A woman taking notes in a paper notebook beside her open laptop at a sunny desk

Claude + 1Password: What the Integration Can (and Can't) Do in 2026

No — there’s no official Claude 1Password connector, and 1Password’s official MCP server is deliberately not a “read my passwords into chat” tool. 1Password ships a local Environments MCP server (beta) that lets MCP clients manage dev secret bundles and inject credentials into processes at runtime without exposing the secret values to the model — that’s the whole design goal. There’s no hosted 1Password MCP endpoint, and vault-item access from a chat only exists through unofficial community servers. Separately, 1Password and Anthropic announced an autofill partnership in March 2026 (Claude browser extension, Cowork, and Claude Code) — human-approved, with raw credentials never entering the model. And whatever route you take, it only works inside a conversation you start.

Here’s what actually exists, how to try it, where the limits bite, and what to use if you want 1Password-adjacent work that runs on its own.


What’s real: a secrets tool that keeps secrets out of the model

1Password’s design principle is that secrets never enter the LLM context. Its official MCP work reflects that:

  • 1Password Environments MCP Server (beta) — a local MCP server packaged with 1Password’s developer tooling. It lets an MCP client manage Environments (bundles of dev secrets) and inject them into processes at runtime, referencing values via op:// URIs that resolve at execution — the model never sees the raw secret. It was marketed hardest for OpenAI Codex (announced May 20, 2026) but it’s a standard MCP server usable from Claude Code or Claude Desktop. Available to business and personal accounts.
  • MCP Server for 1Password SaaS Manager (Trelica) — an official server (listed on AWS Marketplace) for SaaS-governance data, not vault items.

Community servers that DO expose vault items to an agent via a Service Account token exist — @takescake/1password-mcp, goodwokdev/op-mcp (wraps the op CLI), jon-the-dev/1password-mcp-server — but they’re unofficial, and they run against 1Password’s stated pattern. Vet any of them carefully before handing over a token.

Two facts that get misread as “Claude works with 1Password”:

  • The 1Password × Anthropic story is autofill with human approval (March 17, 2026 Unified Access launch) — Claude’s browser extension, Cowork, and Claude Code autofilling vault items with a person in the loop. It is not a connectors-directory listing, and whether the Claude-side integration is fully live may vary.
  • The well-known “Securing MCP servers with 1Password” blog post is about storing other MCPs’ credentials in 1Password — it is not a 1Password MCP server.

How to try the official server with Claude

This is a developer flow:

  1. Set up 1Password Environments in your developer tooling and define the secret bundle you want available.
  2. Run the Environments MCP server locally and add it to Claude Desktop or Claude Code as a local MCP server (custom MCP connectors require a paid Claude plan).
  3. Have Claude run a task that needs those secrets — they’re injected at runtime via op:// references, and the values never appear in the conversation.

Useful for letting a coding agent run commands that need credentials. Not a way to browse your vault in chat.


The limits that actually matter

Even working, the shape is “a secrets-injection helper,” not “an agent that runs.” Three limits define it:

  • By design, it won’t read your vault into chat. The official server injects credentials without exposing them. If you want an agent literally reading vault items, that’s community-server territory, against 1Password’s own guidance.
  • No triggers, no monitoring. MCP tools only run inside a conversation you start. There’s no “alert me when a shared vault changes” or “rotate this credential on a schedule.” Nothing fires on a 1Password event — you have to be there, prompting.
  • Laptop-bound. The server is local, so nothing runs while your machine is off. Even Claude Cowork’s scheduled tasks fire only “while your computer is awake and the Claude Desktop app is open.”

So Claude is great for “run this task with the right secrets injected” and not built for “watch our vaults and act when something changes.”


If you want 1Password-adjacent work that runs on its own: Carly

The moment you want something to happen around 1Password without you in the chat — flag when a sign-in looks risky, notify the right owner about item usage, kick off an offboarding checklist when someone leaves — you’ve crossed past what Claude’s local MCP server is for.

