mcp-1password
The mcp-1password server provides read-only, opaque-by-default access to 1Password vaults, items, secrets, and environments, with strong emphasis on secret redaction and explicit consent for sensitive operations.
Core (Always Available) Tools:
sdk_capabilities— Describe the server's capability surface and preferred no-plaintext paths.op_session_status— View 1Password CLI session state and active capability gates.vault_list— List all visible vaults.vault_get/vault_permissions_get— Get vault details and accessor permissions.group_get— Get group details, optionally including vault permissions.item_search— Search items by title, tags, or category.item_get_metadata— Get item metadata with all field values redacted.environment_get_variables/environment_get_variable— List or get 1Password Environment variables, values redacted.password_generate/password_generate_memorable— Generate random passwords or passphrases in plaintext (requires a reason and explicit acknowledgement:I_UNDERSTAND_THIS_RETURNS_GENERATED_SECRET_PLAINTEXT).
Disabled by Default (Require Opt-in & Explicit Acknowledgement):
secret_reveal/environment_reveal_variable— Reveal plaintext secrets; requires--enable-secret-reveal=trueand per-call acknowledgement (I_UNDERSTAND_THIS_RETURNS_SECRET_PLAINTEXT).Write/update/delete operations on items or vaults — requires
--enable-writes=true/--enable-destructive-actions=true.Vault permission mutations — requires
--enable-permission-mutation=true.Script execution with injected secrets — requires
--enable-script-runner=true.Unrestricted shell commands — requires
--enable-unrestricted-runner=true.
Security & Audit:
All sensitive actions are automatically logged to a JSONL audit file.
Secrets are opaque by default; plaintext is never returned unless explicitly enabled and acknowledged.
Supports
desktop,service-account, andconnectauthentication modes, and operates overstdio(default) orhttp(bearer token protected).
Provides integration with 1Password for managing vaults and items (create, read, update, archive, delete) with opaque-by-default secret handling, plus a script runner that injects 1Password CLI authentication for pre-approved or unrestricted shell commands.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-1passwordlist my vaults in 1Password"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-1password
Status: Public Beta
This package is under active development (v0.x). The API and CLI flags may change between minor versions. The underlying
@1password/sdkdependency is also a beta release. Pin an exact version (mcp-1password@x.y.z) in production-like environments.
A Model Context Protocol server that exposes 1Password to AI agents with opaque-by-default secret handling. Secrets are never revealed unless you explicitly opt in.
Features
Read and search vaults, items, and environments with secrets redacted by default.
Create tracked item requests, then update, archive, and delete items and vaults when write/destructive capabilities are enabled.
Manage group permissions on vaults when permission mutation is enabled.
Reveal plaintext secrets only on explicit request with a per-call acknowledgement.
Generate plaintext passwords only with a reason and explicit acknowledgement.
Run pre-approved scripts with injected 1Password-backed environment values.
Optionally run unrestricted local shell commands under explicitly approved workspace roots, after local browser confirmation.
Use stdio by default, or a local/single-user HTTP transport protected by a bearer token.
Write a JSONL audit log for sensitive actions at
~/.onepassword-mcp/audit.jsonl.
Related MCP server: op-mcp
Requirements
Node.js >= 20.10
1Password desktop app for
--auth-mode=desktop; this requires the 1Password beta channel with SDK integration enabled.1Password Connect for
--auth-mode=connect; the POC only accepts a localhost Connect host.1Password CLI (
op) only when scripts need CLI authentication or you configure script runner CLI auth; Connect-backedenvSecretRefsdo not requireop.
Enable Desktop Integration
Desktop auth requires the 1Password beta channel and SDK integration:
In 1Password, switch to the beta channel: Settings -> Updates -> Beta channel.
Enable SDK integration: Settings -> Developer -> Connect with 1Password SDKs.
Installation
# Public beta install
npm install -g mcp-1password@beta
# Connect-only binary after global install
OP_CONNECT_TOKEN="<connect-token>" \
mcp-1password-connect --connect-host=http://127.0.0.1:8090
# Run on demand without a global install
npx -y mcp-1password@beta --auth-mode=desktop --account="My Account"During beta, prefer mcp-1password@beta or an exact version instead of relying on the default npm tag.
