Connect 1Password to automatically use credentials from your existing vaults with Managed Auth. No need to manually create credentials in Kernel—1Password items are discovered by domain matching.

How It Works

  1. Connect a service account — Add your 1Password service account token in the dashboard
  2. Domain matching — When Managed Auth needs credentials, it searches your connected vaults for items matching the target domain
  3. Automatic fill — Credentials (including TOTP secrets) are used to complete authentication
Credentials are retrieved securely at authentication time. Values are never stored in Kernel—they remain in 1Password.

Setup

1. Create a 1Password Service Account

Create a service account in 1Password with access to the vaults containing your login credentials. Copy the service account token (starts with ops_).

2. Connect in Kernel Dashboard

Go to Integrations in the Kernel dashboard and click Connect 1Password. Give your provider a name (e.g., my-1p) and paste your service account token. Kernel will validate the connection and show which vaults are accessible. You can connect multiple 1Password accounts with different names.

3. Use with Managed Auth

Reference your 1Password provider in the credential object. You can either specify an explicit item path or use auto-lookup by domain.
```javascript
// `kernel` is an initialized Kernel SDK client.
// Option 1: Auto-lookup by domain
const auth = await kernel.auth.connections.create({
  domain: 'github.com',
  profile_name: 'my-github-profile',
  credential: { provider: 'my-1p', auto: true },
});
```

```javascript
// Option 2: Explicit item path (VaultName/ItemName)
// Use this instead of Option 1; both declare `auth`.
const auth = await kernel.auth.connections.create({
  domain: 'github.com',
  profile_name: 'my-github-profile',
  credential: { provider: 'my-1p', path: 'Engineering/github-login' },
});
```

```javascript
// Start the login flow for the connection created by either option
const login = await kernel.auth.connections.login(auth.id);
```

Path Format

When using explicit paths, specify VaultName/ItemName:
```javascript
credential: { provider: 'my-1p', path: 'Engineering/github-login' }
```
Vault and item names containing forward slashes (/) are not supported. Rename items in 1Password if needed.

Domain Matching

1Password items are matched by their website/URL field:

| 1Password Item URL | Matches Domain |
| --- | --- |
| `github.com` | `github.com` |
| `https://github.com/login` | `github.com` |
| `*.example.com` | `app.example.com`, `api.example.com` |

If multiple items match a domain, the first match is used. Organize your vaults to ensure the correct credentials are selected.
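
An added pre-flight check (not Kernel's code or its matching algorithm) that applies the matching rules from the table above to an item inventory and reports domains where more than one item would match, plus vault or item names containing `/` that cannot be used as explicit paths. The inventory shape, the function names and the treatment of the bare apex domain under a wildcard are assumptions.

```javascript
// Added example; NOT Kernel's matcher. Rules are inferred from the table above.
// Constructed inventory: vault name, item title, website/URL field.
const items = [
  { vault: 'Engineering', title: 'github-login', url: 'https://github.com/login' },
  { vault: 'Personal', title: 'github-old', url: 'github.com' },
  { vault: 'Engineering', title: 'example-wildcard', url: '*.example.com' },
  { vault: 'Ops', title: 'ci/cd-bot', url: 'api.example.com' },
];

// Reduce a website/URL field to a bare host pattern: drop scheme, path, port.
function hostPattern(url) {
  return url.trim().toLowerCase()
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, '')
    .split(/[\/?#]/)[0]
    .replace(/:\d+$/, '');
}

// True if the item URL would match the target domain under the table's rules.
// Assumption: '*.example.com' covers subdomains only, not 'example.com' itself.
function matches(url, domain) {
  const pattern = hostPattern(url);
  const host = domain.trim().toLowerCase();
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// For each target domain list every matching item; flag names that contain '/'.
function audit(inventory, domains) {
  const report = { ambiguous: {}, unmatched: [], badPaths: [] };
  for (const domain of domains) {
    const hits = inventory
      .filter((item) => matches(item.url, domain))
      .map((item) => `${item.vault}/${item.title}`);
    if (hits.length === 0) report.unmatched.push(domain);
    if (hits.length > 1) report.ambiguous[domain] = hits;
  }
  for (const { vault, title } of inventory) {
    if (vault.includes('/') || title.includes('/')) {
      report.badPaths.push(`${vault}/${title}`);
    }
  }
  return report;
}

const report = audit(items, ['github.com', 'api.example.com', 'gitlab.com']);
console.log(JSON.stringify(report, null, 2));
```

For any domain reported as ambiguous, reference the intended item with an explicit `path` rather than `auto: true`.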

TOTP Support

If your 1Password item has a one-time password (TOTP) field configured, it will be used automatically for 2FA—no additional setup needed.

Credential Options

The credential object supports multiple sources:

| Type | Example | Description |
| --- | --- | --- |
| Kernel credential | `{ name: 'my-creds' }` | Use a credential stored in Kernel |
| 1Password explicit | `{ provider: 'my-1p', path: 'Vault/Item' }` | Use a specific 1Password item |
| 1Password auto | `{ provider: 'my-1p', auto: true }` | Search 1Password by domain |

If no credential is specified, the flow will wait for manual input.

Security

| Feature | Description |
| --- | --- |
| Token encrypted | Service account token encrypted with per-org keys |
| No credential storage | Credentials stay in 1Password, retrieved at auth time |
| Vault access control | Limit access via 1Password service account permissions |
| Audit trail | 1Password logs all credential access |