1password api to access passwords programatically

claudiu
claudiu
Community Member

Hi,

Is there a possibility to integrate 1password into your development workflow? For example if you store your ssh logins into 1password, how would you access them? is there an api?

Thanks!

Best,
Claudiu


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

«13

Comments

  • Hi @claudiu ,

    Thanks for writing in with your request.

    We currently don't have an API for accessing 1Password data outside of the app, the mini, and the browser extensions. We can certainly consider your request though.

    But if you just want it to automate ssh logins, you may wish to investigate setting up private/public ssh key pairs for automated login to known hosts. Beyond that, the current way would be copy and paste from the 1Password app (or mini). I realize that may not be an ideal solution, but there are a few security and privacy challenges we must solve first before we could consider offering a third party 1Password API.

    Cheers,
    Kevin

  • dgc
    dgc
    Community Member

    LastPass: crummy
    DashLane: expensive
    1Password: no API

    You have more room to move on this than your competitors do.

  • Hi @dgc,

    Thanks for the feedback. We do recognize the demand, though it's not as easy as it sounds. It has to be done securely so that an app can only get the passwords designated for that app and not any others, and that 1Password is certain the app calling the API is who it claims it is.

    Cheers,
    Kevin

  • poshoholic
    poshoholic
    Community Member

    +1 for me as well.

    However, I strongly disagree with the notion that an app can only get the passwords designated for that app and not any others. I do a lot of automation and command-line work, and it would be useful to me to be able to run automation scripts against various secure endpoints (web apps that I sign into, physical/virtual/cloud computing resources I use that require a password, etc.) while still leveraging the password storage provided to me by 1password. To make this more secure, you could set it up as a configurable option to allow API access to a 1password vault only from specific computers though, perhaps as an opt-in per password that I want to allow such access for...that would do the job for me as far as security is concerned. People seem to be doing this and this already anyway. Better to just make an official API, no?

  • singhsays
    singhsays
    Community Member

    +1, this is a really useful feature for automation. There is no good solution (that I'm aware of) to securely use passwords in code without storing it locally.

  • Hi @poshoholic ,

    I just want to clarify my statement a bit. The issue I was referring to is not whether the scripts or apps you write can get access to the passwords they need, it's for third party apps and scripts to gain access to passwords the user didn't intend to grant. For example, let's say a customer downloads an app and wants access to 1Password to store and read passwords for its services using our API. That seems ok, the user grants it access. But then what if the developer of that app decides to access your twitter password and starts posting to twitter on your behalf too? This is just one of the situations we have to be careful of.

    So, we're not saying no, just that it takes a lot of careful consideration and planning, so any such API would take a considerable amount of planning and effort to do it securely.

    Regards,
    Kevin

  • MacKopes
    MacKopes
    Community Member

    +1 on this feature. Our company would be VERY interested in this as well if/when it might be available.

  • Pilar
    Pilar
    1Password Alumni

    Hi @MacKopes

    Thank you for letting us know what you'd like to see in 1Password, we appreciate it very much! :chuffed:

  • zero_shane
    zero_shane
    Community Member

    +1

    We subscribe to the philosophy of CI/CD, Automated "Infrastructure as Code", and heavily use APIs to manage and orchestrate complex changes. Part of that process requires creating "secrets" and information that needs to be shared with humans, but we are currently manually managing this. In larger complex and automated QA build environments - this simply isn't possible with manual intervention.

    We are seeking another solution that provides all of the great capabilities that 1password currently has - but add the ability to create "service accounts" ("actors") that can manipulate specific vaults. Then these Service Accounts/Actors can dynamically add/update/delete credentials as automation creates secrets that should be recorded.

    I realize that part of the fundamental design architecture of 1password with private and public key pairs makes this tricky to approach - but I suspect it's a feature that would catapult your feature set well ahead of many of the other solutions out there.

  • Drew_AG
    Drew_AG
    1Password Alumni

    Thank you very much for taking the time to let us know how that would be useful for you! We're always looking for ways to improve 1Password and love hearing from customers about what features they'd like. I can't make any promises about if or when we might add something like that, but I can certainly forward your comments to our developers to let them know you're interested.

    Don't hesitate to let us know if you need anything else. Have a great weekend! :)

  • jclende
    jclende
    Community Member

    For what it's worth, I am not in favor of an API that accesses passwords. I think this really opens up a lot of social engineering vulnerabilities (if not actual vulnerabilities), but if this feature is ever added, I'd like an option to disable API read access to all passwords across the board. If you want to extend functionality to ssh, would it be possible to make a custom terminal app, or may some sort of extension?

    That said, I would like to see an API that can send passwords. This would be extremely useful in 2 very common situations.

    1. During account registration, on a website or web app, a long, secure password (and even the username) could be automatically generated and inserted into a users vault. This could completely eliminate and potentially anonymize account registration procedures.

