@lockzero/onepassword-sync

Bidirectional sync between LockZero and 1Password Secrets Automation (Connect API).

Prerequisites

You need a running 1Password Connect server. See the 1Password Connect docs to deploy one.

Installation

npm install -g @lockzero/onepassword-sync

Authentication

| Credential | How to provide | |---|---| | LockZero API key | --lz-key <key> or LOCKZERO_API_KEY env var | | 1Password Connect token | --op-token <token> or OP_CONNECT_TOKEN env var | | 1Password Connect host | --op-host <host> or OP_CONNECT_HOST env var |

Item structure

Each LockZero namespace is stored as one 1Password item titled LockZero/<namespace> (e.g. LockZero/openai). All secret fields are stored as CONCEALED (password) type fields.

Commands

push — LockZero → 1Password

lockzero-1password push \
  --namespace openai \
  --vault <vaultId> \
  --lz-key $LOCKZERO_API_KEY \
  --op-token $OP_CONNECT_TOKEN \
  --op-host https://my-1password-connect.example.com

# Preview without writing
lockzero-1password push --namespace openai --vault <vaultId> --dry-run

pull — 1Password → LockZero

lockzero-1password pull \
  --namespace openai \
  --vault <vaultId> \
  --lz-key $LOCKZERO_API_KEY \
  --op-token $OP_CONNECT_TOKEN \
  --op-host https://my-1password-connect.example.com

diff — show what would change

# Show what a push would do
lockzero-1password diff --namespace openai --vault <vaultId> --direction push

# Show what a pull would do
lockzero-1password diff --namespace openai --vault <vaultId> --direction pull

Options

| Flag | Default | Description | |---|---|---| | --namespace | required | LockZero namespace (e.g. openai, stripe) | | --vault | required | 1Password vault ID | | --lz-key | env | LockZero API key | | --lz-base-url | https://api.lockzero.io | LockZero base URL | | --op-token | env | 1Password Connect API token | | --op-host | env | 1Password Connect server URL | | --direction | push | Diff direction: push or pull | | --dry-run | false | Preview changes without writing |