1Password CLI

2.6.0-beta.06  (build #2060006) – released 2022-07-18

This release includes all of the new beta features from our previous release, and fixes some regressions that were included in it.

Fixed

• The inject command supports unenclosed references in the beta release again. {2641}
• Connect sub-command is visible in the beta release again. {2641}
• Piping input into commands works in the beta release again. {2641}

2.6.0-beta.05  (build #2060005) – released 2022-07-15

This beta release delivers the ability to authenticate with 1Password Service Accounts by setting an environment variable as the service account token. For more information on service accounts and how to use them, visit our developer documentation!

This release also contains two other beta features that we'd like to ask for your input on. You can now specify query parameters in secret references (eg. "?attr=otp" to retrieve a one-time-password value). We've also added a convenience command `op account use` to let users more easily switch between the active account when biometric unlock is enabled.

This release also contains some non-beta features relating to performance optimisations that improve the caching logic of the CLI.

New

• Authenticate using service account tokens to retrieve vaults and items.
• Fetching attributes of fields and files is now possible with secret references, by adding the `attribute` query parameter to them. {2027}
• `op account use` can now be used to designate a new default account to run commands with biometric unlock. {2048}

Improvements

• The file of a Document-type item can now be referenced using the 1Password CLI secret referencing syntax. {2118}
• Cache is enabled by default, it can be disabled by setting the `OP_CACHE` env var to `false`, or by specifying the `--cache=false` flag. {2589}
• `op --help` now contains documentation related to the default caching between commands. {2589}
• The help text example for concatenating secrets with op inject now uses db_url consistently. {2522}
• `op read` help text now notes that whitespaces are supported and require quotation marks. {2522}

Fixed

• The cache daemon process no longer holds the current directory in use. {2485}
• Vault items are cached more reliably and efficiently. {2540}
• The name of file-type fields is again visible in json and human-readable item representations. {2616}
• The file-type fields now have the correct ID in the json and human-readable output of items. {2625}
• Omit timestamps when printing user if timestamps are not returned by server. {2435}

2.0.0-beta.16  (build #2000018) – released 2022-03-09

This release introduces auto-completion for fish shells, check out op completion --help for instructions. We also renamed a command to be more accurate as well.

New

• CLI now has completion support for fish shell. {2056}

Improvements

• `op user invite` is now called `op user provision` to better reflect what the command does. {2155}

2.0.0-beta.15  (build #2000017) – released 2022-03-08

This release contains an improvement and a bugfix related to item handling.

Improvements

• `op item get --help` now contains information related to specifying items by non-unique identifiers. {1975}

Fixed

• Items of the Medical record item category can now be created using item templates. {2082}

2.0.0-beta.14  (build #2000016) – released 2022-03-04

In this release, we have some UX improvements and bug fixes in our authentication flows. In addition, starting from this release, 1Password CLI beta releases can be installed over the Apt, APK, and YUM repositories! Instructions are located at https://developer.1password.com/docs/cli/install.

Improvements

• The 1Password CLI will now more clearly instruct you what to do when biometric unlock is enabled, but the 1Password app is not running. {1685}
• The `signout` command now only signs out the specified account if --account or $OP_ACCOUNT is set and biometric unlock is enabled. {1953}
• The `signin` command now outputs an error when being called without `eval` or `Invoke-Expression`. {2030}
• Biometric unlock now can now be manually enabled or disabled by setting OP_BIOMETRIC_UNLOCK respectively "true" or "false". {2035}
• The error message displayed when dismissing the biometric unlock prompt multiple times in short succession is clearer. {1946}
• Refactor help text command syntax from `op ` to `op `. {2083}
• More accurate error messages are now displayed when using biometric unlock requires extra setup steps. {2097}

Fixed

• `op account get` now returns the correct account type for Team accounts. {2008}
• The flags for `op group user revoke` are now correct. {2073}

2.0.0-beta.13  (build #2000015) – released 2022-02-24

Thanks again for all the feedback folks! This update includes another set of improvements, most of which are around the new signin experience and creating items with templates.

