For Agents
Retrieve 1Password audit events, item usage logs, and sign-in attempts to monitor vault access patterns, detect suspicious activity, and feed security events into SIEM systems.
Get started with 1Password Events API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"monitor password vault access and sign-in attempts"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with 1Password Events API.
Stream audit events tracking administrative actions like vault creation, policy changes, and group modifications
Query item usage records showing which vault items were accessed, by whom, and from which client
Retrieve sign-in attempt logs with success/failure status, IP addresses, and MFA method details
Introspect bearer tokens to validate service account permissions and scopes
Use for:
I need to check which vault items were accessed in the last 24 hours
List all failed sign-in attempts to detect credential stuffing
Retrieve audit events for administrative changes this week
Monitor who accessed a specific shared credential
Not supported: Does not handle credential storage, vault item creation, or password generation — use for read-only security event monitoring and audit logging only.
Retrieve audit events, item usage logs, and sign-in attempt records from 1Password Business accounts through 5 focused endpoints. The Events API surfaces security-relevant activity including vault item access patterns, failed authentication attempts, and administrative changes across the organization. Regional endpoint support (US, Canada, EU) ensures data residency compliance while bearer token authentication via service account JWTs provides secure programmatic access for SIEM integrations and security monitoring workflows.
Filter events by timestamp cursors for incremental consumption without duplicates
Patterns agents use the 1Password Events API for, with concrete tasks.
★ AI Agent Security Event Monitoring
An AI agent uses the 1Password Events API through Jentic to monitor vault access patterns and detect anomalous activity. The agent queries item usage logs for unusual access times, checks sign-in attempts for failed authentication spikes, and retrieves audit events for unauthorized policy changes — all without manually configuring JWT service account tokens or determining regional endpoint URLs.
Query POST /api/v1/signinattempts for failed sign-in attempts in the last 24 hours and identify any accounts with more than 5 failures
SIEM Integration for Credential Access
Feed 1Password event data into SIEM systems for centralized security monitoring and correlation with other security signals. The Events API provides paginated access to audit events, item usages, and sign-in attempts with cursor-based pagination for reliable incremental consumption. Security teams correlate credential access events with network activity, endpoint alerts, and identity provider logs to detect compromised accounts.
Retrieve the latest audit events via POST /api/v1/auditevents with a cursor from the last sync, then process all new events and store the returned cursor for next iteration
Insider Threat Detection
Detect potential insider threats by analyzing vault item usage patterns for anomalous behavior. The item usages endpoint reveals which credentials and secrets are being accessed, by which user, from which device, and at what time. Security teams build baselines of normal access patterns and alert on deviations like after-hours access to sensitive vaults, bulk credential retrieval, or access from new geographic locations.
Query POST /api/v1/itemusages for all item access events in the last 7 days, group by user and time-of-day to identify access outside normal business hours
5 endpoints: retrieve audit events, item usage logs, and sign-in attempt records from 1Password Business accounts.
METHOD | PATH | DESCRIPTION
POST | /api/v1/auditevents | Retrieve audit events with cursor-based pagination
POST | /api/v1/itemusages | Query vault item usage records
POST | /api/v1/signinattempts | List sign-in attempts with success/failure status
 | /api/auth/introspect | Introspect bearer token to validate permissions
 | /api/v2/auth/introspect | V2 token introspection with extended metadata
Three things that make agents converge on Jentic-routed access.
Credential isolation
1Password service account JWT tokens are stored encrypted in the Jentic vault (MAXsystem). Agents receive scoped bearer tokens — raw JWT values never enter the agent's context window.
Intent-based discovery
Agents search by intent (e.g., 'monitor vault item access') and Jentic returns matching 1Password Events API operations with their input schemas, so the agent can call the right endpoint without navigating 1Password's documentation or determining the correct regional URL.
Time to first call
Direct 1Password Events integration: 1-2 days for service account setup, regional endpoint selection, and cursor pagination logic. Through Jentic: under 30 minutes — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Okta API
Identity provider whose authentication events correlate with 1Password credential access patterns
Choose Okta when you need to manage user identities, SSO, and MFA policies rather than monitoring password vault access events
Duo Security API
MFA platform whose auth logs correlate with 1Password sign-in attempt data
Choose Duo when you need to manage multi-factor authentication policies and verify user identity rather than monitoring credential vault access
Keeper Security API
Competing enterprise password manager with similar vault and audit capabilities
Choose Keeper when the organization uses Keeper instead of 1Password for enterprise credential management
Specific to using the 1Password Events API through Jentic.
What authentication does the 1Password Events API use?
The Events API uses bearer token authentication with JWT service account tokens. You generate a service account token in the 1Password Business admin console and supply it in the Authorization header as 'Bearer {token}'. Through Jentic, your JWT is stored encrypted in the MAXsystem vault and agents receive scoped access without raw tokens entering context.
Can I monitor which vault items were accessed with the Events API?
Yes. Use POST /api/v1/itemusages to retrieve item usage records. Each record includes the user who accessed the item, the item name and vault, the client application used, and the timestamp. You can paginate through results using cursor-based pagination to process large datasets incrementally.
What are the rate limits for the 1Password Events API?
The 1Password Events API enforces rate limits per service account token. The API returns 429 status codes when limits are exceeded. Use cursor-based pagination to retrieve events incrementally rather than requesting the full history in a single call, which helps stay within rate limits.
How do I detect failed sign-in attempts through Jentic?
Search Jentic for 'detect failed authentication attempts', which returns the POST /api/v1/signinattempts operation. Query sign-in attempts filtered by timestamp, and check the success field to identify failures. Each record includes the IP address, country, and MFA method used. Install with pip install jentic and sign up at https://app.jentic.com/sign-up.
Which regional endpoints does the 1Password Events API support?
The Events API supports three regional endpoints for data residency compliance: US (events.1password.com), Canada (events.1password.ca), and EU (events.1password.eu). Your service account token determines which region to use based on your 1Password Business account location.
Can I use cursor-based pagination to avoid duplicate events?
Yes. All three event endpoints (auditevents, itemusages, signinattempts) support cursor-based pagination. The response includes a cursor value that marks your position in the event stream. Store this cursor between requests and pass it in subsequent calls to retrieve only new events since your last query, ensuring no duplicates.
Does the Events API provide real-time streaming?
The Events API uses a polling model with cursor-based pagination rather than real-time streaming. Poll the endpoints at regular intervals (recommended 1-5 minutes) using your stored cursor to retrieve new events incrementally. This approach works well for SIEM integrations that process events in batches.
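The cursor-based polling and the "more than 5 failures in the last 24 hours" check described on this page, as an added example that is not code from Jentic or 1Password. The response field names (`cursor`, `has_more`, `items`, `category`, `target_user.email`, `timestamp`), the `fake_fetch` transport and all sample records are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample pages standing in for POST /api/v1/signinattempts responses.
# Field names are assumptions; check them against the schema Jentic returns.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

def _attempt(email, category, hours_ago):
    ts = (NOW - timedelta(hours=hours_ago)).isoformat()
    return {"timestamp": ts, "category": category, "target_user": {"email": email}}

PAGES = {
    None: {"cursor": "c1", "has_more": True,
           "items": [_attempt("a@example.com", "credentials_failed", h) for h in range(1, 5)]},
    "c1": {"cursor": "c2", "has_more": False,
           "items": [_attempt("a@example.com", "mfa_failed", 5),
                     _attempt("a@example.com", "credentials_failed", 6),
                     _attempt("b@example.com", "credentials_failed", 2),
                     _attempt("b@example.com", "success", 1),
                     _attempt("c@example.com", "credentials_failed", 30)]},
    "c2": {"cursor": "c2", "has_more": False, "items": []},
}

def fake_fetch(cursor):
    """Hypothetical transport: returns one constructed page for a cursor."""
    return PAGES[cursor]

def drain(fetch_page, cursor=None):
    """Follow cursors until has_more is false; return (items, cursor to persist)."""
    items = []
    while True:
        page = fetch_page(cursor)
        items.extend(page["items"])
        cursor = page["cursor"]
        if not page["has_more"]:
            return items, cursor

def accounts_over_threshold(items, now, window=timedelta(hours=24), threshold=5):
    """Accounts with more than `threshold` non-success attempts inside the window."""
    failures = Counter()
    for it in items:
        when = datetime.fromisoformat(it["timestamp"])
        if it["category"] != "success" and now - when <= window:
            failures[it["target_user"]["email"]] += 1
    return {user: n for user, n in failures.items() if n > threshold}
```

Persist the cursor returned by `drain` only after the batch has been written to the SIEM, so a crash mid-batch replays events instead of dropping them.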