1Password in the shell
I’ve been digging into 1Password’s command-line client, op, lately. Back in the day, I’d keep private shell configuration files that exported API tokens into my shell as needed. This wasn’t a great situation. First, it was a security risk — if someone got access to my Macs, or if malicious code started scanning my environment, those tokens were there for the taking. Second, it made managing tokens and tracking their provenance hard.
But now, by prefixing my shell commands with op run, I can run those commands with exactly the credentials they need, stored and managed in 1Password.
Securing access for GitHub MCP
Today, I was trying out the GitHub MCP server in VS Code. The server needs a GitHub Personal Access Token, which is passed into the server’s container through an environment variable. This is my VS Code configuration, which sources the Personal Access Token from a field called GitHub MCP in my GitHub item in 1Password:
"mcp": {
  "servers": {
    "github": {
      "command": "op",
      "args": [
        "--account",
        "my.1password.com",
        "run",
        "--",
        "docker",
        "run",
        "-i",
        "--rm",
        "-e",
        "GITHUB_PERSONAL_ACCESS_TOKEN",
        "ghcr.io/github/github-mcp-server"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "op://Private/GitHub/GitHub MCP"
      }
    }
  }
}
Using .env files
In our software repos, I’ve also started leaving .env files that reference passwords in our team’s vaults. Here’s an example from our Kubernetes deployment repository. With those .env files, which are shareable on GitHub because they only reference secrets rather than containing them, we can streamline commands that need secrets, like:
op run --env-file="op/idfprod.env" -- phalanx secrets audit idfprod
These sorts of .env files are also helpful for pointing local development servers at real credentials, as for the Ook application. Now I can spin up an Ook service for local development using secrets like this:
op run --env-file="./square.env" -- nox -s run
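The reason these .env files are safe to commit is that every value is an op:// reference, not a secret. A small check that enforces that before a commit (or before calling op run) follows; it is an added example, not code from the post or from 1Password, and it assumes the op://vault/item/field reference format shown above. The function and file names are mine.

```shell
#!/bin/sh
# Added example: verify that a 1Password .env file contains only op://
# secret references (KEY=op://vault/item/field), so it is safe to share.

# Returns 0 if every non-blank, non-comment line is KEY=op://vault/item/field,
# otherwise prints the offending keys to stderr and returns 1.
check_env_references() {
  file="$1"
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;            # blank line or comment
    esac
    key="${line%%=*}"
    value="${line#*=}"
    # A line without '=' leaves key == value == line; treat it as malformed.
    case "$key" in
      ''|*[!A-Za-z0-9_]*)
        printf 'malformed line in %s: %s\n' "$file" "$line" >&2
        status=1; continue ;;
    esac
    # Strip optional surrounding double quotes around the value.
    value="${value#\"}"; value="${value%\"}"
    case "$value" in
      op://*/*/*) ;;                  # vault/item/field reference: fine
      *) printf 'literal or malformed value for %s in %s\n' "$key" "$file" >&2
         status=1 ;;
    esac
  done < "$file"
  return "$status"
}

# Wrapper around the post's command: only hand the file to op run once it
# passes the check. Usage: run_with_env ./square.env nox -s run
run_with_env() {
  envfile="$1"; shift
  check_env_references "$envfile" || return 1
  op run --env-file="$envfile" -- "$@"
}
```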
1Password is still worth it for me
For over a year, there’s been a lot of talk in the Apple community about dropping 1Password in favour of Keychain, especially now that Apple has spun it out into its own app. And for a lot of people, that’s probably the best choice. However, for a developer, 1Password’s CLI can make life much easier and more secure. Besides secret insertion in the environment, I also use 1Password’s SSH agent for things like signing my Git commits and authenticating with GitHub.