1Password CLI 1 will be deprecated on October 1, 2024. Any scripts or integrations that use version 1 will stop working as expected. We recommend upgrading to 1Password CLI 2 as soon as possible to maintain uninterrupted access and compatibility with the latest features.
This release builds the 1Password CLI for Darwin with an updated toolchain.
Security
The CLI build for Darwin now builds with Go 1.21.8. The previous version was built using an older version, which was causing alerts for certain customers.
This release fixes a case where Password items created from the web client were not able to be deleted from the 1Password CLI. In addition, we improved the CLI's security by restricting sign in addresses to 1Password domains.
Fixed
Password items created on the web client no longer fails item validation in the CLI. {1451}
Security
Allowed sign in domains are restricted to public 1Password servers. Credits to Cure53. {1465}
This release introduces the Archive, replacing the Trash. It's useful for items you need to store long-term, but don't want to appear in the browser as filling suggestions.
Learn more about it at https://blog.1password.com/introducing-archive/.
Try it out with op delete item --archive "Defunct Login"
New
An item or document can now be deleted directly or optionally archived. {11613}
Fixed
Tokens can now be created for Connect instances you only have the "issue token" permission for. {1361}
This release fixes an issue with the "update" command that would attempt to update the command-line tool even when on the latest version.
Also in this release, getting a custom template will now show the correct field and section names.
Fixed
The help text of "signin" now shows PowerShell commands when run in PowerShell. {1254}
Getting a custom template now correctly outputs the template's section and field titles. {1192}
The "update" command will no longer attempt to update while on the latest version. {1330}
This release introduces support for 1Password Secrets Automation. Learn more about it at https://1password.com/secrets/.
You can set up and get credentials for 1Password Connect servers, and issue tokens for them. Use "op create connect server" and "op create connect token". Grant and revoke a server's access to vaults with "op add connect" and "op remove connect". With 1Password Business, you can manage group access to Secrets Automation with "op manage connect add" and "op manage connect remove".
This release also includes the ability to change character encoding processing from UTF-8 to Shift-JIS or GBK with the "--encoding" option. You can also now confirm guest users and macOS 11 "Big Sur" users can now verify the package signature in the installer.
New
Set up and manage 1Password Secrets Automation with 1Password Connect servers and tokens. {1278}
Use the "--deauthorize-devices" option with "op suspend" to deauthorize a user's devices during suspension. {b5#7558}
You can now confirm Guest users.
Use a character encoding other than UTF-8 with the "--encoding" option. Supported encodings: "shift-jis" and "gbk". {762}
Improvements
Added "Password" and "Document" to the list of categories in "op get template --help" and "op list items --help".
Fixed
Retrieving items with additional attributes no longer causes an error. {1017}
Changed Darwin package signing to work in the installer on macOS 11 "Big Sur". {1105}
An item's password strength is now computed and uploaded when creating or editing a password field instead of defaulting to 1. {1099}
Password generation adheres to the password recipe as strict requirements. {1219}
"op forget" prints a newline after its output. {1291}
Cache information, speed up commands. When you use the "--cache" option on Linux, UNIX, and macOS systems the "op" daemon caches information to get it to you faster.
The tool now follows the XDG standard more closely and stores your configuration files in "${XDG_CONFIG_HOME}/op/" (usually "~/.config/op/").
Your configuration in "~/.op/" will still work or you can move it to the new location. If you want to use a custom location, use the "--config" option with each command.
New
Use the "--cache" flag with commands to use client-side caching for keysets, vaults and item information.
Use a custom configuration location with the "--config" option.
Good news for scripters: You can now provide a session token to the 'signin' command. In scripts, this can provide a way to test whether a session is still active or to reuse a session. If it's active, the tool returns the same token and you don't have to sign in again.
You can now get a user's role in a group when you use 'op list users' with the '--group' option.
New
'op signin' can reuse an existing session.
Improvements
Increased performance of 'get item' when fetching an item by UUID without a vault query.
The output of 'op list users --group ...' includes the user's membership role.
Reworked some help text examples to cover more use cases.
We've got a housekeeping release of the 1Password command-line tool for you this time. The tool now starts a daemon to clean up expired session files automatically on supported systems. Updating is easier, too: the "update" command can now download updates for you.
In addition, to help with your own housekeeping, you can now list the vaults or groups a user has access to. Use the new "--user" option for "list vaults" and "list groups".
