About 1Password Connect security

Learn how your data is protected when you use 1Password Connect.

When you use 1Password Secrets Automation, you can share information from 1Password with your applications, tools, and pipelines through a REST API provided by the Connect server.

A 1Password Connect server can provide access to only the information you choose

When you set up a Connect server, you choose which vaults it has access to. The server can only get information from those vaults. Tokens that you create for a server can only access the information in the vaults the server has access to.

Only authorized clients can get information from a 1Password Connect server

When a client application, service, or API requests information from a Connect server, the HTTP request must have an Authorization header containing an authorization token.

Authorization tokens are only valid for the Connect server they’re created for. They’re signed by the key for the 1Password account that the Connect server uses, using the ES256 signing algorithm.
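
The checks implied by an ES256-signed, server-bound token, sketched as an added example (not 1Password's code or token format). The `Bearer` scheme, the `aud` and `vaults` claim names, the server IDs, and the locally generated P-256 key pair are assumptions made for illustration.

```javascript
// Added illustration: an ES256-signed token that is only valid for one server.
// Claim names and key handling are hypothetical, not 1Password's token format.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Constructed P-256 key pair standing in for the account's signing key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Issue a token bound to one server ID (hypothetical "aud" claim).
function issueToken(serverId, vaults) {
  const header = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({ aud: serverId, vaults }));
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${payload}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }); // raw r||s, as ES256 requires
  return `${header}.${payload}.${b64u(sig)}`;
}

// Validate the Authorization header of an incoming request.
function verifyToken(authorizationHeader, thisServerId) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorizationHeader || '');
  if (!m) return { ok: false, reason: 'malformed' };
  const [, h, p, s] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'ES256') return { ok: false, reason: 'bad-alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  // A correctly signed token for a different server is still rejected.
  if (claims.aud !== thisServerId) return { ok: false, reason: 'wrong-server' };
  return { ok: true, vaults: claims.vaults };
}
```

The signature is checked before any claim is trusted, so a client cannot widen its vault list or retarget the token by editing the payload.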

If you discover a vulnerability

If you discover a vulnerability in 1Password, submit a report on Bugcrowd.