MENU
      Contents x
      1Password
      • 12 Jun 2025
      • 2 Minutes to read
      • Print
      • Dark
      Contents

      1Password

      • Updated on 12 Jun 2025
      • 2 Minutes to read
      • Print
      • Dark
      Article summary

      1Password provides an events API to fetch audit logs. Events can be ingested directly via a cloud-to-cloud or CLI Adapter.

      See 1Password's official API documentation here.

      1Password telemetry can be addressed via the 1password platform.

      Adapter Deployment

      1Password events can be collected directly from the 1Password API, via a cloud-to-cloud Adapter, or via the CLI Adapter. 1Password adapters require the following options:

      • token: the API token provisioned through 1password.

      • endpoint: the API endpoint to use, depending on your 1password plan, see their documentation below.

      You can generate an access token from 1Password at this link.

      Cloud-to-Cloud Adapter

      LimaCharlie offers a 1Password guided configuration in the web UI. From your 1Password instance, you will need:

      • 1Password API Access Token

      • Endpoint; one of the following:

        • 1Password.com (Business)

        • 1Password.com (Enterprise)

        • 1Password.ca

        • 1Password.eu

      After providing an Installation Key, provide the required values and LimaCharlie will establish a Cloud Adapter for 1Password events

      Infrastructure as Code Deployment

      LimaCharlie IaC Adapter can also be used to ingest Slack events.

      # 1Password Specific Docs: https://docs.limacharlie.io/docs/adapter-types-1password

sensor_type: "1password"
"1password":
  # Ingests 1Password audit events.
  token: "YOUR_1PASSWORD_API_TOKEN" # (required) the API token provisioned through 1password.
  endpoint: "https://events.1password.com" # (optional) the API endpoint to use, default is usually fine. Check 1Password docs for your plan.
  client_options:
    identity:
      oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required)
      installation_key: "YOUR_LC_INSTALLATION_KEY_1PASSWORD" # (required)
    hostname: "1password-audit-adapter.example.com" # (required)
    platform: "saas_api" # (required) Represents the source system.
    architecture: null # (optional) Not applicable for SaaS.
    mapping:
      # 1Password events are typically JSON. parsing_re likely null.
      parsing_re: null
      sensor_key_path: "session.uuid" # (optional) Example path for a unique identifier in 1Password events.
      sensor_hostname_path: null # (optional) Hostname is static.
      event_type_path: "1PASSWORD_AUDIT_{{ .event_type | token | upper }}" # (optional) e.g., 1PASSWORD_AUDIT_ITEM_VIEWED
      event_time_path: "timestamp" # (optional) Path to the event timestamp.
      investigation_id_path: "signin_attempt.uuid" # (optional)
      transform:
        "+service_name": "1Password"
        "+user_email": "{{ .user.email }}"
      drop_fields:
      - "details.app.name" # Example: if too verbose
    # mappings: null
    indexing:
      enabled: true
      default_index: "1password-audit-{{ .identity.oid | substr 0 8 }}"
    is_compressed: false # (optional) API responses are typically not compressed here.
    sensor_seed_key: "SEED_KEY_1PASSWORD_ADAPTER_001" # (required)
    dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
      YAML

      Was this article helpful?
      Related articles
      What's Next