This release mainly contains some improvements around the CLI's help-text, as well as adds the possibility to pipe via stdin when creating items.
Improvements
`op connect token create` help-text example now uses CLI 2 syntax. {2292}
`op connect` help-text now clarifies vault limitations. {2330}
`op connect token create` has improved help text, and now takes a `--vault` flag instead of `--vaults` to clarify that multiple `--vault` flags can be set. {2329}
`op item create` now accepts JSON input on stdin. {2425}
This release contains fixes and improvements that have been suggested by customers for the 2.0.0 CLI.
Additionally, it includes security improvements made after a security audit by Secfault Security.
New
Added support for OTP field type for inline item assignments. {1647}
Improvements
All links to related developer documentation articles now point to the new URLs. {2069}
`op account add` help text now notes that biometric unlock requires 1Password 8. {2099}
`op completion` help text now has instructions for loading completion information for PowerShell. {2068}
`UUIDs` are now referred to as `IDs` throughout help text. {2136}
JSON item output now includes the vault's name the item is from. {2100}
Errors are clearer when reading/creating config file fails. {2062,2095}
CLI now throws an error when a command doesn't work with Connect and Connect specific environment variables are set. {2046}
`op item template get` no longer shows an empty vault key for the item. {2169}
Subcommands in the help text now follow the CRUDL order. {2058}
The user ID in the output of `op account list` is now referred to as such, instead of user UUID. {2136}
op user provision help text is now more clear. {2159}
Revoking user access from the Team Members group returns a more descriptive error message. {1553}
When adding a new account, you can now supply your user's secret key with the `OP_SECRET_KEY` environment variable. This is the new recommended method to add accounts on systems where we cannot prompt you for the secret key. Credits to Secfault Security. {2185}
The `op` binary from the Docker Image is now statically compiled, and works well with Alpine Docker images. {1694}
The list output for vaults, items and accounts now contains more details in its json format. {2192}
op events-api help text now notes business or team account requirements. {2271}
op item template list now uses new syntax for op item template get example. {2265}
Events API naming is now standardized in help text. {2269}
.env files that are used with `op run` can now contain and refer to environment variables that contain linebreaks. {2086}
Parsing of .env files for `op run` is now more robust. Credits to Secfault Security for pointing out a parsing inconsistency. {2182}
Fixed
Fields called `title`, `url` and `tags` now take priority over the built-in attributes, with `op read`, `op run` and `op inject`. {2059}
The output of `op signin` now correctly mentions that `op signin` uses the `--account` flag instead of an argument. {2089}
Address fields are now properly displayed instead of being empty. {2063}
Addressed a rare case where running a CLI command with biometric unlock enabled consistently results in an "SRP-x unsupported length" error. {2193}
Windows signature file `op.exe.sig` returns to the Windows download archive. {2180}
`op connect vault grant` and `op connect vault revoke` now return an error if you are missing permissions to perform the action. {2213}
Example for document get now uses CLI 2 syntax. {2145}
Providing raw text as piped input into `op inject` now outputs an appropriate error message. {2178}
Date and MonthYear field types are now properly parsed when the item JSON template is provided to create an item. {2075}
The `pkg-version` for the 1Password CLI on macOS now returns the correct version. {2120}
Debian packages for 32-bit arm systems are packaged under the correct architecture name (armhf). {2186}
Addressed an issue where you could get a persistent "You are not currently signed in" even after signing in. {2293}
Security
Replaced backticks in help text and error messages with single quotes. {2112}
Improved the signature verification of the 1Password app when using biometric unlock on Windows. Credits to Secfault Security. {2143}
Filtering of `op` specific environment variables has been removed from `op run`, as no security advantages are obtained by this filtering. Credits to Secfault Security. {2184}
Fixed a race-condition that could result in a file written by the CLI to not end up with the specified filemode. Credits to Secfault Security. {2198}
The CLI refuses to write to files that are symlinked. Credits to Secfault Security. {2198}
Unprintable characters are now filtered out from the output of the CLI, when used interactively. Credits to Secfault Security. {2183}
This is the first release of the next generation of 1Password CLI! 🚀
It takes the usability and accessibility that you're used to from 1Password
to the terminal. Among others, it allows you to unlock the CLI using biometrics,
and has a new and improved command structure and output.
In addition, we also introduced some brand new functionality to 1Password CLI.
Some of the features we'd like to highlight are Psst! support
and the ability to securely load secrets into scripts, applications, and other workloads.
We would like to shout out our amazing early access community for raising bug
reports, suggesting improvements, and helping us shape the 1Password CLI along
every iteration of the beta into the product we are now releasing! 🎉
Check out all the improvements and new features below and learn more in our new
developer documentation!
New
1Password CLI 2 now uses a new command schema, together with a more intuitive JSON output format.
