Overview
The 1Password integration lets you store integration credentials (API keys, tokens, passwords) in 1Password and reference them in Pwnbook by name — rather than pasting raw secrets into the UI. When Pwnbook needs a credential, it fetches the current value from 1Password at runtime. This is useful for teams that already manage secrets centrally in 1Password and want to avoid duplicating credentials in Pwnbook’s configuration.How it works
When you configure an integration in Pwnbook that supports secret references, you can enter a 1Password reference instead of the raw credential:{{op.Snyk Production.credential}}. Pwnbook resolves the reference against your 1Password vault at runtime.
Prerequisites
- A 1Password Teams or Business account
- 1Password Connect server deployed and accessible to your Pwnbook instance, or a 1Password Service Account token
- Admin or Owner access in Pwnbook
Credentials required
Choose one of:| Method | Field | Description |
|---|---|---|
| Connect server | Connect Server URL | Base URL of your 1Password Connect server (e.g., https://connect.yourcompany.com) |
| Connect server | Connect Token | Access token for the Connect server |
| Service Account | Service Account Token | ops_sa_... token from 1Password Settings → Service Accounts |
Setup — Connect server
Deploy 1Password Connect
Deploy the 1Password Connect server in your infrastructure by following 1Password’s Connect server setup guide.The Connect server must be reachable from your Pwnbook backend.
Create a Connect token
- In 1Password, go to Developer Tools → Connect Servers.
- Select your Connect server and click Manage Access.
- Create a token with Read access to the vaults that contain your integration secrets.
- Copy the token.
Setup — Service Account
Create a Service Account
- In 1Password, go to Settings → Service Accounts.
- Click Create a Service Account.
- Name it “Pwnbook” and grant Read access to the vaults containing integration secrets.
- Copy the service account token (
ops_sa_...).
Referencing secrets in integrations
Once 1Password is connected, any integration credential field in Pwnbook accepts a reference in the format:| Reference | What it resolves to |
|---|---|
{{op.Snyk Production.credential}} | The “credential” field of the “Snyk Production” item |
{{op.AWS Root Key.access key id}} | The “access key id” field of the “AWS Root Key” item |
{{op.GitHub App.private key}} | The “private key” field of the “GitHub App” item |
Security
- Pwnbook never stores the resolved secret value — it fetches from 1Password at runtime each time the credential is needed.
- The Connect token or Service Account token is stored encrypted in Pwnbook’s database.
- Rotate the Connect token or Service Account token from 1Password without changing any integration configuration in Pwnbook.
Disconnecting
- Go to Organization Settings → Marketplace → 1Password.
- Click Disconnect.
- Confirm.