Quick Start
Connect-Only Binary
Use mcp-1password-connect when you want a path where Connect is the only possible 1Password backend. This binary forces --auth-mode=connect, rejects Desktop/service-account auth, rejects non-Connect op CLI auth modes, and never instantiates the Desktop SDK service.
# From the project root, create/update the trust file and manifest first.
mcp-1password-connect trust-workspace
OP_CONNECT_TOKEN="<connect-token>" \
mcp-1password-connect \
--connect-host=http://127.0.0.1:8090 \
--enable-script-runner=true \
--script-runner-allowlist-manifest="$HOME/.onepassword-mcp/workspace-trust.json"For each new project that should be trusted for Connect workspace commands:
mcp-1password-connect trust-workspaceThen call workspace_trust_reload in the running MCP session.
Claude Desktop (stdio Transport)
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"1password": {
"command": "npx",
"args": [
"-y", "mcp-1password@beta",
"--auth-mode=desktop",
"--account=1Password account name or UUID"
]
}
}
}Service Account (CI / Headless)
{
"mcpServers": {
"1password": {
"command": "npx",
"args": ["-y", "mcp-1password@beta", "--auth-mode=service-account"],
"env": {
"OP_SERVICE_ACCOUNT_TOKEN": "<service-account-token>"
}
}
}
}Local 1Password Connect POC
Run the local Connect containers from docker-compose.connect.example.yml, then start the MCP without Desktop auth:
OP_CONNECT_TOKEN="<connect-token>" \
mcp-1password \
--auth-mode=connect \
--connect-host=http://127.0.0.1:8090Connect mode supports vault/item reads, tracked placeholder creation through item_request_create, managed-item review through item_request_list, item update/delete, password_update, password_read, and secret_reveal. It does not expose generic password_create or item_create, vault mutation, group permissions, 1Password Environments, files, or item archive. See docs/connect-local-poc.md.
HTTP Transport (Remote Agents)
OP_MCP_HTTP_BEARER_TOKEN="$(openssl rand -base64 32)" \
mcp-1password \
--auth-mode=desktop \
--account="My Account" \
--transport=httpHTTP security: The HTTP transport is designed for local/single-user use. The bearer token must be at least 16 characters, and
--http-require-bearer=falseis only allowed on localhost. If you bind the server to any interface other than127.0.0.1, put it behind a reverse proxy with TLS termination (nginx, Caddy, Traefik). For multi-user or public deployments, add a real upstream authorization layer such as OIDC/OAuth with client identity, scopes, and expiry.
Configuration Reference
Every flag can also be set through an environment variable.
Flag | Environment variable | Default | Description |
|
|
|
|
|
| - | Account name or UUID, required in desktop mode |
|
| - | Token, required in service-account mode |
|
|
| Localhost Connect API URL, required to stay on localhost for this POC |
|
| - | Connect access token, required in connect mode |
|
|
| Connect request timeout |
|
|
| Allow plaintext secret reveal |
|
|
| Allow tracked item requests plus item/vault updates and vault creation |
|
|
| Allow archive and delete operations |
|
|
| Allow vault permission changes |
|
|
| Allow execution of allowlisted scripts |
|
|
| Enable |
|
| - | Absolute path to an allowlist file; repeatable |
|
| - | Absolute path to a manifest listing allowlist files; repeatable |
|
| - | Trusted workspace root; repeatable |
|
|
| Allow the separate free-form shell command runner |
|
| - | Root path eligible for unrestricted execution approval; repeatable |
|
|
| Require local approval page before commands can run |
|
|
| Local approval server bind host; localhost only |
|
|
| Local approval server port; |
|
|
| In-memory approval lifetime |
|
|
| Free-form command timeout |
|
|
| Encrypted local approval grants file for the approval page's 24h remember checkbox |
|
|
| Local 32-byte AES key file used to encrypt remembered approval grants |
|
|
| Lifetime for approvals remembered across MCP sessions |
|
| - | Required only when disabling session approval; exact value: |
|
|
| Path to the |
|
|
|
|
|
|
|
|
|
|
| HTTP bind address |
|
|
| HTTP port |
|
|
| HTTP path prefix |
|
|
| Require |
- |
| - | Bearer token required by default with |
|
| Localhost origins for the current port | Browser origins allowed for HTTP transport; strict |
|
|
| Maximum active HTTP MCP sessions |
|
|
| Idle HTTP session expiry |
|
|
| HTTP request timeout |
|
|
| Audit log path |
|
|
|
|
Script Runner
The script runner lets agents invoke pre-approved shell commands with 1Password-backed environment injection. In --auth-mode=connect, the MCP exposes workspace_trust_list, workspace_command_run, and workspace_trust_reload; envSecretRefs are resolved through Connect and injected directly into the child process without the op binary, OP_SESSION, or Desktop SDK auth. With Desktop or service-account auth, the MCP exposes the older op_script_list, op_script_run, and op_script_reload_allowlists tools, and the runner can also inject CLI authentication for commands that call op. By default, only startup-configured commandId entries can run. In Connect mode, workspace_trust_list resolves the requested workspaceRoot against startup-configured workspace trust entries and returns workspaceCommandResolution; when that resolution reports freeformCommands: true, workspace_command_run may accept a free-form command rooted in that workspace or its subdirectories. The startup command catalog and workspace trust files can be reloaded on demand with the reload tool.
