1Password is not clear about its position on secret key confidentiality. Here are some excerpts from the support page on the secret key, https://support.1password.com/secret-key-security/ :
Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.
Also, from the same page
Keep it secret. Don’t send it to us or make it public.
We can draw at least two conclusions from your support page, 1) Keep your secret key secret, 2) Don't share it with anyone, not even 1Password.
The login page at https://my.1password.com requires users to send all their local secrets, master password and secret key, to log in to the 1Password online service. The online service is the only service that allows for account management tasks, such as changing account or subscription details. Sharing all user secrets with 1Password, over the internet, goes directly against everything you've communicated about the secret key so far. To top it off, the endpoint that accepts the secrets are protected by a DV certificate—easily achieved by anyone from services like Let's Encrypt.
Different operations has different requirements to confidentiality, integrity and availability; the 1Password web ui is no exception. Changing credit card details or inviting a new family member to the family 1Password account does not have the same requirements to integrity as accessing all user secrets stored with 1Password.
I ask you to do the following
Alternatively make the web ui obsolete by offering the same services in the application.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided