# 1Password

> Use credentials from your 1Password vaults for Managed Auth

Connect 1Password to automatically use credentials from your existing vaults with [Managed Auth](/auth/overview). No need to manually create credentials in Kernel—1Password items are discovered by domain matching.

## How It Works

1. **Connect a service account** — Add your 1Password service account token in the dashboard
2. **Domain matching** — When Managed Auth needs credentials, it searches your connected vaults for items matching the target domain
3. **Automatic fill** — Credentials (including TOTP secrets) are used to complete authentication

<Note>
  Credentials are retrieved securely at authentication time. Values are never stored in Kernel—they remain in 1Password.
</Note>

## Setup

<Steps>
  <Step title="Create a 1Password Service Account">
    [Create a service account](https://start.1password.com/developer-tools/infrastructure-secrets/serviceaccount/?source=dev-portal) in 1Password with access to the vaults containing your login credentials.

    Copy the service account token (starts with `ops_`).
  </Step>

  <Step title="Connect in Kernel Dashboard">
    Go to **Integrations** in the Kernel dashboard and click **Connect 1Password**.

    Give your provider a name (e.g., `my-1p`) and paste your service account token. Kernel will validate the connection and show which vaults are accessible.

    You can connect multiple 1Password accounts with different names.
  </Step>

  <Step title="Use with Managed Auth">
    Reference your 1Password provider in the `credential` object. You can either specify an explicit item path or use auto-lookup by domain.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      // Option 1: Auto-lookup by domain
      const auth = await kernel.auth.connections.create({
        domain: 'github.com',
        profile_name: 'my-github-profile',
        credential: { provider: 'my-1p', auto: true },
      });

      // Option 2: Explicit item path (VaultName/ItemName)
      // Use this instead of Option 1; the two calls are alternatives.
      const explicitAuth = await kernel.auth.connections.create({
        domain: 'github.com',
        profile_name: 'my-github-profile',
        credential: { provider: 'my-1p', path: 'Engineering/github-login' },
      });

      // Start the login flow (pass explicitAuth.id if you used Option 2)
      const login = await kernel.auth.connections.login(auth.id);
      ```

      ```python Python theme={null}
      # Option 1: Auto-lookup by domain
      auth = await kernel.auth.connections.create(
          domain="github.com",
          profile_name="my-github-profile",
          credential={"provider": "my-1p", "auto": True},
      )

      # Option 2: Explicit item path (VaultName/ItemName)
      auth = await kernel.auth.connections.create(
          domain="github.com",
          profile_name="my-github-profile",
          credential={"provider": "my-1p", "path": "Engineering/github-login"},
      )

      login = await kernel.auth.connections.login(auth.id)
      ```
    </CodeGroup>
  </Step>
</Steps>

## Path Format

When using explicit paths, specify `VaultName/ItemName`:

```typescript theme={null}
credential: { provider: 'my-1p', path: 'Engineering/github-login' }
```

<Warning>
  Vault and item names containing forward slashes (`/`) are not supported. Rename items in 1Password if needed.
</Warning>

## Domain Matching

1Password items are matched by their website/URL field:

| 1Password Item URL         | Matches Domain                       |
| -------------------------- | ------------------------------------ |
| `github.com`               | `github.com`                         |
| `https://github.com/login` | `github.com`                         |
| `*.example.com`            | `app.example.com`, `api.example.com` |

If multiple items match a domain, the first match is used. Organize your vaults to ensure the correct credentials are selected, or reference the intended item with an explicit `path`.
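
Because the first match wins, it is worth checking a vault inventory for domains that resolve to more than one item before relying on `auto: true`. The sketch below is an added example, not Kernel's or 1Password's code: it models the table above under the stated assumptions (wildcards cover subdomains only, on a label boundary), and the `VaultItem` shape, function names and inventory are constructed for illustration.

```typescript
// Added example: models the matching table on this page to audit a vault inventory.
// Matching rules and the inventory are assumptions/constructed, not Kernel's code.
interface VaultItem { path: string; url: string } // path is "VaultName/ItemName"

// Reduce an item's website field to a bare lowercase host pattern.
function hostPattern(url: string): string {
  return url.trim().toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, '') // drop scheme
    .replace(/[\/?#].*$/, '')               // drop path, query, fragment
    .replace(/:\d+$/, '');                  // drop port
}

// True if the item URL matches the target domain per the table.
function matchesDomain(itemUrl: string, domain: string): boolean {
  const pattern = hostPattern(itemUrl);
  const target = domain.trim().toLowerCase();
  if (pattern.slice(0, 2) === '*.') {
    // Assumption: a wildcard covers subdomains only, on a label boundary,
    // so "*.example.com" matches neither "example.com" nor "evilexample.com".
    const suffix = pattern.slice(1); // ".example.com"
    return target.length > suffix.length && target.slice(-suffix.length) === suffix;
  }
  return pattern === target;
}

// List domains where auto-lookup has more than one candidate item.
function ambiguousDomains(items: VaultItem[], domains: string[]) {
  return domains
    .map((domain) => ({
      domain,
      paths: items.filter((i) => matchesDomain(i.url, domain)).map((i) => i.path),
    }))
    .filter((entry) => entry.paths.length > 1);
}

// Constructed inventory for illustration.
const inventory: VaultItem[] = [
  { path: 'Engineering/github-login', url: 'https://github.com/login' },
  { path: 'Personal/github', url: 'github.com' },
  { path: 'Engineering/example-wildcard', url: '*.example.com' },
];

const report = ambiguousDomains(inventory, ['github.com', 'app.example.com', 'evilexample.com']);
report.forEach((entry) => {
  console.log(`${entry.domain}: ${entry.paths.length} items match (${entry.paths.join(', ')}); pin one with "path"`);
});
```

Any domain this reports is a candidate for an explicit `path` reference or for narrowing the service account's vault access.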

## TOTP Support

If your 1Password item has a one-time password (TOTP) field configured, it will be used automatically for 2FA—no additional setup needed.

## Credential Options

The `credential` object supports multiple sources:

| Type               | Example                                     | Description                       |
| ------------------ | ------------------------------------------- | --------------------------------- |
| Kernel credential  | `{ name: 'my-creds' }`                      | Use a credential stored in Kernel |
| 1Password explicit | `{ provider: 'my-1p', path: 'Vault/Item' }` | Use a specific 1Password item     |
| 1Password auto     | `{ provider: 'my-1p', auto: true }`         | Search 1Password by domain        |

If no `credential` is specified, the flow will wait for manual input.

## Security

| Feature                   | Description                                            |
| ------------------------- | ------------------------------------------------------ |
| **Token encrypted**       | Service account token encrypted with per-org keys      |
| **No credential storage** | Credentials stay in 1Password, retrieved at auth time  |
| **Vault access control**  | Limit access via 1Password service account permissions |
| **Audit trail**           | 1Password logs all credential access                   |