For a new Connect-mode project, run this from the project root:
mcp-1password trust-workspaceThis creates or updates .onepassword-mcp.json in the project, enables workspace commands for that project, and adds the file to ~/.onepassword-mcp/workspace-trust.json. Start the MCP with that manifest configured once:
mcp-1password \
--auth-mode=connect \
--enable-script-runner=true \
--script-runner-allowlist-manifest="$HOME/.onepassword-mcp/workspace-trust.json"If the MCP is already running with that manifest, call workspace_trust_reload after trusting a new project.
For local single-user sessions where preapproving every command is too expensive, start the server with:
mcp-1password \
--auth-mode=desktop \
--account="My Account" \
--enable-unrestricted-script-runner=true \
--op-cli-path=/absolute/path/to/opWith --enable-unrestricted-script-runner=true, op_script_run ignores --script-runner-root, --script-runner-allowlist, and --script-runner-allowlist-manifest. The first free-form op_script_run call returns an approvalUrl; open it locally, tick the checkbox, and type:
I_UNDERSTAND_THIS_ALLOWS_UNRESTRICTED_LOCAL_COMMAND_EXECUTIONBy default, that approval is in memory only and applies once per MCP server process. If you tick Remember this approval for 24 hours on this machine, the server writes an encrypted local grant containing only the approval scope and expiration timestamp. After approval, op_script_run accepts command instead of commandId, runs it through a non-login /bin/sh -c shell in the requested workspace, and still supports envSecretRefs so secrets are injected into the child process without being returned to the model. When the remembered grant expires, the approval page is required again.
Command Catalog And Workspace Trust Format
Create a .onepassword-mcp.json file at the root of your project:
{
"version": 1,
"workspaceRoot": ".",
"allowWorkspaceCommands": false,
"commands": {
"deploy-staging": {
"description": "Deploy to staging",
"command": "/usr/local/bin/deploy.sh",
"args": ["--env", "staging"],
"cwd": ".",
"timeoutMs": 120000,
"sensitiveOutput": false
}
}
}commandmust be an absolute path to an executable.The directory containing
commandis not automatically prepended toPATH. Use absolute paths in scripts, or configure--op-cli-pathso the directory containingopcan be injected.In
--auth-mode=connect,allowWorkspaceCommands: truemarks the matchingworkspaceRoot,workspaceRoots, orworkspaceRootPrefixesas a trusted workspace command scope.workspace_trust_listexposes the decision asworkspaceCommandResolution.freeformCommands; when it istrue,workspace_command_runaccepts a free-formcommandfor that resolved workspace or its subdirectories. Secrets passed withenvSecretRefsare resolved through Connect only, injected only into the child process, and are not returned to the model. This is an explicit trust decision for local worktrees you control.sensitiveOutput: truewithholds stdout/stderr from the agent unlessreturnOutput=trueis explicitly requested with reveal acknowledgement.workspace_command_runin Connect mode andop_script_runin Desktop/service-account mode accept an optionalenvSecretRefsobject that maps environment variable names toop://references. The server resolves those references, injects only the values into the child process environment, and never returns or audits the plaintext values.returnOutput=truedoes not require startup secret reveal for ordinary output. WhenenvSecretRefsis provided or the command hassensitiveOutput: true, stdout/stderr/error messages are returned only withacknowledgePlaintext: "I_UNDERSTAND_THIS_RETURNS_SECRET_PLAINTEXT"; without that acknowledgement, execution is skipped withexecutionSkipped: trueandoutputState: "skipped_ack_missing". Returned stdout/stderr/error messages are redacted by exact secret value.After editing a startup-configured command catalog or workspace trust file, call
workspace_trust_reloadin Connect mode orop_script_reload_allowlistsin Desktop/service-account mode with a reason. If the edited file is invalid, the reload fails and the previous in-memory configuration remains active.