New
A daemon is automatically started to periodically remove expired session files. The daemon stops when there are no more session files. (Not available on Windows.)
The "list groups" and "list vaults" commands now support a "--user" option to list the vaults and groups a user has access to.
Improvements
The "update" command can now download updates for you. Use the "--directory" option to set the download location manually.
This release brings a time-saving new feature for owners and administrators: you no longer have to be a group member before you can add people to a group.
New
Rename vaults with the new "edit vault" command.
Improvements
Owners and administrators can add people to a group without being a group member themselves.
This release adds support for reading object specifiers from standard input to "get item", "get totp", "get vault", "get user", and "get group". This makes it possible to process multiple objects more efficiently.
To make the command-line tool easier to use in containerized environments, you can use the "OP_CONFIG_DIR" environment variable to specify the directory for your configuration files. ("~/.op/" by default).
New
Customize the location for the configuration directory with the "OP_CONFIG_DIR" environment variable.
"get item", "get totp", "get vault", "get user", and "get group" can process JSON objects and object specifiers on standard input.
Improvements
Made wording for "op update" more consistent.
Updated in-app help: clarified creating items with a template, and simplified instructions for generating completion information.
This release adds three features to make it easier to work with the 1Password command-line tool. You can now generate shell completion information, filter output from "list items" by tag and category, and use standard input (stdin) when you create a Document item.
New
The "completion" command generates a script to add shell completion support for bash and zsh. See "op help completion" for more information.
Improvements
"op create document" can now add a file with information passed on standard input (stdin). Use a hyphen (-) instead of specifying a file path.
You can filter output from "op list items" with the new "--tags" and "--categories" options.
You can now specify a device UUID in an environment variable. This should make it easier to use the command-line tool in an automated environment with containers.
New
The device UUID can be set in an environment variable (OP_DEVICE).
Device UUIDs are now stored in the config file instead of a separate file. The first time you use this version, your existing device UUID is moved to the config file and the device file is deleted.
Improvements
You can now change the role for a group member from "manager" to "member".
Attempting to add a user to a group that they're already in will no longer return an error.
Tweaked how request IDs are generated to improve running multiple processes of the tool at the same time.
The tool now properly generates the subtitle (ainfo field) for all item types.
"op signin" will always use https:// for the sign-in address.
The tool makes it clear when waiting for the user to enter their Secret Key.
Improved the output and error messages of various commands.
Fixed
"op edit item" can now always change username and password fields for Login items, even if those fields don't exist in an item.
Custom icons for items are now preserved after editing an item with the command-line tool.
The password strength is now correctly computed for generated passwords.
We are excited to release version 1.0 of the 1Password command-line tool!
In this release, we add the ability to choose which fields are returned by "get item". When a single field is requested, its data is returned as a simple string. For multiple fields, data is returned in a JSON object or in CSV format.
New
You can specify which fields are returned by "get item" with the "--fields" and "--format" flags.
You can customize the "--generate-password" option for "create/edit item". Use a password recipe to specify the length and characters included.
Improvements
Using "reactivate" on an active user no longer returns an error.
Various error messages have been clarified.
Fixed
Fixed a panic caused by using "--shorthand" when signing in after the first time.
Fixed problem where session files could become corrupted when running multiple "op" commands concurrently.
This release introduces new features for working with items. The new "edit item" command uses a new value-assignment syntax, which can also be used with "create item".
Documentation and help text have been improved. There’s a new command-line tool reference page, which shows the descriptions and help text for all commands and options.
New
"op edit item" allows you to update the existing fields of an item via a simple assignment syntax. See "op edit item --help" for more information.
"op create item" was updated to accept the same assignment arguments as "op edit item", greatly simplifying the process of creating new items. You don't have to use JSON templates anymore (but you can).
The "--generate-password" flag was added to "op create item" to set a random password for a new Login or Password item. See "op create item --help" for more information.
Creating a new vault now assigns a random icon to the vault from our collection of default vault icons.
Improvements
Help text and error messages have been updated to be clearer and more useful.
Fixed
The "op help" command correctly outputs the help for a command
This release contains a security improvement and several smaller improvements to user
input validation and corresponding error messages.
New
You can now link directly to items within your 1Password vaults! Share these links with team and family members to point them right to items in shared vaults. Use "get item --share-link" to generate a link. "get item" was also updated to understand share links as input.
