1password

1Password CLI

Use the 1Password CLI (`op`) to fetch and manage secrets without exposing them in plain text.

Fetching Secrets

Ask the user for their 1Password secret reference (right-click field in 1Password → "Copy Secret Reference"):

```bash
# Read a secret value
op read "op://Vault/Item/field"

# Use in a command (secret never shown in shell history)
# The value is still passed as an argument, so it is visible in the process list while some-cli runs.
some-cli --token "$(op read 'op://Vault/Item/api-key')"

# Use as environment variable
export API_KEY="$(op read 'op://Vault/Item/api-key')"
```

Common Patterns

```bash
# CLI auth
toggl auth "$(op read 'op://Employee/Toggl/api key')"
gh auth login --with-token < <(op read 'op://Personal/GitHub/token')

# Docker login (password is piped on stdin so it does not appear in the process argument list)
op read op://Vault/Docker/password | docker login -u "$(op read op://Vault/Docker/username)" --password-stdin
```

Reference Format

```
op://vault-name/item-name/field-name
op://vault-name/item-name/section-name/field-name
```

Special fields:

```bash
op read "op://Vault/Item/one-time password?attribute=otp"      # TOTP
op read "op://Vault/Item/private key?ssh-format=openssh"        # SSH key
```
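
A reference pasted in by a user can be checked against the two shapes above before it reaches `op read`. The function below is an added example, not part of the original page or of the 1Password CLI; `parse_op_ref`, its character allow-list and its query allow-list (only the two parameters shown above) are assumptions of this sketch.

```bash
#!/bin/sh
# Added example: validate a user-supplied secret reference before `op read`.
# Assumptions: the character allow-list and the query allow-list below.

# Prints "vault|item|section|field|query" and returns 0; returns 1 if malformed.
parse_op_ref() (
  ref=$1
  case $ref in
    op://*) rest=${ref#op://} ;;
    *) exit 1 ;;
  esac
  # Split off an optional ?query and reject an empty one.
  query=
  case $rest in
    *\?*) query=${rest#*\?}; rest=${rest%%\?*}
          [ -n "$query" ] || exit 1 ;;
  esac
  case $query in
    ''|attribute=otp|ssh-format=openssh) ;;
    *) exit 1 ;;
  esac
  # Names may contain only letters, digits, space, '-', '_' and '.'.
  case $rest in
    *[!A-Za-z0-9\ ._/-]*) exit 1 ;;
  esac
  # No empty segments (covers leading, trailing and doubled slashes).
  case /$rest/ in
    *//*) exit 1 ;;
  esac
  IFS=/
  set -- $rest
  case $# in
    3) printf '%s|%s||%s|%s\n' "$1" "$2" "$3" "$query" ;;
    4) printf '%s|%s|%s|%s|%s\n' "$1" "$2" "$3" "$4" "$query" ;;
    *) exit 1 ;;
  esac
)

# Constructed sample input.
for r in 'op://Vault/Item/api-key' 'op://Vault/Item' \
         'op://Vault/Item/private key?ssh-format=openssh'; do
  if parsed=$(parse_op_ref "$r"); then
    printf 'ok   %s -> %s\n' "$r" "$parsed"
  else
    printf 'bad  %s\n' "$r"
  fi
done
```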

Creating Items

Field Type Syntax

```bash
"Field Name[text]=value"        # Plain text (visible)
"Field Name[concealed]=value"   # Password/secret (hidden)
"Field Name[url]=https://..."   # Clickable URL
"Field Name[delete]"            # Remove a field
```

Default (no suffix) = concealed. Always be explicit about field types.

Principles

  1. Only conceal actual secrets — passwords, API keys, tokens. URLs, usernames, client IDs, hostnames, ports, and other non-sensitive identifiers must use `[text]` or `[url]`. If someone would read it aloud in a meeting, it's not a secret.
  2. Use clear, descriptive field names — Match the source terminology
  3. Include context — Add account info, notes, and details
  4. Clean up template cruft — Remove or set default fields from templates

OAuth API Credential

```bash
op item create --category="API Credential" --title="Service Name - App Name" --vault="VaultName" \
  "Client ID[text]=ABC123" \
  "Client Secret[concealed]=secret-value-here" \
  "Account[text]=user@example.com" \
  "Redirect URL[text]=http://localhost:8080" \
  "Authorization URL[text]=https://service.com/oauth2/authorize" \
  "Token Request URL[text]=https://api.service.com/oauth2/token" \
  "Developer Portal[url]=https://developer.service.com" \
  "notesPlain=Context about this credential and any gotchas."
```

Simple API Key

```bash
op item create --category="API Credential" --title="Service Name API" --vault="VaultName" \
  "API Key[concealed]=sk-xxxxxxxxxxxx" \
  "Account[text]=user@example.com" \
  "Documentation[url]=https://docs.service.com/api" \
  "notesPlain=Used for X purpose. Rate limit: 1000/day."
```

Database Credential

```bash
op item create --category="Database" --title="Production DB - ServiceName" --vault="VaultName" \
  "type[text]=postgresql" \
  "server[text]=db.example.com" \
  "port[text]=5432" \
  "database[text]=myapp_production" \
  "username[text]=app_user" \
  "password[concealed]=secret-password" \
  "notesPlain=Read replica. Primary is on port 5433."
```

Editing Existing Items

When adding fields to existing items with `op item edit`, the same type rules apply — always specify the field type explicitly:

```bash
# WRONG — defaults to concealed, hides the URL and username
op item edit "My Item" "Section.URL=https://example.com" "Section.username=admin"

# RIGHT — only the password is concealed
op item edit "My Item" "Section.URL[url]=https://example.com" "Section.username[text]=admin" "Section.password[concealed]=secret"
```
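
The type rules and the first principle above can be checked mechanically before an `op item create` or `op item edit` call is run. The linter below is an added example, not part of the original page or of the 1Password CLI; `lint_field`, its verdict names and the name keywords it uses to guess whether a field is a secret are assumptions of this sketch.

```bash
#!/bin/sh
# Added example: lint field assignments against the page's type rules.
# Assumption: the keyword lists below approximate "actual secret" vs. identifier.

# Prints one verdict (ok, untyped, overconcealed, exposed, unknown-type)
# and returns 0 only for "ok".
lint_field() (
  lhs=${1%%=*}                       # part before the first '='
  case $lhs in
    notesPlain) echo ok; exit 0 ;;   # notes field, written without a type on this page
    *\[*\]) ftype=${lhs##*\[}; ftype=${ftype%\]}; name=${lhs%\[*} ;;
    *) echo untyped; exit 1 ;;       # no suffix: the field defaults to concealed
  esac
  lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
  case $lname in
    *url*|*uri*) secret=no ;;        # e.g. "Token Request URL" is not a token
    *password*|*secret*|*token*|*'api key'*|*'private key'*) secret=yes ;;
    *) secret=no ;;
  esac
  case $ftype:$secret in
    delete:*|concealed:yes|text:no|url:no) echo ok ;;
    concealed:no) echo overconcealed; exit 1 ;;   # identifier hidden for no reason
    text:yes|url:yes) echo exposed; exit 1 ;;     # secret stored as visible text
    *) echo unknown-type; exit 1 ;;               # a type not listed on this page
  esac
)

# Constructed sample: the WRONG and RIGHT assignments from the section above.
for a in 'Section.URL=https://example.com' 'Section.username=admin' \
         'Section.URL[url]=https://example.com' 'Section.username[text]=admin' \
         'Section.password[concealed]=secret'; do
  printf '%-14s %s\n' "$(lint_field "$a")" "$a"
done
```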

Handling Template Fields

Some categories add default fields like `valid from` and `expires` set to epoch 0.

```bash
# Delete if not applicable
op item edit "Item Name" --vault="VaultName" "valid from[delete]" "expires[delete]"

# Set if applicable
op item edit "Item Name" --vault="VaultName" "valid from=2026-01-27" "expires=2027-01-27"
```

Field Naming

| Bad | Good |
|-----|------|
| credential | Client ID |
| token_uri | Token Request URL |
| secret | Client Secret or API Key |

Match the terminology from the service's docs.

Prerequisites
