Security Integration
OpenClaw + 1Password
Securely retrieve secrets and credentials from your password manager.
Category
Security
Setup Time
~5 minutes
What you can do
- Securely retrieve secrets
- Access passwords on demand
- List vault items
- Integration with automation
Setup Guide
Prerequisites
- OpenClaw running (see our deployment guide)
- A 1Password account (any plan including free)
- 1Password CLI installed (optional but recommended)
Step 1: Create a 1Password Connect Server
- Sign in to your 1Password account
- Go to Developer Tools → 1Password Connect
- Click Create a Connect Server
- Name it (e.g., "OpenClaw")
- Select the vaults to share with OpenClaw
- Click Create
- Download the 1password-credentials.json file
Step 2: Deploy Connect Server
Option A: Docker (recommended)
# docker-compose.yml
services:
op-connect:
image: 1password/connect-api:latest
ports:
- "8080:8080"
volumes:
- ./1password-credentials.json:/home/opuser/.op/1password-credentials.json
- op-data:/home/opuser/.op/data
restart: unless-stopped
volumes:
op-data:Start the server:
docker compose up -d op-connectOption B: 1Password CLI
# Install on Linux
curl -sS https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64.deb -o op.deb
sudo dpkg -i op.deb
# Sign in
op signinStep 3: Create an Access Token
- In 1Password Developer Tools, go to your Connect Server
- Click Create Access Token
- Name it "OpenClaw Integration"
- Set expiration (or leave for 1 year default)
- Copy the token immediately (shown only once)
Configuration
Add the 1Password integration to your OpenClaw config:
# In your openclaw config
secrets:
provider: op
integrations:
onepassword:
enabled: true
connect_url: "http://op-connect:8080"
token: "ops_token_xxxxxxxx" # Your access tokenOr via environment variables in your docker-compose.yml:
environment:
- OP_CONNECT_HOST=http://op-connect:8080
- OP_CONNECT_TOKEN=ops_token_xxxxxxxxStep 4: Verify Connection
Test the integration by asking OpenClaw to retrieve a secret:
"Get my API key from 1Password"
"List items in my Private vault"
"What's the password for AWS?"Check the Connect server is running:
curl http://localhost:8080/v1/vaultsSecurity Best Practices
- Least privilege: Only share vaults OpenClaw needs
- Rotate tokens: Create new tokens periodically
- Audit access: Review token usage in 1Password
- Network isolation: Don't expose Connect server publicly
- Separate vaults: Use dedicated vaults for automation secrets
Common Issues
Token invalid: Access tokens can be revoked. Check in 1Password Developer Tools and regenerate if needed.
Vault not found: Ensure the vault is shared with your Connect Server during setup. You can edit access later.
Connection refused: Verify the Connect server is running: docker compose ps op-connect. Check logs with docker compose logs op-connect.
Frequently Asked Questions
Does OpenClaw work with 1Password?
Yes — OpenClaw integrates with 1Password via the Connect API. It can securely retrieve secrets, passwords, and credentials from your vaults. Setup takes about 5 minutes.
Is the 1Password integration secure?
Yes. OpenClaw uses 1Password Connect, which provides scoped access tokens and vault-level permissions. You control exactly which vaults OpenClaw can access.
How do I set up 1Password with OpenClaw?
Create a 1Password Connect Server in Developer Tools, deploy it (Docker recommended), generate an access token, and configure OpenClaw with the token and Connect URL.
Do I need 1Password Business?
No. 1Password Connect works with any 1Password plan including personal accounts. Developer Tools and Connect are available on all plans.
Can OpenClaw create or update items in 1Password?
The primary integration focuses on reading secrets. Write operations require additional scopes and are available but should be used carefully for security.
Ready to set up 1Password?
Follow our free guide to deploy OpenClaw and connect 1Password in minutes.
Official docs: https://developer.1password.com/docs/connect