op-mcp
An MCP server that provides secure access to 1Password secrets and item management through the 1Password CLI. It enables MCP clients like Claude and Cursor to read, create, edit, and delete password vault items with biometric authentication handled by the 1Password desktop app.
README
op-mcp
MCP server that wraps the 1Password CLI
(op), exposing secret access and item management to MCP clients
(Cowork, Claude Code, Claude Desktop).
Architecture
MCP client (Cowork, Claude Code, Claude Desktop)
↓ stdio (MCP protocol)
op-mcp (this Python server)
↓ subprocess per tool call
op CLI (1Password CLI)
↓ biometric prompt (Touch ID) + 1Password desktop app
1Password vaults
The Python server is deliberately thin. Every tool handler shells out
to the op CLI and either parses JSON or returns the raw output. The
CLI handles biometric auth, session caching, and all vault access.
The Python side handles MCP protocol and argv construction.
This design is stateless by construction: each tool call spawns a
fresh CLI process. op caches its own session inside the 1Password
desktop app — we don't manage sessions, tokens, or credentials. See
docs/design-notes.md for the full rationale.
Prerequisites
- Python 3.11 or newer
- The
opCLI installed and on PATH. Install via Homebrew:brew install --cask 1password-cli(tested with v2.33.1). - The 1Password desktop app installed and CLI integration enabled: 1Password → Settings → Developer → ✓ "Integrate with 1Password CLI".
- Touch ID enabled for CLI authorization (same settings pane).
Install
uv tool install .
This creates an isolated venv and puts op-mcp on PATH. To upgrade
after code changes:
uv tool install --force .
--force overwrites the existing entry point and rebuilds from source.
(--reinstall re-downloads PyPI dependencies — not needed for a local
path install.)
Run
The server communicates over stdio, so it's normally launched by an MCP client rather than invoked by hand. For local smoke testing:
op-mcp
The server logs to stderr and waits for MCP protocol messages on stdin. Press Ctrl-C to exit.
Configure an MCP client
Claude Desktop: Settings → Connectors → Add → enter op-mcp
as the command. Or edit claude_desktop_config.json directly:
{
"mcpServers": {
"op": {
"command": "op-mcp"
}
}
}
Claude Code: Add to .mcp.json (project) or ~/.claude/mcp.json
(global) with the same shape.
Cowork: Add via Cowork's MCP server configuration.
Recommended permissions
Reads are safe to allow; writes should ask for confirmation.
{
"permissions": {
"allow": [
"mcp__op__op_ping",
"mcp__op__op_version",
"mcp__op__op_whoami",
"mcp__op__op_list_vaults",
"mcp__op__op_get_item",
"mcp__op__op_read_secret",
"mcp__op__op_list_items"
],
"ask": [
"mcp__op__op_create_item",
"mcp__op__op_edit_item",
"mcp__op__op_delete_item"
]
}
}
Development
uv sync --extra dev
make test # uv run pytest (fake `op` binary)
RUN_LIVE_OP_TESTS=1 uv run pytest -m live # live tests against real op CLI
make lint # ruff + pyright
make install-mcp # reinstall after code changes
Tests use a fake op binary (temporary shell scripts), so they
don't require the real CLI or 1Password access. Live tests (marked
@pytest.mark.live) run against the real CLI, trigger Touch ID,
and are skipped by default.
Tools
10 tools total: 3 infrastructure, 4 read, 3 write.
Infrastructure
| Tool | Description |
|---|---|
op_ping |
MCP server liveness check |
op_version |
op CLI binary version |
op_whoami |
Currently authenticated 1Password account |
Read tools
| Tool | Description |
|---|---|
op_list_vaults |
List all accessible vaults (names and IDs) |
op_get_item |
Get all fields of an item by name or ID |
op_read_secret |
Read a secret by op://vault/item/field reference |
op_list_items |
List items in a vault (or across all vaults) |
Write tools
| Tool | Description |
|---|---|
op_create_item |
Create a new item |
op_edit_item |
Edit an existing item |
op_delete_item |
Archive or permanently delete an item |
Out of scope (for now)
op signin/op signout— session management isop's job.op document/op vault— add when use cases emerge.op inject/op run— template injection and env-loading workflows are command-line conveniences without a clean MCP equivalent.- Service account tokens — this server assumes biometric desktop auth.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.