Loading...
Loading...
Fetch secrets and create/manage 1Password items via CLI. Use when needing API keys, tokens, or credentials, or when storing new secrets. Ask user for the 1Password secret reference (op://Vault/Item/field format) rather than the actual secret.
npx skill4agent add steveclarke/dotfiles 1passwordop# Read a secret value
op read "op://Vault/Item/field"
# Use in a command (secret never shown in shell history)
some-cli --token "$(op read 'op://Vault/Item/api-key')"
# Use as environment variable
export API_KEY="$(op read 'op://Vault/Item/api-key')"# CLI auth
toggl auth "$(op read 'op://Employee/Toggl/api key')"
gh auth login --with-token < <(op read 'op://Personal/GitHub/token')
# Docker login
docker login -u $(op read op://Vault/Docker/username) -p $(op read op://Vault/Docker/password)op://vault-name/item-name/field-name
op://vault-name/item-name/section-name/field-nameop read "op://Vault/Item/one-time password?attribute=otp" # TOTP
op read "op://Vault/Item/private key?ssh-format=openssh" # SSH key"Field Name[text]=value" # Plain text (visible)
"Field Name[concealed]=value" # Password/secret (hidden)
"Field Name[url]=https://..." # Clickable URL
"Field Name[delete]" # Remove a field[text][url]op item create --category="API Credential" --title="Service Name - App Name" --vault="VaultName" \
"Client ID[text]=ABC123" \
"Client Secret[concealed]=secret-value-here" \
"Account[text]=user@example.com" \
"Redirect URL[text]=http://localhost:8080" \
"Authorization URL[text]=https://service.com/oauth2/authorize" \
"Token Request URL[text]=https://api.service.com/oauth2/token" \
"Developer Portal[url]=https://developer.service.com" \
"notesPlain=Context about this credential and any gotchas."op item create --category="API Credential" --title="Service Name API" --vault="VaultName" \
"API Key[concealed]=sk-xxxxxxxxxxxx" \
"Account[text]=user@example.com" \
"Documentation[url]=https://docs.service.com/api" \
"notesPlain=Used for X purpose. Rate limit: 1000/day."op item create --category="Database" --title="Production DB - ServiceName" --vault="VaultName" \
"type[text]=postgresql" \
"server[text]=db.example.com" \
"port[text]=5432" \
"database[text]=myapp_production" \
"username[text]=app_user" \
"password[concealed]=secret-password" \
"notesPlain=Read replica. Primary is on port 5433."op item edit# WRONG — defaults to concealed, hides the URL and username
op item edit "My Item" "Section.URL=https://example.com" "Section.username=admin"
# RIGHT — only the password is concealed
op item edit "My Item" "Section.URL[url]=https://example.com" "Section.username[text]=admin" "Section.password[concealed]=secret"valid fromexpires# Delete if not applicable
op item edit "Item Name" --vault="VaultName" "valid from[delete]" "expires[delete]"
# Set if applicable
op item edit "Item Name" --vault="VaultName" "valid from=2026-01-27" "expires=2027-01-27"| Bad | Good |
|---|---|
| |
| |
| |
op signinop vault list