Support 1Password op:// secret references in settings.json env section
Open 💬 12 comments Opened Feb 6, 2026 by ei-grad
Feature Request
Support op:// secret references in the env section of settings.json (and .claude/settings.json), so that API keys and other secrets can be resolved from 1Password at startup without wrapper scripts.
Desired behavior
{
"env": {
"ANTHROPIC_API_KEY": "op://Private/Claude API Key/credential"
}
}
Claude Code would detect op:// prefixed values and resolve them via op read (1Password CLI) before use.
Current workarounds
apiKeyHelperscript that callsop read— works forANTHROPIC_API_KEYonly, not for arbitrary env vars (e.g., MCP server tokens).op run -- claudewrapper — works but requires a separate.envfile and remembering to always launch Claude Code through the wrapper.
Why this would be useful
- 1Password CLI (
op) is widely adopted for secret management in developer workflows - Many tools already support
op://references natively (e.g., Docker, various CI systems) - It would allow secure, declarative secret injection for both API keys and MCP server environment variables without wrapper scripts
- The
envsection in settings.json is the natural place to configure this
Implementation notes
- Only resolve
op://references ifopCLI is available in$PATH - Could generalize to a pluggable secret resolution mechanism (e.g.,
aws-secretsmanager://,vault://) in the future - Should fail with a clear error message if
opis not installed or not authenticated
---
This issue was generated with Claude Code
This issue has 12 comments on GitHub. Read the full discussion on GitHub ↗