mcp-1password
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| OP_MCP_ACCOUNT | No | 1Password account name or UUID, required in desktop mode | |
| OP_CONNECT_HOST | No | Connect API URL | http://127.0.0.1:8080 |
| OP_CONNECT_TOKEN | No | Connect access token, required in connect mode | |
| OP_MCP_AUTH_MODE | No | Authentication mode: desktop, service-account, or connect | desktop |
| OP_MCP_HTTP_HOST | No | HTTP bind address | 127.0.0.1 |
| OP_MCP_HTTP_PATH | No | HTTP path prefix | /mcp |
| OP_MCP_HTTP_PORT | No | HTTP port | 17337 |
| OP_MCP_LOG_LEVEL | No | Log level | info |
| OP_MCP_TRANSPORT | No | Transport type: stdio or http | stdio |
| OP_MCP_OP_CLI_PATH | No | Path to the op binary | op |
| OP_MCP_ENABLE_WRITES | No | Allow item and vault creation/update | false |
| OP_MCP_AUDIT_LOG_PATH | No | Audit log path | ~/.onepassword-mcp/audit.jsonl |
| OP_MCP_OP_CLI_AUTH_MODE | No | CLI authentication mode | auto |
| OP_MCP_HTTP_BEARER_TOKEN | No | Bearer token (minimum 16 characters) required when HTTP transport is enabled | |
| OP_MCP_HTTP_MAX_SESSIONS | No | Maximum active HTTP MCP sessions | 64 |
| OP_SERVICE_ACCOUNT_TOKEN | No | Service account token, required in service-account mode | |
| OP_MCP_HTTP_REQUIRE_BEARER | No | Require Authorization: Bearer | true |
| OP_MCP_SCRIPT_RUNNER_ROOTS | No | Trusted workspace root (repeatable, comma-separated) | |
| OP_MCP_ENABLE_SCRIPT_RUNNER | No | Allow execution of allowlisted scripts | false |
| OP_MCP_ENABLE_SECRET_REVEAL | No | Allow plaintext secret reveal | false |
| OP_MCP_HTTP_ALLOWED_ORIGINS | No | Browser origins allowed for HTTP transport (comma-separated) | |
| OP_MCP_HTTP_SESSION_IDLE_MS | No | Idle HTTP session expiry in milliseconds | 900000 |
| OP_MCP_HTTP_REQUEST_TIMEOUT_MS | No | HTTP request timeout in milliseconds | 30000 |
| OP_MCP_APPROVAL_REMEMBER_TTL_MS | No | Lifetime for remembered approvals | 86400000 |
| OP_MCP_SCRIPT_RUNNER_ALLOWLISTS | No | Absolute path to an allowlist file (repeatable, comma-separated in env) | |
| OP_MCP_UNRESTRICTED_RUNNER_ROOTS | No | Root path eligible for unrestricted execution approval (repeatable, comma-separated) | |
| OP_MCP_APPROVAL_REMEMBER_KEY_PATH | No | Local 32-byte AES key file | ~/.onepassword-mcp/approval-grants.key |
| OP_MCP_ENABLE_DESTRUCTIVE_ACTIONS | No | Allow archive and delete operations | false |
| OP_MCP_ENABLE_PERMISSION_MUTATION | No | Allow vault permission changes | false |
| OP_MCP_ENABLE_UNRESTRICTED_RUNNER | No | Allow the separate free-form shell command runner | false |
| OP_MCP_APPROVAL_REMEMBER_STORE_PATH | No | Encrypted local approval grants file | ~/.onepassword-mcp/approval-grants.enc.json |
| OP_MCP_ACKNOWLEDGE_UNRESTRICTED_RUNNER | No | Required only when disabling session approval; exact value: I_UNDERSTAND_THIS_ALLOWS_UNRESTRICTED_LOCAL_COMMAND_EXECUTION | |
| OP_MCP_ENABLE_UNRESTRICTED_SCRIPT_RUNNER | No | Enable free-form shell commands with local approval | false |
| OP_MCP_SCRIPT_RUNNER_ALLOWLIST_MANIFESTS | No | Absolute path to a manifest listing allowlist files (repeatable, comma-separated) | |
| OP_MCP_UNRESTRICTED_RUNNER_APPROVAL_HOST | No | Local approval server bind host | 127.0.0.1 |
| OP_MCP_UNRESTRICTED_RUNNER_APPROVAL_PORT | No | Local approval server port; 0 picks a free port | 0 |
| OP_MCP_UNRESTRICTED_RUNNER_APPROVAL_TTL_MS | No | In-memory approval lifetime in milliseconds | 43200000 |
| OP_MCP_UNRESTRICTED_RUNNER_COMMAND_TIMEOUT_MS | No | Free-form command timeout in milliseconds | 600000 |
| OP_MCP_UNRESTRICTED_RUNNER_REQUIRE_SESSION_APPROVAL | No | Require local approval page before commands can run | true |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | `{"listChanged": true}` |
| prompts | `{"listChanged": true}` |
| resources | `{"listChanged": true}` |
| completions | `{}` |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| sdk_capabilities | Describe the capability surface exposed by this server, including the preferred no-plaintext path for consuming secrets in scripts. |
| op_session_status | Show non-secret 1Password CLI session state and runtime capability gates held by this MCP process. |