Improvements

• `op account add` can now be used to configure new accounts via flags or interactive inputs. Configuring new accounts via `op signin` is no longer supported. {1898}
• `op signin` accepts the `--account` flag to select which account to sign in to. The command no longer supports arguments. {1898}
• You can now output debug logs using the binary flag `--debug` or the environment variable `OP_DEBUG`. {1910}
• Secret references containing spaces are now supported. {1905}
• The tool is now called "1Password CLI" instead of "1Password command-line tool" in the help-text. {1944}
• The output of `op --help` is now more concise. {1951}
• `op item share` now throws an elegant error when called with unshareable item types. {1911}
• `op item list` now has both a long and a short format, toggled with the `--long` flag. {1994}
• Signing out from all accounts with a single command is now possible with `op signout --all`. {2003}
• The `op inject` help text now includes a warning to delete the resolved config file when it's no longer needed. {2034}
• `op item create` and `op item edit` now have instructions documented about using them securely. {1997}
• `op item template get` now returns the new item JSON format. {1578}
• `op item create` now supports templates that resemble the output of `op item get` and use common language keys. The old format is no longer supported. {1578}
• Files created by the 1Password CLI on Linux are no longer owned by the onepassword-cli group. {2045}
• `$OP_ACCOUNT` and `--account` flag now also accept a user UUID or an account UUID. {1900}

Fixed

• Caching now also works when using biometric unlock. {1971}
• When multiple accounts are available for an account filter, the user is prompted with the correct command to execute, in order to list all available accounts. {1996}
• `op run` no longer returns an error when the --env-file is used and the environment contains a multiline environment variable. {1851}

2.0.0-beta.12  (build #2000014) – released 2022-01-28

This release focuses on continuing to improve the experience for CLI 2 Early Access participants!

Improvements

• Long description help text is now stylistically consistent across commands. {1927}
• Successful biometric authentications do not print "Signing in to.." messages. {1917}

Fixed

• `op item list` takes less time to load results. {1938}

2.0.0-beta.11  (build #2000013) – released 2022-01-26

This release introduces Biometric Unlock; If you have the latest nightly build of the 1Password 8 installed, you can now use it to sign in to the CLI using biometrics.

New

• Biometric Unlock can now be used with the latest nightly release of 1Password 8. {1943}

Improvements

• `--iso-timestamps` can now also be set using the `$OP_ISO_TIMESTAMPS` environment variable. {1926}

2.0.0-beta.10  (build #2000012) – released 2022-01-24

This release contains fixes and improvements based on your feedback during Early Access. Thank you all for sharing your thoughts! ❤️ Please keep your feedback coming and we'll improve 1Password CLI together.

Note that this release doesn't cover all provided feedback yet, and we'll continue to release more updates when they're ready.

Improvements

• `op item get` now has `--otp` to fetch the primary OTP code of an item, similarly to `op get totp` in 1Password CLI 1. {1908}
• The help text for `op item ls` and `op item get` now include documentation for the `OP_INCLUDE_ARCHIVE` environment variable. {1670}
• The `--list` flag of `op signin` has been removed, and the functionality has been moved to `op account list`. {1881}
• The API Credential item category is now documented in help-texts. {1214}
• The `read`, `inject` and `template get` commands now have a force flag to bypass user confirmation when the output file already exists. {1922}

Fixed

• `op item template get` help text now references the right item create command. {1902}
• `op update` now works on MacOS too. {1717}
• Sections without fields are now displayed properly. {1932}

2.0.0-beta.9  (build #2000011) – released 2022-01-17

This release contains fixes and improvements based on your feedback during Early Access. Thank you all for sharing your thoughts! ❤️ Please keep your feedback coming and we'll improve 1Password CLI together.

Note that this release doesn't cover all provided feedback yet, and we'll continue to release more updates when they're ready.

