Do secrets appear in chat?

No. The model sees op://Vault/Item/field — the MCP resolves it at call time and substitutes the cleartext only inside the outbound tool invocation. The conversation history stays clean.

Service account vs personal token?

Service accounts. The MCP is meant to be a non-human identity with scoped vault access. Personal tokens are explicitly discouraged for this use case.

Can I scope to one vault?

Yes — the service account itself is scoped. Create one service account per use case, grant it access to only the vaults it needs, and rotate on the same cadence as any other credential.

Does it work with 1Password Connect (self-hosted)?

Yes. Set OP_CONNECT_HOST + OP_CONNECT_TOKEN instead of the service-account token to route through a self-hosted Connect server.

1Password

Name: Top MCPs — curated MCP directory
Creator: Top MCPs
License: https://creativecommons.org/licenses/by/4.0/

Official

Inject 1Password secrets into an AI agent's tool calls without exposing them in chat.

Score 64(?)Community (takescake)MITVerified May 31, 2026Top MCPs for Security →

Install View on GitHub

Quick answer

What it does

Resolves 1Password secret references at MCP tool-call time so cleartext credentials never enter the conversation context.

Best for

Reference-only secret injection
Multi-credential workflows
Team-shared vaults for AI tools
Audit trails on agent secret use

Not for

Workflows with one local API key in env
Cases where the downstream tool cannot accept a runtime-resolved secret

Setup recipe

Pick your client, then follow the three steps.

Install

claude_desktop_config.jsonjson

{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}

Paste under mcpServers. Fully quit and reopen Claude after editing.

CLI or .mcp.jsonshell

# export OP_SERVICE_ACCOUNT_TOKEN=ops_eyJ...
claude mcp add 1password -- npx -y @takescake/1password-mcp

Run from your repo. Commit .mcp.json to share with your team.

.cursor/mcp.jsonjson

{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}

Global path: ~/.cursor/mcp.json. Reload window after editing.

.vscode/mcp.jsonjsonc

{
  "servers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}

VS Code uses the "servers" key (not "mcpServers").

~/.codeium/windsurf/mcp_config.jsonjson

{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}

Open via Cascade → hammer icon → Configure.

cline_mcp_settings.jsonjson

{
  "mcpServers": {
    "1password": {
      "command": "npx",
      "args": [
        "-y",
        "@takescake/1password-mcp"
      ],
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}

Open via the Cline sidebar → MCP Servers → Edit.

~/.continue/config.jsonjson

{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "npx",
          "args": [
            "-y",
            "@takescake/1password-mcp"
          ],
          "env": {
            "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
          }
        }
      }
    ]
  }
}

Continue uses modelContextProtocolServers with a transport block.

~/.codex/config.tomlshell

# ~/.codex/config.toml
[mcp_servers.1password]
command = "npx"
args = [
  "-y",
  "@takescake/1password-mcp",
]
env = { OP_SERVICE_ACCOUNT_TOKEN = "${OP_SERVICE_ACCOUNT_TOKEN}" }

Codex uses TOML. Each server is a [mcp_servers.<name>] subtable.

~/.config/zed/settings.jsonjsonc

{
  "context_servers": {
    "1password": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "@takescake/1password-mcp"
        ]
      },
      "env": {
        "OP_SERVICE_ACCOUNT_TOKEN": "${OP_SERVICE_ACCOUNT_TOKEN}"
      }
    }
  }
}

Zed calls them "context_servers". Settings live-reload on save.

ChatGPT → Apps directorynone

1Password doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build.

2
Set required secrets
Set OP_SERVICE_ACCOUNT_TOKEN in your shell environment before launching your MCP client.
3
Try a minimum working prompt
Minimum working prompt pending verification. Try any prompt from the MCP’s README once installed.

