{"id":13858995,"url":"https://github.com/dcreemer/1pass","last_synced_at":"2026-01-07T09:58:08.851Z","repository":{"id":25102012,"uuid":"103188840","full_name":"dcreemer/1pass","owner":"dcreemer","description":"A caching wrapper for the 1Password CLI","archived":false,"fork":false,"pushed_at":"2024-04-23T23:42:15.000Z","size":130,"stargazers_count":161,"open_issues_count":8,"forks_count":28,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-08-06T03:06:32.107Z","etag":null,"topics":["1password","bash","cli","emacs","fzf","password-manager"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dcreemer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2017-09-11T21:14:22.000Z","updated_at":"2024-06-20T12:48:27.000Z","dependencies_parsed_at":"2024-04-24T00:25:10.001Z","dependency_job_id":"47477162-6a68-46e4-a986-12d3e7e51da3","html_url":"https://github.com/dcreemer/1pass","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcreemer%2F1pass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcreemer%2F1pass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcreemer%2F1pass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dcreemer%2F1pass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dcreemer","download_url":"https://codeload.github.com/dcreemer/1pass/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225938750,"owners_count":17548544,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["1password","bash","cli","emacs","fzf","password-manager"],"created_at":"2024-08-05T03:02:28.927Z","updated_at":"2026-01-07T09:58:08.839Z","avatar_url":"https://github.com/dcreemer.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# 1pass\n\n**1pass** is a caching wrapper for the [1Password\nCLI](https://support.1password.com/command-line-getting-started/) `op`.\n\n![Shellcheck](https://github.com/dcreemer/1pass/workflows/shellcheck/badge.svg)\n\n## NO LONGER MAINTAINED\n\nI am no longer maintaining this software, as the 1Password CLI version 2\nprovides all of the features I need.\n\n## WARNING 1password 2 CLI compatibility\n\nDo not upgrade to 1password CLI version 2! This `1pass` tool is not yet compatible with\nit.\n\n## UPGRADE NOTE\n\nUpgrading to version 1.1 requires installation of the\n[expect](https://core.tcl.tk/expect/index) tool. `1pass` will check for this (and\nother) dependencies and remind you to install them.\n\n## Introduction\n\n**1pass** is designed to make using your 1Password usernames and passwords quick and easy. It is\nintended for use within an interactive shell as well as from scripts. Once installed and configured\nas described below, you can obtain an account password in a shell simply by typing:\n\n```sh\n$ 1pass Github\n```\n\nand your Github password will be copied to the clipboard.\n\nThe official 1Password CLI application (```op```) can be difficult to use interactively, and unlike\nthe macOS or Windows 1Password native applications, requires an internet connection to fetch data\nfrom your password vaults. **1pass** solves both of these problems. ```Op``` needs session tokens to\nbe revalidated manually after 30 minutes of inactivity and produces rich output in JSON format. The\nJSON output is easy for a program to use, but is not trivially consumed by humans without help.\n**1pass** provides that help, with two main features:\n\n- a simplified interface for listing and fetching usernames, passwords, and other fields for\n  individual items.\n- an encrypted local cache of 1Password CLI results.\n\nTogether these features enable easy use of 1Password-stored credentials.\n\n## Installation\n\nFirst make sure that the `op` [1Password\nCLI](https://support.1password.com/command-line-getting-started/) and the `jq`\n[JQ](https://stedolan.github.io/jq) and\n[expect](https://core.tcl.tk/expect/index) requirements are installed. If you use\nhomebrew cask on macOS, this works well:\n\n```sh\n$ brew install 1password-cli\n$ brew install jq expect\n```\n\nIf you want to automate 2FA (TOTP) logging into 1password.com, then also install the oathtool, and\nsee further instructions below.\n\n```sh\n$ brew install oath-toolkit\n```\n\nCopy the 1pass executable file to a suitable location on your PATH (for example, /usr/local/bin)\nand ensure that it is executable. For example:\n\n```sh\ncurl https://raw.githubusercontent.com/dcreemer/1pass/master/1pass \u003e /usr/local/bin/1pass\nchmod a+x /usr/local/bin/1pass\n```\n\n### Bash Completion\n\nIf you would like to install bash-completion for 1pass, place the `bash-completion.sh` script in\nand accessible location and then source it from your `.bash_profile`.  For example:\n\n```sh\nmkdir -p /usr/local/etc/1pass\ncurl https://raw.githubusercontent.com/dcreemer/1pass/master/bash_completion.sh \u003e /usr/local/etc/1pass/bash_completion.sh\necho \"source /usr/local/etc/1pass/bash_completion.sh\" \u003e\u003e ~/.bash_profile\n```\n\nBy default the completion script will look for `fzf` completion support in your environment. If present,\nit will use fzf completion ([see here](https://github.com/junegunn/fzf#fuzzy-completion-for-bash-and-zsh)).