Getting Credentials from 1Password 7 via CLI

Hat tip to @coordinated, who spurred me into writing this macro with his post for 1P v8.

I wasn't going to bother posting this -- hopefully any 1Password users here are happily using version 8. But if anyone is restricted to v7 because they can't update to Catalina for some reason, they might find this useful.

And it combines KM with an interactive Terminal session -- so if you ever need to do that there might be something here for you!

The 1Password CLI 2 page is at -- v2 works fine with 1Pass v7. Like @coordinated I used the manual method, and the whole install and setup only took a minute.

It isn't as featured as @coordinated's macro because I have a limited set of requirements -- get either a username, a password, or both for a 1Pass item specified by ID (not name -- we use a Shared Vault and I can't rely on my co-workers not changing names to "something more sensible"...), across all Vaults. But it would be easy to add @coordinated's extras to this.

Easiest way to get the UUID of an item is to "Share" -> "Copy Private Link" and look at the text, which "="-delimited. UUID is the last but one item:

It's a subroutine so it can be called from other macros -- if you do add extras you might need to update the parameters to suit.

SUB -- Credentials from 1Password.kmmacros (8.4 KB)


The meat's in the AppleScript, which either brings the previously-used Terminal window to the front or makes a new one and sets its background to a really lary colour to get your attention. Setting the HISTCONTROL environment variable stops the shell storing any command that starts with a space in the history file, so people can't up-arrow and see (or edit and re-run!) a previous credentials request. The shell scripts themselves are straight forward -- signing in and getting the required fields for the UUID we're interested in -- except that we also redirect errors to standard output, put output on the clipboard, and clear the window so prying eyes see nothing...

The other trick is that the Terminal runs asynchronously to the script so we have to pause and wait until the Terminal command puts something on the clipboard -- so we blank the clipboard and run a looped delay until it's no longer empty. Pop the clipboard into a local variable, delete the past clipboard (again, security), and pass the result back to the calling macro.

I decided to use JSON for the result, mainly so I could error-check in the calling macro -- does JSON length match expected number of parameters, etc.

Example calling macro:
Open Passworded Web Page.kmmacros (8.8 KB)


Again this is quite specific to me -- there's an extra pause at the beginning because Safari loads the initial page (so SAFARIISCOMPLETE() is true) then gets bounced to an SSO page with "authenticate" in the URL if I'm not already logged in by previously-set cookies. But all is obvious, and all is easily changed to suit anyone's needs.

It works, but could stand improvement -- particularly in the JSON-handling, which is all new to me. But for all its (and my!) flaws, perhaps it'll help someone do something similar, just as @coordinated's post inspired this.


@Nige_S, thanks for sharing. This looks very useful and I look forward to trying it out.

I’ve not changed to 1Password 8 because the application doesn't include a method to set the Default Vault. This missing feature has been raised on the 1Password forum and generated four pages of spirited feedback. For those of us that use 1Password Families and share vaults, this causes lots of confusion particularly for those that are less technically inclined. For example, my wife and I store the majority or our information in a common vault, thus we've always set it as the default vault. With 1Password 8 all new entries go into the Private vault unless it is changed each time a new entry is saved.

I'm on 7 because I vastly prefer my workflow with the classic browser extensions... which are going away in a few months. I also very much dislike how intrusive the new extensions are. Figured I'd have to go this sort of route so thank you for this as well, @Nige_S

If I remember correctly the 1Password legacy browser extension will sunset on 1 July 2023.

I must say I'm very unhappy about this, but c'est la vie.