Improvements

• Error messages when something doesn't exist no longer introduce ambiguity. {1871}
• Help text for flags is better divided into flag name and its usage. {1868}
• The item in human-readable output now displays the one-time password code. {1891}
• `op item list` now shows the vault name instead of the ID. {1887}
• Flag help text now starts with capital letters and have terminal punctuation. {1886}

Fixed

• The retrieval of fields with the 'section.field' format is now possible via 'op item get'. {1870}
• An error is now thrown if a field with non-unique name is inquired by name. {1870}
• `op item get` usage now shows the correct command to retrieve one-time passwords. {1855}
• Sections without fields are now excluded from the human output of `op item get`. {1888}

2.0.0-beta.8  (build #2000010) – released 2022-01-11

This release introduces item sharing, adds support for Docker images running on ARM machines and includes many usability improvements.

New

• Share items with others using `op share`. {1650}
• armv7 and arm64 Docker images of the op CLI are now being built and published. {1771}
• `op item get` now supports retrieving fields by field type. {1855}

Improvements

• The spacing and formatting of various help text commands is now more consistent. {1818}
• Add variable expansion support to op run help text. {1758}
• The human readable output of the CLI commands is now better formatted. {1824}
• The fields of an item in human-readable output only include the label, the value, the totp, and the section now. {1843}
• The flag for using environment files with `op run` is now `--env-file`. {1796}
• Keys in the human output format are now Title Cased. {1817}
• The keys of the CLI json output are now in snake case. {1866}
• `op item ls` human format now also includes when the item was last edited. {1853}
• Throw an error if item's specified field doesn't exist. {1682}
• `op item get` now gives a hint to fetch auto-fill URLs when trying to retrieve a field named website when no such field exists. {1830}
• Help text for `op run` is updated with the new flag for using environment files. {1796}
• `op item get` in human output format now includes the name of the vault. {1854}
• `op item get` in human output format now includes the name of the user that last updated the item. {1854}
• URLs in human output format of `op item get` are now displayed more concisely. {1854}
• `op item get` now has keys ordered by relevance. {1854}
• `op item get` now has a more concise human output format, with field labels and values together on a single line. {1854}
• Granting or revoking vault permissions prints the resulting permissions. {1739}

Fixed

• `op vault user grant` does not sporadically return Application Errors when being granted vault access for the first time. {1730}
• External link to vault permissions guide in help text navigates to the correct URL. {1794}
• The human readable format now formats the tables properly, taking into account emojis and other special characters. {1753}
• `op item get` does not support using Connect with human output format. {1854}

2.0.0-beta.7  (build #2000007) – released 2021-12-07

This release focuses on improving command help text to be more clear and concise. We also fixed a critical bug where unintended vault permissions would be granted in the `op vault user grant/revoke` commands.

Improvements

• The help text of multiple commands is now clearer and more elaborate. {1736}
• The flag `--fields` for the command `op item get` now has an alias `--field`. {1762}
• `op item create` and `op item edit` commands’ help text are more descriptive and concise. {1664}
• Vault access permission management commands’ help text are more accurate and concise, and include a link to an in-depth guide to developer documentation. {1664}

Fixed

• The `op vault user grant` command does not grant any additional permissions than what was specified. {1723}

2.0.0-beta.6  (build #2000006) – released 2021-11-26

This release improves the usability and experience with various improvements.

