Support 1Password op:// secret references in settings.json env section

Open 💬 12 comments Opened Feb 6, 2026 by ei-grad

Feature Request

Support op:// secret references in the env section of settings.json (and .claude/settings.json), so that API keys and other secrets can be resolved from 1Password at startup without wrapper scripts.

Desired behavior

{
  "env": {
    "ANTHROPIC_API_KEY": "op://Private/Claude API Key/credential"
  }
}

Claude Code would detect op:// prefixed values and resolve them via op read (1Password CLI) before use.

Current workarounds

  1. apiKeyHelper script that calls op read — works for ANTHROPIC_API_KEY only, not for arbitrary env vars (e.g., MCP server tokens).
  2. op run -- claude wrapper — works but requires a separate .env file and remembering to always launch Claude Code through the wrapper.

Why this would be useful

  • 1Password CLI (op) is widely adopted for secret management in developer workflows
  • Many tools already support op:// references natively (e.g., Docker, various CI systems)
  • It would allow secure, declarative secret injection for both API keys and MCP server environment variables without wrapper scripts
  • The env section in settings.json is the natural place to configure this

Implementation notes

  • Only resolve op:// references if op CLI is available in $PATH
  • Could generalize to a pluggable secret resolution mechanism (e.g., aws-secretsmanager://, vault://) in the future
  • Should fail with a clear error message if op is not installed or not authenticated

---
This issue was generated with Claude Code

View original on GitHub ↗

This issue has 12 comments on GitHub. Read the full discussion on GitHub ↗