1Password
1Passwordsaas7 credentials
1Password User / Administrator Password
1password / user-or-admin-password
1Password users and administrators authenticate to 1Password accounts, admin consoles, CLI sign-in flows, browser extensions, and SSO/federated login flows with user-defined account passwords or identity-provider credentials.
Location
/signin, /sign-in, /admin1Password web sign-in, admin console, and identity-provider login contexts
~/.config/op/config, ~/.op/config, ~/.config/1Password/1Password.sqlite, ~/.config/1Password/logs/1Password_rCURRENT.logUnix-like 1Password CLI, desktop, account, and log files where sign-in context may appear
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %APPDATA%\1Password\1Password.sqlite, %LOCALAPPDATA%\1Password\logs\1Password_rCURRENT.logWindows 1Password CLI, desktop, account, and log files where sign-in context may appear
Enterprise identity provider stores, break-glass admin vaults, password managers, and SSO connector secrets
1Password application, CLI, audit, and support logs may contain sign-in context but should not contain raw account passwords
Notes
This block catalogs ordinary operational login locations and does not claim a static vendor default password.
1Password Account Secret Key
1password / account-secret-key
1Password account Secret Keys are user/account enrollment secrets with a stable A3-formatted value. Betterleaks detects these with the 1password-secret-key rule. Exposure may assist account compromise when combined with the account password and other sign-in factors.
Looks like
exampleA3-ABC123-ABCDEFGHIJK-ABCDE-ABCDE-ABCDEA3-ABC123-ABC123-ABCDE-ABCDE-ABCDE-ABCDELocation
~/.config/op/config, ~/.op/config, ~/.config/1Password/1Password.sqlite, ~/Downloads/1Password Emergency Kit.pdfUnix-like account configuration, local app data, CLI config, and Emergency Kit locations where account Secret Keys may appear
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %APPDATA%\1Password\1Password.sqlite, %USERPROFILE%\Downloads\1Password Emergency Kit.pdfWindows account configuration, local app data, CLI config, and Emergency Kit locations where account Secret Keys may appear
1Password Emergency Kit.pdf, Emergency Kit.pdfExported Emergency Kit, printed recovery artifacts, screenshots, or support attachments containing an A3 Secret Key
README.md, onboarding.md, runbook.md, secrets.txt, credentials.txtProject-local documentation or onboarding material that may accidentally include account Secret Keys
CLI debug output, support bundles, screenshots, and onboarding traces may accidentally expose an account Secret Key
Notes
Betterleaks applies a low-entropy filter to reduce false positives. A scanner should treat A3 Secret Key findings as sensitive only when the full grouped format is present.
1Password Service Account Token
1password / service-account-token
1Password service account tokens authorize non-interactive access to vaults through 1Password CLI and automation. Betterleaks detects these with the 1password-service-account-token rule and validates them using the 1Password Events API auth introspection endpoint.
Looks like
exampleops_eyJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALocation
OP_SERVICE_ACCOUNT_TOKENAuthorizationBearer token used by 1Password service-account-backed automation and validation requests
~/.config/op/config, ~/.op/configUnix-like 1Password CLI configuration files that may reference service account authentication
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\configWindows 1Password CLI configuration files that may reference service account authentication
.env, docker-compose.yml, docker-compose.yaml, values.yaml, terraform.tfvars, provider.tf, main.tf, Makefile, Taskfile.yml, JenkinsfileAutomation, container, Helm, Terraform, and CI/CD files that may contain OP_SERVICE_ACCOUNT_TOKEN
CI/CD variables, cloud secret managers, Kubernetes Secrets, Terraform variables, and automation vaults
Automation repositories, CI/CD definitions, scripts, examples, and application code that may embed or reference service account tokens
CLI debug logs, CI output, Terraform/provider logs, and exception traces may expose service account tokens
Notes
Betterleaks validates service account tokens via https://events.1password.com/api/v2/auth/introspect. Do not validate automatically unless the scanner's validation mode allows outbound token checks.
1Password Connect API Token
1password / connect-api-token
1Password Connect API tokens authorize clients to read or manage vault items through a 1Password Connect server. Tokens are commonly provided to CLI, SDK, Kubernetes, Terraform, and application integrations.