Improvements

• Next to the existing Docker images for a specific CLI version, an image for 1password/op:2 is now published as well. {#1684}
• `op account list` no longer returns DSECRET and SECRET_KEY in its output. {1748}
• `op item template list` returns human readable output by default. {1749}
• `--role` for `op group user grant` is now case insensitive. {1752}
• `op user confirm` now validates against empty inputs. {1740}
• `op connect` commands' help text are now more understandable and have correct punctuation. {1736}
• Help text for the `--expires-in` flags in commands now specify the acceptable time units. {1736}
• Each `get` command's help text now describes how to specify the respective object. {1736}
• Usage of `--encoding` is now documented with the flags instead of in the body of `op --help`. {1736}
• Usage of `--format` now specifies an alternative way to set the output format using the `OP_FORMAT` environment variable. {1736}
• Usage of `--session` now includes where a session token is retrieved. {1736}
• Usage of `op run` now specifies duplicate environment variables' order of precedence. {1736}
• Usage of `op user` long help text now describes the command and user states, and billing implications in detail. {1736}
• Valid command argument inputs are now specified in the usage and the help text. {1736}
• Usage of `--travel-mode` of `vault edit` now includes the effects of enabling travel mode. {1736}
• Usage of `--allow-admins-to-manage` of `op vault create` now describes the default behavior. {1736}
• `op document list` now returns human-readable output by default. {1741}

Fixed

• `op inject` no longer keeps trailing characters of input file, when the input and output destination are the same. {1750}
• `op user confirm` now properly confirms individual users. {1751}
• The keys in the json output of `op account list` are now lowercased. {1748}
• Examples for the `op vault user/group grant/revoke` commands' help text are now indented. {1736}
• Errors from entering the wrong number of arguments now include the command's usage text. {1736}

2.0.0-beta.5  (build #2000005) – released 2021-11-22

The main feature included in this release revolves around a set of commands that have been added or improved for managing granular vault access permissions. A specific vault's group and user vault access permissions can be viewed by the `op vault group list VAULT` and `op vault user list VAULT` commands. In addition, they can be set via using the `--permission` flag to a comma-separated list of permissions in the `op vault group grant`,`op vault group revoke`, `op vault user grant`, and `op vault user revoke` commands.

New

• The `op vault group/user grant/revoke` commands now have a `permissions` flag to specify the vault access permissions being granted/revoked. {1517}
• The `op vault group list` and `op vault user list` commands now display the vault’s group or user access permissions. {1608}

Improvements

• Suggested next steps have been improved when `op` fails to grant a group access to a Connect instance. {1664}
• The usage of secret references is now specified in more detail in the `run`, `inject`, and `read` commands' help text. {1711}
• The `op events list` command is no longer available. Continue to use CLI version 1 to read audit events. Before support for CLI 1 ends a more sophisticated solution for audit events will be available. {1710}
• The `op events create` command is now `op events-api create`. {1710}

Fixed

• The `op vault group list` command now displays the correct permissions based on the account’s tier. {1517}

2.0.0-beta.4  (build #2000004) – released 2021-11-05

Creating and editing items with the command-line tool is now easier than ever, thanks to the new field assignment syntax. You can create, delete and update custom fields of an item (and even change their type) with just one command, for example: op item edit 'database' 'creds.db2_admin_username[text]=dbadmin2' 'creds.db2_admin_pw[password]=RTA@gug9vmn7xey7pbq' We've also made a number of small improvements and bug fixes.

New

• The `item create` and `item edit` commands now have a `dry-run` flag that will print the resulting items without saving them. {1515}

Improvements

• The `op item create` and `op item edit` commands now support setting, updating and deleting fields through command line arguments. {1515}
• Errors in templates for `op inject` are now described in more detail. {1605}
• Table output headers are now separated by spaces instead of underscores. {1635}
• The field names createdAt and updatedAt are now displayed as created and updated. {1635}
• Vault types are now fully spelled out in the command-line tool output. {1633}
• Null or empty fields are no longer displayed in the human-readable item output. {1634}
• The `op item template get` command now has an `--out-file` flag to write item templates to a file instead of stdout. {1636}
• Curly brackets are no longer shown around vault IDs when listing items. {1632}
• Help-texts are now more consistent and easier to read. {2946}

Fixed

• The command-line tool can now use Connect as backend even if it has access to more than one vault. {1681}

2.0.0-beta.3  (build #2000003) – released 2021-10-07

Buckle up command-line tool users! We are launching an awesome ride that we'd love for you to join us on. 🚀

I'm super excited to announce our first Early Access release for v2 of the command-line tool. We have redesigned the command structure from the ground up and as you'll see commands are now neatly organized by topic. There's a ton of other improvements - big and small - outlined in more detail below.

