1Password SecretRef provider integration for OpenClaw.
This plugin keeps 1Password-specific resolution outside OpenClaw core. It
declares a `secretProviderIntegrations.1password` preset that materializes an
OpenClaw exec secret provider.
1Password itself is not generally self-hosted. The self-hostable component is 1Password Connect, which runs in your infrastructure and exposes an API bridge for vault data from your 1Password account.
This plugin uses the official `op` CLI. The CLI can resolve secrets with:
- `OP_SERVICE_ACCOUNT_TOKEN`
- `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` for 1Password Connect
- an existing authenticated `op` CLI session
The recommended id format is a native 1Password secret reference:

```json
{ "source": "exec", "provider": "onepassword", "id": "op://Engineering/OpenRouter/apiKey" }
```

The resolver also accepts:
- `<vault>/<item>/<field>`
- `<vault>/<item>/<section>/<field>`

If `CLAW_1PASSWORD_VAULT` is set, it also accepts:
- `<item>/<field>`
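The id forms listed above, combined with the request and response shape from this page's test invocation, as an added JavaScript example that is not the plugin's own code. The names `toSecretReference`, `resolveRequest` and `demo`, the `{ message }` error shape and the sample value map are assumptions made for illustration.

```javascript
// Added illustration, not the plugin's source. Function names are hypothetical.

// Convert any accepted id form into a native op:// secret reference.
function toSecretReference(id, defaultVault) {
  if (typeof id !== "string" || id === "") throw new Error("id must be a non-empty string");
  const isNative = id.startsWith("op://");
  const parts = (isNative ? id.slice("op://".length) : id).split("/");
  // <item>/<field> is only valid when a default vault is configured.
  if (!isNative && parts.length === 2) {
    if (!defaultVault) throw new Error("<item>/<field> requires CLAW_1PASSWORD_VAULT");
    parts.unshift(defaultVault);
  }
  if (parts.length < 3 || parts.length > 4 || parts.some((p) => p === "")) {
    throw new Error("expected <vault>/<item>[/<section>]/<field>");
  }
  // The result always starts with "op://", so it can never be read as a CLI option.
  return "op://" + parts.join("/");
}

// Answer one protocolVersion 1 request. `lookup(ref)` stands in for the real
// secret read and returns the value or undefined. Failures are reported per id,
// and error text never includes a secret value.
function resolveRequest(request, env, lookup) {
  if (!request || request.protocolVersion !== 1 || !Array.isArray(request.ids)) {
    throw new Error("unsupported request");
  }
  const response = { protocolVersion: 1, values: {}, errors: {} };
  for (const id of request.ids) {
    try {
      const value = lookup(toSecretReference(id, env.CLAW_1PASSWORD_VAULT));
      if (typeof value !== "string") throw new Error("secret not found");
      response.values[id] = value; // keyed by the id exactly as requested
    } catch (err) {
      response.errors[id] = { message: err.message }; // assumed error shape
    }
  }
  return response;
}

// Constructed sample data, keyed by normalized reference (an assumption).
const sampleValues = { "op://Engineering/OpenRouter/apiKey": "not-a-real-value" };
const sampleRequest = {
  protocolVersion: 1,
  ids: ["op://Engineering/OpenRouter/apiKey", "OpenRouter/apiKey", "Engineering/OpenRouter"],
};
function demo(env) {
  return resolveRequest(sampleRequest, env, (ref) => sampleValues[ref]);
}
console.log(JSON.stringify(demo({ CLAW_1PASSWORD_VAULT: "Engineering" })));
```
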
Required for real 1Password reads:
- the `op` CLI on `PATH`, or `CLAW_1PASSWORD_OP` pointing to the CLI
- one of the authentication modes supported by `op`

Common auth environment:
- `OP_SERVICE_ACCOUNT_TOKEN`
- `OP_CONNECT_HOST`
- `OP_CONNECT_TOKEN`
- `OP_ACCOUNT`

Optional plugin environment:
- `CLAW_1PASSWORD_OP` (default: `op`)
- `CLAW_1PASSWORD_VAULT`

Test fallback:
- `CLAW_1PASSWORD_VALUES_JSON`

```sh
printf '%s\n' '{"protocolVersion":1,"ids":["op://Engineering/OpenRouter/apiKey"]}' \
  | CLAW_1PASSWORD_VALUES_JSON='{"op://Engineering/OpenRouter/apiKey":"not-a-real-value"}' \
  ./onepassword-secret-ref-resolver.js
```

Expected:

```json
{"protocolVersion":1,"values":{"op://Engineering/OpenRouter/apiKey":"not-a-real-value"},"errors":{}}
```

Until this plugin is packaged with compiled runtime output, load it as a source plugin:

```sh
openclaw config patch --stdin <<'JSON5'
{
  plugins: {
    load: {
      paths: ["/absolute/path/to/claw-1password"],
    },
  },
}
JSON5
```

Then configure SecretRefs that use provider `onepassword`.

```sh
npm install
npm test
```