\n\n_Note: If you have installed `fzf` using homebrew on macOS, make sure you have enabled completion by\nrunning `$(brew --prefix)/opt/fzf/install --completion` and follow the prompts._\n\nIf you do not have fzf or if you turn this feature off it will revert to standard bash completion\nbehavior. If you would like to explicitly disable FZF completion for 1pass, you can do so as follows:\n\n```sh\nexport ONEPASS_FZF_COMPLETE=false\n```\nThis line should be added to your `.bash_profile`\n\n## Security and Warning\n\n**1pass** requires you to store your 1Password master password in a local GPG-encrypted file. You\nshould inspect the source code to ensure that you trust the software, as well as read this\ndocumentation to understand the security tradeoffs.\n\nLike the 1Password application itself, **1pass** relies on *one password*. However that password is\n**not** your 1Password \"master password\" -- it is your Gnu Privacy Guard ([gpg](https://gnupg.org/))\nprivate key. GPG, when configured to use the GPG-agent, will cache your private key password for a\nconfigurable length of time (a few hours to a day is perhaps reasonable). **1pass** uses your GPG\nkey to store an encrypted copies of your 1Password master password and your 1Password account secret\nkey.\n\nWhen data is needed from your online 1Password data store, the master password and secret key are\ntemporarily decrypted and exchanged for a session token, which is also then encrypted and stored.\nThe session token will be refreshed as needed. These actions happen automatically once your GPG key\nis available in the GPG-agent.\n\nThe data that is fetched from the 1Password service is cached in local files -- once again also\nencrypted using your GPG private key.\n\nYou can \"lock\" your **1pass** session by running the \"forget\" command:\n\n```sh\n$ 1pass -f\ncleared local session\n```\n\nwhich removes the local session token (if any), and calls ```gpgconf --kill gpg-agent``` to purge\nany running gpg-agent of your GPG secret keys.\n\n## Configuration\n\nIn order to run with minimum user input, **1pass** relies on the Gnu Privacy Guard\n[gpg](https://gnupg.org/) to encrypt all locally stored data. 1Password needs both a *master\npassword* and a *secret key* to access your vault. Each of these must be stored in an encrypted\nfile (in ~/.1pass or `$XDG_CONFIG_HOME/1pass`) for 1pass to work correctly. 1pass encrypts these\nand all other files with your own gpg key. This key, as well as your 1Password login email and\ndomain must be configured in the ~/.1pass/config file. The domain is the full domain name that you\nuse to sign-in when you use the 1Password website, for example `example.1password.com` or\n`subdomain.1password.ca`.\n\nGPG can be configured to use the ```gpg-agent```, which can prompt for your *gpg* password, and\ncache it in a local agent for a fixed amount of time. If you configure GPG this way, you will only\nneed to enter you GPG password (e.g.) once a day, and then seldom need to enter your 1Password\nmaster password.\n\nRunning ```1pass -rv``` repeatedly will output instructions on how to configure this file and safely\nstore your master password and secret key.\n\n```sh\n$ ./1pass -rv\nplease config 1pass by editing /home/me/.1pass/config\n$ vi ~/.1pass/config\n$ ./1pass -rv\nplease put your master password into /home/me/.1pass/_master.gpg\nex: echo \"master-password\" | gpg -er me@example.com \u003e /home/me/.1pass/_master.gpg\n$ echo \"sEcre77\" | gpg -er me@example.com \u003e /home/me/.1pass/_master.gpg\n$ ./1pass -rv\nplease put your mysubdomain.1password.com secret key into /home/me/.1pass/_secret.gpg\nex: echo \"A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX\" | gpg -er me@example.com \u003e /home/me/.1pass/_secret.gpg\n$ echo \"A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX\" | gpg -er me@example.com \u003e /home/me/.1pass/_secret.gpg\n$ ./1pass -rv\nsigning in to mysubdomain.1password.com me@example.com\n...\n```\n\n## Usage\n\nOnce you are configured and signed in, you are ready to use **1pass**. The simplest command is\n**1pass** with no arguments to list all items in your vault:\n\n```sh\n$ 1pass\nGithub\nMyBankAccount\ngmail.com\n...\n```\n\nThe list consists of the *titles* of each item. You can then retrieve the password of an item:\n\n```sh\n$ 1pass -p Github\nsjd$kh23@0dfjs1DDj\n```\n\nThe password is echoed to the standard output (when the '-p' option is used). You can easily use\nthis in scripts, for example:\n\n```sh\nexport PGPASSWORD=$(1pass -p MyPostgresServer)\n```\n\nWithout the '-p' option, 1pass copies the password to the clipboard:\n\n```sh\n$ 1pass Github\n```\n\nThe contents of the clipboard will be automatically cleared after 30 seconds. You can also pass\n**1pass** an optional field argument -- for example \"username\" to retrieve that field from the item:\n\n```sh\n$ 1pass -p MyBankAccount username\nme@example.com\n```\n\nSometimes it's easier to pass the title to search for via stdin, rather than as a command line\nargument. Use the `-` character to force 1pass to read from stdin for the value.