I use 1Password as my password manager but didn't really see much need for the CLI that they provide until fairly recently. I'll go over a couple of use cases where the CLI has integrated really well into my workflow.

Keeping Dot Files Password-Free

I've been usingaerc¹ for a few weeks. When you add an email account toaerc, it saves the password in a configuration file (~/.config/aerc/accounts.conf for me), an example of which can be seen below:

[Fastmail]source=imaps://user%40fastmail.com:agvsbg8gd29ybgqh@imap.fastmail.comoutgoing=smtps://user%40fastmail.com:agvsbg8gd29ybgqh@imap.fastmail.com

Having the password stored in plain text² is less than ideal, even if it is on a device you own. Helpfully,aerc provides a way to specify an arbitrary command that can be executed to retrieve the password. To use the 1Password CLI, the accounts configuration file can be modified as follows:

[Fastmail]source            = imaps://user%40fastmail.com@imap.fastmail.comsource-cred-cmd   = op read op://MyVault/Fastmail/aerc-passwordoutgoing          = smtps://user%40fastmail.com@imap.fastmail.comoutgoing-cred-cmd = op read op://MyVault/Fastmail/aerc-password

The command we want executed isop read, and we pass it the URL³ of the secret to access. The next timeaerc is launched, a TouchID prompt, or a prompt toAllow Access, will be presented as shown below:

Autofilling One-Time Passwords

As a publisher of npm packages, it's a good idea to enable 2FA on your npm account. This makes a leaked token with write-access less of a risk since no writes (such as publishing a new version of a package) can be performed without a valid OTP.

When publishing an npm package usingnpm publish, a prompt is shown in the terminal asking the user to type in the OTP. However, there is also an--otp flag we can make use of to provide the OTP upfront:

npm publish --otp $(op item get NPM --otp)

This time we use theop item get command⁴, passing it the name of the item and the--otp flag. Upon execution, a TouchID prompt or anAllow Access prompt is presented, removing the need to manually type or paste the OTP. As an added convenience, the above command can be bound to a shell alias.

Footnotes

1. aerc is a terminal-based email client.↩︎

2. Thishelpful URL scheme shows that the password isagvsbg8gd29ybgqh.↩︎

3. The URL takes the form:

   op://<vault>/<item>[/<section>]/<field>

   ↩︎

4. Note that if we tried using theop read command:

   op read 'op://MyVault/NPM/Security/one-time password'

   instead of the current OTP being returned, we would get the reference URL used to generate the OTP:

   otpauth://totp/croccifixio?secret=AGVSBG8GD29YBGQHIGDVB2QGBMLNAHQ1&issuer=npm

   ↩︎