1Password Connect Server Token
Service Name: 1Password Connect
Service Description: 1Password Connect is an API service that allows applications to securely access and manage secrets stored in 1Password vaults. It provides a way for applications to retrieve credentials and other sensitive information without human intervention.
Service Address: https://1password.com/connect/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the Connect Server level to limit which IP addresses can access the Connect API.
Secret Access Scope: Grants programmatic access to secrets stored in specified 1Password vaults through the Connect API. The scope depends on the permissions assigned to the token.
Secret Revokement URL: https://support.1password.com/connect-api-reference/#authentication
Secret Example: eyJhbGciOiJFUzI1NiIsImtpZCI6InNlcnZlci0xMjM0NTY3OCJ9.eyJhdWQiOlsiY29tLjFwYXNzd29yZC5jb25uZWN0Il0sImV4cCI6MTY0MDk5NTIwMCwiaWF0IjoxNjA5NDU5MjAwLCJpc3MiOiJjb20uMXBhc3N3b3JkLmIyYiIsImp0aSI6ImFiY2RlZjEyMzQ1Njc4OTAiLCJzdWIiOiJzZXJ2ZXItMTIzNDU2NzgifQ.EXAMPLE_SIGNATURE
Suspicious Activity Investigation Instructions:
-
Review 1Password Connect Server logs for unusual API access patterns or unauthorized vault access.
-
Check for unexpected API calls or access to vaults that shouldn't be accessed by the application.
-
Monitor for increased frequency of API calls that might indicate credential harvesting.
-
Verify if the token is being used from unexpected IP addresses or outside normal operating hours.
-
Review the audit logs in 1Password to identify any unusual activity.
Mitigation Instructions:
-
Immediately revoke the compromised Connect API token from the 1Password administration console.
-
Generate a new Connect API token with appropriate permissions.
-
Update the token in all legitimate applications that require access.
-
Consider implementing more restrictive IP allow lists for the Connect Server.
-
Review and potentially reduce the scope of vaults and items accessible via the Connect API.
-
Implement additional monitoring for Connect API usage.
-
Consider rotating Connect API tokens on a regular schedule as a security best practice.