Skip to content

How to Fix 1Password CLI Token Issues

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix 1Password CLI Token Issues. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

The op command returns "You are not currently signed in" or "invalid token." The 1Password CLI session token is missing or expired.

The Wrong Way

op item list
# Error: You are not currently signed in.

Running CLI commands without an active session always fails.

The Right Way

Step 1: Create a service account token

# Log into 1Password web console
# Settings → Developer → Service Accounts
# Create a new service account
# Grant access to specific vaults
# Copy the token (starts with "op_")

Step 2: Authenticate with the token

# Set as environment variable:
export OP_SERVICE_ACCOUNT_TOKEN="op_xxxxxxxxxxxx"

# Or authenticate directly:
op signin --account myteam.1password.com
# This starts an interactive session (expires after 30 minutes)

Step 3: Use the token in CI/CD

# GitHub Actions example:
# In repository secrets:
# OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SA_TOKEN }}

# In workflow:
- name: Authenticate 1Password
  run: |
    export OP_SERVICE_ACCOUNT_TOKEN="${{ secrets.OP_SA_TOKEN }}"
    op run --no-masking -- op item get "Production DB" --fields password

Step 4: Refresh the session token

# For CLI session (not service account):
op signin --account myteam.1password.com --raw
# Copy the session token and set:
export OP_SESSION="token_here"
CLI authenticated — op item list returns 47 items, op read retrieves secrets, CI pipeline passes.

Prevention

  • Use service account tokens for automation — they do not expire.
  • Do not use personal 1Password sessions in CI/CD — service accounts have scoped permissions.
  • The token-based auth model mirrors Doda Browser's automation API — machine tokens with scoped permissions for CI/CD pipelines.

Common Mistakes with cli token

  1. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  2. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
  3. Using return to exit a function early instead of wrapping a pure value in the monad

These mistakes appear frequently in real-world 1PASSWORD code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### What is the difference between a CLI session and a service account token?

CLI sessions last 30 minutes and require interaction. Service account tokens are long-lived, non-interactive, and scoped to specific vaults. Use service accounts for automation; use CLI sessions for manual admin tasks.

How do I create a 1Password service account?

Log into your 1Password business account on the web → Settings → Developer → Service Accounts → "Create Service Account." Name it, select vault access, and copy the generated token. The token is shown only once.

Why does my 1Password CLI show "token is invalid"?

The token was revoked, expired, or belongs to a deleted service account. Service account tokens can be revoked from the 1Password web console. Generate a new token and update your environment variables or CI/CD secrets.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro