claudetools/.claude/skills/1password/references/op_commands.md
Mike Swanson 936ea49b33 fix: replace python3 with py/jq throughout scripts and docs
Windows Store python3 stub returns exit 49 instead of running Python.
Replace with: py (Windows launcher) for actual Python code, jq for
simple JSON extraction. Reorder fallback loops to try py first.
Add Bash(py:*) to settings.local.json allowlist.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 12:14:43 -07:00


1Password CLI (op) Command Reference

Authentication

# Sign in (interactive)
op signin

# Sign in to specific account
op signin --account team-name.1password.com

# Check who you're signed in as
op whoami

# List accounts
op account list

# Service account (CI/CD — set env var, no signin needed)
export OP_SERVICE_ACCOUNT_TOKEN="your-token"

Items

# List items
op item list
op item list --vault Dev
op item list --categories API_CREDENTIAL

# Get item details
op item get "Item Title"
op item get "Item Title" --vault Dev
op item get "Item Title" --format json

# Get a specific field
op item get "Item Title" --fields api_key
op item get "Item Title" --fields label=api_key

# Read using secret reference (most common)
op read "op://Dev/Item Title/api_key"

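# Create item
# Quote field assignments: unquoted [ ] is a glob pattern (zsh aborts with "no matches found")
# Values passed as arguments are visible in shell history and the process list
op item create --category API_CREDENTIAL --title "My API Key" 'api_key[password]=sk-abc123'
op item create --category LOGIN --title "Service Account" --vault Dev \
  'username[text]=myuser' 'password[password]=mypass'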

# Edit/update item (field assignments quoted so the shell does not glob the brackets)
op item edit "Item Title" 'api_key[password]=new-value'
op item edit "Item Title" --vault Dev 'new_field[text]=value'

# Delete item
op item delete "Item Title"
op item delete "Item Title" --vault Dev

# Move item to different vault
op item move "Item Title" --current-vault Dev --destination-vault Personal

Vaults

# List vaults
op vault list
op vault list --format json

# Create vault
op vault create "New Vault"

# Get vault details
op vault get "Vault Name"

Secrets Injection

# Run command with secrets from .env template (RECOMMENDED)
op run --env-file=.env.tpl -- your-command arg1 arg2

# Inject into Docker
op run --env-file=.env.tpl -- docker compose up

# Inject a single reference via env var (op run picks up op:// values automatically)
export API_KEY="op://Dev/MyApp/api_key"
op run -- node app.js   # API_KEY is resolved at runtime

# ⚠️  AVOID: sourcing op run output into the current shell
# source <(op run --env-file=.env.tpl -- env)   ← UNSAFE
# If secret values contain $(...) or backticks, they execute as shell code.
# Use 'op run -- your-command' instead (secrets stay in subprocess only).
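
The failure mode in the warning above, reproduced without `op` (added example, not part of the original file). A constructed secret containing `$(...)` is dumped with `env` and sourced from a file, which the shell parses the same way as `source <(...)`, and then the same value is handed to a child process only. The function names, the `API_KEY` value and the marker file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed secret: a value containing a command substitution. The marker
# file stands in for "code ran"; it lives in a throwaway temp directory.

demo_source_env() {
    # Prints "executed" if sourcing env-style output ran the embedded command.
    dir=$(mktemp -d) || return 1
    marker="$dir/marker"
    secret="pa\$(touch $marker)ss"      # literal: pa$(touch <marker>)ss
    # env prints NAME=value with no quoting, as an 'op run ... -- env' dump would
    API_KEY="$secret" env | grep '^API_KEY=' > "$dir/dump.env"
    ( . "$dir/dump.env" ) 2>/dev/null   # the shell parses the value as code
    if [ -e "$marker" ]; then result=executed; else result=inert; fi
    rm -rf "$dir"
    echo "$result"
}

demo_subprocess_env() {
    # Same value passed only through a child's environment: the child sees
    # it as data, and no shell re-parses it.
    dir=$(mktemp -d) || return 1
    marker="$dir/marker"
    secret="pa\$(touch $marker)ss"
    got=$(API_KEY="$secret" sh -c 'printf %s "$API_KEY"')
    if [ -e "$marker" ]; then result=executed
    elif [ "$got" = "$secret" ]; then result=inert
    else result=mismatch; fi
    rm -rf "$dir"
    echo "$result"
}

echo "sourced env dump: $(demo_source_env)"
echo "subprocess env:   $(demo_subprocess_env)"
```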

Password Generation

# Generate at item creation time (no standalone command)
op item create --category PASSWORD --title "Generated Secret" \
  --generate-password='letters,digits,symbols,32'

# Generate with custom recipe
op item create --category LOGIN --title "My Login" \
  --generate-password='letters,digits,20'

# Or use openssl for scripted generation
openssl rand -base64 32 | tr -d '=+/'

Document / File Management

# Store a file
op document create ./private-key.pem --title "SSH Private Key" --vault Dev

# Get a file
op document get "SSH Private Key" --output ./private-key.pem

# List documents
op document list

Service Accounts (CI/CD)

# Create service account (in 1Password UI: Settings → Developer → Service Accounts)
# Then set token as env var:
export OP_SERVICE_ACCOUNT_TOKEN="ops_eyJ..."

# No signin needed — op commands work automatically
op item list  # works with service account token
op read "op://vault/item/field"

Connect (Self-hosted, advanced)

# For teams running 1Password Connect server
export OP_CONNECT_HOST="https://your-connect-server"
export OP_CONNECT_TOKEN="your-connect-token"

# Then op commands use Connect instead of 1Password.com
op item get "Item Title"

Output Formats

Valid values: json or human-readable (default).

op item list --format=json           # Machine-readable JSON
op item get "Item" --format=json     # Full item JSON
op item list                         # Human-readable (default)
op vault list --format=json          # Vaults as JSON

Useful Patterns

# List item titles
op item list --format=json | jq -r '.[].title'

# Check if a specific item exists
op item get "My Item" &>/dev/null && echo "exists" || echo "not found"

# Get item ID (for scripting)
op item get "My Item" --format=json | jq -r '.id'