azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d95251d880bf7146b29a3bfcda9121652543b48e
claudetools/.claude/skills/1password/references/integrations.md
Mike Swanson d95251d880 Session log: 1Password skill setup, Lonestar MDM fix, credentials migration planning 
- Activated 1Password skill for Claude Code (extracted from .skill ZIP)
- Resolved Lonestar Electrical MDM issue: ManageEngine was configured as
  third-party EMM in Google Workspace, causing persistent enrollment prompts
  on joser's personal phone
- Scoped credentials.md migration to 1Password (op:// refs + MSP vaults)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 13:06:56 -07:00

5.2 KiB
Raw Blame History

1Password Integration Patterns

Common patterns for integrating 1Password with developer tools and AI workflows.

Claude Code / Claude Desktop

Claude Desktop MCP Config

Store API keys securely and reference them in claude_desktop_config.json:

# Store the key
op item create --category API_CREDENTIAL --title "My MCP Server" \
  --vault Dev api_key[password]=your-key-here

# Get the secret reference
# op://Dev/My MCP Server/api_key

{
  "mcpServers": {
    "my-server": {
      "command": "op",
      "args": ["run", "--", "node", "/path/to/server.js"],
      "env": {
        "API_KEY": "op://Dev/My MCP Server/api_key"
      }
    }
  }
}

Claude Code Shell Environment

# .env.tpl (safe to commit — no real secrets)
ANTHROPIC_API_KEY=op://Dev/Anthropic/api_key
OPENAI_API_KEY=op://Dev/OpenAI/api_key

# ✅ Wrap claude with op run — secrets injected into subprocess only
op run --env-file=.env.tpl -- claude

# ✅ Or export individually for interactive shell use
export ANTHROPIC_API_KEY=$(op read "op://Dev/Anthropic/api_key")
claude

In CLAUDE.md (project secrets reference)

## Secrets Setup
Secrets are managed via 1Password. Run before working:
```bash
op run --env-file=.env.tpl -- claude

Do NOT commit .env — commit .env.tpl only.


## n8n

### Environment Injection at Startup

```bash
# n8n.env.tpl (commit this)
N8N_ENCRYPTION_KEY=op://Dev/n8n/encryption_key
DB_POSTGRESDB_PASSWORD=op://Dev/n8n-postgres/password
N8N_BASIC_AUTH_PASSWORD=op://Dev/n8n/basic_auth_password

# docker-compose.yml startup
op run --env-file=n8n.env.tpl -- docker compose up -d n8n

n8n Credential Storage via API

Use n8n's credential API to push secrets from 1Password into n8n:

# Get secret from 1Password
API_KEY=$(op read "op://Dev/Some Service/api_key")

# Push to n8n credential (HTTP Request)
curl -s -X POST "https://n8n.example.com/api/v1/credentials" \
  -H "X-N8N-API-KEY: $(op read 'op://Dev/n8n/api_key')" \
  -H "Content-Type: application/json" \
  -d "{\"name\": \"Service Credential\", \"type\": \"httpHeaderAuth\", \"data\": {\"name\": \"Authorization\", \"value\": \"Bearer $API_KEY\"}}"

Docker / Docker Compose

# docker-compose.yml
services:
  app:
    image: myapp:latest
    environment:
      DATABASE_URL: ${DATABASE_URL}
      API_KEY: ${API_KEY}

# .env.tpl
DATABASE_URL=op://Dev/Postgres/connection_string
API_KEY=op://Dev/MyApp/api_key

# Start with injection
op run --env-file=.env.tpl -- docker compose up

Python Scripts

import subprocess

def get_secret(reference: str) -> str:
    """Read a secret from 1Password using a secret reference."""
    result = subprocess.run(
        ["op", "read", reference],
        capture_output=True, text=True, check=True
    )
    return result.stdout.strip()

# Usage
api_key = get_secret("op://Dev/Anthropic/api_key")

Or using the 1Password Python SDK (if available):

pip install onepassword-sdk

import asyncio
import onepassword

async def main():
    client = await onepassword.Client.authenticate(
        auth=os.environ["OP_SERVICE_ACCOUNT_TOKEN"],
        integration_name="My Script",
        integration_version="1.0.0",
    )
    secret = await client.secrets.resolve("op://Dev/Anthropic/api_key")

GitHub Actions / CI

# .github/workflows/deploy.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: 1password/load-secrets-action@v2
        with:
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          ANTHROPIC_API_KEY: op://Dev/Anthropic/api_key
          DEPLOY_KEY: op://Dev/Deploy/private_key

      - run: deploy-script.sh  # ANTHROPIC_API_KEY is available

Shell / .zshrc Auto-Load

# ~/.zshrc
# Auto-load common dev secrets on shell start (optional — only if you trust your machine)
load_dev_secrets() {
  if command -v op &>/dev/null && op whoami &>/dev/null 2>&1; then
    source <(op run --env-file=~/.config/dev.env.tpl -- env 2>/dev/null) && \
      echo "✅ Dev secrets loaded from 1Password"
  fi
}

# Call explicitly when needed:
alias load-secrets='load_dev_secrets'

Supabase

# Store Supabase credentials
op item create --category API_CREDENTIAL --title "Supabase - My Project" \
  --vault Dev \
  url[text]=https://myproject.supabase.co \
  anon_key[password]=eyJ... \
  service_key[password]=eyJ...

# Use in scripts
SUPABASE_URL=$(op read "op://Dev/Supabase - My Project/url")
SUPABASE_KEY=$(op read "op://Dev/Supabase - My Project/service_key")

Replit

Replit has its own Secrets manager, but for local dev before deploying:

# Generate a .env from 1Password, then paste values into Replit Secrets UI
op run --env-file=.env.tpl -- env | grep -E "^(ANTHROPIC|SUPABASE|N8N)"
# Copy output values → paste into Replit Secrets one by one

Rotation Workflow

When rotating a credential:

# 1. Update in the service (get new key)
NEW_KEY="new-key-from-service"

# 2. Update in 1Password
op item edit "Service Name" api_key[password]="$NEW_KEY"

# 3. Verify
op read "op://Dev/Service Name/api_key"

# 4. Re-inject wherever used
source <(op run --env-file=.env.tpl -- env)
# Or restart services that use the key
Reference in New Issue View Git Blame Copy Permalink