --fields username,password
{"username": "wendy_appleseed", "password": "5ra3jOwnUsXVjx5GL@FX2d7iZClrrQDc"}

You can change the output to CSV or to always use JSON with the --format option.

Create or edit an item

To create an item:

op create item <category> [<assignment> ...]

To edit an item:

op edit item <item> <assignment> [<assignment> ...]

Assignment statements follow this syntax:

[<section>.]<field>=<value>

You can omit spaces when you specify the section or field name. You can also refer to a field by its JSON short name (name or n).

issuingcountry=Canada

The section is optional unless multiple sections have a field with the same name.

testingserver.address=db.local.1password.com
developmentserver.address=db.dev.1password.com

You can't make a new custom section using an assignment statement.

You can generate a password for the item with the --generate-password option. By default, it will create a 32-character password made up of letters, numbers, and symbols.

See also Appendix: Categories for a list of categories.

See also Appendix: Specifying objects.

When you create an item, its UUID is returned.

Delete an item

To move an item to the Trash:

op delete item <item> [--vault <vault>]

See also Appendix: Specifying objects.

Create or remove a vault

To create a vault:

op create vault <name> [--allow-admins-to-manage <true|false>] [--description <description>]

When you create a vault, its UUID is returned. Use the --allow-admins-to-manage option to specify whether administrators can manage access to the vault or not. If not provided, the default policy for the account applies.

To remove a vault:

op delete vault <vault>

See also Appendix: Specifying objects.

Work with documents

To create a document:

op create document <file_name> [--title <title>] [--vault <vault>] [--tags <tags>]

When you create a document, its UUID is returned.

To download a document and save it to a file:

op get document <document> [--vault <vault>] [--output <file_path>]

The document’s contents are sent to standard output (stdout) by default. Use the --output option to save the document to a file directly. It won’t overwrite an existing file unless it’s empty.

To delete a document:

op delete document <document> [--vault <vault>]

See also Appendix: Specifying objects.

Manage users and groups

Invite and confirm users

To create and invite a new user:

op create user <email_address> <name>

Users are invited by email and then must be confirmed using their email address or UUID:

op confirm [<user> | --all]

The --all option confirms all users pending confirmation.

Get user details

To get details about a user:

op get user <user> [--publickey | --fingerprint]

If the --publickey or --fingerprint options are used, only the user’s public key or public key fingerprint is returned.

Edit users and groups

To edit a user’s name:

op edit user <user> [--name <name>]

To turn Travel Mode on or off for a user:

op edit user <user> --travelmode <on | off>

To edit the name or description of a group:

op edit group <group> [--name <name>] [--description <description>]

Suspend or reactivate a user

To suspend or reactivate a user:

op (suspend | reactivate) <user>

See also Appendix: Specifying objects.

Remove a user

To completely remove a user:

op delete user <user>

See also Appendix: Specifying objects.

Manage individual access

To grant a user access to a vault or group:

op add user <user> [<vault> | <group>]

To revoke a user’s access to a vault or group:

op remove user <user> [<vault> | <group>]

See also Appendix: Specifying objects.

Manage group access

To grant a group access to a vault:

op add group <vault>

To revoke a group’s access to a vault:

op remove group <vault>

See also Appendix: Specifying objects.

Create or remove a group

To create a group:

op create group <name>

When you create a group, its UUID is returned.

To remove a group:

op delete group <group>

See also Appendix: Specifying objects.

Appendix: Checking for updates

To check for updates to the 1Password command-line tool:

op update

If a newer version is available, a link to download the latest version is returned.

Appendix: Specifying objects

Every object can be specified by UUID or name. Users and items can also be specified by email address and domain, respectively.

ObjectUUIDNameEmail
address
Domain
Group
User
Vault
Item
Document

When specifying by UUID, the item or its details will be returned, even if the item is in the Trash. You don’t need to specify --include-trash.

Appendix: Categories

  • Login
  • Secure Note
  • Credit Card
  • Identity
  • Bank Account
  • Database
  • Driver License
  • Email Account
  • Membership
  • Outdoor License
  • Passport
  • Reward Program
  • Server
  • Social Security Number
  • Software License
  • Wireless Router

Appendix: Session management

op signin will prompt you for your Master Password and output a command that can save your session token to an environment variable:

$ op signin <shorthand>

export OP_SESSION_<shorthand>="EXAMPLEeSHByBqEXAMPLEfdMVLLdEXAMPLEUrNMuRXQ"

To set the environment variable, run the export command manually, or use eval to set it automatically:

eval $(op signin <shorthand>)

You can sign in to multiple accounts at once.

Use with multiple accounts

Commands that you run will use the account you signed in to most recently. To run a command using a specific account, use --account <shorthand>:

op list items --account <shorthand>

To authenticate with a session token, sign in with the --raw option to get the token. Then use --session <session_token> with any command:

op signin <shorthand> --raw

op list items --session <session_token>

Remove account details from your computer

You can remove account details from your computer at any time.

To sign out of an account and remove its details from your computer:

op signout --forget

If you’re already signed out, you can specify an account by its shorthand:

op forget <shorthand>

Learn more