1Password Connector
Use 1Password as the source of truth while keeping Cuitty Safe references stable.
1Password Connector
The 1Password connector is a pass-through provider. Cuitty Safe stores the Safe index and mapping metadata; 1Password stores the secret value.
Mapping model
acme/dev/database-url -> op://Development/Database/url
The Cuitty reference remains account/safe/secret. Vault names, item titles, field names, and stable 1Password object IDs belong in connector metadata.
Auth modes
| Mode | Use case |
|---|---|
| Desktop app | Local development and desktop UI flows with human approval |
| Service account | CI/CD, headless workers, and automation with scoped vault access |
| 1Password Connect | Self-hosted deployments that already run Connect and want cached private REST access |
Service account auth should load from OP_SERVICE_ACCOUNT_TOKEN unless configured otherwise. Do not ask users to paste a 1Password account password into Cuitty Safe.
Setup sketch
cuitty-safe connector 1password login --account acme
cuitty-safe connector 1password map acme/dev/database-url --op-ref op://Development/Database/url
cuitty-safe connector 1password map acme/ci/github-token --op-ref op://CI/GitHub/token
cuitty-safe connector 1password test --scope acme/dev
The op://... examples above are references, not values.
Least privilege
- Grant service accounts access only to required vaults and fields.
- Prefer read-only permission for CI jobs that only resolve values.
- Store stable object IDs when available and keep display names for UI fallback.
- Cache metadata, not secret values. Secret value TTL defaults to
0. - Emit metadata-only audit events for reads, writes, and auth-required states.
Marketplace status
The first milestone is a product connector. A 1Password Marketplace listing is a separate partner-readiness track with its own review, docs, support link, logo, and security checklist.