# Managing Secrets with 1Password CLI
Source: https://docs.chain.link/cre/guides/workflow/secrets/managing-secrets-1password
Last Updated: 2025-11-04


While using a `.env` file or exporting environment variables is convenient for initial testing, the recommended best practice for managing sensitive data like private keys and API tokens is to use a dedicated secrets manager.

This guide explains how to use **1Password CLI** to securely inject secrets into your workflow's environment at runtime, ensuring your secrets are never stored in plaintext on your filesystem.

> **TIP: Works for both simulation and production**
>
> This approach works for:
>
> - **Local simulation**: Inject secrets when running `cre workflow simulate`
> - **Deployed workflows**: Inject secrets when running `cre secrets create/update` to upload to the Vault DON

## Prerequisites

Before you begin, ensure you have:

1. **Installed 1Password CLI:** Follow the [1Password CLI installation guide](https://developer.1password.com/docs/cli/get-started/).
2. **Stored Your Secret in 1Password:** Save the secret you need (e.g., your `CRE_ETH_PRIVATE_KEY`) in a vault that your 1Password CLI is configured to access.

## Step 1: Get the secret reference

A secret reference is a unique URI that points to a specific field in an item in your 1Password vault.

1. Open the 1Password desktop app.
2. Find the item containing your secret.
3. Right-click on the specific field (e.g., the `private key` field).
4. Select **Copy Secret Reference**.

Your clipboard will now contain a reference, which is a safe, non-secret string that looks like this: `op://<vault-name>/<item-name>/<field-name>`

## Step 2: Use the secret reference in your `.env` file

Open your project's `.env` file and replace the plaintext secret with the secret reference you just copied.

**Before:**

```bash
# .env
CRE_ETH_PRIVATE_KEY=0x123...abc
```

**After:**

```bash
# .env
CRE_ETH_PRIVATE_KEY="op://Private/Sepolia-Dev-Key/private key"
```
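The point of this step is that the `.env` file should end up holding only references, never the secret itself. The following is an added example, not part of the Chainlink docs or of the 1Password CLI: a small POSIX shell check that scans a `.env` file and fails if any secret-looking key (the key pattern `_KEY`, `_TOKEN`, `_SECRET`, `PASSWORD` is an assumption you should adapt) still carries a plaintext value instead of an `op://<vault>/<item>/<field>` reference. The two sample `.env` files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the CRE docs: a defender-side check that a .env file
# holds only 1Password secret references for secret-looking keys.
# Assumptions: plain KEY=VALUE lines (optional leading "export "), optional
# surrounding quotes, '#' comment lines; the default key pattern is a guess.

# Exit 0 if every key matching the secret pattern holds an
# op://<vault>/<item>/<field> reference; otherwise print the offending keys
# to stderr and exit 1.
check_env_references() {
  file="$1"
  default_pattern='_KEY$|_TOKEN$|_SECRET$|PASSWORD$'
  pattern="${2:-$default_pattern}"
  rc=0
  q="'"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;            # skip blank lines and comments
    esac
    key="${line%%=*}"
    key="${key#export }"
    value="${line#*=}"
    value="${value#\"}"; value="${value%\"}"   # strip double quotes
    value="${value#$q}";  value="${value%$q}"  # strip single quotes
    if printf '%s\n' "$key" | grep -Eq "$pattern"; then
      case "$value" in
        op://*/*/*) ;;                 # well-formed secret reference
        *) printf 'plaintext secret in %s: %s\n' "$file" "$key" >&2; rc=1 ;;
      esac
    fi
  done < "$file"
  return "$rc"
}

# Print every op:// reference in the file, one per line, so you can see
# exactly which items `op run` will try to resolve before running it.
list_env_references() {
  grep -Eo "op://[^\"']+" "$1"
}

# Constructed sample files for the demonstration below.
good_env=$(mktemp); bad_env=$(mktemp)
trap 'rm -f "$good_env" "$bad_env"' EXIT
cat > "$good_env" <<'EOF'
# .env with references only
CRE_ETH_PRIVATE_KEY="op://Private/Sepolia-Dev-Key/private key"
RPC_URL=https://rpc.example.invalid
EOF
cat > "$bad_env" <<'EOF'
CRE_ETH_PRIVATE_KEY=0x123...abc
API_TOKEN='op://Private/Api/credential'
EOF

if check_env_references "$good_env"; then echo "good .env: references only"; fi
if ! check_env_references "$bad_env"; then echo "bad .env: plaintext secret found"; fi
```

Run it against your `.env` before committing (or wire it into a pre-commit hook). Note that this is a format check only: it confirms nothing plaintext is left behind, but it does not verify that a reference actually resolves in your vault; that happens when `op run` fetches the values.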

## Step 3: Run commands with `op run`

The `op run` command is a utility that loads the secrets from your references into the environment and then executes your command, ensuring the secrets only exist in memory for the duration of the process.

### For local simulation

To run your workflow simulation, prefix your command with `op run --env-file ../.env --`:

```bash
op run --env-file ../.env -- cre workflow simulate my-workflow --target staging-settings
```

### For deployed workflows

To upload secrets to the Vault DON, use the same pattern:

```bash
op run --env-file .env -- cre secrets create production-secrets.yaml --target production-settings
```

**What's happening here?**

- `op run` scans the `.env` file for any `op://` references.
- It securely authenticates with 1Password to fetch the real secret values.
- It injects these values as environment variables into a new, temporary sub-shell.
- It then executes your `cre` command within that secure sub-shell.
- When the command finishes, the sub-shell is destroyed, and the secrets vanish from the environment.

By following this pattern, you can manage your secrets securely without ever exposing them in plaintext. For more advanced use cases, see the official [1Password CLI documentation](https://developer.1password.com/docs/cli/secret-references).