🚧 DMNO is still in beta! Use with caution!

1Password plugin

DMNO’s 1Password plugin allows you to securely access your stored secrets in 1Password. This plugin uses the 1Password CLI by means of a Service Account. It is compatible with any account type. Note that rate limits vary by account type; you can read more about that in the 1Password Developer documentation.


Install the package

npm add @dmno/1password-plugin

Initialize the plugin in the root service, or in an individual service if it is not shared

import { defineDmnoService, configPath } from 'dmno';
import { OnePasswordDmnoPlugin, OnePasswordTypes } from '@dmno/1password-plugin';

const OnePassBackend = new OnePasswordDmnoPlugin('1pass/prod', {
  token: configPath('OP_TOKEN'),
  // if using an item link, we will assume the config is in an item called `env`
  envItemLink: '',
});
// OR
const OnePassBackend2 = new OnePasswordDmnoPlugin('1pass/prod', {
  token: configPath('OP_TOKEN'),
  // using a reference to the actual item
  envItem: '"op://dev test/n4wmgfq77mydg5lebtroa3ykvm/env"',
});

export default defineDmnoService({
  schema: {
    // the service account token that both plugin instances read via configPath
    OP_TOKEN: {
      extends: OnePasswordTypes.serviceAccountToken,
      // NOTE - the type itself is already marked as secret
    },
  },
});

Note, we’re giving the plugin an alias, in this case 1pass/prod, so we can refer to it in other services or in the CLI. This is useful if you have multiple vaults or service accounts.

If you don’t have an existing service account or vault, we’ll go over that in the next section.

Setting up your vaults and service account(s)

  1. Create a vault in your 1Password account. This is where you’ll store your secrets. You can create multiple vaults for different environments or services.

  2. Create a service account in your 1Password account. This is a separate account that has access to the vault(s) you created. You can create multiple service accounts for different environments or services.

  3. Add the service account to the vault. This is done in the 1Password web interface. You can add multiple service accounts to a single vault.

Add your items

DMNO supports a few different ways to reference items in 1Password. You can use a direct link to the item, the item’s UUID, or a reference to the item in the format op://vaultname/itemname/path. We also support storing the items in one large blob, similar to your existing .env file(s). This allows you to easily transition from a .env file to 1Password as a secure vault.

Using an env blob

If you have a single item that contains all your secrets, you can reference that item in your config. In the example below, we’re referencing an item called env that contains all our secrets and matching based on the key, in this case ITEM_PULLING_FROM_ENV_BLOB_ITEM.

ITEM_PULLING_FROM_ENV_BLOB_ITEM: {
  // from blob env
  value: OnePassBackend.item(),
},

You can also reference a specific item in 1Password, in the following three ways:

// ...
// from private link
value: OnePassBackend.itemByLink('', 'somepath'),
// from vault UUID and item UUID
value: OnePassBackend.itemById('vaultUuid', 'itemUuid', 'somepath'),
// from an op:// reference
value: OnePassBackend.itemByReference('op://vaultname/itemname/path'),
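
The op://vaultname/itemname/path format described above can be checked before a reference is handed to itemByReference or envItem. The following TypeScript is an added example, not code from DMNO or 1Password; the names parseOpReference and checkOpReference, the optional section segment, and the allowed-character rule are assumptions made for illustration.

```typescript
// Added example (not DMNO or 1Password code): validate secret references of the
// form op://vault/item/[section/]field before they are used in config.
// Query attributes (e.g. "?attribute=...") are out of scope for this sketch.
interface OpReference {
  vault: string;
  item: string;
  section: string | undefined;
  field: string;
}

// Assumed character set for names: letters, digits, "-", "_", "." and space.
// Anything else should be addressed by its ID instead of its name.
const SEGMENT = /^[A-Za-z0-9._\- ]+$/;

function parseOpReference(raw: string): OpReference {
  let ref = raw.trim();
  // Tolerate one pair of wrapping double quotes, as in the page's envItem value.
  if (ref.length >= 2 && ref.startsWith('"') && ref.endsWith('"')) {
    ref = ref.slice(1, -1);
  }
  // Error messages never echo the input: a pasted secret must not reach logs.
  if (!ref.startsWith('op://')) throw new Error('not an op:// reference');
  const parts = ref.slice('op://'.length).split('/');
  if (parts.length < 3 || parts.length > 4) {
    throw new Error('expected vault/item/[section/]field');
  }
  parts.forEach((part, i) => {
    if (part.trim() === '') throw new Error(`segment ${i + 1} is empty`);
    if (!SEGMENT.test(part)) throw new Error(`segment ${i + 1} has unsupported characters`);
  });
  const field = parts.pop() ?? '';
  const [vault = '', item = '', section] = parts;
  return { vault, item, section, field };
}

// Returns null when the reference is well formed, otherwise the reason.
function checkOpReference(raw: string): string | null {
  try {
    parseOpReference(raw);
    return null;
  } catch (err) {
    return err instanceof Error ? err.message : 'invalid reference';
  }
}
```

Running checkOpReference over every reference in a config file as a CI step catches a malformed or mistyped reference before the service account is ever queried.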