Secure Secret Management with 1Password CLI

As developers, we often deal with sensitive data like API keys, SSH credentials, database passwords, and other secrets. Keeping them secure while ensuring easy access across different projects can be a challenge.

This is where 1Password's CLI comes in.

1Password CLI terminal interface for managing secrets

1Password CLI is a command-line tool that allows you to securely access and manage your 1Password vault without leaving the terminal. Instead of manually copying and pasting secrets, which can be tedious and risky, you can fetch credentials programmatically, automate authentication workflows, and integrate secrets management into your development processes.

In this article, we’ll explore how to install, configure, and use 1Password CLI to streamline your workflow while keeping your credentials secure.


Getting Started

If you’re on macOS or Linux, the easiest way to install 1Password CLI is using Homebrew:

brew install 1password-cli

If you’re on Windows, or need a different setup on Linux, I recommend following the official 1Password CLI installation guide to get the appropriate setup for your system.

Once installed, go to Settings… > Developer in the 1Password app, and check Integrate with 1Password CLI.

Enable 1Password CLI integration in app settings

Then, sign in through the Terminal with the following command and select the 1Password account you want to sign in to:

op signin

Now, you’re ready to securely access and manage secrets without exposing them in plain text.


Command-Line Secret Management

When running commands that require authentication, manually copying and pasting credentials can be both tedious and insecure. With 1Password CLI, you can retrieve secrets dynamically using the op read command together with secret references.

To get the Secret Reference, you can click on the dropdown arrow of the value within the item you’d like to refer to in 1Password.

Copy secret reference from 1Password item menu

Then pass it in the command that requires the secrets. For example, to authenticate with doctl using the DigitalOcean API token, you can run:

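doctl auth init --access-token "$(op read "op://Internet/d439ada/token")"

Note that command substitution places the token in the doctl process's argument list, where other local processes can see it while the command runs.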

Environment Variables Integration

Another way you can use 1Password CLI is by setting the secrets as environment variables. This is useful when working with multiple secrets or when you need to pass them to a script or a program.

If you’re using Chromatic to test your UI components, you can set the CHROMATIC_PROJECT_TOKEN as an environment variable using the op read command:

#!/bin/bash
# Resolve each secret reference at run time instead of hardcoding the values.
export NPM_TOKEN="$(op read "op://Internet/d439ada/npm_token")"
export CHROMATIC_PROJECT_TOKEN="$(op read "op://Internet/d439ada/chromatic_token")"

# Install the dependencies, including the private ones that require NPM_TOKEN.
npm install

# Chromatic will automatically use the CHROMATIC_PROJECT_TOKEN.
# @see https://www.chromatic.com/docs/cli/#continuous-integration
npx chromatic

Then, you can run the script using the op run command, as follows:

op run -- bash chromatic.sh
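
As an added example (not part of the original article or 1Password's tooling), the check below audits an env file whose values are meant to be secret references rather than plaintext secrets, so the file can be committed safely. The KEY=op://... file layout, the function names, and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the article: audit env-file lines read from stdin
# so every value is a secret reference (op://vault/item/[section/]field).

# Succeeds if $1 is an op:// reference with 3 or 4 non-empty path segments.
is_secret_ref() {
  ref=${1%%\?*}                     # ignore a trailing ?attribute=... query
  case $ref in op://*) ;; *) return 1 ;; esac
  path=${ref#op://}
  case $path in */|/*|*//*) return 1 ;; esac   # empty segment
  old_ifs=$IFS; IFS=/; set -f
  set -- $path                      # split the path on "/"
  set +f; IFS=$old_ifs
  [ "$#" -eq 3 ] || [ "$#" -eq 4 ]
}

# Prints one line per offending variable; returns 1 if any were found.
audit_env() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    line=${line#export }
    key=${line%%=*}
    value=${line#*=}
    case $value in                  # strip one pair of surrounding quotes
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    if ! is_secret_ref "$value"; then
      echo "$key: value is not an op:// secret reference"
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample input; the last two lines should be flagged.
sample_env() {
  cat <<'EOF'
# constructed sample, not real credentials
NPM_TOKEN=op://Internet/d439ada/npm_token
export CHROMATIC_PROJECT_TOKEN="op://Internet/d439ada/chromatic_token"
API_KEY=plaintext-value-constructed
BROKEN=op://Internet/d439ada
EOF
}

sample_env | audit_env || echo "audit failed: plaintext or malformed values"
```

Run it against a real file with `audit_env < app.env` (file name assumed) in a pre-commit hook or CI step; a non-zero exit status means at least one value is not a well-formed reference.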

Shell Plugin Extensions

To make it even more seamless, you can use shell plugins to integrate 1Password with popular third-party apps such as GitHub CLI, Docker, DigitalOcean CLI, AWS, HuggingFace, OpenAI, and many more.

In this example, we are going to integrate it with the GitHub CLI. To do so, we can run:

op plugin init gh

You’ll be prompted to import your GitHub credentials into 1Password or select an existing 1Password item where your credentials are saved. In this case, since we’ve already saved the GitHub credentials in 1Password, we can select the existing item.

Initialize GitHub CLI plugin with 1Password integration

Then, it will ask for the scope in which the selected credentials can be used. In this case, we’ll make them available globally so that we can use them across different repositories.

Configure GitHub CLI plugin scope in 1Password

If this is your first time installing a shell plugin, you’ll need to add the source command to your RC file or shell profile to persist the plugin beyond the current terminal session. For example:

echo "source /Users/jondoe/.config/op/plugins.sh" >> ~/.zshrc && source ~/.zshrc

That’s it for the setup! Now, you can use the gh command to interact with GitHub without exposing your credentials in plain text. To test it out, run gh auth status.

GitHub CLI authentication status with 1Password integration

Conclusion

1Password CLI is a powerful tool that allows you to securely access and manage your secrets from the Terminal. With a little bit of setup, you can streamline your workflow and integrate secrets management into your development processes with other apps without exposing your credentials in plain text. If you haven’t tried it yet, I recommend giving it a try to make your development workflow more secure and efficient.