Biometric Unlock can now be used instead of typing your account password on the command line. {1943}
The item get, inject, run and read commands now also support using a Connect server. Use it by setting OP_CONNECT_HOST and OP_CONNECT_TOKEN environment variables. {1580}
1Password CLI can now be installed via apt, dnf and apk.
All commands now format their output in a new human friendly format. Use the --format=json flag or OP_FORMAT=json environment variable to output as JSON. {1487, 1564}
Improvements
Vault access permissions can now be granted and revoked granularly when managing users' and groups' access to vaults by specifying --permissions. {1517}
Listing groups or users that have access to a vault now displays the group's or user's permissions. {1608}
Granting or revoking vault permissions prints the resulting permissions. {1739}
Setting whether a vault is safe for travel can be achieved with the --travel-mode flag, while editing vaults. {1505}
Deleting multiple vaults at once is now possible. {1505}
When getting items, you can now retrieve fields by field type. {1855}
Creating and editing items now have a dry-run feature, which prints the resulting items without saving them. {1515}
When editing items, you can now change the autofill url, tags and title. {1506}
Creating items can now be done using templates similar in format to the items retrieved with 1Password CLI. The old format is no longer supported. Support for passing in base64 encoded templates as an argument has been removed. {1578}
Creating and editing items now offer support for setting, updating and deleting fields through command line arguments. {1515}
Curly brackets are no longer shown around vault IDs when listing items. {1632}
Selecting items by tags now retrieves nested tags. {1529}
Setting the --tags flag to an empty value while editing items or documents will now remove all tags. {1558}
Tags specified multiple times on commands to create or edit items or documents are now applied only once. {1598}
Adding new accounts is now done using a standalone command, op account add. Configuring new accounts via op signin is no longer supported. {1898}
op signin accepts the --account flag to select which account to sign in to. The command no longer supports arguments. {1898}
$OP_ACCOUNT and --account flag now also accept a user UUID or an account UUID. {1900}
The --list flag of op signin has been removed, and the functionality has been moved to op account list. {1881}
Listing accounts no longer returns DSECRET and SECRET_KEY in its output. {1748}
Forgetting all authenticated accounts at once is now possible. {1504}
Confirming multiple users of an account at once is now possible. {1502}
Deleting multiple users from an account at once is now possible. {1502}
Editing multiple users within an account at once is now possible. {1502}
Reactivating multiple users within an account at once is now possible. {1502}
Suspending multiple users within an account at once is now possible. {1502}
You can now output debug logs using the binary flag --debug or the environment variable OP_DEBUG. Currently debug logs exist for biometric unlock only. {1910}
--iso-timestamps can now also be set using the $OP_ISO_TIMESTAMPS environment variable. {1926}
The --include-archive flag can now also be specified setting the OP_INCLUDE_ARCHIVE environment variable to true. {1616}
The formatting and phrasing of error messages has been improved. {1871}
The help text across 1Password CLI commands is now clearer, more elaborate and better formatted. {1736}
list and delete commands can now be used with their aliases: ls, remove and rm. {1571}
Listing events is no longer possible. Please continue using 1Password CLI version 1 to read audit events. Before support for version 1 ends, a more sophisticated solution for audit events will be available. {1710}
armv7 and arm64 Docker images of 1Password CLI are now being built and published on DockerHub. {1771}
This release introduces auto-completion for fish shells, check out op completion --help for instructions. We also renamed a command to be more accurate as well.
New
CLI now has completion support for fish shell. {2056}
Improvements
`op user invite` is now called `op user provision` to better reflect what the command does. {2155}
2.0.0-beta.15
(build #2000017)
– released 2022-03-08
In this release, we have some UX improvements and bug fixes in our authentication flows.
In addition, starting from this release, 1Password CLI beta releases can be installed over the Apt, APK, and YUM repositories! Instructions are
located at https://developer.1password.com/docs/cli/install.
Improvements
The 1Password CLI will now more clearly instruct you what to do when biometric unlock is enabled, but the 1Password app is not running. {1685}
The `signout` command now only signs out the specified account if --account or $OP_ACCOUNT is set and biometric unlock is enabled. {1953}
The `signin` command now outputs an error when being called without `eval` or `Invoke-Expression`. {2030}
Biometric unlock now can now be manually enabled or disabled by setting OP_BIOMETRIC_UNLOCK respectively "true" or "false". {2035}
The error message displayed when dismissing the biometric unlock prompt multiple times in short succession is clearer. {1946}
Refactor help text command syntax from `op ` to `op `. {2083}
More accurate error messages are now displayed when using biometric unlock requires extra setup steps. {2097}
Fixed
`op account get` now returns the correct account type for Team accounts. {2008}
The flags for `op group user revoke` are now correct. {2073}
2.0.0-beta.13
(build #2000015)
– released 2022-02-24
Thanks again for all the feedback folks! This update includes another set of improvements, most of which are around the new signin experience and creating items with templates.