\n\n```sh\n$ echo \"MyBankAccount\" | 1pass -p - username\nme@example.com\n```\n\n**1pass** can lookup other fields besides username or password. They field name is the \"label\" for\nthe field in the 1Password GUI.\n\n```sh\n$ 1pass -p MyBankAccount pin\n1234\n```\n\n**1pass** has special support for TOTP fields -- these are fetched directly via `op`\nrather than a local cache. (Thanks to (@ev0rtex)[https://github.com/ev0rtex]).\nNote that this **is different** from using TOTP 2FA to log into your 1Password\naccount (that is supported too -- see below)\n\n```sh\n$ 1pass -p MyBankAccount totp\n9865432\n```\n\n## FZF Integration\n\n**1pass** can be nicely combined with [fzf](https://github.com/junegunn/fzf) for fuzzy search and\ncompletion.\n\nStarting with 1pass v1.5:\n\n```sh\n$ 1pass | fzf | 1pass -p -\n```\n\nwhich can be easily created as an alias in your `.bashrc` or equivalent:\n\n`alias fp=\"1pass | fzf | 1pass -p -\"`\n\nIn older versions: See [fuzzpass.sh](fuzzpass.sh) or [fuzzpass.fish](fuzzpass.fish) for sample\nintegration functions.\n\n## Emacs\n\nFor the brave, a trivial Emacs wrapper library is included. E.g.\n\n```elisp\n(setq freenode-nick-username (1pass--item-username \"Freenode/nick1\"))\n(setq freenode-nick-password (1pass--item-password \"Freenode/nick1\"))\n(setq freenode-nick-password (1pass--item-field \"Freenode\" \"server\"))\n```\n\n## Iterm2 integration\n\n(This work is thanks to [birlog](https://github.com/birlorg)). This integration lets you select and\ninsert passwords into programs running in iTerm2(shell). If you are tired of typing in your sudo\npassword, this is for you.\n\nThis is effectively a clone of [sudolikeaboss](https://github.com/ravenac95/sudolikeaboss)\nfunctionality. with the caveat that all of your passwords are available, not just ones tagged\nx-sudolikeaboss\n\nUsing [choose](https://github.com/chipsenkbeil/choose) (a GUI fzf clone)\n\nin iTerm2, go to preferences, then keys, add a new key `open-apple+/` to run coprocess and then\ncopy paste in the command to run box:\n\n`export PATH=\"/usr/local/bin:/usr/bin\"; 1pass | choose | 1pass -p -`\n\nThen start a program asking for input like `sudo -s` and then at the password prompt push the key\nyou assigned earlier(`open-apple+/` above) and select the password title by typing or arrowing\ndown/up and then hit enter. It might take a second, as 1pass has to go fetch your password from\n1pass, but it then should type in your password and hit enter for you.\n\nIf you run into trouble, iTerm2 should attach a little yellow bar at the top, select 'view errors'\nand it should then open a new window showing the output of the commands above, you will need to\nwork through whatever issue comes up.\n\nIf you get a `Command not found error` You installed choose, 1pass or op other than\n`/usr/local/bin/`, you will need to edit the PATH part of the line above.\n\nFZF will not work in place of choose, as coprocesses if they want to ask for user input need to\nhappen in their own window.\n\n\n## Caching and Sessions\n\nWhen using **1pass**, all response data from 1Password is encrypted and then cached to\n```~/.1pass/cache```. Sometimes this cache will be out of date -- for example if you have created a\nnew password entry via the 1Password application. Passing ```-r``` to **1pass** will force a refresh\nfrom the online 1Password vault.\n\nSimilarly, 1Password CLI sessions last for 30 minutes from the time of last use. **1pass** will\nmanage the session for you, and refresh it as needed.\n\n## 2FA for 1Password\n\nIf you have turned on two-factor authentication (2FA) support for your 1Password account, then\n1pass will prompt for you to enter a TOTP code when creating a session. You can either re-enter\nthis code after every session expiration (30 minutes of inactivity), or automate entry of the code\nusing the oath-toolkit `oathtool` command. If you wish to automate the 2FA process, add\n`use_totp=\"1\"` to your config file, and follow the instructions to store the TOTP secret:\n\n```sh\n$ ./1pass -rv\nplease put your ${domain} totp secret into /home/me/.1pass/_totp.gpg\nex: echo \\\"XXXXXXXXXXXXXXXX\\\" | $GPG -er $email \u003e /home/me/.1pass/_totp.gpg\n```\n\n## License\n\nCopyright (c) 2017-2021, David Creemer (twitter:\n[@dcreemer](https://twitter.com/dcreemer)) with some components from other GPL 2+\nsoftware.\n\n[GPL3](https://raw.githubusercontent.com/dcreemer/1pass/master/LICENSE)\n\n## Credits\n\nSome ideas, and a tiny bit of code are taken from [pass](https://www.passwordstore.org) by Jason\nA. Donenfeld. Please see the git commit log for contributions from others.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdcreemer%2F1pass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdcreemer%2F1pass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdcreemer%2F1pass/lists"}