    2. In 1Password for Teams, IT/Admin could securely insert passwords into users personal vaults. This would not only allow the secure delivery of passwords, but it would also allow automated, periodic password changes.

  • AGAlumB
    AGAlumB
    1Password Alumni

    For what it's worth, I am not in favor of an API that accesses passwords. I think this really opens up a lot of social engineering vulnerabilities (if not actual vulnerabilities), but if this feature is ever added, I'd like an option to disable API read access to all passwords across the board. If you want to extend functionality to ssh, would it be possible to make a custom terminal app, or may some sort of extension?

    @jclende: Indeed, these are certainly things we'll need to consider. Excellent points.

    That said, I would like to see an API that can send passwords. This would be extremely useful in 2 very common situations.
    1) During account registration, on a website or web app, a long, secure password (and even the username) could be automatically generated and inserted into a users vault. This could completely eliminate and potentially anonymize account registration procedures.
    2) In 1Password for Teams, IT/Admin could securely insert passwords into users personal vaults. This would not only allow the secure delivery of passwords, but it would also allow automated, periodic password changes.

    Those are some really neat ideas! Thank you! Given that this discussion seems mainly targeted at workflow/automation, this is an angle I hadn't considered: sort of a password creation/distribution feature. I can see how that would be useful in some organizations. :)

  • bragi0
    bragi0
    Community Member

    FWIW we now heavily use a competitor at work because they have an API and we can use it fairly easily from Ansible. A well designed API made from the principle of least access where we can generate tokens and add a token, a list of tokens or a group of tokens to individual accounts, tags or folders makes it very easy to manage some of the older equipment in our fleet. Not everything out there takes in REST with auth tokens, and often admin / root accounts are local to individual pieces of kit, so being able to automate rolling out password changes to several thousand endpoints is a lot less painful, and for us a lot more secure than other options.

    Even just having a dedicated vault for programmatic access would have been tremendously useful.

    Usecase:

    box1 .. boxN have a local administrative account, that is the only way to access their REST API, as well as the only way to gather packet captures.

    Someone accidentally emails the admin password in a reply.

    We now need to change that password on all boxes box1..boxN as well as our orchestration tools boxX..boxZ and our front-end boxes boxP..boxW.

    Doing this by hand will take 4 SREs on the order of a couple of days to implement and check all of the connections.

    Automating this with Ansible to authenticate to the vault, get the old password, generate a new password, store the new one and then log into every endpoint to change it everywhere is several days of dev time, but minutes to roll out each time it's needed.

    This brings the side benefit of being able to regularly roll out new passwords reliably and quickly, something that pleases PCI auditors (not getting into that mess of security theatre, just that we have to do the dance).

  • AGAlumB
    AGAlumB
    1Password Alumni

    A well designed API made from the principle of least access where we can generate tokens and add a token, a list of tokens or a group of tokens to individual accounts, tags or folders makes it very easy to manage some of the older equipment in our fleet.

    Indeed, this is really interesting. Thank you for the feedback on this, and for sharing your example use case. :)

  • anortrup
    anortrup
    Community Member

    From a security perspective I would like to see 1Password provide an API that allows me to monitor use of my 1Password family account. I would like to be able to know when new devices or IPs log into 1Password or when values are changed inside of my account. This would be fantastic for the 1Password Teams offering and companies tracking security on an enterprise level with something like Splunk.

  • Hi @anortrup,

    It would be really cool to expose a way to get access to out audit event logs on the server. Right now they're a little cryptic and require a fair amount of work in order to make them presentable. If we could get at least some of that work done for you, there would be a lot of information that could be of use to you.

    Of course, I can't promise that we'll be doing this... but know that it's something that we think you should have access to and we'll try to make that possible for you.

    Rick

  • quickdraw6906
    quickdraw6906
    Community Member

    RE: Suggestion by jclende:
    /quote
    2. In 1Password for Teams, IT/Admin could securely insert passwords into users personal vaults. This would not only allow the secure delivery of passwords, but it would also allow automated, periodic password changes.
    /quote

    This is big deal. Currently DevOps will have to create a separate vault for each person like "Shared w/ Steve Smith". That's not efficient. If I just want to create a login to a server and send it securely to someone, I have to create a vault, create the item, add the person to the vault? There isn't a more efficient way to do this?

    Do you have a timeline for better sharing? Like symbolic links (clones that auto update from original). Like item sharing. We (50 people for now, up to hundreds) need to pick a tool and socialize it throughout the company. We're deep into a LastPass eval and don't like it, but it best fits the needs. 1Password comes SO CLOSE! You UI is so much better.

    I was saddened that your latest release didn't address sharing issues. Do you have a timeline for addressing sharing and IT level management features like sync'd copies?

