Developer Resources

1Password command-line tool: Full documentation

A complete list of every command and option in the 1Password command-line tool.

Tip

If you’re new to the command-line tool, learn how to set it up and get started.

Sign in or out

To sign in to an account and get a session token.

op signin <sign_in_address> <email_address> <secret_key> [--raw]

After you sign in the first time, you can sign in again using only the subdomain for your account:

op signin <subdomain> [--raw]

Hyphens (-) in a subdomain will be changed to an underscore (_).

See also Appendix: Session management.

Sign out

Sessions automatically expire after 30 minutes of inactivity. You can sign out manually using the signout command:

op signout

See also Appendix: Session management.

List objects

To list objects in a 1Password account:

op list (users | groups | vaults | items | documents | templates) [--vault <vault> | --group <group>]

To list users or groups with access to a vault:

op list (users | groups) --vault <vault>

To list users in a group:

op list users --group <group>

To list items in a vault:

op list items --vault <vault>

To include items or documents in the Trash:

op list (items | documents) [--vault <vault>] --include-trash

List Activity Log events

To list events from the Activity Log:

op list events [--eventid <event_ID>] [--older]

The 100 most recent events will be listed.

List events after a specific log entry

You can provide an event ID (eid) as a starting point for listing entries by using the --eventid option. A maximum of 100 events will be returned, starting after, but not including, the provided event.

$ op list events --eventid 319458129

List events before a specific log entry

The --older option can be used with the --eventid option to list entries that occurred before the provided event ID.

$ op list events --older --eventid 319179570

A maximum of 100 events will be returned, starting with the event before, not including, the provided event.

Manage objects

Get details

To get details about an object:

op get (account | group | vault | item | totp) [<item>] [--vault <vault>] [--include-trash]

The --include-trash option will allow for items in the Trash to be returned.

To get the UUID of an object, look it up by name, email address, or domain. See also Appendix: Specifying objects.

Create an item

  1. Get the template for the category of item you want to create. See Appendix: Categories for a list of categories.

    op get template <category>
    
  2. Edit the JSON template with the values for the item.

  3. Encode the JSON for your item:

    echo <itemJSON> | op encode
    
  4. Save the item:

    op create item <category> <encoded_item> [--title <title>] [--url <url>] [--vault <vault>] [--tags <tags>]
    

When you create an item, its UUID is returned.

Delete an item

To move an item to the Trash:

op delete item <item> [--vault <vault>]

See also Appendix: Specifying objects.

Create or remove a vault

To create a vault:

op create vault <name> [--allow-admins-to-manage <true|false>] [--description <description>]

When you create a vault, its UUID is returned. Use the --allow-admins-to-manage option to specify whether administrators can manage the vault or not. If not provided, the default policy for the account applies.

To remove a vault:

op delete vault <vault>

See also Appendix: Specifying objects.

Work with documents

To create a document:

op create document <file_name> [--title <title>] [--vault <vault>] [--tags <tags>]

When you create a document, its UUID is returned.

To download a document and save it to a file:

op get document <document> [--vault <vault>] [--output <file_path>]

The document’s contents are sent to standard output (stdout) by default. Use the --output option to save the document to a file directly. It won’t overwrite an existing file unless it’s empty.

To delete a document:

op delete document <document> [--vault <vault>]

See also Appendix: Specifying objects.

Manage users and groups

Invite and confirm users

To create and invite a new user:

op create user <email_address> <name>

Users are invited by email and then must be confirmed using their email address or UUID:

op confirm [<user> | --all]

The --all option confirms all users pending confirmation.

Get user details

To get details about a user:

op get user <user> [--publickey | --fingerprint]

If the --publickey or --fingerprint options are used, only the user’s public key or public key fingerprint is returned.

Edit users and groups

To edit a user’s name:

op edit user <user> [--name <name>]

To turn Travel Mode on or off for a user:

op edit user <user> --travelmode <on | off>

To edit the name or description of a group:

op edit group <group> [--name <name>] [--description <description>]

Suspend or reactivate a user

To suspend or reactivate a user:

op (suspend | reactivate) <user>

See also Appendix: Specifying objects.

Remove a user

To completely remove a user:

op delete user <user>

See also Appendix: Specifying objects.

Manage individual access

To grant a user access to a vault or group:

op add user <user> [<vault> | <group>]

To revoke a user’s access to a vault or group:

op remove user <user> [<vault> | <group>]

See also Appendix: Specifying objects.

Manage group access

To grant a group access to a vault:

op add group <vault>

To revoke a group’s access to a vault:

op remove group <vault>

See also Appendix: Specifying objects.

Create or remove a group

To create a group:

op create group <name>

When you create a group, its UUID is returned.

To remove a group:

op delete group <group>

See also Appendix: Specifying objects.

Appendix: Checking for updates

To check for updates to the 1Password command-line tool:

op update

If a newer version is available, a link to download the latest version is returned.

Appendix: Specifying objects

Every object can be specified by UUID or name. Users and items can also be specified by email address and domain, respectively.

Object UUID Name Email
address
Domain
Group
User
Vault
Item
Document

When specifying by UUID, the item or its details will be returned, even if the item is in the Trash. You don’t need to specify --include-trash.

Appendix: Categories

  • Login
  • Secure Note
  • Credit Card
  • Identity
  • Bank Account
  • Database
  • Driver License
  • Email Account
  • Membership
  • Outdoor License
  • Passport
  • Reward Program
  • Server
  • Social Security Number
  • Software License
  • Wireless Router

Appendix: Session management

op signin will prompt you for your Master Password and output a command that can save your session token to an environment variable:

$ op signin <subdomain>

export OP_SESSION_<subdomain>="EXAMPLEeSHByBqEXAMPLEfdMVLLdEXAMPLEUrNMuRXQ"

To set the environment variable, run the export command manually, or use eval to set it automatically:

eval $(op signin <subdomain>)

You can sign in to multiple accounts at once.

Use with multiple accounts

Commands that you run will use the account you signed in to most recently. To run a command using a specific account, use --account <subdomain>:

op list items --account <subdomain>

You can also pass the session token using standard input (stdin). Use --raw to output only the session token, which can be piped into any other command:

$ op signin <subdomain> --raw

XLC6cHkeSHByBqrikXt36fdMVLLdHuoACNFUrNMuRXQ

$ op signin <subdomain> --raw | op list items

To pass a session token as a command-line flag, use --session <sessiontoken> with any command:

op list items --session <session_token>

Remove account details from your computer

You can remove account details from your computer at any time.

To sign out of an account and remove its details from your computer:

op signout --forget

If you’re already signed out, you can specify an account by subdomain:

op forget <subdomain>
Published: