1Password Tools
List vaults, list items, and fetch item details from a 1Password Connect server.
The 1Password tools let a workflow read secrets and items from a self-hosted 1Password Connect server. Use them to discover vaults, enumerate the items in a vault, and retrieve the full details of a single item at run time instead of hardcoding credentials.
Overview
| Property | Value |
|---|---|
| Provider | onepassword |
| Category | tools |
| Auth | Bearer Token (1Password Connect access token) |
All three tools call the 1Password Connect REST API. The connectUrl you supply points at your own Connect server (e.g. https://connect.example.com); a trailing slash is stripped automatically. Every request sends Authorization: Bearer <apiKey> and Content-Type: application/json.
Operations
| Operation | Tool ID | Description |
|---|---|---|
| List vaults | onepassword_list_vaults | List the vaults available on a 1Password Connect server |
| List items | onepassword_list_items | List the items inside a 1Password vault |
| Get item | onepassword_get_item | Get the full details of a single item from a 1Password vault |
Configuration
onepassword_list_vaults
Calls GET {connectUrl}/v1/vaults.
| Parameter | Type | Required | Description |
|---|---|---|---|
apiKey | string | Yes | Secret. 1Password Connect access token (sent as a Bearer token). Visibility: user-only. |
connectUrl | string | Yes | 1Password Connect server URL (e.g. https://connect.example.com). Visibility: user-only. |
onepassword_list_items
Calls GET {connectUrl}/v1/vaults/{vaultId}/items.
| Parameter | Type | Required | Description |
|---|---|---|---|
apiKey | string | Yes | Secret. 1Password Connect access token (sent as a Bearer token). Visibility: user-only. |
connectUrl | string | Yes | 1Password Connect server URL (e.g. https://connect.example.com). Visibility: user-only. |
vaultId | string | Yes | ID of the vault to list items from. Visibility: user-or-llm. |
onepassword_get_item
Calls GET {connectUrl}/v1/vaults/{vaultId}/items/{itemId}.
| Parameter | Type | Required | Description |
|---|---|---|---|
apiKey | string | Yes | Secret. 1Password Connect access token (sent as a Bearer token). Visibility: user-only. |
connectUrl | string | Yes | 1Password Connect server URL (e.g. https://connect.example.com). Visibility: user-only. |
vaultId | string | Yes | ID of the vault containing the item. Visibility: user-or-llm. |
itemId | string | Yes | ID of the item to retrieve. Visibility: user-or-llm. |
Outputs
onepassword_list_vaults
data(json) — Array of 1Password vault objects.metadata(json) — List metadata.metadata.count(number) — Number of vaults returned.
onepassword_list_items
data(json) — Array of 1Password item summary objects.metadata(json) — List metadata.metadata.count(number) — Number of items returned.
onepassword_get_item
data(json) — The full 1Password item object.metadata(json) — Item identifiers.metadata.id(string) — Item ID.
YAML Example
onepassword_1:
type: onepassword
name: "1Password"
inputs:
operation: "onepassword_list_vaults"
connectUrl: "https://connect.example.com"
apiKey: "{{ONEPASSWORD_CONNECT_TOKEN}}"
connections:
outgoing:
- target: next-block-idGet a specific item (chaining a vault ID and item ID from earlier blocks):
onepassword_get:
type: onepassword
name: "1Password"
inputs:
operation: "onepassword_get_item"
connectUrl: "https://connect.example.com"
apiKey: "{{ONEPASSWORD_CONNECT_TOKEN}}"
vaultId: "{{onepassword_1.data}}"
itemId: "abc123itemid"
connections:
outgoing:
- target: next-block-idTips
- Self-hosted Connect required. These tools talk to a 1Password Connect server, not the consumer 1Password app or web account. Deploy Connect and issue an access token first; set
connectUrlto that server (the consumermy.1password.comendpoint will not work). - Store the token as a secret. The
apiKeyis the Connect access token (markedpasswordin the block anduser-onlyvisibility). Reference it via an environment variable like{{ONEPASSWORD_CONNECT_TOKEN}}rather than pasting it inline, and scope the token to only the vaults the workflow needs. - Discover IDs in order. Run
onepassword_list_vaultsto get vault IDs, feed a vault ID intoonepassword_list_itemsto get item IDs, then pass both intoonepassword_get_item.vaultIdanditemIdareuser-or-llm, so an agent can resolve them, but the access token (apiKey) andconnectUrlmust be configured by the user.