Skip to content

1Password Connect Server Token

Service Name: 1Password Connect

Service Description: 1Password Connect is an API service that allows applications to securely access and manage secrets stored in 1Password vaults. It provides a way for applications to retrieve credentials and other sensitive information without human intervention.

Service Address: https://1password.com/connect/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the Connect Server level to limit which IP addresses can access the Connect API.

Secret Access Scope: Grants programmatic access to secrets stored in specified 1Password vaults through the Connect API. The scope depends on the permissions assigned to the token.

Secret Revokement URL: https://support.1password.com/connect-api-reference/#authentication

Secret Example: eyJhbGciOiJFUzI1NiIsImtpZCI6InNlcnZlci0xMjM0NTY3OCJ9.eyJhdWQiOlsiY29tLjFwYXNzd29yZC5jb25uZWN0Il0sImV4cCI6MTY0MDk5NTIwMCwiaWF0IjoxNjA5NDU5MjAwLCJpc3MiOiJjb20uMXBhc3N3b3JkLmIyYiIsImp0aSI6ImFiY2RlZjEyMzQ1Njc4OTAiLCJzdWIiOiJzZXJ2ZXItMTIzNDU2NzgifQ.EXAMPLE_SIGNATURE

Suspicious Activity Investigation Instructions:

  • Review 1Password Connect Server logs for unusual API access patterns or unauthorized vault access.

  • Check for unexpected API calls or access to vaults that shouldn't be accessed by the application.

  • Monitor for increased frequency of API calls that might indicate credential harvesting.

  • Verify if the token is being used from unexpected IP addresses or outside normal operating hours.

  • Review the audit logs in 1Password to identify any unusual activity.

Mitigation Instructions:

  • Immediately revoke the compromised Connect API token from the 1Password administration console.

  • Generate a new Connect API token with appropriate permissions.

  • Update the token in all legitimate applications that require access.

  • Consider implementing more restrictive IP allow lists for the Connect Server.

  • Review and potentially reduce the scope of vaults and items accessible via the Connect API.

  • Implement additional monitoring for Connect API usage.

  • Consider rotating Connect API tokens on a regular schedule as a security best practice.