---
title: 1Password Connector
description: Use 1Password as the source of truth while keeping Cuitty Safe references stable.
section: Safe
order: 4
updatedAt: 2026-06-09
slug: safe/onepassword
---
# 1Password Connector

The 1Password connector is a pass-through provider. Cuitty Safe stores the Safe index and mapping metadata; 1Password stores the secret value.

## Mapping model

```text
acme/dev/database-url -> op://Development/Database/url
```

The Cuitty reference remains `account/safe/secret`. Vault names, item titles, field names, and stable 1Password object IDs belong in connector metadata.

## Auth modes

| Mode | Use case |
| --- | --- |
| Desktop app | Local development and desktop UI flows with human approval |
| Service account | CI/CD, headless workers, and automation with scoped vault access |
| 1Password Connect | Self-hosted deployments that already run Connect and want cached private REST access |

Service account auth should load from `OP_SERVICE_ACCOUNT_TOKEN` unless configured otherwise. Do not ask users to paste a 1Password account password into Cuitty Safe.

## Setup sketch

```bash
cuitty-safe connector 1password login --account acme
cuitty-safe connector 1password map acme/dev/database-url --op-ref op://Development/Database/url
cuitty-safe connector 1password map acme/ci/github-token --op-ref op://CI/GitHub/token
cuitty-safe connector 1password test --scope acme/dev
```

The `op://...` examples above are references, not values.

## Least privilege

- Grant service accounts access only to required vaults and fields.
- Prefer read-only permission for CI jobs that only resolve values.
- Store stable object IDs when available and keep display names for UI fallback.
- Cache metadata, not secret values. Secret value TTL defaults to `0`.
- Emit metadata-only audit events for reads, writes, and auth-required states.

## Marketplace status

The first milestone is a product connector. A 1Password Marketplace listing is a separate partner-readiness track with its own review, docs, support link, logo, and security checklist.