Skip to main content

Overview

The 1Password integration enables your AI agent to securely authenticate with services during browser automation by injecting secrets, credentials, and other sensitive data from your 1Password vaults directly into your Anchor Browser sessions. This gives your AI agent the ability to log into websites, access APIs, and perform authenticated actions without you needing to hardcode credentials in your automation scripts.
The actual secret values are never exposed to the AI agent, logs, API responses, or any other output

Prerequisites

Before you can use the 1Password integration, you need:
  1. 1Password Account: An active 1Password account with access to the secrets you want to use in a vault different than “Personal”.
  2. Anchor Browser API Key: Your Anchor Browser API key for authentication

Getting a 1Password Service Account Token

  1. Log in to your 1Password account
  2. Navigate to DeveloperDirectoryService Accounts
  3. Click Create Service Account
  4. Give your service account a descriptive name (e.g., “Anchor Browser Automation”)
  5. Grant the service account access to the vaults containing the secrets you need
  6. Copy the service account token (starts with ops_) - you’ll need this for the integration setup
Store your service account token securely. It provides access to your 1Password secrets and should be treated like a password.

Using 1Password as an Identity Auth Method

In addition to injecting raw secrets as environment variables (described above), 1Password can back an Identity — the credentials Anchor uses to log your AI agent into a specific application. This is configured per identity in the Create / Update Identity flow, not on the team Integrations page. When you select 1Password as the auth method for an identity, you provide a service account token and Anchor resolves the login credentials for you. There are two ways credentials are discovered:
The service account token is entered directly in the identity creation form. See Getting a 1Password Service Account Token, or create one directly at the 1Password service account page.

Domain Discovery Mode

In domain discovery mode, you only provide the service account token. Anchor automatically finds the 1Password login item whose website matches the application’s domain and uses its fields (username, password, one-time password, etc.) to authenticate.
  • No op:// references are required — just grant the service account access to the relevant vault.
  • This is the default when the auth flow does not define explicit reference fields.

Reference Mode

In reference mode, you supply explicit 1Password secret references (op://vault/item/field) for each field the auth flow requires. Use this when domain discovery is ambiguous or when the credentials live in a differently-named item.

One-Time Passwords (TOTP / 2FA)

If the matched 1Password item or a referenced field contains a one-time password field — Anchor resolves the code at runtime, the moment the agent reaches the 2FA step.
The service account token is never exposed to the AI agent.

Creating a 1Password Integration

Using the API

Create a 1Password integration using the AnchorBrowser API: 
curl -X POST https://api.anchorbrowser.io/v1/integrations \
  -H "anchor-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My 1Password Integration",
    "type": "1PASSWORD",
    "credentials": {
      "type": "serviceAccount",
      "data": {
        "serviceAccount": "ops_xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      }
    }
  }'
Response: 
{
  "data": {
    "integration": {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "name": "My 1Password Integration",
      "type": "1PASSWORD",
      "path": "integrations/team-id/550e8400-e29b-41d4-a716-446655440000",
      "createdAt": "2024-01-01T00:00:00.000Z"
    }
  }
}
Save the id from the response - you’ll need it to use the integration in browser sessions.

Using 1Password Integration in Browser Sessions

Once you’ve created a 1Password integration, you can use it in your browser sessions to automatically load secrets.

Load All Secrets

Load all secrets from your 1Password vaults: 
curl -X POST https://api.anchorbrowser.io/v1/sessions \
  -H "anchor-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "integrations": [
      {
        "id": "550e8400-e29b-41d4-a716-446655440000",
        "type": "1PASSWORD",
        "configuration": {
          "load_mode": "all"
        }
      }
    ]
  }'

Load Specific Secrets

Load only specific secrets using 1Password secret references: 
curl -X POST https://api.anchorbrowser.io/v1/sessions \
  -H "anchor-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "integrations": [
      {
        "id": "550e8400-e29b-41d4-a716-446655440000",
        "type": "1PASSWORD",
        "configuration": {
          "load_mode": "specific",
          "secrets": [
            "op://Production/Database/username",
            "op://Production/Database/password",
            "op://Production/API Keys/stripe_key"
          ]
        }
      }
    ]
  }'

1Password Secret Reference Format

1Password uses a specific format for secret references: 
op://[vault]/[item]/[field]
  • vault: The name of your 1Password vault
  • item: The name of the item in the vault
  • field: The specific field within the item

Examples

op://Production/AWS Credentials/access_key_id
op://Development/GitHub/personal_access_token
op://Shared/Stripe/api_key

Accessing Secrets in Your Browser Session

Once loaded, secrets are available as environment variables in your browser session. The environment variable name is derived from the secret reference:
  • Secret reference: op://Production/Database/username
  • Environment variable: OP_PRODUCTION_DATABASE_USERNAME
The conversion follows these rules:
  1. Remove the op:// prefix
  2. Replace / with _
  3. Convert to uppercase
  4. Prefix with OP_
AI Agent Security: When your AI agent accesses these environment variables, it can use them for authentication with external services, but the actual credential values are never visible in the agent’s output, logs, or responses. The credentials are used transparently by the browser environment for authentication purposes only.

Example: Using Secrets in Automation

(async () => {
  // Create a session with 1Password integration
  const response = await fetch('https://api.anchorbrowser.io/v1/sessions', {
    method: 'POST',
    headers: {
      'anchor-api-key': process.env.ANCHOR_API_KEY,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      integrations: [
        {
          id: integrationId,
          type: '1PASSWORD',
          configuration: {
            load_mode: 'specific',
            secrets: [
              'op://Production/Database/username',
              'op://Production/Database/password'
            ]
          }
        }
      ]
    })
  });


  const sessionData = await response.json();
  console.log(sessionData)

  // Access the secrets in your automation code
  // The secrets are automatically available as environment variables
  // OP_PRODUCTION_DATABASE_USERNAME and OP_PRODUCTION_DATABASE_PASSWORD
  // Your AI agent can use these for authentication without exposing the actual values
})();

Managing Integrations

List All Integrations

curl -X GET https://api.anchorbrowser.io/v1/integrations \
  -H "anchor-api-key: YOUR_API_KEY"
Response: 
{
  "data": {
    "integrations": [
      {
        "id": "550e8400-e29b-41d4-a716-446655440000",
        "name": "My 1Password Integration",
        "type": "1PASSWORD",
        "createdAt": "2024-01-01T00:00:00.000Z"
      }
    ]
  }
}

Delete an Integration

curl -X DELETE https://api.anchorbrowser.io/v1/integrations/550e8400-e29b-41d4-a716-446655440000 \
  -H "anchor-api-key: YOUR_API_KEY"
Response: 
{
  "data": {
    "integration": {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "deleted": true,
      "path": "integrations/team-id/550e8400-e29b-41d4-a716-446655440000"
    }
  }
}
Deleting an integration will remove the stored service account token. Any browser sessions using this integration will fail to load secrets.

Troubleshooting

Integration Creation Fails

  • Invalid Service Account Token: Verify your token starts with ops_ and is valid
  • Insufficient Permissions: Ensure the service account has access to the required vaults

Secrets Not Loading

  • Invalid Secret Reference: Check the format of your secret references (op://vault/item/field)
  • Service Account Access: Verify the service account has access to the specified vaults and items
  • Item or Field Not Found: Ensure the vault, item, and field names are correct and exist

Environment Variables Not Available

  • Check Secret Reference Format: Ensure your secret references follow the correct format
  • Verify Integration ID: Make sure you’re using the correct integration ID in your session configuration

Support

For additional help with 1Password integration: