1Password

1Password Events API

The 1Password Events API provides programmatic access to event data generated within a 1Password account. It enables security teams and administrators to retrieve sign-in attempts, item usage records, and audit events for monitoring, compliance, and security analysis. The API uses cursor-based pagination with POST requests to efficiently stream large volumes of event data.

GitHub OpenAPI

Documentation

📖
Documentation
https://developer.1password.com/docs/events-api/reference/

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/1password/refs/heads/main/openapi/1password-events-openapi.yml

Schemas & Data

📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/1password/refs/heads/main/json-schema/1password-events-sign-in-attempt-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/1password/refs/heads/main/json-schema/1password-events-item-usage-schema.json

Other Resources

🔗
JSONLD
https://raw.githubusercontent.com/api-evangelist/1password/refs/heads/main/json-ld/1password-events-context.jsonld

OpenAPI Specification

1password-events-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: 1Password Events API
  description: The 1Password Events API provides programmatic access to event data
    generated within a 1Password account. It enables security teams and administrators
    to retrieve sign-in attempts, item usage records, and audit events for monitoring,
    compliance, and security analysis. The API uses cursor-based pagination with POST
    requests to efficiently stream large volumes of event data.
  version: 2.0.0
  contact:
    name: 1Password Support
    url: https://support.1password.com/
  termsOfService: https://1password.com/legal/terms-of-service/
externalDocs:
  description: 1Password Events API Reference
  url: https://developer.1password.com/docs/events-api/reference/
servers:
- url: https://events.1password.com
  description: 1Password Events API server (US). Replace with the appropriate base
    URL for your 1Password account region.
tags:
- name: Audit Events
  description: Retrieve information about actions performed by team members within
    a 1Password account, including when an action was performed and by whom, along
    with details about the type and object of the action.
- name: Introspection
  description: Retrieve information about the authentication token being used, including
    its features and permissions.
- name: Item Usages
  description: Retrieve information about items in shared vaults that have been modified,
    accessed, or used, including the user who accessed the item, when it was accessed,
    and the vault where the item is stored.
- name: Sign-In Attempts
  description: Retrieve information about sign-in attempts to 1Password accounts,
    including the name and IP address of the user who attempted to sign in, when the
    attempt was made, and for failed attempts the cause of failure.
security:
- bearerAuth: []
paths:
  /api/v2/signinattempts:
    post:
      operationId: listSignInAttemptsV2
      summary: 1Password List Sign-in Attempts
      description: Returns information about sign-in attempts to 1Password accounts.
        Each record includes the name and IP address of the user who attempted to
        sign in, when the attempt was made, the type of sign-in, the country, and
        for failed attempts the cause of failure. The request must include either
        a cursor from a previous response or a ResetCursor object with a start time.
      tags:
      - Sign-In Attempts
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EventRequest'
      responses:
        '200':
          description: Successfully retrieved sign-in attempts
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SignInAttemptResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/TooManyRequests'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /api/v2/itemusages:
    post:
      operationId: listItemUsagesV2
      summary: 1Password List Item Usages
      description: Returns information about items in shared vaults that have been
        modified, accessed, or used. Each record includes the name and IP address
        of the user who accessed the item, when the item was accessed, the action
        performed, the vault where the item is stored, and item details. The request
        must include either a cursor from a previous response or a ResetCursor object
        with a start time.
      tags:
      - Item Usages
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EventRequest'
      responses:
        '200':
          description: Successfully retrieved item usages
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ItemUsageResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/TooManyRequests'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /api/v2/auditevents:
    post:
      operationId: listAuditEventsV2
      summary: 1Password List Audit Events
      description: Returns information about actions performed by team members within
        a 1Password account. Each record includes when an action was performed and
        by whom, along with details about the type and object of the action. The request
        must include either a cursor from a previous response or a ResetCursor object
        with a start time.
      tags:
      - Audit Events
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EventRequest'
      responses:
        '200':
          description: Successfully retrieved audit events
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuditEventResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '429':
          $ref: '#/components/responses/TooManyRequests'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /api/v1/introspect:
    get:
      operationId: introspectToken
      summary: 1Password Introspect Authentication Token
      description: Returns information about the token used for authentication, including
        its UUID, features, and the account it belongs to.
      tags:
      - Introspection
      responses:
        '200':
          description: Successfully retrieved token information
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenIntrospection'
        '401':
          $ref: '#/components/responses/Unauthorized'
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: An Events API bearer token generated from 1Password. Each request
        must include this token in the Authorization header. The token must have the
        appropriate feature permissions for the endpoint being accessed.
  responses:
    Unauthorized:
      description: Authentication credentials are missing or invalid
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    TooManyRequests:
      description: Rate limit exceeded
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  schemas:
    EventRequest:
      type: object
      description: The request body for fetching events. Must include either a cursor
        string from a previous response to continue pagination, or a ResetCursor object
        to start fetching from a specific time.
      properties:
        limit:
          type: integer
          description: The maximum number of event records to return per page.
          minimum: 1
          maximum: 1000
          default: 100
        cursor:
          type: string
          description: A cursor from a previous response to continue fetching events
            from where the last request left off.
        start_time:
          type: string
          format: date-time
          description: An ISO 8601 timestamp to begin fetching events from a specific
            time. Used to create a new cursor starting from this point.
    SignInAttemptResponse:
      type: object
      description: The response containing sign-in attempt records and a cursor for
        pagination.
      properties:
        cursor:
          type: string
          description: A cursor to use in the next request to continue fetching events.
        has_more:
          type: boolean
          description: Whether there are more events available to fetch using the
            cursor.
        items:
          type: array
          description: The list of sign-in attempt records.
          items:
            $ref: '#/components/schemas/SignInAttempt'
    SignInAttempt:
      type: object
      description: Represents a single sign-in attempt to a 1Password account.
      properties:
        uuid:
          type: string
          format: uuid
          description: The unique identifier for the sign-in attempt.
        session_uuid:
          type: string
          format: uuid
          description: The UUID of the session associated with the sign-in attempt.
        timestamp:
          type: string
          format: date-time
          description: When the sign-in attempt occurred.
        category:
          type: string
          description: The category of the sign-in attempt.
          enum:
          - success
          - credentials_failed
          - mfa_failed
          - modern_version_required
          - sso_failed
        type:
          type: string
          description: The type of sign-in method used.
          enum:
          - credentials_ok
          - mfa_ok
          - password_secret_bad
          - mfa_missing
          - totp_disabled
          - totp_bad
          - u2f_failed
          - duo_failed
          - duo_native_failed
          - sso_failed
        country:
          type: string
          description: The two-letter ISO country code of the sign-in location.
          minLength: 2
          maxLength: 2
        target_user:
          $ref: '#/components/schemas/EventUser'
        client:
          $ref: '#/components/schemas/EventClient'
    ItemUsageResponse:
      type: object
      description: The response containing item usage records and a cursor for pagination.
      properties:
        cursor:
          type: string
          description: A cursor to use in the next request to continue fetching events.
        has_more:
          type: boolean
          description: Whether there are more events available to fetch using the
            cursor.
        items:
          type: array
          description: The list of item usage records.
          items:
            $ref: '#/components/schemas/ItemUsage'
    ItemUsage:
      type: object
      description: Represents a record of an item in a shared vault being accessed,
        modified, or used.
      properties:
        uuid:
          type: string
          format: uuid
          description: The unique identifier for the item usage record.
        timestamp:
          type: string
          format: date-time
          description: When the item was accessed.
        used_version:
          type: integer
          description: The version of the item that was used.
        vault_uuid:
          type: string
          format: uuid
          description: The UUID of the vault containing the item.
        item_uuid:
          type: string
          format: uuid
          description: The UUID of the item that was used.
        action:
          type: string
          description: The type of action performed on the item.
          enum:
          - fill
          - copy
          - reveal
          - sso-fill
          - secure-copy
        user:
          $ref: '#/components/schemas/EventUser'
        client:
          $ref: '#/components/schemas/EventClient'
