op

Sign in to a 1Password account

$ op signin

$ op vault list

$ op item get [item_name] --format json

$ op item create --category [category_name]

$ op read [secret_reference]

$ op run -- [command]

$ op run --env-file [path/to/env_file.env] -- [command]

$ op inject --in-file [path/to/input_file] --out-file [path/to/output_file]

op [GLOBAL_OPTIONS] COMMAND [COMMAND_OPTIONS] [ARGUMENTS...]

--help
    Displays help information for the op command or a specific subcommand.

--version
    Prints the version of the op CLI tool.

--format <format>
    Specifies the output format for commands that return structured data (e.g., json, text). Defaults to text for human-readable output.

--account <shorthand>
    Specifies the 1Password account to use when multiple accounts are configured. Uses the shorthand configured during sign-in.

--vault <vault-name-or-UUID>
    Used with subcommands like item create or item list to specify the target vault. (Note: Most options are specific to subcommands, not global.)

The op command-line tool is the official interface for interacting with 1Password accounts from the terminal. It enables users to securely manage and access their 1Password data, including logins, secure notes, credit cards, and more, directly from the command line.

Primarily, op is used for automation, scripting, and integrating 1Password into development workflows, CI/CD pipelines, and server environments. It allows retrieval of secrets, creation/updating of items, and management of vaults, users, and groups without requiring the graphical 1Password application. It supports various authentication methods, including session tokens and service account tokens, ensuring secure access to sensitive information.

While not a standard Linux utility, it is widely adopted in environments where secure secret management and programmatic access to 1Password are crucial.

The op command is the 1Password CLI tool and is not part of a standard Linux distribution; it must be installed separately. It requires an active 1Password account and subscription to function. Proper authentication (e.g., via op signin) is necessary to interact with your 1Password data. For security, it's crucial to manage session tokens carefully and avoid hardcoding them directly in scripts, especially in production environments.

The op command operates using a subcommand structure, where the main command is followed by a specific action. Examples include:
op signin: Authenticates with your 1Password account.
op item get: Retrieves an item from 1Password.
op item create: Creates a new item.
op vault list: Lists all vaults you have access to.
op read: A convenient command to read specific fields from items or even entire documents.
Each subcommand has its own set of options and arguments, which can be viewed using op <subcommand> --help.

op is frequently used for:
- Retrieving API keys or database credentials in scripts.
- Injecting secrets into environment variables for applications.
- Automating the provisioning of new login items or secure notes.
- Managing 1Password users and groups programmatically.
- Integrating with CI/CD systems to securely access secrets during build and deployment processes.

The op command-line tool has been developed by AgileBits (now 1Password) to provide programmatic access to 1Password. It has evolved significantly over the years, with early versions primarily focused on item retrieval, and later versions expanding to full item management, vault management, and integration with 1Password Connect and Service Accounts for more robust automation and CI/CD use cases. Its development reflects the growing need for secure secret management in automated workflows.

pass(1), gopass(1), vault(1), keyctl(1)