Reversing 1Password's Proprietary SRP Authentication Protocol

dhkts11 pts0 comments

Reversing 1Password's Proprietary SRP Authentication Protocol | Token Security

Use Cases

Resources

Company

Platform

Use Cases

Resources

Company

Back

Platform Overview

The Token Security Agentic AI and Non-Human Identity Security Platform

MCP Server and AI Agent

A real-time natural language interface that lets security teams interact with their environment.

Integrations

Token Security connects with AI, cloud services, CI/CD pipelines, on-prem systems, and more.

Discover

Complete AI Agent Visibility, Inventory, and Context

Understand

Align AI Agent Access to Intent

Enforce

Govern AI Agents at Scale

Agentic AI Security

Shadow ai and mcp server discovery

AI agent ownership and accountability

AI agent access control and right sizing

Traceability in multi agent

Non human identity security

Continuous discovery and contextual visibility

NHI lifecycle management

NHI threat detection and response

NHI remediation at scale

Security programs

Security posture management

Zero trust security

Compliance

Third party security

Mergers and acquisitions

Learn

Blog

Resource Hub

Guides

Token Research

The Agentic Pulse

Glossary

Tools

AI Privilege Guardian

Free interactive tool helps right-size permissions for AI agents

GPTs Compliance Insights (GCI)

Open-source tool to discover Custom GPTs, owners, and access

About

News Center

Careers

Trust Center

Book a Demo

Book a demo

Blog

Jul 16, 2026 | 8 min

Reversing 1Password's Proprietary SRP Authentication Protocol

Multi-Author

Gil Portnoy<br>Core Team Engineer

Henry

What if the credentials you created to access a single vault had broader organizational read visibility than you’d expect from its scope?<br>That’s exactly what we uncovered when a simple customer question led us down a rabbit hole of undocumented APIs, reverse-engineered cryptography, and a proprietary authentication flow built for 1Password’s own clients.<br>Over three days, 960 failed attempts, and one very strange Beatles lyric, we tore apart 1Password’s SRP-based authentication to answer a basic question: what does the CLI actually see that the SDK masks?<br>The answer wasn’t just “more data.” It was everything (users, groups, permissions) accessible with a token whose vault scope leads many practitioners to expect narrower visibility than the org-wide read access it actually carries by design.<br>This isn’t a story about breaking encryption. The encryption is excellent. It’s about what happens when a token’s real reach is objectively broader than its vault label implies, and a defender’s mental model never catches up to the gap.<br>SRP (Secure Remote Password) is an RFC-standardized zero-knowledge password proof protocol (RFC 5054). Both sides compute a shared secret via modular exponentiation without the password ever crossing the wire.<br>One of our customers needed full identity visibility over their 1Password deployment – users, groups, vault access, and permissions. Our existing integration used the SCIM bridge, which required self-hosted infrastructure and couldn’t surface half of what they needed.<br>The customer asked the obvious question:<br>“I can get more data from the CLI than the SDK or SCIM. Why can’t your collector use the CLI’s API directly?”<br>We looked into it. What we found pulled us into three days of binary reversing, MITM captures, ARM64 disassembly, Frida instrumentation, and a Beatles lyric embedded in a cryptographic constant.<br>The Gap Between the CLI and the SDK<br>We audited both the CLI (op v2.32.1) and the Python SDK (v0.4.0). The difference was stark:

Capability<br>CLI (op)<br>SDK (Python)

List users<br>op user list (all org users)<br>Not available

Get user detail<br>op user get (includes last_auth_at)<br>Not available

List groups<br>op group list (all groups)<br>Not available

Group members<br>op group user list<br>Not available

Vault users + permissions<br>op vault user list<br>Not available

Vault groups<br>op vault group list<br>Not available

Rate limits<br>op service-account ratelimit<br>Not available

The same token reaches three very different surfaces, and each shows a different slice of the org:

Diagram 1‍<br>The SDK exposes client.vaults and client.items. No client.users. No client.groups. For our use case (mapping identity relationships across an organization) this gap was a significant limitation.<br>Here’s the part worth sitting with: a service-account token scoped to one vault can read all org users and all groups through the CLI,  not just the members of that vault. Names, emails, states, last_auth_at timestamps, group memberships, vault-level ACL permissions. This is by design: 1Password supports vault-management workflows where a service account legitimately needs to add users or groups to a vault. But it is far more reach than the token’s vault label suggests.<br>The SDK wraps a compiled Rust FFI binary (libop_uniffi_core.dylib). We tried monkey-patching the internal invoke() method with ~35 invocation names guessed from the binary’s symbol table – UsersList, UsersGet, GroupsList,...

vault security token users groups 1password

Related Articles