That’s where Carly fits. Carly is an AI executive assistant built to act on triggers, not just answer in a chat:

  • Fires on events, 24/7, in the cloud — polling the 1Password Events Reporting API (sign-in attempts, item usage, audit events on Business/Enterprise plans), Carly acts when something happens; your laptop doesn’t need to be awake.
  • Ties security signals to the rest of your stack — turn an audit event into a Slack alert, an email to the owner, or a ticket, in one flow.
  • Actually sends and updates — drafts and sends email (Gmail and Outlook) with attachments, files and labels, manages tasks, updates your CRM, and records meetings.
  • Builds the workflow for you — tell it “I’d like a system that emails security whenever a risky sign-in shows up in the 1Password audit log” in plain English; it interviews you, then builds it with you. No prompt engineering.

1Password’s programmatic surface is the CLI/SDKs with Service Accounts (self-serve tokens), a self-hosted Connect Server, and the Events Reporting API on business plans — so 1Password connects to Carly via your own token. Paste it on carlyassistant.com/integrations and Carly can do whatever that access allows, on the same secrets-stay-safe footing 1Password expects.

AI agents start at $35/month, and steps in a workflow that don’t use AI run free and unlimited. Carly connects to 200+ tools across 40+ categories — see integrations.


Claude vs Carly

Claude (1Password MCP)Carly
Inject secrets into a taskYes (local, beta)Yes (via Service Account)
Read vault items in chatNo (community servers only)Via scoped access
Read audit / item-usage eventsNoYes (Events API)
Acts on triggers / eventsNoYes
Alerts the owner on a risky sign-inNoYes
Works while laptop is closedNo (local server)Yes (cloud)
Sends email as part of the flowNo (Gmail draft-only)Yes (Gmail + Outlook)
PricingPro $20 / Max $100–$200AI agents from $35/mo

1Password’s MCP server is a secrets-injection tool for coding agents. Carly is a teammate that acts on security events as they land.


Frequently Asked Questions

Does Claude work with 1Password?

Not through a connector in Anthropic’s directory, and not the way people expect. 1Password’s official MCP server is a local, beta tool that injects dev secrets into a task without exposing their values to the model — by design, it won’t read your passwords into a chat. Reading vault items via MCP is only possible through unofficial community servers, which run counter to 1Password’s own guidance.

Isn’t 1Password partnering with Anthropic?

Yes — on autofill, not a connector. 1Password’s March 2026 Unified Access launch names Anthropic: 1Password will autofill vault items through the Claude browser extension, Cowork, and Claude Code, with a human approving and raw credentials never entering the model. That’s a human-in-the-loop autofill flow, not a data connector Claude reaches into.

Can Claude monitor my 1Password account and alert me automatically?

No. MCP tools respond inside a conversation you start — there are no event triggers, so Claude won’t watch your audit log or flag a risky sign-in on its own. For automatic, trigger-based work off the 1Password Events API, you need an agent platform like Carly.

How do I connect Claude to 1Password?

For secrets injection, run the Environments MCP server locally and add it to Claude Desktop or Claude Code as a local MCP server (paid Claude plan required); secrets resolve via op:// references at runtime. Programmatic access to 1Password more broadly uses the CLI/SDKs with Service Accounts or a self-hosted Connect Server, and the Events Reporting API on business plans.


More: Claude connectors · Claude + Okta · Claude + Supabase · Can Claude send emails · Claude vs Carly · Best AI agents for productivity

Ready to automate your busywork?

Carly schedules, researches, and briefs you—so you can focus on what matters.

See what people say

"Before Carly, I relied on a Calendly link, but the whole process felt impersonal and not very professional. Carly changed that by handling all the back-and-forth, so I'm no longer stuck in endless email threads trying to line up schedules.

Now Carly reaches out to candidates, shares my real-time availability, lets them pick a slot, then sends a Zoom link and drops it straight into my calendar. She sends reminders to both of us before each call, which has significantly reduced no-shows and last-minute confusion.

On top of scheduling, Carly acts like a full executive assistant, sending me my schedule the night before so I can prepare for each call. It reminds me of the old x.ai assistant, but Carly is noticeably smarter, faster, and better suited to my healthcare recruitment business."

Gus Ibrahim, Founder & Director, IHR