1Password MCP Server¶
A secure Model Context Protocol (MCP) server that provides authenticated 1Password credential retrieval with comprehensive error handling, resilience patterns, security hardening, and full MCP protocol compliance.
Overview¶
The 1Password MCP Server enables AI assistants like Claude to securely retrieve credentials from your 1Password vaults. It is built with enterprise-grade security, comprehensive error handling, and operational excellence in mind.
Key Features¶
- 🔐 Secure by Default: Memory protection, request signing, TLS enforcement
- 🛡️ Enterprise Security: Service account authentication, audit logging, rate limiting
- ⚡ High Performance: Circuit breakers, retry logic, performance monitoring
- 📊 Observable: Structured logging, health checks, metrics collection
- 🔧 Production Ready: Comprehensive testing, documentation, monitoring
Quick Start¶
Prerequisites¶
- Python 3.12+
- 1Password service account token
- Claude Desktop or compatible MCP client
Installation¶
# Install via pip
pip install onepassword-mcp-server
# Or install with optional dependencies (quoted so the shell does not expand the brackets)
pip install "onepassword-mcp-server[dev,docs]"
Configuration¶
- Get 1Password Service Account Token:
  - Go to 1Password Developer Console
  - Create a service account
  - Grant access to required vaults
  - Copy the service account token
- Configure Environment:
- Configure Claude Desktop (claude_desktop_config.json):
Usage¶
Once configured, you can ask Claude to retrieve credentials:
"Please get my GitHub credentials from 1Password"
The server will securely retrieve and provide the username and password while maintaining complete audit trails.
Architecture¶
graph TB
A[AI Assistant<br/>Claude] -->|MCP Protocol| B[1Password MCP Server]
B -->|Authenticated API| C[1Password Service]
B --> D[Security Layer<br/>🛡️ Memory Protection<br/>🔐 Request Signing<br/>📝 Audit Logging]
B --> E[Resilience Layer<br/>⚡ Circuit Breaker<br/>🔄 Retry Logic<br/>⏱️ Timeouts]
B --> F[Monitoring Layer<br/>📊 Health Checks<br/>📈 Metrics<br/>🔍 Observability]
Security Model¶
Defense in Depth¶
- Authentication: Service account tokens with vault-scoped access
- Input Validation: Comprehensive parameter validation and sanitization
- Memory Protection: Secure credential handling with automatic cleanup
- Transport Security: TLS enforcement and request signing
- Audit Logging: Complete request/response tracking with correlation IDs
- Rate Limiting: Configurable rate limits to prevent abuse
Production Security¶
- No Credential Caching: Always fetch fresh credentials
- Secure Error Messages: No information leakage in error responses
- Environment Validation: Security posture assessment
- Compliance Ready: SOC 2 compliance support
Tools Available¶
get_1password_credentials¶
Securely retrieve credentials from 1Password.
Parameters:
- item_name (required): Name of the 1Password item
- vault (optional): Name of the 1Password vault
Example:
# Via Claude
"Get my database credentials for production"
# Direct tool response
{
  "username": "admin@company.com",
  "password": "secure_password_here",
  "item_name": "database-prod",
  "vault": "Infrastructure"
}
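A sketch of how the input validation, audit logging and secure error message points from the Security Model could apply to `get_1password_credentials`. This is an added example, not the project's own code: the `validate`, `handle` and `fake_fetch` names, the name policy and the audit fields are all assumptions.

```python
import json
import re
import uuid

# Assumed policy, not the project's: names of 1-64 characters, starting with an
# alphanumeric, limited to letters, digits, space, dot, underscore and hyphen.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def validate(item_name, vault=None):
    """Return the name of the first invalid parameter, or None if both pass."""
    if not isinstance(item_name, str) or not NAME_RE.fullmatch(item_name):
        return "item_name"
    if vault is not None and (not isinstance(vault, str) or not NAME_RE.fullmatch(vault)):
        return "vault"
    return None


def handle(item_name, vault=None, *, fetch):
    """Run one get_1password_credentials call; return (response, audit_line).

    `fetch` is a hypothetical stand-in for the 1Password lookup.
    """
    cid = str(uuid.uuid4())
    audit = {"correlation_id": cid, "tool": "get_1password_credentials"}
    bad = validate(item_name, vault)
    if bad:
        # Record which parameter failed, never the rejected value itself.
        audit.update(outcome="rejected", invalid_parameter=bad)
        response = {"error": "invalid request", "correlation_id": cid}
    else:
        audit.update(item_name=item_name, vault=vault)
        try:
            response = fetch(item_name, vault)
            # Log the field names returned, not their values.
            audit.update(outcome="success", returned_fields=sorted(response))
        except Exception as exc:
            # Backend detail stays in the audit log; the client gets a generic error.
            audit.update(outcome="error", error_type=type(exc).__name__)
            response = {"error": "credential retrieval failed", "correlation_id": cid}
    return response, json.dumps(audit, sort_keys=True)


def fake_fetch(item_name, vault):
    """Constructed sample backend returning the response shape shown above."""
    return {"username": "admin@company.com", "password": "secure_password_here",
            "item_name": item_name, "vault": vault}
```

The successful response still carries the password to the MCP client; only the audit line is kept free of it.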
get_health_status¶
Get comprehensive health status of all server components.
get_metrics¶
Get operational metrics including performance data and security insights.
get_security_status¶
Get security hardening status and configuration validation.
Documentation¶
- Setup Guide - Detailed installation and configuration
- Security Guide - Security best practices and policies
- API Reference - Complete tool documentation
- Troubleshooting - Common issues and solutions
- Developer Guide - Development and contribution guide
Support¶
- GitHub: Issues and feature requests
- Security: Security policy
- Documentation: Complete documentation
License¶
MIT License - see LICENSE for details.
Ready to get started? Follow the Setup Guide for detailed installation instructions.