{
  "slug": "safe/onepassword",
  "title": "1Password Connector",
  "description": "Use 1Password as the source of truth while keeping Cuitty Safe references stable.",
  "url": "https://cuitty.com/docs/safe/onepassword",
  "markdown_url": "https://cuitty.com/docs/safe/onepassword.md",
  "json_url": "https://cuitty.com/docs/safe/onepassword.json",
  "frontmatter": {
    "title": "1Password Connector",
    "description": "Use 1Password as the source of truth while keeping Cuitty Safe references stable.",
    "order": 4,
    "section": "Safe",
    "updatedAt": "2026-06-09"
  },
  "headings": [
    {
      "depth": 1,
      "slug": "1password-connector",
      "text": "1Password Connector"
    },
    {
      "depth": 2,
      "slug": "mapping-model",
      "text": "Mapping model"
    },
    {
      "depth": 2,
      "slug": "auth-modes",
      "text": "Auth modes"
    },
    {
      "depth": 2,
      "slug": "setup-sketch",
      "text": "Setup sketch"
    },
    {
      "depth": 2,
      "slug": "least-privilege",
      "text": "Least privilege"
    },
    {
      "depth": 2,
      "slug": "marketplace-status",
      "text": "Marketplace status"
    }
  ],
  "body_markdown": "# 1Password Connector\n\nThe 1Password connector is a pass-through provider. Cuitty Safe stores the Safe index and mapping metadata; 1Password stores the secret value.\n\n## Mapping model\n\n```text\nacme/dev/database-url -> op://Development/Database/url\n```\n\nThe Cuitty reference remains `account/safe/secret`. Vault names, item titles, field names, and stable 1Password object IDs belong in connector metadata.\n\n## Auth modes\n\n| Mode | Use case |\n| --- | --- |\n| Desktop app | Local development and desktop UI flows with human approval |\n| Service account | CI/CD, headless workers, and automation with scoped vault access |\n| 1Password Connect | Self-hosted deployments that already run Connect and want cached private REST access |\n\nService account auth should load from `OP_SERVICE_ACCOUNT_TOKEN` unless configured otherwise. Do not ask users to paste a 1Password account password into Cuitty Safe.\n\n## Setup sketch\n\n```bash\ncuitty-safe connector 1password login --account acme\ncuitty-safe connector 1password map acme/dev/database-url --op-ref op://Development/Database/url\ncuitty-safe connector 1password map acme/ci/github-token --op-ref op://CI/GitHub/token\ncuitty-safe connector 1password test --scope acme/dev\n```\n\nThe `op://...` examples above are references, not values.\n\n## Least privilege\n\n- Grant service accounts access only to required vaults and fields.\n- Prefer read-only permission for CI jobs that only resolve values.\n- Store stable object IDs when available and keep display names for UI fallback.\n- Cache metadata, not secret values. Secret value TTL defaults to `0`.\n- Emit metadata-only audit events for reads, writes, and auth-required states.\n\n## Marketplace status\n\nThe first milestone is a product connector. A 1Password Marketplace listing is a separate partner-readiness track with its own review, docs, support link, logo, and security checklist.",
  "body_html": "<h1 id=\"1password-connector\">1Password Connector</h1>\n<p>The 1Password connector is a pass-through provider. Cuitty Safe stores the Safe index and mapping metadata; 1Password stores the secret value.</p>\n<h2 id=\"mapping-model\">Mapping model</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"text\"><code><span class=\"line\"><span>acme/dev/database-url -> op://Development/Database/url</span></span></code></pre>\n<p>The Cuitty reference remains <code>account/safe/secret</code>. Vault names, item titles, field names, and stable 1Password object IDs belong in connector metadata.</p>\n<h2 id=\"auth-modes\">Auth modes</h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<table><thead><tr><th>Mode</th><th>Use case</th></tr></thead><tbody><tr><td>Desktop app</td><td>Local development and desktop UI flows with human approval</td></tr><tr><td>Service account</td><td>CI/CD, headless workers, and automation with scoped vault access</td></tr><tr><td>1Password Connect</td><td>Self-hosted deployments that already run Connect and want cached private REST access</td></tr></tbody></table>\n<p>Service account auth should load from <code>OP_SERVICE_ACCOUNT_TOKEN</code> unless configured otherwise. Do not ask users to paste a 1Password account password into Cuitty Safe.</p>\n<h2 id=\"setup-sketch\">Setup sketch</h2>\n<pre class=\"astro-code github-dark\" style=\"background-color:#24292e;color:#e1e4e8; overflow-x: auto;\" tabindex=\"0\" data-language=\"bash\"><code><span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> connector</span><span style=\"color:#9ECBFF\"> 1password</span><span style=\"color:#9ECBFF\"> login</span><span style=\"color:#79B8FF\"> --account</span><span style=\"color:#9ECBFF\"> acme</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> connector</span><span style=\"color:#9ECBFF\"> 1password</span><span style=\"color:#9ECBFF\"> map</span><span style=\"color:#9ECBFF\"> acme/dev/database-url</span><span style=\"color:#79B8FF\"> --op-ref</span><span style=\"color:#9ECBFF\"> op://Development/Database/url</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> connector</span><span style=\"color:#9ECBFF\"> 1password</span><span style=\"color:#9ECBFF\"> map</span><span style=\"color:#9ECBFF\"> acme/ci/github-token</span><span style=\"color:#79B8FF\"> --op-ref</span><span style=\"color:#9ECBFF\"> op://CI/GitHub/token</span></span>\n<span class=\"line\"><span style=\"color:#B392F0\">cuitty-safe</span><span style=\"color:#9ECBFF\"> connector</span><span style=\"color:#9ECBFF\"> 1password</span><span style=\"color:#9ECBFF\"> test</span><span style=\"color:#79B8FF\"> --scope</span><span style=\"color:#9ECBFF\"> acme/dev</span></span></code></pre>\n<p>The <code>op://...</code> examples above are references, not values.</p>\n<h2 id=\"least-privilege\">Least privilege</h2>\n<ul>\n<li>Grant service accounts access only to required vaults and fields.</li>\n<li>Prefer read-only permission for CI jobs that only resolve values.</li>\n<li>Store stable object IDs when available and keep display names for UI fallback.</li>\n<li>Cache metadata, not secret values. Secret value TTL defaults to <code>0</code>.</li>\n<li>Emit metadata-only audit events for reads, writes, and auth-required states.</li>\n</ul>\n<h2 id=\"marketplace-status\">Marketplace status</h2>\n<p>The first milestone is a product connector. A 1Password Marketplace listing is a separate partner-readiness track with its own review, docs, support link, logo, and security checklist.</p>",
  "links_out": []
}