Type a Password/TOTP from 1Password 8 CLI

1Password 8's new Universal Autofill works well - but there are still some circumstances where I find it helpful to use KM to type 1P passwords. And that's now much easier with the new 1Password CLI.

The subroutine below retrieves and types a password, TOTP, or any other field from 1Password. It's much more reliable (and far quicker) than my previous macro which used keyboard navigation in 1Password 7 Mini. It types rather than pastes the password for both security and compatibility with non-standard password dialogs.

As ever, constructive criticism is very much welcomed :slight_smile:
I haven't worked through all of the options and error handling yet, but it's been working well for me for the last week or so.

(And apologies if someone else has already posted something like this; I've seen references to the CLI being used but not to a macro.)

You'll need to:

  • Install the 1Password op CLI tool (I found I needed to install it using the "Manual" method - which only required the download and installation of a standard macOS package - as I don't permit my normal user account to run sudo, which their Brew method requires).

  • To retrieve TOTP codes, you'll also need to install the jq JSON Query command-line tool. I used Homebrew for this: brew install jq.

  • Work through the rest of the CLI Getting Started steps - critically "Turn On Biometric Unlock", if you use your Apple Watch to unlock 1Password.

  • Download the main "Type a password from 1Password" subroutine macro below and import into Keyboard Maestro.

  • If your Mac has an Apple Silicon (M1) CPU, swap the path to jq in the "Sign into 1Password and find the OTP..." step to /opt/homebrew/Cellar/jq/1.6/bin/jq (or equivalent), as Rob describes below.

  • Check/fix the default Account in the "Parse parameters" step. I use "my.1password.eu" but you may need to change that to "my.1password.com" or "my.1password.ca". That's the only account-specific item in this macro; everything else is supplied as parameters to the subroutine.

  • Test with something like the second and third macros below, substituting for the name of one of the items in your 1Password vault. Note that only the Vault and Item name/ID have to be specified (and you could of course change that if you only have a single vault) - plus the Type for a TOTP item.

  • If you have any problems with the name of an item (or you think it might get renamed over time) use its persistent Item ID rather than its name. It can be found using the op item list | grep NAME command or using Edit > Copy Private Link (then isolating the part after the i= in the query string).

  • If you run into problems, consult the KM log: tail -f ~/Library/Logs/Keyboard\ Maestro/Engine.log and try to run the equivalent op commands (substituting for account, vault, item etc) on the command line.

Type a password from 1Password.kmmacros (22 KB)

Toggle display of image of macro (with relevant steps expanded)

Here are two test macros (you'll need to add a trigger and adjust the names of the Vault and Item to suit your own items), showing the optional Description (which will trigger a notification when present) and specifying a "TOTP" Type...

Type a test password from 1Password.kmmacros (1.7 KB)

Type a test OTP from 1Password.kmmacros (1.7 KB)

2 Likes

Thanks for these macros. They work great, except that on Monterey, home-brew installs jq at

/opt/homebrew/Cellar/jq/1.6/bin/jq

Once I changed the text script in the KM subroutine macro to reflect that, it works fine.

1 Like

Thanks, Rob - that's really helpful. I've incorporated that as an extra step in my original post to make it easier to follow.

I hadn't spotted that Homebrew uses a different install prefix on M1 Macs. I'm on Monterey too, but still on Intel (and I am a little jealous of your shiny new processor :wink: )

Does this require Biometric Unlock (rather than it being optional for Watch users), and therefore also require 1Password 8? Otherwise I'm not sure how to pass in the account's master password, since a KM "Execute Script" action isn't interactive.

Still on v7 myself and trying to avoid bouncing a Terminal window and grabbing the creds with commands in that, so would love to know if you solved this!

Sorry for the late reply, Nige - I was away when you posted.

No, biometric unlock isn't required; you can still use the password to unlock.
However, I believe that the CLI itself (which this macro uses) only comes with 1Password v8.

Whilst I'd recommend moving to v8 (and using Universal Autofill where possible), I do have old macros for typing a password/TOTP from 1Password v7, but they're far more temperamental! Let me know if they'd help you and I'll upload them... (though I suspect there are several alternatives already in prior forum posts).

Best wishes,
Steve

I'm wondering if turning on biometric is what enables you to use the local account, rather than the 1Pass master password?

v8 requires Catalina, and a couple of my machines are limited to 10.13 or 14 for either hardware or software reasons (nothing to do with my aversion to Electron apps, honest!). v7 requires you to authenticate to get a 30-minute session token, and that requires an interactive session...

I've got a nice bounce-through-Terminal going which I might post when I'm happy with the results. It may not be specifically useful, but might have a couple of tricks people could use in their own projects.

1 Like