playbooks

home / mcp / 1password mcp server

1Password MCP Server

Provides MCP access to 1Password vaults, enabling automated vault actions and password management through predefined tools and prompts.

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "cakerepository-1password-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "YOUR_SERVICE_ACCOUNT_TOKEN"
      }
    }
  }
}

You can connect MCP-compatible AI clients to your 1Password vaults using a community-built MCP server. It enables secure, programmatic access to vaults and items through predefined tools and prompts, letting you automate password management and vault operations from your AI workflows while using a Service Account for authentication.

How to use

You will run the MCP server with a client that supports the MCP protocol. The server exposes a set of tools to manage vaults and passwords, and provides prompts to guide common workflows such as generating secure passwords, rotating credentials, auditing vault contents, and constructing secret references. To start, configure your MCP client to connect to the 1Password MCP server using the provided runtime command and environment variable for authentication. Once connected, you can list accessible vaults, search for items by title, create and delete items, read and rotate passwords, generate new passwords, and generate memorable passphrases as needed.

How to install

Prerequisites you need before setting up the server are: I. Node.js version 18 or newer II. A 1Password Service Account token to authenticate with your vaults.

Install and run the MCP server using the runtime configuration shown for JSON and TOML setups. Use the exact commands and environment variables as described below.

{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": ["-y", "@takescake/1password-mcp"],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "YOUR_SERVICE_ACCOUNT_TOKEN"
      }
    }
  }
}
[mcp_servers."1password"]
command = "npx"
args = ["-y", "@takescake/1password-mcp"]
env = {"OP_SERVICE_ACCOUNT_TOKEN": "YOUR_SERVICE_ACCOUNT_TOKEN"}

The following are recommended options for storing the token in different clients. In some cases you may prefer not to store the token directly in the client config.

### Claude Desktop / VS Code / IDEs (JSON)

```json
{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": ["-y", "@takescake/1password-mcp"],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "YOUR_SERVICE_ACCOUNT_TOKEN"
      }
    }
  }
}
### OpenAI Codex (TOML) Option A stores the token in config

```toml
[mcp_servers."1password"]
command = "npx"
args = ["-y", "@takescake/1password-mcp"]

[mcp_servers."1password".env]
OP_SERVICE_ACCOUNT_TOKEN = "YOUR_SERVICE_ACCOUNT_TOKEN"
### OpenAI Codex (TOML) Option B uses env var reference

```toml
[mcp_servers."1password"]
command = "npx"
args = ["-y", "@takescake/1password-mcp"]
env_vars = ["OP_SERVICE_ACCOUNT_TOKEN"]
```

Then set `OP_SERVICE_ACCOUNT_TOKEN` in your shell/session/CI environment.

CLI options you may use when starting or configuring the MCP server include: --service-account-token, --log-level, --integration-name, and --integration-version. Provide the token via the environment variable OP_SERVICE_ACCOUNT_TOKEN or through the config shown above.

Additional sections

Security and privacy considerations are important when using the MCP server. Secrets retrieved or created may be transmitted to your large language model provider and stored according to your provider’s policies. There is no end-to-end encryption inside the MCP workflow; secrets are plaintext during transit and only encrypted when stored in 1Password. Use dedicated automation vaults for automation credentials and rotate service tokens if exposed. Keep MCP config files out of version control and prefer secret references using op:// URLs rather than copying raw passwords into prompts.

Development workflow guidelines indicate how to set up and run the project locally. You can clone the repository, install dependencies, build, test, lint, and run in watch mode for development. Use the following sequence to work with the project locally.

git clone https://github.com/CakeRepository/1Password-MCP.git
cd 1Password-MCP
npm install

# Build
npm run build

# Run tests
npm test

# Type-check
npm run lint

# Watch mode (dev)
npm run dev

Available tools

vault_list

List all accessible vaults for the connected service account.

item_lookup

Search items by title within a vault to find specific credentials or notes.

item_delete

Delete an item from a vault securely.

password_create

Create a new password/login item in a selected vault.

password_read

Retrieve a password via a secret reference like op://vault/item/field or by item ID.

password_update

Rotate or update an existing password to a new value.

password_generate

Generate a cryptographically secure random password.

password_generate_memorable

Generate a memorable passphrase from a large dictionary of words.