Back to Nodes

1Password

v0.1.1
Last updated May 4, 2026

n8n community node to fetch secrets and items from 1Password using a Service Account

10 Weekly Downloads
276 Monthly Downloads

Included Nodes

1Password

Description


n8n-nodes-onepassword

NPM Version
GitHub License
NPM Downloads
NPM Last Update
Static Badge

Installation |
Credentials |
Resources |
Usage |
Security |
Development |
License

A community node for n8n that fetches secrets and items from 1Password using a Service Account.

Use it to keep secrets out of n8n credentials: store API keys, passwords, and tokens in 1Password, then resolve them at workflow runtime and pass them into downstream nodes via expressions.

API Coverage

The package ships a single action node backed by the official @1password/sdk, covering read-only access to vaults, items, and secret references.

View resources

| Resource | Operations |
| — | — |
| Secret | Get |
| Item | Get, List |
| Vault | List |

Installation

1. Create a new workflow or open an existing one
2. Open the nodes panel by selecting + or pressing N
3. Search for 1Password
4. Select Install to install the node for your instance

Alternatively, follow the community node installation guide and install n8n-nodes-onepassword.

Credentials

The node uses a 1Password Service Account API credential with one field:

  • Service Account Token — an OPSERVICEACCOUNT_TOKEN. Create one at my.1password.com → Developer Tools → Service Accounts and grant it read access to the vaults you need.
  • The token is sent only to 1Password’s SDK; the node makes no other outbound calls.

    Resources & Operations

    See the collapsible table above under API Coverage for the full list.

    Secret → Get

    Resolves an op://Vault/Item/field reference to a single string. Output: { reference, value }.

    Item → Get

    Fetches a full item by vault ID and item ID. Output flattens fields into two buckets:

  • value — concealed (password-type) fields, keyed by field title.
  • fields — non-concealed fields, keyed by field title.
  • Item → List

    Lists active items in a vault. Output: one row per item with overview metadata (no field values).

    Vault → List

    Lists vaults the service account can access. Output: one row per vault with overview metadata.

    Usage

    Pattern: feed a 1Password secret into another n8n credential

    n8n evaluates expressions in credential fields at runtime, so a 1Password node placed early in the workflow can supply secrets to any downstream credential.

    1. Add a 1Password node, connect a Service Account credential, set Resource = Secret, Operation = Get, and Reference = op://Production/SlackBot/token.
    2. Add a Slack node downstream. Edit its credential, switch the Bot User OAuth Token field to Expression mode, and enter:

       {{ $('1Password').item.json.value }}
       

    3. Run the workflow. The Slack call is made with the token resolved from 1Password — nothing is hardcoded in n8n.

    This mirrors n8n’s official “Set credentials dynamically” template. It works reliably for API key, bearer, basic-auth, and header-auth credential types. OAuth2 flows are unreliable because token exchange happens out-of-band.

    Security

    Read this before using the node in production.

    By design, the value resolved by Secret → Get lives in the upstream node’s runData so that downstream expression references can resolve it. On free / community editions of n8n, the secret value is therefore visible in the editor’s execution-data panel during runs.

    Mitigations, in order of strength:

    1. Disable execution data persistence in workflow settings → Save Data Successful/Failed/Manual Executions → “Do not save”. Prevents the secret from being written to the n8n database. Manual editor view during a test run still shows it; production runs do not persist.
    2. sensitiveOutputFields: ['value'] is declared on this node. On n8n Enterprise this triggers automatic redaction of the value field in execution data. On free editions it’s a no-op (forward-compatible).
    3. Use n8n’s built-in External Secrets instead of this node if you have n8n Enterprise + a 1Password Connect Server. That’s the only fully transparent path — secrets never enter runData. This community node fills the gap for users without Enterprise.

    Notes (a free-form item field) is not covered by the redaction declaration. If you store secrets in notes, treat the Get Item output as fully sensitive.

    Development

    git clone https://github.com/hansdoebel/n8n-nodes-onepassword.git
    cd n8n-nodes-onepassword
    bun install
    bun run build
    bun run lint
    

    The node depends on @1password/sdk, which provides the official Service Account client used for all API calls.

    Resources

  • 1Password Service Accounts
  • 1Password Secret Reference Syntax
  • n8n Community Nodes documentation
  • @1password/sdk on npm

License

MIT

GitHub |
Issues |
1Password SDK Docs