Improvements
`op account add` can now be used to configure new accounts via flags or interactive inputs. Configuring new accounts via `op signin` is no longer supported. {1898}
`op signin` accepts the `--account` flag to select which account to sign in to. The command no longer supports arguments. {1898}
You can now output debug logs using the binary flag `--debug` or the environment variable `OP_DEBUG`. {1910}
Secret references containing spaces are now supported. {1905}
The tool is now called "1Password CLI" instead of "1Password command-line tool" in the help-text. {1944}
The output of `op --help` is now more concise. {1951}
`op item share` now throws an elegant error when called with unshareable item types. {1911}
`op item list` now has both a long and a short format, toggled with the `--long` flag. {1994}
Signing out from all accounts with a single command is now possible with `op signout --all`. {2003}
The `op inject` help text now includes a warning to delete the resolved config file when it's no longer needed. {2034}
`op item create` and `op item edit` now have instructions documented about using them securely. {1997}
`op item template get` now returns the new item JSON format. {1578}
`op item create` now supports templates that resemble the output of `op item get` and use common language keys. The old format is no longer supported. {1578}
Files created by the 1Password CLI on Linux are no longer owned by the onepassword-cli group. {2045}
`$OP_ACCOUNT` and `--account` flag now also accept a user UUID or an account UUID. {1900}
Fixed
Caching now also works when using biometric unlock. {1971}
When multiple accounts are available for an account filter, the user is prompted with the correct command to execute, in order to list all available accounts. {1996}
`op run` no longer returns an error when the --env-file is used and the environment contains a multiline environment variable. {1851}
2.0.0-beta.12
(build #2000014)
– released 2022-01-28
This release introduces Biometric Unlock; If you have the latest nightly build of the 1Password 8 installed, you can now use it to sign in to the CLI using biometrics.
New
Biometric Unlock can now be used with the latest nightly release of 1Password 8. {1943}
Improvements
`--iso-timestamps` can now also be set using the `$OP_ISO_TIMESTAMPS` environment variable. {1926}
2.0.0-beta.10
(build #2000012)
– released 2022-01-24
This release contains fixes and improvements based on your feedback during Early Access. Thank you all for sharing your thoughts! ❤️ Please keep your feedback coming and we'll improve 1Password CLI together.
Note that this release doesn't cover all provided feedback yet, and we'll continue to release more updates when they're ready.
Improvements
`op item get` now has `--otp` to fetch the primary OTP code of an item, similarly to `op get totp` in 1Password CLI 1. {1908}
The help text for `op item ls` and `op item get` now include documentation for the `OP_INCLUDE_ARCHIVE` environment variable. {1670}
The `--list` flag of `op signin` has been removed, and the functionality has been moved to `op account list`. {1881}
The API Credential item category is now documented in help-texts. {1214}
The `read`, `inject` and `template get` commands now have a force flag to bypass user confirmation when the output file already exists. {1922}
Fixed
`op item template get` help text now references the right item create command. {1902}
`op update` now works on MacOS too. {1717}
Sections without fields are now displayed properly. {1932}
2.0.0-beta.9
(build #2000011)
– released 2022-01-17
This release contains fixes and improvements based on your feedback during Early Access. Thank you all for sharing your thoughts! ❤️ Please keep your feedback coming and we'll improve 1Password CLI together.
Note that this release doesn't cover all provided feedback yet, and we'll continue to release more updates when they're ready.
Improvements
Error messages when something doesn't exist no longer introduce ambiguity. {1871}
Help text for flags is better divided into flag name and its usage. {1868}
The item in human-readable output now displays the one-time password code. {1891}
`op item list` now shows the vault name instead of the ID. {1887}
Flag help text now starts with capital letters and have terminal punctuation. {1886}
Fixed
The retrieval of fields with the 'section.field' format is now possible via 'op item get'. {1870}
An error is now thrown if a field with non-unique name is inquired by name. {1870}
`op item get` usage now shows the correct command to retrieve one-time passwords. {1855}
Sections without fields are now excluded from the human output of `op item get`. {1888}
2.0.0-beta.8
(build #2000010)
– released 2022-01-11
This release focuses on improving command help text to be more clear and concise. We also fixed a
critical bug where unintended vault permissions would be granted in the `op vault user grant/revoke` commands.
Improvements
The help text of multiple commands is now clearer and more elaborate. {1736}
The flag `--fields` for the command `op item get` now has an alias `--field`. {1762}
`op item create` and `op item edit` commands’ help text are more descriptive and concise. {1664}
Vault access permission management commands’ help text are more accurate and concise, and include a link to an in-depth guide to developer documentation. {1664}
Fixed
The `op vault user grant` command does not grant any additional permissions than what was specified. {1723}
2.0.0-beta.6
(build #2000006)
– released 2021-11-26
The main feature included in this release revolves around a set of commands that have been added or
improved for managing granular vault access permissions. A specific vault's group and user vault access
permissions can be viewed by the `op vault group list VAULT` and `op vault user list VAULT` commands.
