> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pwnbook.app/llms.txt
> Use this file to discover all available pages before exploring further.

# 1Password

> Reference secrets stored in 1Password when configuring integrations in Pwnbook.

<img src="https://mintcdn.com/pwnbook/noJyYhCscAD7TYUE/logos/1password.svg?fit=max&auto=format&n=noJyYhCscAD7TYUE&q=85&s=34225b212cd2dedff6c27b254509b76c" alt="1Password" style={{ height: "32px", marginBottom: "16px" }} width="32" height="32" data-path="logos/1password.svg" />

## Overview

The 1Password integration lets you store integration credentials (API keys, tokens, passwords) in 1Password and reference them in Pwnbook by name — rather than pasting raw secrets into the UI. When Pwnbook needs a credential, it fetches the current value from 1Password at runtime.

This is useful for teams that already manage secrets centrally in 1Password and want to avoid duplicating credentials in Pwnbook's configuration.

## How it works

When you configure an integration in Pwnbook that supports secret references, you can enter a 1Password reference instead of the raw credential:

```
{{op.Item Name.field}}
```

For example, instead of pasting an API key directly, enter `{{op.Snyk Production.credential}}`. Pwnbook resolves the reference against your 1Password vault at runtime.

## Prerequisites

* A 1Password Teams or Business account
* 1Password Connect server deployed and accessible to your Pwnbook instance, **or** a 1Password Service Account token
* Admin or Owner access in Pwnbook

## Credentials required

Choose one of:

| Method              | Field                     | Description                                                                         |
| ------------------- | ------------------------- | ----------------------------------------------------------------------------------- |
| **Connect server**  | **Connect Server URL**    | Base URL of your 1Password Connect server (e.g., `https://connect.yourcompany.com`) |
| **Connect server**  | **Connect Token**         | Access token for the Connect server                                                 |
| **Service Account** | **Service Account Token** | `ops_sa_...` token from 1Password Settings → Service Accounts                       |

Use a Connect server if you have one deployed. Use a Service Account token for a lighter-weight setup without running a Connect server.

## Setup — Connect server

<Steps>
  <Step title="Deploy 1Password Connect">
    Deploy the 1Password Connect server in your infrastructure by following [1Password's Connect server setup guide](https://developer.1password.com/docs/connect/get-started/).

    The Connect server must be reachable from your Pwnbook backend.
  </Step>

  <Step title="Create a Connect token">
    1. In 1Password, go to **Developer Tools → Connect Servers**.
    2. Select your Connect server and click **Manage Access**.
    3. Create a token with **Read** access to the vaults that contain your integration secrets.
    4. Copy the token.
  </Step>

  <Step title="Configure in Pwnbook">
    1. Go to **Organization Settings → Marketplace → 1Password**.
    2. Select **Connect Server**.
    3. Enter your **Connect Server URL** and **Connect Token**.
    4. Click **Save & Test**.
  </Step>
</Steps>

## Setup — Service Account

<Steps>
  <Step title="Create a Service Account">
    1. In 1Password, go to **Settings → Service Accounts**.
    2. Click **Create a Service Account**.
    3. Name it "Pwnbook" and grant Read access to the vaults containing integration secrets.
    4. Copy the service account token (`ops_sa_...`).
  </Step>

  <Step title="Configure in Pwnbook">
    1. Go to **Organization Settings → Marketplace → 1Password**.
    2. Select **Service Account**.
    3. Enter your **Service Account Token**.
    4. Click **Save & Test**.
  </Step>
</Steps>

## Referencing secrets in integrations

Once 1Password is connected, any integration credential field in Pwnbook accepts a reference in the format:

```
{{op.Item Title.field name}}
```

Examples:

| Reference                           | What it resolves to                                  |
| ----------------------------------- | ---------------------------------------------------- |
| `{{op.Snyk Production.credential}}` | The "credential" field of the "Snyk Production" item |
| `{{op.AWS Root Key.access key id}}` | The "access key id" field of the "AWS Root Key" item |
| `{{op.GitHub App.private key}}`     | The "private key" field of the "GitHub App" item     |

<Tip>Item titles and field names are case-sensitive and must match exactly as they appear in 1Password.</Tip>

## Security

* Pwnbook never stores the resolved secret value — it fetches from 1Password at runtime each time the credential is needed.
* The Connect token or Service Account token is stored encrypted in Pwnbook's database.
* Rotate the Connect token or Service Account token from 1Password without changing any integration configuration in Pwnbook.

## Disconnecting

1. Go to **Organization Settings → Marketplace → 1Password**.
2. Click **Disconnect**.
3. Confirm.

<Warning>After disconnecting, any integrations using `{{op.…}}` references will fail until you either reconnect 1Password or replace the references with raw credential values.</Warning>
