1Password MCP Server for AI Agents

Production-ready 1Password MCP server with 23 extensible actions — plus built-in authentication, security, and optimized execution.

Built by StackOne

Coverage

23 Agent Actions

Create, read, update, and delete across 1Password — and extend your agent's capabilities with custom actions.

Authentication

Agent Tool Authentication

Per-user OAuth in one call. Your 1Password MCP server gets session-scoped tokens with zero credentials stored on your infra.

Security

Agent Protection

Every 1Password tool response scanned for prompt injection in milliseconds — 88.7% accuracy, all running on CPU.

Performance

Max Agent Context. Min Cost.

Free up to 96% of your agent's context window to enhance reasoning and reduce cost, on every 1Password call.

What is the 1Password MCP Server?

A 1Password MCP server lets AI agents read and write 1Password data through the Model Context Protocol — Anthropic's open standard for connecting LLMs to external tools. StackOne's 1Password MCP server ships with 23 pre-built actions, fully extensible via the Connector Builder — plus managed authentication, prompt injection defense, and optimized agent context. Connect it from MCP clients like Claude Desktop, Claude Code, Cursor, Goose, and VS Code, or from agent frameworks like OpenAI Agents SDK, LangChain, and Vercel AI SDK.

All 1Password MCP Tools and Actions

Every action from 1Password's API, ready for your agent. Create, read, update, and delete — scoped to exactly what you need.

Items

  • Create Item

    Create a new item in a vault

  • List Items

    Retrieve all items within a specific vault

  • Get Item

    Retrieve detailed information about a specific item

  • Delete Item

    Delete an item from a vault

Vaults

  • List Vaults

    Retrieve all vaults accessible by the Connect server

  • Get Vault

    Retrieve detailed information about a specific vault

Other (17)

  • List API Activity

    Retrieve API request activity logs from the Connect server

  • List Files

    Retrieve all files attached to an item

  • Get File Details

    Retrieve metadata and optionally content of a specific file

  • Download File Content

    Download the binary content of a file

  • Get Heartbeat

    Check if the Connect server is alive and responsive

  • Get Server Health

    Retrieve Connect server health status and dependencies

  • Get Prometheus Metrics

    Retrieve Prometheus metrics from the Connect server

  • Get IAM Credentials (1Password SCIM)

    Return connection identity for the current 1Password SCIM bridge integration. The SCIM bridge token is a service-level credential with no named user identity — name is derived from the configured SCIM bridge URL. auth_type is "service_user". Uses the SCIM bearer token and URL.

  • List IAM Groups (1Password SCIM)

    List all groups in the 1Password account via the SCIM bridge, mapped to the IAM unified group schema. Each entry surfaces the group's stable SCIM id and display name. User membership is not mapped in this action — use unified_list_resource_users with resource_type=group. Uses the SCIM bearer token and URL (not the Connect Server credentials).

  • Get IAM Group (1Password SCIM)

    Retrieve a single 1Password group by SCIM ID via the SCIM bridge, mapped to the IAM unified group schema. Returns group name, type, and timestamps. User membership is not mapped — use unified_list_resource_users with resource_type=group. Uses the SCIM bearer token and URL (not the Connect Server credentials).

  • List Resource Users — 1Password Group Members

    List the users who are members of a specific 1Password group. Pass resource_type="group" and resource_id=<SCIM group id>. Returns group members from the SCIM group endpoint; status and email may be unavailable as the members array only includes id and display name. resource_id must be the raw SCIM group ID (remote_id from unified_list_groups), not the StackOne-encoded id.

  • List IAM Resource Types (1Password)

    Return the static list of resource types supported for unified_list_resource_users on this connector. Only "group" is supported — 1Password groups are the access control unit with user membership lists in SCIM.

  • List IAM Roles (1Password Synthesized)

    Return the four stable 1Password IAM roles (owner / administrator / member / guest) synthesized from 1Password's documented role model. 1Password has no native roles API — the role set is static, closed, and matches role IDs used for cross-action referencing. Uses the SCIM bearer token for the auth probe.

  • Get IAM Role (1Password Synthesized)

    Retrieve a single synthesized 1Password IAM role by id (owner, administrator, member, or guest). Returns role name, description, type, and scope. No upstream API call is made for the role data itself — the role catalog is static.

  • List IAM Users (1Password SCIM)

    List all users in the 1Password account via the SCIM bridge, mapped to the StackOne IAM unified user schema. Returns identity, status (enabled/disabled), email, and name fields. Uses 1Password SCIM Bridge at /scim/Users with the SCIM bearer token and URL (not the Connect Server credentials).

  • Get IAM User (1Password SCIM)

    Retrieve a single 1Password user by their SCIM ID via the SCIM bridge, mapped to the IAM unified user schema. Groups are always included when the user belongs to groups — the SCIM user record includes groups[] unconditionally. Uses the SCIM bearer token and URL (not the Connect Server credentials).

  • Replace Item

    Replace an existing item with new data

Set Up Your 1Password MCP Server in Minutes

One endpoint. Any framework. Your agent is talking to 1Password in under 10 lines of code.

Claude Desktop
{
  "mcpServers": {
    "stackone": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://api.stackone.com/mcp?x-account-id=<account_id>",
        "--header",
        "Authorization: Basic <YOUR_BASE64_TOKEN>"
      ]
    }
  }
}
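
An added example, not StackOne's code: a small audit of the Claude Desktop entry above that flags what a reviewer would check before deploying it. `@latest` is a moving tag, so the code that runs is whatever the registry serves under it; `-y` installs without a prompt; and the Authorization header sits in the config file as a literal argument. The rule names, the treatment of `${VAR}` as a non-literal value, and the sample are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the Claude Desktop entry from this page, placeholders kept.
SAMPLE_CONFIG = """
{"mcpServers": {"stackone": {"command": "npx", "args": [
  "-y", "mcp-remote@latest",
  "https://api.stackone.com/mcp?x-account-id=<account_id>",
  "--header", "Authorization: Basic <YOUR_BASE64_TOKEN>"]}}}
"""

PINNED = re.compile(r"^(@[^/]+/)?[^@/]+@\d+\.\d+\.\d+$")  # name@1.2.3 or @scope/name@1.2.3
AUTH_HEADER = re.compile(r"^authorization\s*:\s*\S+", re.IGNORECASE)
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")  # assumption: ${VAR} is filled in at launch


def audit_server(name, entry):
    """Return (server, rule, detail) tuples for one mcpServers entry."""
    findings = []
    args = entry.get("args", [])
    if entry.get("command") == "npx":
        # Heuristic: the first non-flag argument is the package npx fetches and runs.
        pkg = next((a for a in args if not a.startswith("-")), None)
        if pkg and not PINNED.match(pkg):
            findings.append((name, "unpinned-package", pkg))
        if "-y" in args or "--yes" in args:
            findings.append((name, "auto-install", "npx installs without prompting"))
    for i, arg in enumerate(args):
        if arg == "--header" and i + 1 < len(args):
            value = args[i + 1]
            if AUTH_HEADER.match(value) and not ENV_REF.search(value):
                # Report the header name only, never the credential itself.
                findings.append((name, "inline-credential", value.split(":")[0]))
        if arg.startswith("http://"):
            findings.append((name, "cleartext-endpoint", arg))
    return findings


def audit_config(text):
    """Audit every server in a Claude Desktop style config given as JSON text."""
    servers = json.loads(text).get("mcpServers", {})
    return [f for name, entry in servers.items() for f in audit_server(name, entry)]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```
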

1Password MCP Server FAQ

1Password MCP server vs direct API integration — what's the difference?

A 1Password MCP server and direct API integration serve different use cases. Direct API integration is for software-to-software — backend code calling 1Password. A 1Password MCP server is for AI agents — MCP clients like Claude and Cursor, plus framework agents built with OpenAI, LangChain, or Vercel AI — discovering and calling 1Password at runtime. StackOne provides both.

How does 1Password authentication work for AI agents?

1Password authentication for AI agents works through a StackOne Connect Session. Create one via the dashboard or the SDK — you get an auth link and ready-to-paste config for Claude Desktop, Cursor, and other MCP clients. Your user authenticates their own 1Password account; StackOne handles token exchange, storage, and refresh. Credentials never reach the LLM, and each user is isolated via origin_owner_id.

Are 1Password MCP tools vulnerable to prompt injection?

Yes — 1Password MCP tools can be vulnerable to indirect prompt injection. Any tool that reads user-written content — documents, messages, tickets, records, or free-text fields — is a potential vector. StackOne Defender scans every tool response before it enters the agent's context — regex patterns in ~1ms, then a MiniLM classifier in ~4ms. 88.7% accuracy, CPU-only.

What is the context bloat of a 1Password agent and how do I avoid it?

Context bloat happens when 1Password tool schemas and API responses eat your 1Password agent's memory, preventing it from reasoning effectively. A single 1Password query can return a massive JSON response, and connecting multiple tools compounds the problem. Tools Discovery and Code Mode reduce context bloat — loading only relevant tools per query and keeping raw responses out of the agent's context.

Can I limit which actions my 1Password agent can access?

Yes — you can limit which actions your 1Password agent can access directly from the StackOne dashboard. Toggle actions on or off, or restrict them to specific accounts, with no code changes to your agent. Session tokens can be scoped to exact actions so if one leaks, exposure stays contained.

Can I create custom agent actions for my 1Password MCP server?

Yes — you can create custom agent actions for your 1Password MCP server using Connector Builder. It's an integration agent your coding assistant (Claude Code, Cursor, or Copilot) can invoke to research 1Password's API, generate production-ready connector YAML, test against the live API, and validate before you ship.

When should I NOT use a 1Password MCP server?

Skip a 1Password MCP server if your integration is purely software-to-software — direct 1Password API integration is simpler when no AI agent is involved. For deterministic, compliance-critical operations (financial transactions, regulatory reporting), direct API gives you predictable behavior without agent-driven decision-making. MCP shines when AI agents need to dynamically discover and call 1Password actions at runtime.

What AI frameworks and AI clients does the StackOne 1Password MCP server support?

The StackOne 1Password MCP server supports both. MCP clients (paste-and-go apps): Claude Desktop, Claude Code, Cursor, VS Code, Goose. Agent frameworks (code SDKs you build with): OpenAI Agents SDK, Anthropic, Vercel AI, Google ADK, CrewAI, Pydantic AI, LangChain, LangGraph, Azure AI Foundry.
