1Password CLI reference
Manage 1Password vault metadata and item fields from the terminal. These commands let you list vaults and items, create fields, and rotate values — all without printing secret content.
Command tree
loom secrets op
├── vault
│   └── list      List accessible vaults
└── item
    ├── list      List item paths and field names
    ├── create    Create an item field from an environment variable
    └── update    Update an item field from an environment variable
Prerequisites
| Requirement | Detail |
|---|---|
| OP_SERVICE_ACCOUNT_TOKEN | Must be exported in your shell |
| Vault access | Service account needs read access (write access for create and update) |
All commands use the 1Password Go SDK internally — no op CLI installation is required.
See Install and configure 1Password if you have not set up authentication yet.
Vault commands
loom secrets op vault list
List every vault the service account can access.
loom secrets op vault list
Output:
name=Engineering id=vlt_abc123
name=Platform id=vlt_def456
Returns no op vaults found if the service account has no vault assignments.
Item commands
loom secrets op item list
List item paths and their field names within a vault.
Flags:
| Flag | Required | Description |
|---|---|---|
| --vault | Yes | Vault name or UUID |
| --item-prefix | No | Filter results by item path prefix |
Examples:
List all items in a vault:
loom secrets op item list --vault Engineering
Filter by prefix:
loom secrets op item list \
--vault Engineering \
--item-prefix services/loom
Output:
services/loom/deploy password,token
services/loom/db username,password
Returns no op items found if no items match.
loom secrets op item create
Create a new item with a field. The value is read from an environment variable — never passed as a CLI argument.
Flags:
| Flag | Required | Description |
|---|---|---|
| --vault | Yes | Vault name or UUID |
| --item-path | Yes | Item path/title (e.g. services/loom/deploy) |
| --field | Yes | Field name (e.g. token, password) |
| --value-from-env | Yes | Name of the environment variable holding the value |
Example:
export DEPLOY_TOKEN_VALUE="tok_abc123"
loom secrets op item create \
--vault Engineering \
--item-path services/loom/deploy \
--field token \
--value-from-env DEPLOY_TOKEN_VALUE
Output:
item field created: vault=Engineering item=services/loom/deploy field=token
loom secrets op item update
Update an existing field value, or append the field if it does not exist on the item. As with create, the value is read from an environment variable and never passed as a CLI argument.
Flags:
| Flag | Required | Description |
|---|---|---|
| --vault | Yes | Vault name or UUID |
| --item-path | Yes | Existing item path/title |
| --field | Yes | Field name to update or append |
| --value-from-env | Yes | Name of the environment variable holding the value |
Example:
export DEPLOY_TOKEN_VALUE="tok_rotated_456"
loom secrets op item update \
--vault Engineering \
--item-path services/loom/deploy \
--field token \
--value-from-env DEPLOY_TOKEN_VALUE
Output:
item field updated: vault=Engineering item=services/loom/deploy field=token
Security design
All commands follow Loom's secrets security principles:
| Principle | How it is enforced |
|---|---|
| No secret values in flags | Mutation commands accept values through --value-from-env to avoid shell history and ps exposure |
| Metadata-only output | Output shows vault names/IDs, item paths, and field names — never secret content |
| Fail closed | Missing auth or invalid references produce structured error codes, not partial results |
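The examples above type the value into an `export` line, which an interactive shell records in its history. This added example (not Loom's own code) reads the value from a no-echo prompt or a pipe and hands it to `loom secrets op item update` through that one process's environment. `rotate_field` and `LOOM_NEW_VALUE` are names assumed for the example.

```sh
#!/bin/sh
# Added example (not part of Loom): rotate one field without the secret ever
# appearing in argv, shell history, or the parent shell's environment.
# Assumptions: `loom` is on PATH, OP_SERVICE_ACCOUNT_TOKEN is already exported,
# and LOOM_NEW_VALUE is a variable name chosen for this example.

# rotate_field VAULT ITEM_PATH FIELD
# The body runs in a subshell "( ... )", so the value disappears when it ends.
rotate_field() (
  vault=$1 item_path=$2 field=$3

  if [ -t 0 ]; then
    # Interactive: prompt with terminal echo off, restore echo on any exit.
    trap 'stty echo' EXIT
    trap 'exit 130' INT TERM
    printf 'New value for %s: ' "$field" >&2
    stty -echo
    IFS= read -r value
    printf '\n' >&2
  else
    # Non-interactive: take the first line of stdin (e.g. from a generator).
    IFS= read -r value
  fi

  if [ -z "$value" ]; then
    echo "rotate_field: empty value, nothing written" >&2
    exit 1
  fi

  # The assignment prefix puts the variable in loom's environment only.
  LOOM_NEW_VALUE=$value loom secrets op item update \
    --vault "$vault" \
    --item-path "$item_path" \
    --field "$field" \
    --value-from-env LOOM_NEW_VALUE
)

# Usage:  rotate_field Engineering services/loom/deploy token
```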
Next steps
- Provider overview — URI format, resolution flow, and error codes.
- Install and configure 1Password — prerequisites and authentication setup.
- All providers — compare with KeePass and environment passthrough.