In addition, they can be set via using the `--permission` flag to a comma-separated list of permissions
in the `op vault group grant`,`op vault group revoke`, `op vault user grant`, and `op vault user revoke`
commands.
New
The `op vault group/user grant/revoke` commands now have a `permissions` flag to specify the vault access permissions being granted/revoked. {1517}
The `op vault group list` and `op vault user list` commands now display the vault’s group or user access permissions. {1608}
Improvements
Suggested next steps have been improved when `op` fails to grant a group access to a Connect instance. {1664}
The usage of secret references is now specified in more detail in the `run`, `inject`, and `read` commands' help text. {1711}
The `op events list` command is no longer available. Continue to use CLI version 1 to read audit events. Before support for CLI 1 ends a more sophisticated solution for audit events will be available. {1710}
The `op events create` command is now `op events-api create`. {1710}
Fixed
The `op vault group list` command now displays the correct permissions based on the account’s tier. {1517}
2.0.0-beta.4
(build #2000004)
– released 2021-11-05
Creating and editing items with the command-line tool is now easier than ever, thanks to the new field assignment syntax. You can create, delete and update custom fields of an item (and even change their type) with just one command, for example:
op item edit 'database' 'creds.db2_admin_username[text]=dbadmin2' 'creds.db2_admin_pw[password]=RTA@gug9vmn7xey7pbq'
We've also made a number of small improvements and bug fixes.
New
The `item create` and `item edit` commands now have a `dry-run` flag that will print the resulting items without saving them. {1515}
Improvements
The `op item create` and `op item edit` commands now support setting, updating and deleting fields through command line arguments. {1515}
Errors in templates for `op inject` are now described in more detail. {1605}
Table output headers are now separated by spaces instead of underscores. {1635}
The field names createdAt and updatedAt are now displayed as created and updated. {1635}
Vault types are now fully spelled out in the command-line tool output. {1633}
Null or empty fields are no longer displayed in the human-readable item output. {1634}
The `op item template get` command now has an `--out-file` flag to write item templates to a file instead of stdout. {1636}
Curly brackets are no longer shown around vault IDs when listing items. {1632}
Help-texts are now more consistent and easier to read. {2946}
Fixed
The command-line tool can now use Connect as backend even if it has access to more than one vault. {1681}
2.0.0-beta.3
(build #2000003)
– released 2021-10-07
Buckle up command-line tool users! We are launching an awesome ride that we'd love for you to join us on. 🚀
I'm super excited to announce our first Early Access release for v2 of the command-line tool. We have
redesigned the command structure from the ground up and as you'll see commands are
now neatly organized by topic. There's a ton of other improvements - big and small -
outlined in more detail below.
This release also introduces the ability to pass secrets from 1Password items to
your applications, scripts and any other processes that require secrets.
We're just getting started and we'd love to hear your feedback and suggestions.
What should we focus on next? Let us know!
New
Secrets can now be loaded into templated (configuration) files using the `inject` command. {1577}
Secrets can now be loaded as environment variables to any process using the `run` command. {1577}
A secret can now be read using the `read` command. {1577}
A secret can now be loaded into a system file using the `read` command. {1577}
`op item get` now retrieves items via a Connect server if the `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` environment variables are configured. {1580}
Groups that have access to a vault can now be listed using `op vault group list`. {1541}
`op item edit` command now supports the `--url`, `--tags`, and `--title` flags to edit the fields. {1506}
The `create vault` and `edit vault` commands can now specify an icon with the `--icon` flag. {1556}
Details of a Connect server can now be retrieved with `op connect server get`. {1508}
Improvements
Commands are now organized by topic. {1503, 1504, 1505, 1506, 1508, 1509, 1511, 1560, 1568, 1589, 1600}
All commands now format their output in a new human-friendly format. `--format=json` switches the output to JSON. {1487, 1564}
The flags `--format` and `--include-archive` can now also be specified using the environment variables `OP_FORMAT` and `OP_INCLUDE_ARCHIVE` respectively. {1616}
The human-friendly output format uses prose instead of timestamps. `--iso-timestamps` switches the output to timestamps. {1487}
Item, vault, connect, user, and group JSON output formats are now stripped from acronyms and unneeded internal data. {1477}
JSON outputs are now formatted and colored. {1579}
`op item create` command now supports filepaths for item templates via the `--template` flag, support for passing in base64 encoded templates as an argument has been removed. {1506, 1560}
`list` and `delete` commands can now be used with their aliases: `ls`, `remove` and `rm`. {1571}