Connect 1Password to automatically use credentials from your existing vaults with Agent Auth. No need to manually create credentials in Kernel—1Password items are discovered by domain matching.

How It Works

  1. Connect a service account — Add your 1Password service account token in the dashboard
  2. Domain matching — When Agent Auth needs credentials, it searches your connected vaults for items matching the target domain
  3. Automatic fill — Credentials (including TOTP secrets) are used to complete authentication
Credentials are retrieved securely at authentication time. Values are never stored in Kernel—they remain in 1Password.

Setup

  1. Create a 1Password Service Account

     In 1Password, create a service account with access to the vaults containing your login credentials. Copy the service account token.

  2. Connect in Kernel Dashboard

     Go to Agent Auth in the Kernel dashboard, click the settings icon, then select Integrations. Click Connect 1Password. Paste your service account token. Kernel will validate the connection and show which vaults are accessible.

  3. Use with Agent Auth

     Start an auth invocation without specifying a credential_id. If 1Password has a matching item for the domain, it will be used automatically.

const agent = await kernel.agents.auth.create({
  domain: 'github.com',
  profile_name: 'my-github-profile',
  // No credential_name needed—1Password will provide credentials
});

const invocation = await kernel.agents.auth.invocations.create({
  auth_agent_id: agent.id,
});
// Credentials for github.com are automatically retrieved from 1Password

Domain Matching

1Password items are matched by their website/URL field:

| 1Password Item URL | Matches Domain |
| --- | --- |
| github.com | github.com |
| https://github.com/login | github.com |
| *.example.com | app.example.com, api.example.com |

If multiple items match a domain, the first match is used. Organize your vaults to ensure the correct credentials are selected.
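
Because the first match wins, it helps to check a vault inventory for domains where more than one item matches before connecting it. The sketch below is an added example, not Kernel's code: it models the rules in the table above, and the `{ title, urls }` item shape, the function names, and the exact-host and wildcard semantics are assumptions.

```javascript
// Added example: models the table above; NOT Kernel's matching code.
// Assumptions: hosts compare exactly, "*." covers subdomains but not the apex,
// and array order stands in for the order in which items are searched.

// Reduce a 1Password website/URL field to a lowercase host (or "*." pattern).
function hostPattern(urlField) {
  const noScheme = urlField.trim().toLowerCase().replace(/^[a-z][a-z0-9+.-]*:\/\//, '');
  const authority = noScheme.split(/[\/?#]/)[0];
  return authority.split('@').pop().split(':')[0] || null;
}

function matches(urlField, domain) {
  const pattern = hostPattern(urlField);
  const host = domain.trim().toLowerCase();
  if (!pattern) return false;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern; // "evil-github.com" must not match "github.com"
}

// First match wins; every later match is shadowed and never used.
function resolve(items, domain) {
  const hits = items.filter((item) => item.urls.some((u) => matches(u, domain)));
  return { selected: hits[0] || null, shadowed: hits.slice(1) };
}

// Report each target domain where more than one item matches.
function auditVault(items, domains) {
  return domains
    .map((domain) => ({ domain, ...resolve(items, domain) }))
    .filter((r) => r.shadowed.length > 0)
    .map((r) => ({
      domain: r.domain,
      selected: r.selected.title,
      shadowed: r.shadowed.map((item) => item.title),
    }));
}

// Constructed inventory: titles and URLs are made up for this example.
const sampleItems = [
  { title: 'Example wildcard', urls: ['*.example.com'] },
  { title: 'Example admin', urls: ['https://app.example.com/login'] },
  { title: 'GitHub bot', urls: ['github.com'] },
];

console.log(auditVault(sampleItems, ['app.example.com', 'api.example.com', 'github.com']));
```

Any domain the audit reports is one where a broad wildcard item or a duplicate login could be selected instead of the intended credential.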

TOTP Support

If your 1Password item has a one-time password (TOTP) field configured, it will be used automatically for 2FA—no additional setup needed.

Priority

When both Kernel credentials and 1Password are available for a domain:
  1. Explicit credential — If credential_name or credential_id is specified, that credential is used
  2. 1Password — If no explicit credential, 1Password is searched
  3. Request input — If no credentials found, the auth agent waits for input

Security

| Feature | Description |
| --- | --- |
| Token encrypted | Service account token encrypted with per-org keys |
| No credential storage | Credentials stay in 1Password, retrieved at auth time |
| Vault access control | Limit access via 1Password service account permissions |
| Audit trail | 1Password logs all credential access |