Skip to main content

Overview

The 1Password integration enables your AI agent to securely authenticate with services during browser automation by injecting secrets, credentials, and other sensitive data from your 1Password vaults directly into your Anchor Browser sessions. This gives your AI agent the ability to log into websites, access APIs, and perform authenticated actions without you needing to hardcode credentials in your automation scripts.
The actual secret values are never exposed to the AI agent, logs, API responses, or any other output

Prerequisites

Before you can use the 1Password integration, you need:
  1. 1Password Account: An active 1Password account with access to the secrets you want to use in a vault different than “Personal”.
  2. Anchor Browser API Key: Your Anchor Browser API key for authentication

Getting a 1Password Service Account Token

  1. Log in to your 1Password account
  2. Navigate to DeveloperDirectoryService Accounts
  3. Click Create Service Account
  4. Give your service account a descriptive name (e.g., “Anchor Browser Automation”)
  5. Grant the service account access to the vaults containing the secrets you need
  6. Copy the service account token (starts with ops_) - you’ll need this for the integration setup
Store your service account token securely. It provides access to your 1Password secrets and should be treated like a password.

Using 1Password as an Identity Auth Method

In addition to injecting raw secrets as environment variables (described above), 1Password can back an Identity — the credentials Anchor uses to log your AI agent into a specific application. This is configured per identity in the Create / Update Identity flow, not on the team Integrations page. When you select 1Password as the auth method for an identity, you provide a service account token and Anchor resolves the login credentials for you. There are two ways credentials are discovered:
The service account token is entered directly in the identity creation form. See Getting a 1Password Service Account Token, or create one directly at the 1Password service account page.

Domain Discovery Mode

In domain discovery mode, you only provide the service account token. Anchor automatically finds the 1Password login item whose website matches the application’s domain and uses its fields (username, password, one-time password, etc.) to authenticate.
  • No op:// references are required — just grant the service account access to the relevant vault.
  • This is the default when the auth flow does not define explicit reference fields.

Reference Mode

In reference mode, you supply explicit 1Password secret references (op://vault/item/field) for each field the auth flow requires. Use this when domain discovery is ambiguous or when the credentials live in a differently-named item.

One-Time Passwords (TOTP / 2FA)

If the matched 1Password item or a referenced field contains a one-time password field — Anchor resolves the code at runtime, the moment the agent reaches the 2FA step.
The service account token is never exposed to the AI agent.

1Password Secret Reference Format

1Password uses a specific format for secret references: 
op://[vault]/[item]/[field]
  • vault: The name of your 1Password vault
  • item: The name of the item in the vault
  • field: The specific field within the item

Examples

op://Production/AWS Credentials/access_key_id
op://Development/GitHub/personal_access_token
op://Shared/Stripe/api_key

Support

For additional help with 1Password integration: