1Password MCP Server for OpenAI Codex


1Password is now a trusted access layer for OpenAI’s Codex

by Dennis Kromhout van der Meer and Robert Menke
May 20, 2026 - 6 min


Coding agents like Codex are helping developers write, execute, and prepare code for production. Every action that AI coding agents take against a database, an API, or a deployment pipeline requires access to credentials. Today, these credentials typically live in .env files and scripts, or are hardcoded in repositories, where they can be easily exfiltrated and are difficult to govern and audit. The shift from AI assistance to AI execution has outpaced how teams manage the secrets needed for execution.

1Password and OpenAI are working together to close this gap. The 1Password Environments MCP Server for Codex makes 1Password the trusted access layer for Codex: credentials are issued just-in-time, scoped to the task, and kept outside the model’s context window. Developers get the access they need to build and ship, while secrets stay where they belong. The same integration helps catch secrets at the source. Codex can be prompted to use 1Password and the 1Password MCP to store and use credentials that it needs.

Why secrets should stay out of prompts, code, and model context

Every credential placed inside an agent's context is a credential at risk of being easily exfiltrated. It can be logged, cached, reused across sessions, or surfaced in unexpected outputs. A secure architecture treats a coding agent as a tenant, not a vault: it gets secure access to do its job, but never custody of the secret itself. 1Password Environments is built on that principle. Instead of sharing .env files or hardcoding credential values, teams work from a shared environment where secrets are made available at runtime to the application, without the values ever appearing in code, terminals, or model context.

This secure access model is built on the same vault technology and security architecture used across 1Password. Secrets remain end-to-end encrypted and centrally managed, with access limited to authorized users and groups, and through custom permissions.

This architecture matters more as coding agents take on a bigger share of the development workflow. Any agent that executes code needs credentials, and any credential copied into local files or prompts, or hardcoded into repositories, is a credential at risk. 1Password Environments gives teams a way to support these workflows without trading security for developer velocity.

Connecting 1Password Environments to Codex

The integration uses a local MCP server – packaged inside our Password Manager and developer tools – to connect Codex and 1Password Environments, and is available to both 1Password business and personal accounts. MCP connects models to tools and context. Specifically, with 1Password’s MCP Server for Codex, developers can grant Codex access to credentials directly inside their coding workflows while keeping secrets outside of code. That last part is key: the MCP server here is designed so that Codex can act on secrets without ever seeing them.

Here's what happens when a developer or builder asks Codex to configure an environment:

Start a task in Codex: For example, ask Codex to create an app and configure the environment it needs.

Codex connects to the 1Password MCP server: This happens over a local MCP server connection, where Codex can discover and invoke available actions from the instructions the MCP server provides.

Requests are validated through 1Password: The MCP server communicates with the 1Password desktop app, which handles identity, authorization, and secure access.

A user always needs to approve access: Every interaction requires explicit user approval through a 1Password auth prompt before Codex can proceed.

Codex creates and manages an environment: It can create environments, list and manage variable names, and prepare configuration without accessing raw secrets.

Secrets are used at runtime: Applications run using secrets from 1Password, without copying credentials into prompts, local files, or repositories.

It’s important to note the architectural guarantee: secrets never leave 1Password and are always secure. The MCP server does not read or return secret values through the MCP channel, surface secrets in the model’s context window, or write them to disk. Codex can create environments, list variable names, and invoke applications that use those secrets, but the values themselves never leave 1Password.

Here’s what actually happens at runtime: 1Password injects the required variables directly into the application process when it runs. The values exist in memory only for the authorized process, and only for as long as the process needs them. Codex orchestrates, the application executes, and 1Password issues the credentials.

This integration...
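
The access pattern described above (variable names visible to the agent, approval before every use, values injected only into the application process), as an added Python sketch that is not 1Password's or OpenAI's code. `EnvironmentBroker`, `app_command`, the approval callback and the sample values are hypothetical and constructed for illustration; the sketch does not call the 1Password MCP server or any 1Password API.

```python
import os
import subprocess
import sys

# Constructed sample values; in the architecture above they would stay in the vault.
SAMPLE = {"DATABASE_URL": "postgres://app:constructed-pw@db.example.internal/app",
          "API_TOKEN": "constructed-token-123"}

class EnvironmentBroker:
    """Hypothetical access layer: keeps values, shows the agent names only."""

    def __init__(self, secrets, approve):
        self._secrets = dict(secrets)
        self._approve = approve  # stands in for the user approval prompt

    def list_variable_names(self):
        # Agent-facing result: names, never values.
        return sorted(self._secrets)

    def run(self, argv, names):
        unknown = [n for n in names if n not in self._secrets]
        if unknown:
            raise KeyError(f"unknown variables: {unknown}")
        # Explicit approval is required before any process is started.
        if not self._approve(argv, names):
            raise PermissionError("access not approved")
        # Values go into the child's environment only: not into os.environ of
        # this process, not onto disk, not into the returned result.
        child_env = {**os.environ, **{n: self._secrets[n] for n in names}}
        proc = subprocess.run(argv, env=child_env, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
        return {"returncode": proc.returncode, "injected": list(names)}

def app_command(name, expected_len):
    # Constructed stand-in application: exits 0 only if it received the variable.
    code = (f"import os, sys; "
            f"sys.exit(0 if len(os.environ.get({name!r}, '')) == {expected_len} else 3)")
    return [sys.executable, "-c", code]

def demo(approve):
    broker = EnvironmentBroker(SAMPLE, approve)
    cmd = app_command("DATABASE_URL", len(SAMPLE["DATABASE_URL"]))
    return broker.list_variable_names(), broker.run(cmd, ["DATABASE_URL"])

if __name__ == "__main__":
    print(demo(lambda argv, names: True))
```

The sketch discards the application's output before returning to the agent, because an application can print a secret it was given; what happens to such output in the real integration is not stated on this page.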