Improvements
"edit user" returns a better error message when an empty user is passed.
"create item" retries once to create the item if a conflict was encountered.
"signin" validates the URL before asking for Secret Key or Master Password.
"get item" should perform better when searching for an item in all vaults.
"create item" returns a useful error when empty title, tags, url or vault are passed.
Passing a non-existing account to "--account" returns a useful error.
Better user experience when signing into a recovered account for the first time.
Fixed
Items of certain types can now be created even if certain fields are not filled.
In rare situations listing or searching for items could result in an error if a vault was deleted while running the command.
The values for the "--account" and "--session" flags can now be specified without a "=".
Security
Increased validation of config and session directories before reading from or writing to them. Credit: Cure53.
This release replaces the command-line tool's underlying library to provide better handling of inputs and outputs, as well as more informative and up-to-date help text and errors. It also includes some new functionality, check out all the changes below!
New
"add" and "remove" commands have been removed in favor of the following commands:
"add user" allows adding users to groups or vaults.
"add group" allows adding groups to vaults.
"remove user" allows removing users from groups or vaults.
"remove group" allows removing groups from vaults.
The "help" command can now be used in addition to the "--help" flag.
The new "--output" flag on the "get document" command allows writing directly to a file.
Improvements
Flag values can now be provided without "=". "--vault someVault" and "--vault=someVault" are both valid.
"create user" now accepts "<name> instead of "<firstname>" and "<lastname>".
"edit user" now accepts "--name" instead of "--firstname" and "--lastname".
Various help and error messages have been improved.
Updated to Go 1.13.5.
Fixed
"get totp" ignores items in the Trash.
"forget account" will return an error if an empty account name is passed.
"forget account" will not fatal if a non-existing account is passed.
Creating groups with empty of white-space only names is disallowed.
Creating vaults with empty of white-space only names is disallowed.
Creating empty or white-space only item tags is disallowed.
This release adds more commands and options to manage users. In particular, "create user" allows you to invite a user, "confirm --all" allows you to confirm all pending accepted invitations.
This is also the first release that notarizes Mac OS binaries for Catalina.
New
"create user" allows admins to invite new users.
"confirm --all" allows admins to confirm all pending accepted invitations.
"forget " and "signout --forget" will remove locally stored information of the account from the device.
This release introduces the ability to manage and query all of the different types of access in your account. You can now query users by vaults and groups ("op list users --vault" and "op list users --group"). You can now list vaults in terms of what groups can access them and vice versa! ("op list vaults --group" and "op list groups --vault"). See below for all of the access-related improvements.
In addition to all of that, we have made some changes to help op work better in scripts, and added the ability to confirm invited user's accounts!
New
When using "op create vault", you can now pass the "--allow-admins-to-manage" flag to configure admin access.
Added the ability to confirm invited users using the "op confirm" command.
Added the --vault flag to "op list users" to allow listing all users who can directly access a vault.
Added the --group flag to "op list users" to allow listing all users who belong to a group.
Added the --group flag to "op list vaults" to list all vaults that a group has access to.
Added the --vault flag to "op list groups" to list all groups that have access to a vault.
[IMPROVED] The [eventID] and [direction] arguments in the "op list events" command are now optional flags.
Improvements
op will now handle input passed through stdin properly in most cases.
After the 0.6 release last week, we found an issue that would prevent you from signing in to more than one account from the same team or family. This has been fixed!
Fixed
Signing in to more than one account from the same team or family now works again as expected.
This update brings some improvements to make working with the command-line tool faster and easier! When two-factor authentication is enabled on your account, you will no longer need to enter your 6-digit code on each sign-in. We have made some some speed improvements when working with items, and you will now be warned when attempting to create an item with invalid JSON structure. We hope you'll leave your feedback in our discussion forums, and hope to continue making the command-line tool as useful as possible!
Improvements
When 2FA codes are enabled on your account, you will now only need to enter it on the first sign-in, not every time.
When creating an item, op will now cause a warning or error when the item has the wrong JSON structure.
Searching for an item without its UUID and listing items will now run more quickly.
Fixed
Adding a user to a vault will now give the user Read/Write/Export permissions rather than full permissions.
We're back with a fresh update hot from the oven. We've got a new command, some bug fixes for our Windows friends, as well as some general stability improvements for all. Check out the release notes below for all the details!