Tools & permissions

Tool	Description	Args	Side effects
`resolve_reference`	Resolve an op:// reference and return the cleartext to the calling tool only (never to the model).	reference: string	Read
`list_items`	List items in a vault (metadata only — no secret values).	vault: string	Read

Security & scope

Access scope: Read-only
Sandbox: 1Password service-account token. Scoped to specific vaults at the 1Password side. The MCP itself never persists cleartext — every resolution happens inline at tool-call time.
Gotchas: The service-account token IS a secret. Store it in the OS credential store, not in a config file.
Resolve-only — there is no write tool to create or update items. Use the 1Password app or CLI for that.
Audit logs are at the 1Password side. Pair the MCP with a periodic review of service-account access events.

Agent prompt pack

— copy into Claude, Cursor, or ChatGPT.

Paste into Claude, Cursor, or ChatGPT. Edit the [brackets] before sending.

Recommend the best MCP servers for [task: e.g. security work] in [client: Claude].

Constraints:
- Prefer tools that are [official | open-source | read-only] — pick what matters for my use case.
- Exclude MCPs that require [e.g. a paid plan, OAuth-only flows, remote-only transport].
- Return at most 3 picks, ranked.

For each pick include:
1. One-sentence rationale.
2. The ready-to-paste install snippet for my client.
3. Any required secrets I need to create before installing.

Cross-check the top-mcps.com listing: https://top-mcps.com/top-mcps-for-security

Compare 1Password against a real alternative. Swap the second MCP in [brackets] if you want a different match.

Compare 1Password MCP vs [HashiCorp Vault MCP] for the following job: [describe the job, e.g. "let an agent create GitHub issues on bug triage"].

Judge them on:
- Setup time and complexity (what a new user hits first).
- Auth model (none / API key / OAuth 2.1) and credential risk.
- Transport (stdio / Streamable HTTP / SSE) and where the server runs.
- Required secrets and the blast radius if they leak.
- Operational risk in an unattended agent loop.
- Which one is "good enough" for a weekend prototype vs. production.

End with one sentence: which should I pick for my scenario, which is: [my scenario].

References:
- https://top-mcps.com/mcp/1password
- top-mcps.com listing for HashiCorp Vault

Asks the agent to install and verify. Works inside Claude Code, Cursor Agent, Codex CLI.

Install the 1Password MCP server for my [client: Claude] at the default config path for that client.

Use the exact install snippet published at https://top-mcps.com/mcp/1password (fetch https://top-mcps.com/mcp/1password.json for the canonical server.json if you can read URLs).

Before finishing:
1. Create the required secrets (OP_SERVICE_ACCOUNT_TOKEN) and put them in the appropriate env block — do not hard-code them.
2. Restart or reload the client so it picks up the new server.
3. Verify the server is connected (green / running state) and at least one tool is listed.
4. If anything fails, read the client's MCP logs and report the exact error — do not silently retry.

Confirm when done and list the tools the server now exposes.

Frequently asked questions

What changed

— 2 updates tracked.

May 31, 2026
Refreshed install snippets and fact sheet; verified for 2026.
Apr 8, 2025
Initial directory listing.

More Security MCPs

Other tools in the same category worth evaluating.

Sentry

Official

Triage errors, inspect traces, and query events from Sentry.

sentryerrorsmonitoringobservability

3 minLow

Cloudflare

Official

Manage Workers, R2 buckets, DNS, and edge policies on Cloudflare.

cloudflareedgeworkersdns

10 minMedium

HashiCorp Vault

Read dynamic and static secrets from HashiCorp Vault inside agent workflows.

securitysecretsvaulthashicorp

15 minMedium

Compared with 1Password

Side-by-side breakdowns for the choices people most often weigh against this MCP.

1PasswordvsHashiCorp Vault 1PasswordvsDoppler 1PasswordvsSemgrep 1PasswordvsAWS

Exploring Top MCPs for Security? See all Security MCPs →

Quick answer

What it does

Best for

Not for

Setup recipe

Install

Set required secrets

Try a minimum working prompt

Tools & permissions

Security & scope

Agent prompt pack

Full details

Frequently asked questions

Do secrets appear in chat?

Service account vs personal token?

Can I scope to one vault?

Does it work with 1Password Connect (self-hosted)?

What changed

More Security MCPs

Sentry

Cloudflare

HashiCorp Vault

Compared with 1Password