op-mcp

An MCP (Model Context Protocol) server that provides Claude Code with full access to the 1Password CLI (op). This enables Claude to securely manage passwords, secrets, vaults, users, groups, and more through natural language.

Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                         Claude Code / LLM                           │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   │ MCP Protocol (JSON-RPC over stdio)
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│                           op-mcp Server                             │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐                 │
│  │   Items     │  │   Vaults    │  │   Users     │  ... 46 tools   │
│  │  (9 tools)  │  │ (11 tools)  │  │  (8 tools)  │                 │
│  └─────────────┘  └─────────────┘  └─────────────┘                 │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   │ CLI subprocess execution
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│                        1Password CLI (op)                           │
└─────────────────────────────────────────────────────────────────────┘
                                   │
                                   │ Authenticated API calls
                                   ▼
┌─────────────────────────────────────────────────────────────────────┐
│                     1Password Service / Vaults                      │
└─────────────────────────────────────────────────────────────────────┘

Prerequisites

1. 1Password CLI (op) - Install from 1password.com/downloads/command-line

   # macOS (Homebrew)
   brew install 1password-cli
   
   # Verify installation
   op --version
   

2. 1Password App Integration - Enable CLI integration in the 1Password desktop app:

   • Open 1Password → Settings → Developer
   • Enable "Integrate with 1Password CLI"
   • This allows biometric unlock for CLI operations

3. Rust toolchain (for building from source)

   curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
   

Installation

From crates.io

cargo install op-mcp

Build from Source

# Clone the repository
git clone https://github.com/goodwokdev/op-mcp.git
cd op-mcp

# Build release binary
cargo build --release

# The binary is at ./target/release/op-mcp

Verify the Build

# Check that it responds to MCP protocol
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}' | ./target/release/op-mcp

Claude Code Configuration

Global Configuration (Recommended)

Use the Claude CLI to add the server globally (available in all projects):

# If installed via cargo install
claude mcp add --transport stdio 1password --scope user -- op-mcp

# If using a specific path
claude mcp add --transport stdio 1password --scope user -- ~/.mcp/bin/op-mcp

Project-level Configuration

Create .mcp.json in your project root:

{
  "mcpServers": {
    "1password": {
      "command": "op-mcp"
    }
  }
}

Verify Connection

After configuration, restart Claude Code or run /mcp to verify the server is connected.

Usage Examples

Once configured, you can ask Claude to perform 1Password operations naturally:

Reading Secrets

"What's my GitHub token from the Development vault?"

"Read the database password from op://Production/PostgreSQL/password"

"List all items in my Personal vault"

Managing Items

"Create a new login item for api.example.com with username 'admin'"

"Update the password for my AWS root account"

"Move the 'Staging DB' item from Development to Production vault"

"Share the WiFi password item with a link that expires in 7 days"

Vault Management

"List all vaults I have access to"

"Create a new vault called 'Client Projects'"

"Who has access to the Production vault?"

"Grant read-only access to the Shared vault for the Engineering group"

User & Group Management

"List all users in my organization"

"Create a new group called 'DevOps Team'"

"Add user@example.com to the DevOps Team group"

"Suspend the user john.doe@example.com"

Documents

"List all documents in the Legal vault"

"Download the SSL certificate from the Certificates vault"

"Upload this license file to the Software vault"

Secret Injection

"Inject secrets into this .env template"

"Run this deployment script with secrets from the Production vault"

Available Tools (66 total)

Authentication (3)

Account Management (4)

Vault Management (11)

Item Management (9)

Document Management (5)

User Management (8)

Group Management (8)

Connect Server Management (11)

Service Account (2)

Events API (1)

Secrets (3)

Security Considerations

• Biometric Authentication: When integrated with the 1Password app, operations require biometric confirmation
• No Secret Storage: This server doesn't store any secrets; it proxies requests to the op CLI
• Audit Trail: All operations are logged by 1Password
• Permission Scoping: Access is limited to what your 1Password account can access

Troubleshooting

"1Password CLI (op) not found"

Ensure op is installed and in your PATH:

which op
op --version

"Not signed in to 1Password"

Sign in using the 1Password app or CLI:

op signin

"Permission denied"

• Check that CLI integration is enabled in 1Password app settings
• Verify you have access to the requested vault/item
• For team accounts, ensure your role has the required permissions

Server not appearing in Claude Code

1. Check the path in your configuration is absolute and correct
2. Verify the binary is executable: chmod +x /path/to/op-mcp
3. Restart Claude Code after configuration changes
4. Run /mcp in Claude Code to see server status

Development

# Run in debug mode
cargo run

# Run tests
cargo test

# Check formatting
cargo fmt --check

# Run linter
cargo clippy

License

MIT