# 1Password

> Use credentials from your 1Password vaults for Agent Auth

Connect 1Password to automatically use credentials from your existing vaults with [Agent Auth](/auth/agent/overview). No need to manually create credentials in Kernel—1Password items are discovered by domain matching.

## How It Works

1. **Connect a service account** — Add your 1Password service account token in the dashboard
2. **Domain matching** — When Agent Auth needs credentials, it searches your connected vaults for items matching the target domain
3. **Automatic fill** — Credentials (including TOTP secrets) are used to complete authentication

<Note>
  Credentials are retrieved securely at authentication time. Values are never stored in Kernel—they remain in 1Password.
</Note>

## Setup

<Steps>
  <Step title="Create a 1Password Service Account">
    In 1Password, create a [service account](https://developer.1password.com/docs/service-accounts/) with access to the vaults containing your login credentials.

    Copy the service account token.
  </Step>

  <Step title="Connect in Kernel Dashboard">
    Go to **Agent Auth** in the Kernel dashboard, click the **settings icon**, then select **Integrations**. Click **Connect 1Password**.

    Paste your service account token. Kernel will validate the connection and show which vaults are accessible.
  </Step>

  <Step title="Use with Agent Auth">
    Start an auth invocation without specifying a `credential_id`. If 1Password has a matching item for the domain, it will be used automatically.

    <CodeGroup>
      ```typescript TypeScript theme={null}
      const agent = await kernel.agents.auth.create({
        domain: 'github.com',
        profile_name: 'my-github-profile',
        // No credential_name needed—1Password will provide credentials
      });

      const invocation = await kernel.agents.auth.invocations.create({
        auth_agent_id: agent.id,
      });
      // Credentials for github.com are automatically retrieved from 1Password
      ```

      ```python Python theme={null}
      agent = await kernel.agents.auth.create(
          domain="github.com",
          profile_name="my-github-profile",
          # No credential_name needed—1Password will provide credentials
      )

      invocation = await kernel.agents.auth.invocations.create(
          auth_agent_id=agent.id,
      )
      # Credentials for github.com are automatically retrieved from 1Password
      ```
    </CodeGroup>
  </Step>
</Steps>

## Domain Matching

1Password items are matched by their website/URL field:

| 1Password Item URL         | Matches Domain                       |
| -------------------------- | ------------------------------------ |
| `github.com`               | `github.com`                         |
| `https://github.com/login` | `github.com`                         |
| `*.example.com`            | `app.example.com`, `api.example.com` |

If multiple items match a domain, the first match is used. Organize your vaults to ensure the correct credentials are selected.
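
The sketch below is an added example, not Kernel's matching code: it audits an item inventory for domains where more than one 1Password item would match, so the "first match" rule never has to decide. It assumes the rules are exactly those in the table, that a wildcard does not cover the apex domain, and that item URLs have been exported as `(vault, title, url)` tuples; the inventory and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed inventory: (vault, item title, website/URL field).
ITEMS = [
    ("Automation", "GitHub bot", "https://github.com/login"),
    ("Shared", "GitHub personal", "github.com"),
    ("Automation", "Example wildcard", "*.example.com"),
    ("Automation", "Example API", "https://api.example.com/v1"),
    ("Automation", "Lookalike", "notexample.com"),
]


def item_host(url_field):
    """Reduce a website/URL field to a lowercase host or wildcard pattern."""
    value = url_field.strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit parse a bare host as the netloc
    return urlsplit(value).hostname or ""


def matches(url_field, domain):
    """Apply the three rules from the table to one item and one target domain."""
    host = item_host(url_field)
    domain = domain.strip().lower().rstrip(".")
    if host.startswith("*."):
        suffix = host[1:]  # ".example.com"
        # Assumption: a wildcard covers subdomains only, not the apex domain.
        return domain.endswith(suffix) and len(domain) > len(suffix)
    return bool(host) and host == domain


def ambiguous_domains(items, domains):
    """Return {domain: ["vault/title", ...]} for domains matched by 2+ items."""
    findings = {}
    for domain in domains:
        hits = [f"{vault}/{title}" for vault, title, url in items
                if matches(url, domain)]
        if len(hits) > 1:
            findings[domain] = hits
    return findings


if __name__ == "__main__":
    targets = ["github.com", "app.example.com", "api.example.com"]
    for domain, hits in ambiguous_domains(ITEMS, targets).items():
        print(f"{domain}: {len(hits)} candidate items -> {', '.join(hits)}")
```

Any domain the audit reports should be resolved by narrowing the service account's vault access or by passing an explicit `credential_name` or `credential_id`, since the page does not state how "first" is ordered.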

## TOTP Support

If your 1Password item has a one-time password (TOTP) field configured, it will be used automatically for 2FA—no additional setup needed.

## Priority

When both Kernel credentials and 1Password are available for a domain:

1. **Explicit credential** — If `credential_name` or `credential_id` is specified, that credential is used
2. **1Password** — If no explicit credential, 1Password is searched
3. **Request input** — If no credentials found, the auth agent waits for input

## Security

| Feature                   | Description                                            |
| ------------------------- | ------------------------------------------------------ |
| **Token encrypted**       | Service account token encrypted with per-org keys      |
| **No credential storage** | Credentials stay in 1Password, retrieved at auth time  |
| **Vault access control**  | Limit access via 1Password service account permissions |
| **Audit trail**           | 1Password logs all credential access                   |
