Skip to main content
1Password

Overview

The 1Password integration lets you store integration credentials (API keys, tokens, passwords) in 1Password and reference them in Pwnbook by name — rather than pasting raw secrets into the UI. When Pwnbook needs a credential, it fetches the current value from 1Password at runtime. This is useful for teams that already manage secrets centrally in 1Password and want to avoid duplicating credentials in Pwnbook’s configuration.

How it works

When you configure an integration in Pwnbook that supports secret references, you can enter a 1Password reference instead of the raw credential:
{{op.Item Name.field}}
For example, instead of pasting an API key directly, enter {{op.Snyk Production.credential}}. Pwnbook resolves the reference against your 1Password vault at runtime.

Prerequisites

  • A 1Password Teams or Business account
  • 1Password Connect server deployed and accessible to your Pwnbook instance, or a 1Password Service Account token
  • Admin or Owner access in Pwnbook

Credentials required

Choose one of:
MethodFieldDescription
Connect serverConnect Server URLBase URL of your 1Password Connect server (e.g., https://connect.yourcompany.com)
Connect serverConnect TokenAccess token for the Connect server
Service AccountService Account Tokenops_sa_... token from 1Password Settings → Service Accounts
Use a Connect server if you have one deployed. Use a Service Account token for a lighter-weight setup without running a Connect server.

Setup — Connect server

1

Deploy 1Password Connect

Deploy the 1Password Connect server in your infrastructure by following 1Password’s Connect server setup guide.The Connect server must be reachable from your Pwnbook backend.
2

Create a Connect token

  1. In 1Password, go to Developer Tools → Connect Servers.
  2. Select your Connect server and click Manage Access.
  3. Create a token with Read access to the vaults that contain your integration secrets.
  4. Copy the token.
3

Configure in Pwnbook

  1. Go to Organization Settings → Marketplace → 1Password.
  2. Select Connect Server.
  3. Enter your Connect Server URL and Connect Token.
  4. Click Save & Test.

Setup — Service Account

1

Create a Service Account

  1. In 1Password, go to Settings → Service Accounts.
  2. Click Create a Service Account.
  3. Name it “Pwnbook” and grant Read access to the vaults containing integration secrets.
  4. Copy the service account token (ops_sa_...).
2

Configure in Pwnbook

  1. Go to Organization Settings → Marketplace → 1Password.
  2. Select Service Account.
  3. Enter your Service Account Token.
  4. Click Save & Test.

Referencing secrets in integrations

Once 1Password is connected, any integration credential field in Pwnbook accepts a reference in the format:
{{op.Item Title.field name}}
Examples:
ReferenceWhat it resolves to
{{op.Snyk Production.credential}}The “credential” field of the “Snyk Production” item
{{op.AWS Root Key.access key id}}The “access key id” field of the “AWS Root Key” item
{{op.GitHub App.private key}}The “private key” field of the “GitHub App” item
Item titles and field names are case-sensitive and must match exactly as they appear in 1Password.

Security

  • Pwnbook never stores the resolved secret value — it fetches from 1Password at runtime each time the credential is needed.
  • The Connect token or Service Account token is stored encrypted in Pwnbook’s database.
  • Rotate the Connect token or Service Account token from 1Password without changing any integration configuration in Pwnbook.

Disconnecting

  1. Go to Organization Settings → Marketplace → 1Password.
  2. Click Disconnect.
  3. Confirm.
After disconnecting, any integrations using {{op.…}} references will fail until you either reconnect 1Password or replace the references with raw credential values.