
# Set up 1Password connector

> C1 provides identity governance and just-in-time provisioning for 1Password. Integrate your 1Password instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

<Tip>
  **Why does this connector look different from most others?**

  Unlike most of the software C1 integrates with, 1Password doesn’t expose APIs that can be used to connect the two systems. Additionally, 1Password data can only be gathered from unlocked vaults, which means that a user must unlock the vault and manually kick off the data collection process; a periodic automated data pull won’t work.

  To work around these issues, C1’s [1Password Baton connector](https://github.com/conductorone/baton-1password) uses the [1Password CLI](https://developer.1password.com/docs/cli/) to interact with your vaults. Once the CLI is set up, the connector captures user and entitlement data in a file that you upload to C1.
</Tip>

## Capabilities

| Resource | Sync                                                          | Provision                                                     |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Groups   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Vaults   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Projects | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |

Note that if you’re using a service account to run the connector, you can only provision access to vaults that were created by that service account.

## Configure the 1Password connector

<Warning>
  **To complete this task, you’ll need:**

  * The **Connector Administrator** or **Super Administrator** role in C1
  * [1Password 8](https://1password.com/downloads/mac/) on a Families, Teams, Business, or Enterprise plan
  * A 1Password vault
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    *Cloud-hosted connector not currently available.*
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the 1Password connector, hosted and run in your own environment.**

    ### Step 1: Set up the 1Password CLI and locate your sign-in address

    <Steps>
      <Step>
        Install the [1Password CLI](https://developer.1password.com/docs/cli/get-started) and make sure it is upgraded to the current version.
      </Step>

      <Step>
        Locate your 1Password sign-in address by following the [instructions in the 1Password docs](https://support.1password.com/sign-in-troubleshooting#if-youre-asked-for-a-sign-in-address). We’ll use this address in Step 2.
      </Step>
    </Steps>

    ### Step 2: Install and run `baton-1password`

    <Steps>
      <Step>
        Run the relevant commands shown below to install and run `baton-1password`, substituting the sign-in address you looked up in Step 1 for `myaddress.1password.com`.

        If using a user account:

        ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
        go install github.com/conductorone/baton/cmd/baton@main
        go install github.com/conductorone/baton-1password/cmd/baton-1password@main

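        # Export the variables so that baton-1password inherits them.
        # Replace the quoted placeholders with your own values.
        export BATON_ADDRESS=myaddress.1password.com
        export BATON_SECRET_KEY='Secret Key'
        export BATON_EMAIL='Email'
        export BATON_PASSWORD='Password'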
        baton-1password
        baton resources
        ```

        If using a service account:

        ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
        go install github.com/conductorone/baton/cmd/baton@main
        go install github.com/conductorone/baton-1password/cmd/baton-1password@main

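        # Export the variables so that baton-1password and the 1Password CLI inherit them.
        # Replace the quoted placeholder with your own token.
        export BATON_ADDRESS=myaddress.1password.com
        export BATON_AUTH_TYPE=service
        export OP_SERVICE_ACCOUNT_TOKEN='your service account token'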
        baton-1password
        baton resources
        ```

        If you’re using a service account, its token must be stored in a local environment variable in order for the 1Password CLI to authenticate properly.
      </Step>
    </Steps>

    ### Step 3: Configure the 1Password connector in C1

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new 1Password connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We’ll use them in Step 4.
      </Step>
    </Steps>

    ### Step 4: Add credentials to your self-hosted connector

    <Steps>
      <Step>
        On the server or VM where your self-hosted connector is running, pass in the Client ID and Secret generated in Step 3 by running the connector with the flags `--client-id <CLIENT ID> --client-secret <SECRET>`.

        Run `baton-1password --help` to see the list of flags to be used when passing your credentials to the connector.
      </Step>

      <Step>
        The connector syncs current data, uploads it to C1, and prints a `Task complete!` message when finished.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Baton connector to. The data should be found on the **Resources** and **Accounts** tabs, as appropriate.
      </Step>
    </Steps>

    **That’s it!** Your 1Password connector is now pulling access data into C1.
  </Tab>
</Tabs>
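
The environment described in Step 2 can be checked before the connector is launched in Step 4. The following is an added example, not code from C1 or from `baton-1password`: it reports any required variable that is empty or set but not exported, without printing secret values. The variable names are those used in Step 2; the function name and the treatment of an unset `BATON_AUTH_TYPE` as user-account mode are assumptions.

```bash
#!/bin/sh
# Added example: preflight check for a self-hosted baton-1password run.
# Variable names come from Step 2 of this page. The function name, and the
# rule that an unset BATON_AUTH_TYPE means "user account", are assumptions.

# Prints one line per problem and returns 1 if any were found, 0 otherwise.
# Only variable names are printed, never values, so secrets stay out of
# terminals and logs. The body runs in a subshell so no helper variables leak.
baton_1password_preflight() (
  if [ "${BATON_AUTH_TYPE:-}" = "service" ]; then
    required="BATON_ADDRESS BATON_AUTH_TYPE OP_SERVICE_ACCOUNT_TOKEN"
  else
    required="BATON_ADDRESS BATON_SECRET_KEY BATON_EMAIL BATON_PASSWORD"
  fi

  problems=0
  for name in $required; do
    # Indirect lookup; safe because $name only takes the fixed names above.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing: $name"
      problems=1
    elif ! printenv "$name" >/dev/null 2>&1; then
      # Set with a plain VAR=value line: visible to this shell only,
      # not to child processes such as baton-1password or the op CLI.
      echo "not exported: $name"
      problems=1
    fi
  done
  exit "$problems"
)

# Typical use: run the connector only when the check passes.
#   baton_1password_preflight && baton-1password
```
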
