Crate corteq_onepassword


§corteq-onepassword

Secure 1Password SDK wrapper for Rust applications.

This crate provides a safe, ergonomic interface to 1Password secrets using FFI bindings to the official 1Password SDK Core library.

§Features

  • Secure by default - Secrets are wrapped in SecretString with automatic memory zeroization
  • Simple API - Retrieve secrets with a single function call
  • Thread-safe - Client is Send + Sync for use in async applications
  • Builder pattern - Flexible configuration with sensible defaults

§Quick Start

use corteq_onepassword::{OnePassword, ExposeSecret};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create client from OP_SERVICE_ACCOUNT_TOKEN environment variable
    let client = OnePassword::from_env()?
        .integration("my-app", "1.0.0")
        .connect()
        .await?;

    // Resolve a secret
    let api_key = client.secret("op://vault/item/api-key").await?;

    // Use the secret (expose only when needed)
    println!("API key length: {}", api_key.expose_secret().len());

    Ok(())
}

§Authentication

This crate uses 1Password service account tokens for authentication. Personal account tokens are not supported.

Set the OP_SERVICE_ACCOUNT_TOKEN environment variable:

export OP_SERVICE_ACCOUNT_TOKEN="ops_..."

Then use OnePassword::from_env():

use corteq_onepassword::OnePassword;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = OnePassword::from_env()?.connect().await?;
    Ok(())
}

§Explicit Token

For testing or special deployments, use OnePassword::from_token():

use corteq_onepassword::OnePassword;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let token = std::env::var("MY_TOKEN")?;
    let client = OnePassword::from_token(&token)?
        .connect()
        .await?;
    Ok(())
}

§Secret References

Secrets are referenced using the op://vault/item/field format:

  • op://Production/Database/password - Simple reference
  • op://Production/Database/admin/password - Section-scoped reference
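
An added example, not code from this crate: a std-only validator for the two reference shapes listed above, so that malformed references read from configuration are rejected before any call to the client. `ParsedRef`, `RefError`, `parse_ref` and `validate_all` are hypothetical names and do not describe the crate's own SecretReference type.

```rust
// Added example (std only). All names here are hypothetical, not the crate's API.
#[derive(Debug, PartialEq)]
pub struct ParsedRef {
    pub vault: String,
    pub item: String,
    pub section: Option<String>,
    pub field: String,
}

#[derive(Debug, PartialEq)]
pub enum RefError {
    ControlCharacter,
    MissingScheme,
    EmptySegment(usize),
    WrongSegmentCount(usize),
}

/// Accepts only the two shapes shown on this page:
/// op://vault/item/field and op://vault/item/section/field.
pub fn parse_ref(input: &str) -> Result<ParsedRef, RefError> {
    // Control characters (newline, NUL) have no place in a reference and
    // would corrupt log lines or config dumps that echo it.
    if input.chars().any(char::is_control) {
        return Err(RefError::ControlCharacter);
    }
    let rest = input.strip_prefix("op://").ok_or(RefError::MissingScheme)?;
    let parts: Vec<&str> = rest.split('/').collect();
    if let Some(i) = parts.iter().position(|p| p.trim().is_empty()) {
        return Err(RefError::EmptySegment(i));
    }
    let (section, field) = match parts.len() {
        3 => (None, parts[2]),
        4 => (Some(parts[2].to_string()), parts[3]),
        n => return Err(RefError::WrongSegmentCount(n)),
    };
    Ok(ParsedRef { vault: parts[0].into(), item: parts[1].into(), section, field: field.into() })
}

/// Fail closed: report the index of the first bad reference in a batch.
pub fn validate_all(refs: &[&str]) -> Result<Vec<ParsedRef>, (usize, RefError)> {
    refs.iter().enumerate().map(|(i, r)| parse_ref(r).map_err(|e| (i, e))).collect()
}

fn main() {
    // Constructed sample input, mirroring the references used on this page.
    let batch = ["op://prod/db/host", "op://prod/db/admin/pass", "op://prod//user"];
    println!("{:?}", validate_all(&batch)); // third entry has an empty item segment
}
```
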

§Batch Operations

Resolve multiple secrets efficiently:

use corteq_onepassword::{OnePassword, ExposeSecret};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = OnePassword::from_env()?.connect().await?;

    // Batch resolution (returns Vec)
    let secrets = client.secrets(&[
        "op://prod/db/host",
        "op://prod/db/user",
        "op://prod/db/pass",
    ]).await?;

    // Named resolution (returns SecretMap)
    let secrets = client.secrets_named(&[
        ("host", "op://prod/db/host"),
        ("user", "op://prod/db/user"),
        ("pass", "op://prod/db/pass"),
    ]).await?;

    let host = secrets.get("host").expect("host secret").expose_secret();
    Ok(())
}

§Sharing the Client

The client is thread-safe and can be shared via Arc:

use std::sync::Arc;
use corteq_onepassword::OnePassword;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Arc::new(OnePassword::from_env()?.connect().await?);

    let client1 = Arc::clone(&client);
    let client2 = Arc::clone(&client);

    tokio::join!(
        async move { client1.secret("op://vault/item/field1").await },
        async move { client2.secret("op://vault/item/field2").await },
    );
    Ok(())
}

§Feature Flags

§Security

This crate is designed with security as a primary concern:

  • Tokens are wrapped in SecretString and zeroized on drop
  • Secrets are never logged or included in error messages
  • Debug implementations redact sensitive data
  • Native library is verified via SHA256 checksum at build time

§Platform Support

Platform   Architecture   Status
Linux      x86_64         ✅ Supported
Linux      aarch64        ✅ Supported
macOS      x86_64         ✅ Supported
macOS      aarch64        ✅ Supported
Windows    -              ❌ Not supported
Alpine     -              ❌ Not supported (musl)

Structs§

OnePassword
1Password client for retrieving secrets.
OnePasswordBuilder
Builder for configuring and creating a OnePassword client.
SecretMap
A named collection of secrets.
SecretReference
A parsed 1Password secret reference.

Enums§

Error
Errors that can occur when using the 1Password client.

Traits§

ExposeSecret
Expose a reference to an inner secret

Type Aliases§

Result
Result type alias using the crate’s Error type.
SecretString
Secret string type.