Skip to main content

plugin

You can use shell plugins to securely authenticate third-party CLIs with 1Password, rather than storing your CLI credentials in plaintext. After you configure a plugin, 1Password CLI will prompt you to authenticate the third-party CLI with your fingerprint or other system authentication option.

Learn more about shell plugins.

Subcommands

plugin clear

Clear an existing shell plugin configuration.

Flags

You can clear one configuration at a time, in this order of precedence:

  • Terminal session default
  • Directory default, from the current directory to $HOME
  • Global default

For example, if you're in the directory $HOME/projects/awesomeProject and you have a terminal session default, directory defaults for $HOME and $HOME/projects/awesomeProject, and a global default credential configured, you would need to run op plugin clear aws four times to clear all of your defaults.

To clear your global default credentials, terminal session default, and the defaults for your current directory at the same time, run op plugin clear aws --all.

plugin init

Choose a shell plugin to install and configure your default credentials. Bash, Zsh, and fish shells are supported.

Shell plugins require the 1Password desktop app integration.

To see all available plugins, run op plugin list.

Configure your default credentials

1Password CLI prompts you to select or import the credentials you want to use with the third-party CLI, then returns a command to source your plugins.sh file and make the plugin alias usable.

To use the plugin beyond the current terminal session, make sure to add the source command to your RC file or shell profile (e.g. ~/.bashrc, ~/.zshrc, ~/.config/fish/config.fish). For example:

Configuration options

You can choose whether 1Password CLI remembers your configuration. With any option, your credentials never leave your 1Password account.

  • "Prompt me for each new terminal session" only configures the credentials for the current terminal session. Once you exit the terminal, your default is removed.
  • "Use automatically when in this directory or subdirectories" makes your credentials the default in the current directory and all its subdirectories, as long as no other directory-specific defaults are set in them. A terminal-session default takes precedence over a directory-specific one.
  • "Use as global default on my system" sets the credentials as the default in all terminal sessions and directories. A directory-specific default takes precedence over a global one.

plugin inspect

Inspect your existing shell plugin configurations.

You can run op plugin inspect to select a plugin from the list of all available plugins, or op plugin inspect <plugin-executable> to inspect a specific plugin.

1Password CLI returns a list of the credentials you've configured to use with the plugin and their default scopes, as well as configured alias details.

plugin list

Lists all available shell plugins, their usage, name, and required fields.

To get started with a shell plugin, run op plugin init <plugin-usage>.

plugin run

Provision credentials from 1Password and run this command.

op plugin run passes your credentials saved in 1Password to the underlying CLI and runs the provided command. If you haven't configured your default credentials, 1Password CLI will prompt you to select an item that contains your credentials.

After this, you will be automagically authenticated with this CLI, and your selection will be recorded for future calls to this plugin in the current terminal session.

To configure a default credential, see op plugin init --help.

Was this page helpful?