Location
OP_CONNECT_TOKENAuthorizationBearer token used for 1Password Connect API calls
~/.config/op/config, ~/.op/config, ~/.op/1password-credentials.jsonUnix-like 1Password Connect and CLI configuration files
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %USERPROFILE%\.op\1password-credentials.jsonWindows 1Password Connect and CLI configuration files
.env, docker-compose.yml, docker-compose.yaml, values.yaml, connect.json, 1password-credentials.json, provider.tf, main.tfProject, container, Helm, SDK, Terraform, and application files that may contain OP_CONNECT_TOKEN
Kubernetes Secrets, Docker secrets, CI/CD variables, cloud secret managers, and deployment vaults
Application, infrastructure-as-code, and CI/CD files that may embed 1Password Connect tokens
Connect server logs, client debug traces, SDK errors, and CI output may expose Connect tokens
Notes
OP_CONNECT_HOST is Connect server endpoint context and is intentionally not listed as a credential-value environment variable. 1Password Connect token formats may vary and are not modeled here with a stable product-specific regex.
1Password Connect Server Credentials File
1password / connect-server-credentials
1Password Connect Server uses a 1password-credentials.json file. Official Connect configuration documents OP_SESSION as the path to this file or the Base64-encoded contents of the credentials file, with a default path under ~/.op.
Location
OP_SESSIONFor 1Password Connect containers, OP_SESSION can contain the path to or Base64-encoded content of 1password-credentials.json
~/.op/1password-credentials.jsonOfficial default Connect credentials file path on Unix-like systems
%USERPROFILE%\.op\1password-credentials.jsonWindows home-relative equivalent for the Connect credentials file
1password-credentials.json, docker-compose.yml, docker-compose.yaml, values.yaml, deployment.yamlProject, container, Kubernetes, and Helm deployment files for 1Password Connect
Kubernetes Secrets, Docker secrets, CI/CD variables, cloud secret managers, and deployment vaults
Connect startup logs, container environment dumps, CI output, and deployment troubleshooting traces
Notes
OP_SESSION is overloaded: 1Password CLI docs describe it as a CLI session token, while Connect server docs describe it as credentials-file path or Base64 content. This block models the Connect-server credential-file usage.
1Password CLI Session Token
1password / cli-session-token
1Password CLI can use session environment variables for account sessions. These tokens are local authentication artifacts and should be treated as secrets when captured from shells, process environments, logs, or scripts.
Location
OP_SESSION~/.config/op/config, ~/.op/config, ~/.zshrc, ~/.bashrc, ~/.profile, .envUnix-like shell and 1Password CLI configuration files that may persist session-related environment variables
%USERPROFILE%\.config\op\config, %USERPROFILE%\.op\config, %USERPROFILE%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, %USERPROFILE%\.envWindows shell and 1Password CLI configuration files that may persist session-related environment variables
Shell history, CLI debug output, terminal transcripts, and CI output may expose session tokens
Notes
OP_ACCOUNT is contextual rather than secret material, so it is not listed as a credential-value environment location. Use account context near OP_SESSION or other 1Password token material during triage.
1Password SCIM / Integration Secret
1password / scim-or-integration-secret
1Password-related integrations can use SCIM bearer tokens, OAuth app secrets, webhook signing secrets, bot tokens, app install tokens, and third-party connector credentials alongside 1Password automation.
Location
Authorization, X-API-Key, X-Signature, X-Hub-Signature-256Authorization or webhook signature headers used by app integrations and provisioning clients
.env, docker-compose.yml, docker-compose.yaml, values.yaml, scim.env, scim.json, oauth.json, manifest.jsonProject-local OAuth, SCIM, webhook, and integration configuration files
SaaS app secret stores, CI/CD variables, cloud secret managers, password vaults, and enterprise integration vaults
Integration repos, webhooks, app backends, tests, examples, and CI/CD files
OAuth exchange logs, webhook logs, API debug traces, provisioning logs, SCIM bridge logs, and audit events
Notes
Generic names such as SCIM_TOKEN, WEBHOOK_SECRET, and CLIENT_SECRET were not listed as 1Password product-owned environment locations because they are not specific to 1Password. Keep those as generic scanner/context detections unless a concrete 1Password integration documents an exact variable name.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.