This release also introduces the ability to pass secrets from 1Password items to your applications, scripts and any other processes that require secrets.

We're just getting started and we'd love to hear your feedback and suggestions. What should we focus on next? Let us know!

New

• Secrets can now be loaded into templated (configuration) files using the `inject` command. {1577}
• Secrets can now be loaded as environment variables to any process using the `run` command. {1577}
• A secret can now be read using the `read` command. {1577}
• A secret can now be loaded into a system file using the `read` command. {1577}
• `op item get` now retrieves items via a Connect server if the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables are configured. {1580}
• Groups that have access to a vault can now be listed using `op vault group list`. {1541}
• `op item edit` command now supports the `--url`, `--tags`, and `--title` flags to edit the fields. {1506}
• The `create vault` and `edit vault` commands can now specify an icon with the `--icon` flag. {1556}
• Details of a Connect server can now be retrieved with `op connect server get`. {1508}

Improvements

• Commands are now organized by topic. {1503, 1504, 1505, 1506, 1508, 1509, 1511, 1560, 1568, 1589, 1600}
• All commands now format their output in a new human-friendly format. `--format=json` switches the output to JSON. {1487, 1564}
• The flags `--format` and `--include-archive` can now also be specified using the environment variables `OP_FORMAT` and `OP_INCLUDE_ARCHIVE` respectively. {1616}
• The human-friendly output format uses prose instead of timestamps. `--iso-timestamps` switches the output to timestamps. {1487}
• Item, vault, connect, user, and group JSON output formats are now stripped from acronyms and unneeded internal data. {1477}
• JSON outputs are now formatted and colored. {1579}
• `op item create` command now supports filepaths for item templates via the `--template` flag, support for passing in base64 encoded templates as an argument has been removed. {1506, 1560}
• `list` and `delete` commands can now be used with their aliases: `ls`, `remove` and `rm`. {1571}
• `op account list` command replaces `op signin --list`. {1504}
• `op account forget` command now has an `--all` flag to forget all accounts. {1504}
• `op user list` output can now be piped to `op user confirm`. {1502}
• `op user list` output can now be piped to `op user confirm`. {1502}
• `op user list` output can now be piped to `op user delete`. {1502}
• `op user list` output can now be piped to `op user edit`. {1502}
• `op user list` output can now be piped to `op user reactivate`. {1502}
• `op user list` output can now be piped to `op user suspend`. {1502}
• `op vault list` output can now be piped to `op vault delete`. {1505}
• `op vault edit` now supports `--travel-mode` to set whether a vault is safe for travel. {1505}
• `op user invite` now accepts name and email via flags instead of arguments. {1502}
• Connect commands now accept group and server via flags instead of arguments. {1508, 1540, 1568}
• `op user grant` and `op user revoke` now accept user and group via flags instead of arguments. {1503}
• `op user accept` now accepts email, UUID, token and URL via flags instead of arguments. {1560}
• The `--deauthorize-devices-after` flag of `op user suspend` now accepts any duration unit and not just seconds. {1502}
• `item get` output now includes a generated TOTP token for OTP fields. {1557}
• Selecting items by tags now retrieves nested tags. {1529}
• Setting the `--tags` flag to an empty value for `op item edit` and `op document edit` will now remove all tags. {1558}
• The help text of `op item get` now includes details of the `--fields` flag format. {1551}
• Tags specified multiple times on commands to create or edit items or documents are now applied only once. {1598}
• Flag validation error messages are now more descriptive. {1568}
• `op group edit` and `op vault edit` now support clearing the description with `--description=""`. {1544}

Fixed

• Creating Events API or Connect instances will no longer panic. {1537}
• The error message shown when setting a URL for items which category does not support URLs now correctly shows "URL" instead of the URL itself. {1549}