1Password Connect API
Self-hosted REST API server that exposes 1Password vaults to automated systems, CI/CD pipelines, and AI agents without sharing master credentials. Supports reading, creating, and updating vault items (passwords, secure notes, API keys, etc.), browsing vault structure, and retrieving individual fields. Requires running the 1Password Connect Server Docker container in your infrastructure.
Score Breakdown
🔒 Security
Purpose-built for secrets management with a strong security posture. Vault-scoped tokens reduce blast radius. The self-hosted model means secrets never leave your network perimeter. SOC2 Type II and ISO 27001 certified. All vault data is end-to-end encrypted; Connect Server only decrypts in memory for the requesting process. TLS between the agent and Connect Server is strongly recommended, even on internal networks.
Best When
Your team already uses 1Password Business/Teams and you want to extend vault access to automated systems, agents, or CI/CD without distributing master credentials.
Avoid When
You cannot run Docker, you don't have 1Password Business/Teams, you need dynamic secret generation (TTL-based credentials), or you need a fully managed cloud-hosted secrets API.
Use Cases
- Inject secrets into CI/CD pipelines without hardcoding credentials in environment variables or config files
- Allow AI agents to retrieve API keys or credentials from a centralized vault on demand
- Sync secrets from 1Password to Kubernetes secrets or cloud secret managers
- Build internal developer tooling that retrieves credentials from 1Password without exposing the master account
- Rotate secrets stored in 1Password from automated scripts with an audit trail
Not For
- End-user password management (1Password Connect is for machine-to-machine access only)
- Environments where you cannot run a Docker container (requires self-hosted Connect Server)
- Replacing a dedicated secrets manager like HashiCorp Vault for high-scale dynamic secret generation
Interface
Authentication
Bearer token (Connect Server access token) generated per Connect Server instance from the 1Password admin console. Tokens can be scoped to specific vaults (read, read+write). Tokens are long-lived; rotation requires regenerating from the admin console.
Pricing
API usage itself is unlimited once you have a qualifying 1Password plan. The main cost is the 1Password subscription. Self-hosting the Connect Server requires your own Docker infrastructure.
Agent Metadata
Known Gotchas
- ⚠ Connect Server must be self-hosted in Docker — agents in cloud environments need to ensure network connectivity to the Connect Server, which is often inside a private network
- ⚠ Access tokens are long-lived with no automatic expiry — a leaked token provides indefinite vault access until manually revoked
- ⚠ Items are retrieved by UUID, not by name — agents need to search by title first, which involves an extra API call
- ⚠ Vault access tokens are scoped at provisioning time; if an agent needs access to a new vault, a human must update the token scopes in the 1Password admin console
- ⚠ The Connect Server is stateless but writes propagate to 1Password cloud asynchronously — read-after-write may briefly return stale data
Scores are editorial opinions as of 2026-03-06.