  • AGAlumB
    AGAlumB
    1Password Alumni

    In 1Password for Teams, IT/Admin could securely insert passwords into users personal vaults. This would not only allow the secure delivery of passwords, but it would also allow automated, periodic password changes.

    @quickdraw6906: Personally I find it distasteful for someone other than me to put data into my personal vault, but it's certainly something we can consider. For now, it's incredibly easy for an admin to share a vault with someone else on their 1Password Team. Certainly efficiency is important, but so is security and user experience. At this time if an item is shared with you, you won't have the keys to decrypt it unless it's in a vault you have access to. That's very much by design. But one thing we could do perhaps that would work within these constraints is automate vault sharing so that when you try to share an item it sets up a vault automatically to facilitate this. As a user, it could appear like a single item is being shared, when really it has its own vault. But really I think that illustrates how the concept of "item sharing" is really meaningless; it's all about how it's presented to the user.

    Thanks for the kind words though! I'm glad to hear that you like 1Password so much, but we don't have a timeline for implementing every feature you can think of to ask for. It may be something we can do in the future, but certainly not immediately, and we can't make promises about future releases, as they're subject to change.

  • magamir
    magamir
    Community Member

    I work for a software company and we often have to setup test systems with different addons installed. Each addon needs a license, so we automated this process. We'd love to store the licenses securely in 1password if we need them manually, but still access them via an api.
    Are there any plans to address this API topic in the near future? Or do you rather set priorities on other features at the moment?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @magamir: We've definitely got our hands full with other things at the moment, but an API is something we're interested in. It sounds like it would make it much easier for you if you were able to access software licenses that way at least, but perhaps adding them programmatically is something we can explore too. Thanks for letting us know! :)

  • magamir
    magamir
    Community Member

    @brenty: Thanks for the information.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Likewise, thanks for your interest! :) :+1:

  • robertg
    robertg
    Community Member

    Adding ourselves to this request. We would like to see APIs for 1Password Teams. At a minimum, the ability to create and update records.

  • Drew_AG
    Drew_AG
    1Password Alumni

    Thanks for letting us know you'd be interested in that, @robertg! :)

  • ctaepper
    ctaepper
    Community Member

    +1 for at least being able to create/update/delete users for 1Password Teams via REST API

  • MacKopes
    MacKopes
    Community Member

    As a side, we are looking at Hashicorp Vault as an option for this. (Still would prefer 1Password as I think it is WAY easier to use)

  • Drew_AG
    Drew_AG
    1Password Alumni

    @ctaepper and @MacKopes, thanks for your feedback and for letting us know you're interested in that. Have a great weekend! :)

  • lukash
    lukash
    Community Member

    Hi there,

    I have tons of SSH keys w/ passphrases, some of them in iCloud vault, several in 1Password Teams vaults .. wanted to hack a script that would allow me to access them from command line but WITHOUT entering Master Password in my script of course (meaning only when 1Password in unlocked already - exactly like browser extension does it).

    Best way seemed to be the WebSocket API used for the browser extension but ... the signature verification and lack of info on this sadly made me give this up.

    I can see the API for these uses working exactly like the WebSocket between extension and Mini with some verification to authorized a new app using some mutual authentication ..

    This will give users BIG power in scripting on their own - as you said making API that 3rd party apps can use is VERY difficult in order to only give access to certain items but in my opinion not necessary for user-created scripts etc.

    Anybody has an idea how to script such a thing?

    Cheers!
    Lukas

  • AGAlumB
    AGAlumB
    1Password Alumni

    I have tons of SSH keys w/ passphrases, some of them in iCloud vault, several in 1Password Teams vaults .. wanted to hack a script that would allow me to access them from command line but WITHOUT entering Master Password in my script of course (meaning only when 1Password in unlocked already - exactly like browser extension does it).

    @lukash: This isn't possible with 1Password for Mac, but it's certainly a feature we can consider for the future.

    Best way seemed to be the WebSocket API used for the browser extension but ... the signature verification and lack of info on this sadly made me give this up.

    Indeed, 1Password wasn't designed with this use case in mind. It's meant to only communicate between 1Password and its extension, which is why we have code signature verification and other measures in place.

    I can see the API for these uses working exactly like the WebSocket between extension and Mini with some verification to authorized a new app using some mutual authentication ..
    This will give users BIG power in scripting on their own - as you said making API that 3rd party apps can use is VERY difficult in order to only give access to certain items but in my opinion not necessary for user-created scripts etc. Anybody has an idea how to script such a thing?

    It's definitely an interesting idea. Maybe we can do something in this area someday. Cheers! :)

  • lukash
    lukash
    Community Member

    For anybody trying to achieve something similar I've cooked up and AppleScript doing something close to that: https://github.com/lukaskuzmiak/SSHKeysVia1Password

    :-)

This discussion has been closed.