A way to generate a 'Share Link' for items #111

Open
hwilliamsoctopus opened this issue Sep 11, 2024 · 9 comments


@hwilliamsoctopus

Use Case

Be able to programmatically create a vault item, and generate a share link to this vault item with a set expiry, so this can be forwarded on to necessary parties without manual interaction through the 1Password app.

Requirements and desired behavior

The items interface should expose an API to create_share_link which behaves almost identically to:
https://developer.1password.com/docs/cli/reference/management-commands/item/#item-share

Additional information

No response

@hculea
Member

hculea commented Sep 12, 2024

Hey @hwilliamsoctopus, thank you for your feature request! I think this would be a great addition for the SDKs.

To be able to log it in our internal tracker, can you give me a bit of context about your use case for using item sharing programmatically?

Thanks!

@hwilliamsoctopus
Author

Sure thing @hculea!

So currently we have an onboarding platform which allows third parties to integrate with our product.

This platform has exclusive invite-only access, and when we create accounts for the third parties, a series of complex setup already needs to be done programmatically. This means that when one of our team members wants to create an invite, it is already done through a simple interface to hide the complexity and set things up correctly.

After the invite is created, we need to share with the third party a number of properties/credentials related to it so that they can get it set up. We also need to make some of these available to the wider team and therefore 1password is the ideal place for us to store these:

  • wider team members can view details specific to this account
  • we can share this link with the account holder

Therefore we already use the SDK now to save to 1Password, however after using our interface, the person generating the link has to now:

  • go to the 1Password app
  • find it (amongst the numerous daily generated invites)
  • create a share link which is set for a specific email to access for a set number of days
  • email the account owner

This last manual step is the bit I was hoping to solve with this issue, meaning the interface could return the exact share link to be passed back to the 3rd party in an email immediately.

So as a rough flow our system is:

  1. 3rd Party wants Access
  2. Team member triggers invite flow
  3. Invite flow creates invite and associated properties
  4. Properties are saved in 1password for tracking and wider team awareness
  5. 1password shared with 3rd party in an email with setup instructions and an expiry.

And it is the part between step 4-5 that would be solved here as it could be automated.

@sadiaazmal
Contributor

Hi @hwilliamsoctopus,
I'm Sadia, the product manager leading the SDK initiative. Thank you for all the additional context; this is incredibly helpful. I just want to follow up with a quick question: have you tried using the 1Password CLI command op item share to automate the generation of sharing links? Would this solution address your long-term needs?

@jelleholtkamp

jelleholtkamp commented Sep 23, 2024

+1 on this request. We have a system that monitors expiring secrets (not in 1Password) and messages the secret owner, asking if they want to create a new secret or if it is no longer relevant and can be deleted. We would like to use 1Password to deliver the new secret, should the secret owner choose to create a new secret.

@sadiaazmal I think it may be possible with the CLI commands you mentioned. I will try it out and get back.

@sadiaazmal
Contributor

Hi @jelleholtkamp,
Thank you for upvoting the feature request and explaining your use-case. The CLI supports 1Password service accounts so give it a shot and let me know how it goes!

Also, I would love to hear more about your external system that monitors expiring secrets. How do you currently run and manage this system?

@jelleholtkamp

@sadiaazmal I got it working with the CLI. Would still like to see this implemented in the SDK though, because using a native SDK makes error handling easier and better.

To provide a bit more context, we have a script that checks for expiring secrets in a third party system. When those secrets are about to expire, that script will trigger an approval flow which basically asks the secret owner and IT if the secret needs to be renewed. If both approve the renewal, another script will be triggered which renews the secret and delivers it to the secret owner. The delivery part needs to be secure, so this is handled by 1Password. The script puts the secret in a vault, creates a share link and sends the share link to the secret owner.
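Added example, not part of the thread and not 1Password SDK code: one way to drive the op item share command discussed above from Python, refusing links that are not limited to a recipient email or that outlive a cap, and turning CLI failures into exceptions. The function names, the `ShareError` type and the 14-day cap are assumptions for illustration, as is the expectation that the CLI prints only the share URL on success; the CLI is assumed to be installed and already authenticated.

```python
import re
import subprocess

MAX_EXPIRY_SECONDS = 14 * 86400  # assumed policy cap, not a 1Password limit
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_DURATION = re.compile(r"^(\d+)([smhdw])$")
_EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


class ShareError(Exception):
    """Raised instead of returning a link that does not meet the policy."""


def build_share_argv(item, vault, emails, expires_in):
    """Validate the request and return the argv for `op item share`."""
    for value in (item, vault):
        # A leading dash would let an item or vault name be read as a CLI flag.
        if not value or value.startswith("-"):
            raise ShareError(f"refusing value that could be parsed as a flag: {value!r}")
    if not emails:
        raise ShareError("no recipient given: link would not be limited to an email")
    bad = [e for e in emails if not _EMAIL.match(e)]
    if bad:
        raise ShareError(f"malformed recipient address: {bad}")
    m = _DURATION.match(expires_in)
    if not m or not 0 < int(m[1]) * _UNIT_SECONDS[m[2]] <= MAX_EXPIRY_SECONDS:
        raise ShareError(f"expiry {expires_in!r} is malformed, zero or over the cap")
    return ["op", "item", "share", item, "--vault", vault,
            "--emails", ",".join(emails), "--expires-in", expires_in]


def create_share_link(item, vault, emails, expires_in, run=subprocess.run):
    """Run the CLI without a shell and return the link, or raise ShareError."""
    argv = build_share_argv(item, vault, emails, expires_in)
    proc = run(argv, capture_output=True, text=True, timeout=30)
    if proc.returncode != 0:
        raise ShareError(f"op exited {proc.returncode}: {proc.stderr.strip()}")
    link = proc.stdout.strip()
    # Assumption: on success the CLI prints only the share URL.
    if not link.startswith("https://") or any(c.isspace() for c in link):
        raise ShareError("unexpected output from op item share")
    return link
```

The returned link grants access to the item, so callers should pass it straight to the mailer and keep it out of application logs.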

@sadiaazmal
Contributor

I'm glad to hear it's working with the CLI @jelleholtkamp! We’re also planning to introduce the ability to generate sharing links directly through the SDK in the near future.

Thank you for providing additional details about your use case. If you're open to it, I’d love to discuss your workflows and any challenges you're encountering with rotating and managing secrets over a brief call. This insight would help our team identify areas for improvement to better support your security and development needs. Feel free to schedule a time that suits you using this link.

Thank you again for the feedback and clarification!

@hwilliamsoctopus
Author

hwilliamsoctopus commented Sep 30, 2024

Thanks for getting back @sadiaazmal

I haven't tried through the CLI but am aware it will most likely be possible there, however for this use case it would not work well. This is in a deployed environment, and managing the interface with 1Password would be ideal if it sat within our codebase as opposed to having to add CLI installation to the pipeline and then create ad-hoc scripts to call the CLI. This would then not be in line with the rest of our codebase and be more difficult to maintain. Hope that makes sense.

@davidseeber-roo

+1 on this request. Similar to @hwilliamsoctopus we would also like to be able to create share links directly with the SDK since we'd like to set up a cloud automation to generate keys in a 3rd-party application via API and immediately share keys with the requestor. Using the CLI means this needs to be re-authenticated whenever a session expires, which is not useful for an unattended service account flow.
