After a few months of usage, some suggestions around tokens and approval:
The main thing here is that seeing a Unix process list shouldn't show the session token in the args list. Basically I'd like op to behave like HashiCorp's Vault when looking for the session token:
I don't personally approve of the last option but I can imagine many circumstances where this will be useful, especially when combined with the following ideas.
It would be very handy to have tokens expire not just after a certain period of time has passed, but also after N uses -- you can pass the token to a script and know that after it has retrieved e.g. an SSH key, the token is now useless.
I'd like to have scopes for a token - this time-limited and use-limited token is valid only for a particular secret or secrets, and ideally would trigger an email or some other alert if the token were to be used against other secrets.
Duo Security have a sweet app for iPhone/Android that requires you to actively approve a Thing. It would be superb to have this built into 1Password so that a script runs, and then waits for op to confirm that the iPhone app has Approved All The Things before spitting out the requested password or secrets.
I know these might be out of scope for 1P at present but these are the things where I use HashiCorp Vault instead of 1P.
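A sketch of the token behaviour requested in the post above (expiry after a time limit, expiry after N uses, and a scope with an alert on out-of-scope use), added here as an example: it is not 1Password or Vault code, and `TokenBroker`, its methods and the sample secret names are hypothetical. Revoking the token on an out-of-scope request is an assumption that goes beyond the alert the post asks for.

```python
import hashlib
import secrets
import time


class TokenBroker:
    """Hypothetical broker: issues tokens limited by lifetime, use count and scope."""

    def __init__(self, store, clock=time.monotonic):
        self._store = store    # secret name -> value (constructed sample data)
        self._clock = clock    # injectable so expiry can be exercised without sleeping
        self._grants = {}      # sha256(token) -> grant; raw tokens are never stored
        self.alerts = []       # stand-in for the e-mail or other alert hook

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, scope, ttl, max_uses):
        if ttl <= 0 or max_uses < 1:
            raise ValueError("ttl must be positive and max_uses at least 1")
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = {
            "scope": frozenset(scope),
            "expires": self._clock() + ttl,
            "uses_left": max_uses,
        }
        return token

    def fetch(self, token, name):
        key = self._key(token)
        grant = self._grants.get(key)
        if grant is None:
            raise PermissionError("unknown, spent or revoked token")
        if self._clock() >= grant["expires"]:
            del self._grants[key]
            raise PermissionError("token expired")
        if name not in grant["scope"]:
            # Out-of-scope use: record an alert and (assumption) revoke the
            # token so it cannot be used to probe for other secrets.
            self.alerts.append(f"out-of-scope request for {name!r}")
            del self._grants[key]
            raise PermissionError("secret outside token scope")
        grant["uses_left"] -= 1
        if grant["uses_left"] == 0:
            del self._grants[key]  # Nth use consumed: the token is now useless
        return self._store[name]
```
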