better-env better-env Docs

1Password

Resolve environment variables from 1Password vaults using the SDK's batch resolution.

Installation

Install the 1Password SDK peer dependency:

npm install @1password/sdk
pnpm add @1password/sdk
bun add @1password/sdk
yarn add @1password/sdk

Basic usage

import { createEnv, requiredString } from "@ayronforge/better-env"
import { fromOnePassword } from "@ayronforge/better-env/1password"
import { Effect } from "effect"

const envEffect = createEnv({
  server: {
    DATABASE_URL: requiredString,
    API_KEY: requiredString,
  },
  resolvers: [
    fromOnePassword({
      secrets: {
        DATABASE_URL: "op://vault/database/url",
        API_KEY: "op://vault/api/credential",
      },
    }),
  ],
})

const env = await Effect.runPromise(envEffect)

Options

Name Type Default Description
secrets Required Record<string, string> Map of env var names to 1Password secret references (op:// URIs).
serviceAccountToken string 1Password service account token. Falls back to OP_SERVICE_ACCOUNT_TOKEN env var.
Note

Either serviceAccountToken or the OP_SERVICE_ACCOUNT_TOKEN environment variable must be available. If neither is provided, the resolver fails with a ResolverError.

Secret references

1Password secret references use the op:// URI format:

op://vault-name/item-name/field-name

For example:

  • op://Production/Database/password — the password field from the Database item in the Production vault
  • op://Shared/API Keys/credential — the credential field from the API Keys item

Service account token

The resolver authenticates using a 1Password service account token. You can provide it in two ways:

  1. Directly in options:

    fromOnePassword({
  secrets: { ... },
  serviceAccountToken: "ops_...",
})

  2. Via environment variable:

    export OP_SERVICE_ACCOUNT_TOKEN="ops_..."