Startup Manifest Format
Use --script-runner-allowlist-manifest=/absolute/path/to/workspace-trust.json when you want to add or remove workspace trust or command catalog files without restarting the MCP process. Manifest entries may be absolute paths or paths relative to the manifest file:
{
"version": 1,
"allowlists": [
"/absolute/path/to/project-a/.onepassword-mcp.json",
"../project-b/.onepassword-mcp.json"
]
}After editing the manifest, call workspace_trust_reload in Connect mode or op_script_reload_allowlists in Desktop/service-account mode with a reason. Any new workspace roots are still checked against startup-configured --script-runner-root values when roots are provided.
Agent Routing Guidance
When an agent needs a secret only to run a local command, it should not call password_read with reveal=true or secret_reveal first. Prefer this flow:
In Connect mode, call
workspace_trust_listfor the current workspace; in Desktop/service-account mode, callop_script_list.In Connect mode, inspect
workspaceCommandResolution: iffreeformCommands=true, callworkspace_command_runwithcommand; otherwise pick a listedcommandIdthat performs the operation.Call
workspace_command_runin Connect mode orop_script_runin Desktop/service-account mode withenvSecretRefs, mapping environment variable names toop://references.Leave
returnOutput=falseunless command output is required.
This keeps the plaintext secret out of the model transcript while still letting the command receive it.
Tracked Secret Requests
When an agent needs a new credential to exist in 1Password, prefer item_request_create over asking the user to paste the value. The tool creates a managed item with:
credential fields initialized to the
__FILL_ME__placeholder;provenance fields for
project,justification, and optional Linear ticket details;managed tags such as
mcp-managed,awaiting-fill, andproject:<slug>;op://references that the agent can wire into configs or scripts.
The user fills the returned references in 1Password. Later, item_request_list reports which managed items are still awaiting fill, without returning the credential values.
Unrestricted Runner
The unrestricted runner is a separate, dangerous escape hatch for trusted local worktrees where allowlisting every command is too expensive. Enable it only for roots you are willing to approve for arbitrary command execution:
mcp-1password \
--auth-mode=desktop \
--account="My Account" \
--enable-unrestricted-runner=true \
--unrestricted-runner-root=/absolute/path/to/trusted/worktreeWhen an MCP client first calls op_unrestricted_run for a configured root, the tool returns authorizationRequired: true and a local approvalUrl. Open that URL on the same machine, tick the risk checkbox, and type:
I_UNDERSTAND_THIS_ALLOWS_UNRESTRICTED_LOCAL_COMMAND_EXECUTIONThat approval is in memory only and expires after --unrestricted-runner-approval-ttl-ms. It is not written to config. The configured root is an approval scope, not an operating-system sandbox: approved commands run with your normal OS permissions and can still cd, read, write, or execute outside that path if the OS allows it.
op_unrestricted_run starts the command in the requested workspace root through /bin/sh -c on Unix-like systems, with a minimal inherited environment and no 1Password secret injection. The shell is intentionally non-login so local profile hooks such as RVM do not run before the requested command. Use op_script_run when a command needs 1Password values injected safely. As with script output, returnOutput=true without acknowledgePlaintext: "I_UNDERSTAND_THIS_RETURNS_SECRET_PLAINTEXT" skips execution and returns the required acknowledgement.