New
Added `op delete trash` command to empty the trash for a vault.
Fixed
The CLI will now handle errors related to two-factor authentication with aplomb.
Windows users will no longer encounter occasional 403 errors while trying to sign in.
This command-line tool update is coming to you live from a wonderful patio under the sun, keeping everything running in tip-top shape. You can see everything we've changed since v0.4 in the release notes below!
Improvements
A more accurate error will now be output when authentication with Duo is denied.
The method of adding users to groups has been made more efficient.
Fixed
TOTP codes whose secret specifies a particular algorithm are now generated correctly.
Flags passed into op are no longer matched incorrectly because they are a prefix of another flag.
It's time for another command-line tool beta! On this bright and sunny, but still unseasonably cold April afternoon we're bringing you some new commands and a bevy of improvements and bug fixes. Let's see what's new!
New
Added the `op edit user` command with the ability to change a user's first and last names.
Added the `op edit group` command with the ability to edit the group's name and description.
Added the `op get group` command to get details about a group.
Added support for Duo and TOTP multi-factor authentication when signing into your 1Password account.
Improvements
`op get item` now returns only non-trashed items, unless the new `--include-trash` flag is passed.
Added type and state fields to the `op list users` output.
The `op list documents` output is now more detailed.
Help text across the tool is now much clearer.
Made certain confusing error messages more friendly.
Fixed
The `--vault` flag on `op get document` now works as expected.
Older document files will now download correctly without any changes needed.
op will now work correctly on systems with no user UIDs, in Alpine Docker containers for example.
The proper OS version is now reported to the 1Password server when using Windows, macOS, Ubuntu, Fedora, openSUSE, FreeBSD, NetBSD, OpenBSD, or Solaris.
One-time passwords with secrets of a non-standard length will now be displayed correctly.
Come one, come all! Version 0.3 of the 1Password command line tool has arrived! Today, we are bringing you a new command that will help in your item deleting quests, along with some improvements for all to enjoy. See the full changelog for details.
New
[NEW] Added the ability to delete items with `op delete item <item> [--vault] `
Multiple user accounts on a single system will now be able to use op independently
Improvements
Updated some prompts and error messages to improve clarity and consistency
Made improvements to the way request IDs are generated to ensure compatibility with future 1Password server updates
Updated the use of the `X-AgileBits-MAC` HTTP header to ensure compatibility with future 1Password server updates
Hello friends, today we are back with some bug fixes related to version 0.2. Notably, we fixed the issue where `op list items` could fail on vaults where access was granted via group membership. See the full changelog below for details!
Improvements
The list users output is now more concise, with 50% less empty fields.
Fixed
Fixed issue where vaults accessed via a group membership would be inaccessible.
Fixed issue where attempting to upload a file smaller than 16 bytes would fail.
Hello friends! We are coming back after some time off with a brand new feature release of the 1Password Command Line Interface. We've been hard at work delving deep into the code that powers this tool to make future releases that much quicker. Not only that, we have some brand new features, improvements, and fixes for you to enjoy, including some new commands! Let's see what's new:
New
Added the create group command
Added the delete group command
Added the add command to give users access to vaults and groups
Added the remove command to remove user access from vaults and groups
Added the delete vault command
Added builds for Solaris
Improvements
op is now built with the latest version of the Go language
The signout command will now correctly output an error when you are not signed in to begin with
Vault names are now included in the list vaults command output
Made the output from the update command clearer
The get totp command is now much more reliable thanks to better decoding of TOTP secrets
The get totp command now supports the 'period' parameter for codes that don't last 30 seconds
Fixed
Changing the email address on your 1Password account will now automatically update your CLI config file
Changing the subdomain on your Teams account will now automatically update your CLI config file
CLI utility commands such as --version and --help will now output to stdout rather than stderr
CLI utility commands now return a 0 status rather than an error status
Removed newline from get document output, ensuring document integrity checks pass
Vault that you manage but do not have read access to will no longer cause the list items or list vaults commands to crash
Greetings public beta testers! We'd like to thank you for an amazing launch with 0.1 yesterday. We've started getting some great feedback and we love seeing all the great things you're doing with the tool.
