Add macOS Keychain fallback for 1Password service account token #6

Merged
CakeRepository merged 3 commits into master from copilot/feature-support-macos-keychain
Apr 26, 2026

Copilot AI commented Apr 26, 2026

Today the server expects OP_SERVICE_ACCOUNT_TOKEN to be present directly in MCP client config or process env, which leaves a plaintext credential in a predictable local config file for common setups. This change adds a native macOS Keychain lookup path so the server can start without embedding the token in config.

  • Config resolution

    • Adds macOS-only Keychain lookup when OP_SERVICE_ACCOUNT_TOKEN is absent.
    • Supports:
      • OP_KEYCHAIN_SERVICE — required to identify the Keychain item
      • OP_KEYCHAIN_ACCOUNT — optional account filter for disambiguation
    • Keeps precedence explicit and unchanged for existing users:
      1. --service-account-token / --token
      2. OP_SERVICE_ACCOUNT_TOKEN
      3. macOS Keychain lookup
  • Server behavior

    • Resolves the token via the security find-generic-password CLI on darwin only.
    • Extends tokenSource reporting to include keychain.
    • Updates the missing-token error message to mention the new Keychain path.
  • Docs and metadata

    • Documents the new macOS env vars and precedence in README.md.
    • Adds a JSON config example for Keychain-backed startup.
    • Updates server.json so OP_SERVICE_ACCOUNT_TOKEN is no longer described as the only required path.
  • Example

    {
      "mcpServers": {
        "1password": {
          "command": "npx",
          "args": ["-y", "@takescake/1password-mcp"],
          "env": {
            "OP_KEYCHAIN_SERVICE": "op-service-account-claude-automation",
            "OP_KEYCHAIN_ACCOUNT": "your-macos-username"
          }
        }
      }
    }

    With this configuration, the server reads the token from macOS Keychain at startup instead of requiring a plaintext OP_SERVICE_ACCOUNT_TOKEN in the MCP config.
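
The precedence and Keychain lookup described in this pull request, sketched as an added example that is not code from the PR or the project. `resolveToken`, `readKeychain`, the injectable `keychain` parameter, the `cli`/`env` source labels and the error strings are assumptions; only `keychain` as a `tokenSource` value and the environment variable names come from the description above.

```javascript
// Added example (hypothetical names), not the project's implementation.
const { execFileSync } = require('node:child_process');

// Default reader: calls the macOS `security` CLI by absolute path and without a
// shell, so service/account are plain argv entries and PATH is not consulted.
function readKeychain(service, account) {
  const args = ['find-generic-password', '-s', service];
  if (account) args.push('-a', account); // optional disambiguation
  args.push('-w');                       // print only the secret
  return execFileSync('/usr/bin/security', args, {
    encoding: 'utf8',
    stdio: ['ignore', 'pipe', 'ignore'], // drop stderr so it cannot reach logs
    timeout: 5000,
  });
}

// Precedence from the PR description: CLI flag, then env var, then Keychain.
function resolveToken({ cliToken, env = process.env, platform = process.platform,
                        keychain = readKeychain } = {}) {
  if (cliToken) return { token: cliToken, tokenSource: 'cli' };
  if (env.OP_SERVICE_ACCOUNT_TOKEN) {
    return { token: env.OP_SERVICE_ACCOUNT_TOKEN, tokenSource: 'env' };
  }
  const service = env.OP_KEYCHAIN_SERVICE;
  if (platform === 'darwin' && service) {
    let secret;
    try {
      secret = keychain(service, env.OP_KEYCHAIN_ACCOUNT);
    } catch {
      // Item missing, Keychain locked or access denied: fail closed and keep
      // the underlying error text out of the message.
      throw new Error(`Keychain lookup failed for service "${service}"`);
    }
    const token = secret.replace(/\r?\n$/, ''); // CLI output ends with a newline
    if (!token) throw new Error(`Keychain item "${service}" is empty`);
    return { token, tokenSource: 'keychain' };
  }
  throw new Error('No token: pass --token, set OP_SERVICE_ACCOUNT_TOKEN, ' +
    'or set OP_KEYCHAIN_SERVICE on macOS');
}
```

Passing a stub as `keychain` lets the precedence logic be exercised on any platform without touching a real Keychain.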

Copilot AI and others added 2 commits April 26, 2026 03:44
Agent-Logs-Url: https://github.com/CakeRepository/1Password-MCP/sessions/4c5b132a-69be-40e9-ad6d-742b25bca276

Co-authored-by: CakeRepository <27045642+CakeRepository@users.noreply.github.com>
Agent-Logs-Url: https://github.com/CakeRepository/1Password-MCP/sessions/4c5b132a-69be-40e9-ad6d-742b25bca276

Co-authored-by: CakeRepository <27045642+CakeRepository@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add support for macOS Keychain to store service account token" to "Add macOS Keychain fallback for 1Password service account token" Apr 26, 2026
@CakeRepository CakeRepository marked this pull request as ready for review April 26, 2026 03:46
Copilot AI requested a review from CakeRepository April 26, 2026 03:46
@CakeRepository CakeRepository merged commit 9e31fbe into master Apr 26, 2026
3 checks passed
@CakeRepository CakeRepository deleted the copilot/feature-support-macos-keychain branch April 26, 2026 03:47
Development

Successfully merging this pull request may close these issues.

Feature Request: Support macOS Keychain as alternative to plaintext token in config