Configures 1Password CLI with direnv for fast, secure credential loading. Activates for: 1Password + direnv setup, slow secrets (>2 sec), .env.op files, op:// references, AWS credentials via env vars, --reveal flag issues, repeated biometric prompts, creating 1Password items programmatically, op item get errors. Not for: 1Password GUI usage, SSH keys (use 1Password SSH agent).
View on GitHub: clearfunction/cf-devtools
January 21, 2026
npx add-skill https://github.com/clearfunction/cf-devtools/blob/main/skills/1password-direnv-secrets/SKILL.md -a claude-code --skill 1password-direnv-secrets
Installation paths:
.claude/skills/1password-direnv-secrets/
# 1Password CLI Secret Management
Secure credential management using 1Password CLI with zero plaintext secrets on disk.
## Quick Reference
| Use Case | Approach | Details |
|-----------------------------|-----------------------|-------------------------------------------------------------------|
| All secrets (AWS, DB, APIs) | direnv + `op run` | [Core Pattern](#core-pattern-direnv--op-run) |
| CI/CD automation | Service account token | [Session Management](references/session-management.md) |
| Creating items for users | `op item create` | [Programmatic Creation](references/programmatic-item-creation.md) |
**Key insight:** Secrets load once on `cd` and all subprocesses inherit them (standard Unix `fork()` behavior). One `op` call, no re-fetching.
---
## Core Pattern: direnv + op run
**Use `op run --env-file` NOT multiple `op read` calls.**
| Approach | CLI Invocations | Load Time |
|--------------------|-----------------|------------|
| Multiple `op read` | N per secret | ~5 seconds |
| Single `op run` | 1 | ~1 second |
### Setup
**1. `.env.op`** (safe to commit - contains only `op://` references):
```bash
AWS_ACCESS_KEY_ID="op://Vault/Item/Access Key ID"
AWS_SECRET_ACCESS_KEY="op://Vault/Item/Secret Access Key"
DB_PASSWORD="op://Vault/Item/password"
```
**2. `.envrc`** (safe to commit - no secrets, just loader command):
```bash
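# op run resolves the op:// references and runs `direnv dump` with them set.
# --no-masking stops op from masking the secret values in that output,
# which direnv_load has to read to apply the environment.
direnv_load op run --env-file=.env.op --no-masking \
  --account=yourcompany.1password.com -- direnv dump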
```
**3. Enable:** `direnv allow`
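The "safe to commit" claim for `.env.op` holds only while every value is an `op://` reference. The following check is an added example, not part of the skill or the cf-devtools repository; the function name `check_env_op` and the script name in its last comment are hypothetical, and it assumes plain `KEY=VALUE` lines, an optional `export ` prefix, `#` comments and blank lines.

```sh
#!/bin/sh
# Added example (not from the skill): enforce that .env.op holds only op:// references.
# Assumes plain KEY=VALUE lines, optional "export ", "#" comments and blank lines.

# check_env_op FILE
#   Prints "FILE:LINE: KEY ..." for each offending line (never the value).
#   Status: 0 = only references, 1 = at least one offending line, 2 = unreadable file.
check_env_op() (
  file=$1 lineno=0 bad=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # Drop trailing spaces so a quoted value is recognised as quoted.
    while :; do case $line in *' ') line=${line% } ;; *) break ;; esac; done
    case $line in
      ''|'#'*) continue ;;                 # blank line or comment
      'export '*) line=${line#export } ;;  # tolerate "export KEY=..."
    esac
    case $line in
      *=*) key=${line%%=*} value=${line#*=} ;;
      *) echo "$file:$lineno: not a KEY=VALUE line"; bad=1; continue ;;
    esac
    # Remove one pair of surrounding quotes.
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # A secret reference needs at least vault, item and field after op://.
    case $value in
      op://?*/?*/?*) ;;
      *) echo "$file:$lineno: $key is not an op:// reference"; bad=1 ;;
    esac
  done < "$file"
  exit "$bad"
)

# Run as a script (hypothetical file name): sh check_env_op.sh .env.op
if [ "$#" -gt 0 ]; then check_env_op "$1"; fi
```

Wired into a pre-commit hook or CI step, a non-zero status blocks the commit before a pasted plaintext value reaches the repository.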
### Global Helper
Add to `~/.config/direnv/direnvrc`:
```bash
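# Usage: use_1password [env_file] [account]
# Loads every op:// reference in env_file with a single `op run` call.
use_1password() {
  local env_file="${1:-.env.op}" account="${2:-yourcompany.1password.com}"
  # Does nothing when the env file is absent.
  [[ -f "$env_file" ]] && direnv_load op run --env-file="$env_file" \
    --no-masking --account="$account" -- direnv dump
}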
```
Then `.envrc` becomes: `use 1p