| password_generate | Generate a strong random password and return it in plaintext for immediate use. Requires a reason and generated-secret acknowledgement. |
| password_generate_memorable | Generate a memorable passphrase-like password and return it in plaintext for immediate use. Requires a reason and generated-secret acknowledgement. |
| password_read | Read one password field or secret reference. Returns redacted metadata by default. Plaintext reveal is disabled in this server; reveal=true will fail. If the secret only needs to be consumed by a command or local script, do not request reveal. op_script_run is not available because the script runner is also disabled here; restart the server with --enable-script-runner=true plus startup --script-runner-root and --script-runner-allowlist or --script-runner-allowlist-manifest entries to allow no-plaintext secret consumption by scripts. |
| vault_list | List vaults visible to the authenticated 1Password integration. |
| vault_get | Get vault details and, optionally, accessor permissions for one vault. |
| group_get | Get one group by ID. This is the only group read endpoint exposed by the official JS SDK beta today. |
| vault_permissions_get | Get vault accessor permissions. The JS SDK beta exposes this through vault accessors. |
| item_search | Search item overviews by title/tags/category. If no vault is provided, the server searches every visible vault client-side. |
| item_get_metadata | Get item metadata with every field value redacted. Use secret_reveal only when plaintext is explicitly required. |
| environment_get_variables | Get 1Password Environment variables with values redacted. Supports simple client-side filtering by variable name. When a secret is needed only by a command or local script, prefer op_script_run with envSecretRefs so the secret is injected into the child process and never returned in plaintext. |
| environment_get_variable | Get one 1Password Environment variable by exact name, with the value redacted. When a secret is needed only by a command or local script, prefer op_script_run with envSecretRefs so the secret is injected into the child process and never returned in plaintext. |
| environment_reveal_variable | Plaintext reveal is disabled in this server; this tool will fail until the server is restarted with OP_MCP_ENABLE_SECRET_REVEAL=true or --enable-secret-reveal=true. If the secret only needs to be consumed by a command or local script, do not call this tool. op_script_run is not available because the script runner is also disabled here; restart the server with --enable-script-runner=true plus startup --script-runner-root and --script-runner-allowlist or --script-runner-allowlist-manifest entries to allow no-plaintext secret consumption by scripts. |
| secret_reveal | Plaintext reveal is disabled in this server; this tool will fail until the server is restarted with OP_MCP_ENABLE_SECRET_REVEAL=true or --enable-secret-reveal=true. If the secret only needs to be consumed by a command or local script, do not call this tool. op_script_run is not available because the script runner is also disabled here; restart the server with --enable-script-runner=true plus startup --script-runner-root and --script-runner-allowlist or --script-runner-allowlist-manifest entries to allow no-plaintext secret consumption by scripts. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| credential-rotation | Guide a safe password rotation workflow using redacted reads first, then explicit reveal only if required. |
| vault-audit | Audit a vault using metadata and redacted item reads, without revealing secrets by default. |
| environment-inspection | Inspect a 1Password Environment in redacted mode, and reveal one variable only if there is an explicit operational reason. |
| generate-secure-password | Choose the right password helper, generate a value, and optionally store it in 1Password. |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| 1password-config | Non-secret runtime configuration and capability summary for this server. |
| 1password-vaults | Browse the vaults visible to the active 1Password integration. |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/kefapps/onepassword-mcp-codex'