You can disable the browser approval page only with an explicit startup acknowledgement:
mcp-1password \
--auth-mode=desktop \
--account="My Account" \
--enable-unrestricted-runner=true \
--unrestricted-runner-root=/absolute/path/to/trusted/worktree \
--unrestricted-runner-require-session-approval=false \
--acknowledge-unrestricted-runner=I_UNDERSTAND_THIS_ALLOWS_UNRESTRICTED_LOCAL_COMMAND_EXECUTIONSecurity Model
Secrets are opaque by default. Item fields are returned with
valueState: "redacted"unless--enable-secret-reveal=trueis passed.Plaintext reveal requires explicit consent. Tools that return secrets require
acknowledgePlaintext: "I_UNDERSTAND_THIS_RETURNS_SECRET_PLAINTEXT".Password generators return a new plaintext secret. They require
reasonandacknowledgePlaintext: "I_UNDERSTAND_THIS_RETURNS_GENERATED_SECRET_PLAINTEXT", and audit the action without logging the secret.Destructive actions and permission mutations require per-call acknowledgement. Use
acknowledgeDestructive: "I_UNDERSTAND_THIS_CAN_DELETE_1PASSWORD_DATA"for archive/delete operations andacknowledgePermissionMutation: "I_UNDERSTAND_THIS_CAN_CHANGE_1PASSWORD_PERMISSIONS"for permissions.Dangerous capabilities are opt-in and disabled by default, including writes, destructive actions, permission mutation, secret reveal, the script runner, the unrestricted script runner, and the unrestricted runner.
Every sensitive action is audited to a JSONL file. Secret references and auth tokens are automatically redacted from logs.
The default script runner uses
spawnwithshell: false, so shell injection is not available forcommandIdentries. Connect-mode workspace command resolution is intentionally broader: whenworkspaceCommandResolution.freeformCommands=true, the requested command runs through a non-login shell scoped by the resolved trusted workspace.The unrestricted script runner is session-approved and intentionally broad. When enabled,
op_script_runignores startup command catalogs and workspace trust files, then runs free-form shell commands after a local browser approval once per MCP process. Use it only for single-user local sessions you already trust.Remembered approvals are local, encrypted, and expiry-bound. The approval page can remember a grant for 24 hours by writing an AES-256-GCM encrypted file under
~/.onepassword-mcp; the file contains approval scope names and expiration timestamps, not 1Password secrets.Configuration reloads are bounded and audited.
workspace_trust_reloadin Connect mode andop_script_reload_allowlistsin Desktop/service-account mode only reload direct startup configuration paths and manifest trust anchors configured at startup, record the reload reason, and keep the previous in-memory configuration if validation fails.Script secret injection is run-only.
envSecretRefsvalues are resolved in memory, injected into the child process, redacted from returned output, and audited only by env var name, reference scheme, and reference hash.Unrestricted runner approval is local and in-memory.
op_unrestricted_runrequires a configured root plus browser approval by default. Audit entries store command hashes and lengths rather than the raw free-form command.Unrestricted runner roots are not a sandbox. The root limits which worktrees can request approval; it does not prevent an approved command from touching other paths allowed by the operating system.
Bearer token comparison uses
crypto.timingSafeEqualto reduce timing attack risk.HTTP binds to localhost (
127.0.0.1) by default. It validates theOriginheader, caps active sessions, expires idle sessions, and returns generic messages for server errors.Resources and capabilities avoid sensitive local metadata. Local paths, 1Password account names, HTTP host/port, and the
opbinary path are not exposed to MCP clients.errorMessagefor scripts withsensitiveOutput: trueis withheld unless output is explicitly requested with plaintext acknowledgement.
MCP Resource Notes
Resource URIs use the onepassword:// scheme instead of 1password://. Node.js URL parsing rejects schemes that start with a number, which breaks resource reads in practice.
Development
npm run lint # TypeScript type checking
npm test # Test suite
npm run build # Compile to dist/Commits must follow Conventional Commits. This project uses release-please to automate CHANGELOG generation and version bumps.
npm Publication
The publish.yml workflow uses npm Trusted Publishing through OIDC. It does not use a long-lived npm token (NPM_TOKEN, NODE_AUTH_TOKEN, or a 1Password secret) for publication.
npm-side prerequisites:
package
mcp-1passwordexists on npm and is associated withkefapps/onepassword-mcp-codexa GitHub Actions trusted publisher is configured for repository
kefapps/onepassword-mcp-codexworkflow filename:
publish.yml
The GitHub workflow uses Node.js 24 and has the id-token: write permission required by npm to exchange the job OIDC identity for a short-lived publishing token. npm automatically generates provenance attestations when the package and GitHub repository are public.
Changelog
See CHANGELOG.md.
Contributing
Issues and pull requests are welcome. See CONTRIBUTING.md before opening a pull request.
Please report vulnerabilities privately instead of opening a public issue. See SECURITY.md.
License
MIT
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/kefapps/onepassword-mcp-codex'
If you have feedback or need assistance with the MCP directory API, please join our Discord server