About 1Password Connect Server security
You can deploy one or more 1Password Connect servers in your infrastructure to act as a bridge between your applications and the 1Password service. Connect servers allow you to securely share information from 1Password with your applications, tools, and pipelines through the Connect REST API. Review the sections on the page to learn more about Connect server security. For information about 1Password security practices, visit the 1Password Security homepage.
Access control
When you create a Connect server, you select the vaults the it can access. Connect servers can only access the vaults you explicitly allow them to access through a Connect server token.
Authorization
Only authorized clients can get information from a Connect server.
When a client application, service, or API requests information from a Connect server, the HTTP request must have an Authorization
header containing an authorization token. Otherwise, the Connect server rejects the request.
Authorization tokens are only valid for the Connect server they're created for. They're signed by the key for the 1Password account the Connect server uses, using the ES256 signing algorithm .
Connect server tokens
A Connect server token is an authentication string that allows the Connect server to authenticate with 1Password.
Each Connect server can have one or more Connect server tokens, which allows for more fine tuned access control. Connect server tokens can only access information in the vaults you granted them access to. This allows you more granular control over the vaults a Connect server deployment can access. For example, you can grant a Connect server token access to a specific subset of the vaults the Connect server has access to.
Token rotation
You can't change or update Connect server tokens. If a Connect server token becomes compromised, you must create a new token.
To rotate a Connect server token:
- Create a new Connect server token.
- Update all references to the old Connect server token.
- Revoke access to the old Connect server token.
Security model
The Connect server security model has the following guarantees:
- A connect token can only read items from vaults you've explicitly given it
READ
access to. - A connect token can only update, delete, and create items for vaults it has you've given it
WRITE
access to. - You can only give a connect server token access to vaults that you have access to.
- A connect server token associated with a deleted account can't authenticate.
- You can't use a connect server token to create another connect server token.
Credentials file
Creating a Connect server generates a credentials file named 1password-credentials.json
. This file has the following components:
Component | Description |
---|---|
verifier | Connect servers use the verifier as part of an additional authentication of the bearer token. |
encCredentials | The encCredentials contains the encrypted credentials necessary for the associated service account. |
uniqueKey | The uniqueKey identifies the Connect server between its two running processes: the client-facing service and the synchronization service. |
version | The version indicates the Connect server version number. |
deviceUuid | The deviceUuid contains the UUID of the device. |
Responsible disclosure
1Password requests you practice responsible disclosure if you discover a vulnerability. If you find a vulnerability, file a request through BugCrowd.