        location:
          $ref: '#/components/schemas/EventLocation'
    AuditEventResponse:
      type: object
      description: The response containing audit event records and a cursor for pagination.
      properties:
        cursor:
          type: string
          description: A cursor to use in the next request to continue fetching events.
        has_more:
          type: boolean
          description: Whether there are more events available to fetch using the
            cursor.
        items:
          type: array
          description: The list of audit event records.
          items:
            $ref: '#/components/schemas/AuditEvent'
    AuditEvent:
      type: object
      description: Represents an audit event recording an action performed by a team
        member within the 1Password account.
      properties:
        uuid:
          type: string
          format: uuid
          description: The unique identifier for the audit event.
        timestamp:
          type: string
          format: date-time
          description: When the action was performed.
        actor_uuid:
          type: string
          format: uuid
          description: The UUID of the user who performed the action.
        actor_details:
          $ref: '#/components/schemas/EventUser'
        action:
          type: string
          description: The type of action that was performed.
        object_type:
          type: string
          description: The type of object the action was performed on.
        object_uuid:
          type: string
          format: uuid
          description: The UUID of the object the action was performed on.
        object_details:
          type: object
          description: Additional details about the object of the action.
        aux_id:
          type: integer
          description: An auxiliary identifier providing additional context.
        aux_uuid:
          type: string
          format: uuid
          description: An auxiliary UUID providing additional context.
        aux_details:
          type: object
          description: Additional auxiliary details about the event.
        aux_info:
          type: string
          description: Additional auxiliary information about the event.
        session:
          type: object
          description: Information about the session in which the action occurred.
          properties:
            uuid:
              type: string
              format: uuid
              description: The UUID of the session.
            login_time:
              type: string
              format: date-time
              description: When the session was created.
            device_uuid:
              type: string
              format: uuid
              description: The UUID of the device used.
            ip:
              type: string
              description: The IP address of the client.
        location:
          $ref: '#/components/schemas/EventLocation'
    EventUser:
      type: object
      description: Represents a user involved in an event.
      properties:
        uuid:
          type: string
          format: uuid
          description: The unique identifier of the user.
        name:
          type: string
          description: The name of the user.
        email:
          type: string
          format: email
          description: The email address of the user.
    EventClient:
      type: object
      description: Information about the client application used in an event.
      properties:
        app_name:
          type: string
          description: The name of the 1Password application.
        app_version:
          type: string
          description: The version of the application.
        platform_name:
          type: string
          description: The name of the operating system platform.
        platform_version:
          type: string
          description: The version of the operating system.
        os_name:
          type: string
          description: The name of the operating system.
        os_version:
          type: string
          description: The version of the operating system.
        ip:
          type: string
          description: The IP address of the client.
    EventLocation:
      type: object
      description: Geographic location information associated with an event.
      properties:
        country:
          type: string
          description: The two-letter ISO country code.
          minLength: 2
          maxLength: 2
        region:
          type: string
          description: The region or state.
        city:
          type: string
          description: The city name.
        latitude:
          type: number
          format: double
          description: The latitude coordinate.
        longitude:
          type: number
          format: double
          description: The longitude coordinate.
    TokenIntrospection:
      type: object
      description: Information about the bearer token used for authentication.
      properties:
        uuid:
          type: string
          format: uuid
          description: The unique identifier of the token.
        features:
          type: array
          description: The features and permissions the token has access to.
          items:
            type: string
            enum:
            - signinattempts
            - itemusages
            - auditevents
    Error:
      type: object
      description: Represents an error response from the Events API.
      properties:
        status:
          type: integer
          description: The HTTP status code.
        message:
          type: string
          description: A human-readable error message.