We've got a nice little bug hunt for you today with a few issues caught by you fine people in the first 24 hours after launch. An issue with signing in, an issue for users with a high permission set value, and some typos in our help text. Download now and enjoy! Full release notes below.
Fixed
Some of you noticed a typo or two in the tool's help text. Edited, they have been!
Users with a hyphen in their account's subdomain have had issues setting the environment variable for maintining sessions. These will now be automagically replaced with underscores.
Users with a high permissions value would be overflowing our lowly integers. This now has 64 bits of error-free address space.
Hello, and welcome to the 1Password Command Line Interface Public Beta! It's been a great few months of testing by our lovely private beta community, and today we're excited that `op` is ready for the masses... to test!
This build is almost identical to v0.0.5 with a few under-the-hood tweaks, and it is ready for prime-time! Remember, any feedback you may have can be directed to our discussion forums, or to support+cli[at]agilebits.com. Happy beta everyone!
Fixed
Updated the way the CLI identifies itself to the 1Password.com API to ensure future compatibility
Hello and welcome to the 1Password Command Line Interface's second release candidate for public beta! In the short week since our last release we've squashed a few small bugs and made a few improvements! Read all about it below, and download now to try it out!.
Improvements
The `op delete user` command would previously output an unhelpful server error when trying to delete a user that is not suspended. The message is now much friendlier.
The `op create vault`, `op create item`, and `op create document` commands now output JSON with some extra information about the object created, rather than a lonely UUID.
Fixed
The pubKey field from the `op list groups` command was AWOL. We brought it back safe and sound.
The `op reactivate` command was being greedy and expecting 2 arguments when 1 would suffice. This has been resolved.
When creating an item, op would set some optional fields as null rather than empty, which would cause the other apps in the family to get a little queasy. This has been resolved.
Welcome to our public beta release candidate! It's been a little over a month since our last release and oh the times, they are a' changin'! We've got some massive improvements to share with you.
Firstly, we have a new signin flow! We've started saving session tokens into environment variables so you can save your session and use `op` without needing to pass the session token into every command! Yay! Run a quick eval $(op signin [shorthand]) to save your 30 minute session token!
Of course, you can still do things the old way if you wish, using the --session=[token] flag on any command, or by passing the token to stdin as before.
We also have some great improvements to getting and listing items. `op list items` will now show much more than a list of UUIDs. You'll get a nice overview of each item including the title and URLs!
In addition, `op get item` now includes WAY more information. Run it to find out just how much :)
Read on to see all the fixes, improvements and features we've added!
New
`op signin` now outputs a command to save session tokens into environment variables
Added the `--shorthand` flag to the signin command to allow multiple users from the same account
Added the `--session` flag to all commands to keep backwards-compatibility with old authentication style (see --output=raw below)
Added `op update` command to check for new versions
Added `list templates` command to view all available item templates
Added `--title`, `--url`, and `--tags` flags to the `create item` command
Improvements
`op` now handles TOTP codes much more robustly
Improvements to our SRP server-client verification protocol
The delete command is now a properly formatted CLI subcommand
Added help text to top-level commands
All optional parameters have been converted to flags
Added the `--output=raw` flag to the signin command to get a raw session token
Item, Template, and Vault names, as well as item URLs are now case insensitive
The `get item`, `list items`, and `list documents` commands now show far more information, including URLs and item titles
Fixed
The `--vault` flag was previously causing an error when used with the `list documents` command, this has been resolved
Welcome to the last alpha build before our public beta release candidate cycle begins! We've completely overhauled the command structure of op, grouping commands into several categories: create, get, and list. You can use these commands with items, vaults, groups, users, and more!. Use the --help flag on any of these new top-level commands to see what's available.
We also now have support for creating ANY item type! Now you can create anything from Logins to Wireless Router items.
Also new to go along with this release is our official documentation! . You can learn how to get everything up and running, and see all the options for your favorite commands.
One last change that's important to mention is that creating new items now requires the use of the new `op encode` command. Simply pass your item JSON into `op encode` via stdin (pipe works best), and you'll recieve the encoded data needed for `op create item`.
New
op now includes an `encode` command for getting your item JSON ready for `op create item` {op-115}
Improvements
op now has a new and improved command structure! Run `op --help` to learn more. {op-116}
In this build of op we are improving the security of our logging. Logs now output to /dev/null, and are set to the `errors` level by default. These can be changed with the `--log-output` and `--log-level` flags.