
1Password is now a trusted access layer for OpenAI’s Codex

by Dennis Kromhout van der Meer and Robert Menke

May 20, 2026 - 6 min

A screenshot on a blue background showing how a user grants approval for Codex to access a selected environment, via 1Password.


Coding agents like Codex are helping developers write, execute, and prepare code for production. Every action that AI coding agents take against a database, an API, or a deployment pipeline requires access to credentials. Today, these credentials typically live in .env files and scripts, or are hardcoded in repositories, where they can be easily exfiltrated and are difficult to govern and audit. The shift from AI assistance to AI execution has outpaced how teams manage the secrets needed for execution.

1Password and OpenAI are working together to close this gap. The 1Password Environments MCP Server for Codex makes 1Password the trusted access layer for Codex: credentials are issued just-in-time and scoped to the task, while keeping them outside the model’s context window. Developers get the access they need to build and ship, while secrets stay where they belong. The same integration helps catch secrets at the source. Codex can be prompted to use 1Password and the 1Password MCP to store and use credentials that it needs.

Why secrets should stay out of prompts, code, and model context

Every credential placed inside an agent's context is a credential at risk of being easily exfiltrated. It can be logged, cached, reused across sessions, or surfaced in unexpected outputs. A secure architecture treats a coding agent as a tenant, not a vault: it gets secure access to do its job, but never custody of the secret itself. 1Password Environments is built on that principle. Instead of sharing .env files or hardcoding credential values, teams work from a shared environment where secrets are made available at runtime to the application, without the values ever appearing in code, terminals, or model context.

This secure access model is built on the same vault technology and security architecture used across 1Password. Secrets remain end-to-end encrypted and centrally managed, with access limited to authorized users and groups, and through custom permissions.

A screenshot of 1Password storing secrets such as API keys and publishable keys.

This architecture matters more as coding agents take on a bigger share of the development workflow. Any agent that executes code needs credentials, and any credential copied into local files or prompts, or hardcoded into repositories is a credential at risk. 1Password Environments gives teams a way to support these workflows without trading security for developer velocity.

Connecting 1Password Environments to Codex

The integration uses a local MCP server – packaged inside our Password Manager and developer tools – to connect Codex and 1Password Environments, and is available to both 1Password business and personal accounts. MCP connects models to tools and context. With 1Password’s MCP Server for Codex specifically, developers can grant Codex access to credentials directly inside their coding workflows while keeping secrets outside of code. That last part is key: the MCP server here is designed so that Codex can act on secrets without ever seeing them.

Here's what happens when a developer or builder asks Codex to configure an environment:

  • Start a task in Codex: For example, ask Codex to create an app and configure the environment it needs.

  • Codex connects to the 1Password MCP server: This happens over a local MCP server connection, where Codex can discover and invoke available actions from the instructions the MCP server provides.

  • Requests are validated through 1Password: The MCP server communicates with the 1Password desktop app, which handles identity, authorization, and secure access.

  • A user always needs to approve access: Every interaction requires the user to explicitly approve a 1Password authentication prompt before Codex can proceed.

  • Codex creates and manages an environment: It can create environments, list and manage variable names, and prepare configuration without accessing raw secrets.

  • Secrets are used at runtime: Applications run using secrets from 1Password, without copying credentials into prompts, local files, or repositories.

It’s important to note the architectural guarantee: secrets never leave 1Password and are always secure. The MCP server does not read or return secret values through the MCP channel, surface secrets in the model’s context window, or write them to disk. Codex can create environments, list variable names, and invoke applications that use those secrets, but the values themselves never leave 1Password.

Here’s what actually happens at runtime: 1Password injects the required variables directly into the application process when it runs. The values exist in memory only for the authorized process, and only for as long as the process needs them. Codex orchestrates, the application executes, and 1Password issues the credentials. 
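
A minimal model of the pattern described above, as an added example (not 1Password's or OpenAI's code): the agent-facing side sees only variable names and a run action, each run needs approval, and values reach only the child process. The `EnvironmentBroker` class, the `approve` callback, the sample variable, and the output redaction step are assumptions made for illustration.

```python
import os
import subprocess
import sys


class EnvironmentBroker:
    """Holds secret values; exposes only names and a run() action to the agent."""

    def __init__(self, secrets, approve):
        self._secrets = dict(secrets)   # values are never returned by the API
        self._approve = approve         # callback standing in for the user prompt

    def list_variable_names(self):
        # Agent-visible metadata: names only, never values.
        return sorted(self._secrets)

    def run(self, argv):
        # Every invocation needs a fresh, explicit approval.
        if not self._approve(argv):
            raise PermissionError("user denied access")
        # The merged environment exists only for the child process;
        # the broker's own os.environ is left untouched.
        child_env = {**os.environ, **self._secrets}
        proc = subprocess.run(argv, env=child_env, capture_output=True, text=True)
        return {"exit_code": proc.returncode,
                "stdout": self._redact(proc.stdout),
                "stderr": self._redact(proc.stderr)}

    def _redact(self, text):
        # Extra safeguard (an assumption, not described on the page):
        # mask any value the program echoes before it reaches the agent.
        for name, value in self._secrets.items():
            text = text.replace(value, f"<redacted:{name}>")
        return text


# Constructed sample data; the value is a fake placeholder, not a real key.
SAMPLE = {"DEMO_API_KEY": "constructed-value-0000"}
# A deliberately leaky child that prints its secret, to exercise redaction.
LEAKY_APP = [sys.executable, "-c",
             "import os; print('key=' + os.environ['DEMO_API_KEY'])"]

if __name__ == "__main__":
    broker = EnvironmentBroker(SAMPLE, approve=lambda argv: True)
    print(broker.list_variable_names())
    print(broker.run(LEAKY_APP))
```

The leaky child shows why keeping values out of the request channel is not sufficient by itself: anything the application prints flows back to the caller unless the returned output is filtered too.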

This integration reflects 1Password’s approach to MCP and agentic workflows. Secrets are securely injected at runtime for an authorized process and users must explicitly authorize access for the scoped task. MCP works best when access is scoped, user-approved, and keeps credentials out of the agent context.

A diagram visualizing the workflow that takes place between Codex and 1Password to ensure that secrets are only used at runtime.

What builders can do with Codex and 1Password Environments

If you’re a developer or builder, this integration is designed to fit into how you already work, while reducing the need to handle secrets directly or copy them into prompts, local files, or repositories. With this integration, developers can:

  • Bootstrap new projects with 1Password-managed environments so you don't have to create or share .env files.

  • Allow Codex to create and manage environments so your code runs with the right configuration, while underlying secrets stay in 1Password.

  • Stay in control of every access since each Codex interaction with 1Password requires explicit user approval.

  • Use Codex to scan repositories for secrets in plain text, then move these secrets into 1Password for secure storage, and replace them with references in code.

  • Use Codex to extend environments across stages. Use your local environment as a baseline to help bootstrap staging and production environments.

What this unlocks for engineering and security teams 

This integration reduces the overhead of managing secrets in AI-driven workflows, while giving teams more control over how those workflows are adopted.

With this integration, teams can:

  • Eliminate manual secret cleanup and the context switching it requires.

  • Move existing secrets into secure storage as part of the normal coding workflow, not as a separate hygiene task.

  • Support Codex adoption while keeping credentials outside the model’s context window.

  • Give developers a fast path to AI-assisted workflows while security teams retain oversight of how secrets are accessed.

  • Centralize secrets in 1Password instead of letting them scatter across repositories, files, and local environments.

Get started with 1Password Environments and Codex

We're launching the 1Password Environments MCP Server with Codex as a proof point for a broader thesis about the future of agent access.

Coding agents are the leading edge of a larger shift: AI agents joining the workforce and needing real access to real systems. Every one of them will need credentials, but none of them should have custody of those credentials. 1Password is building the access architecture for a future where every agent (coding, operational, and customer-facing) gets access through the same trusted layer. Codex is where that future starts.

How to turn it on

This new feature is available to all joint 1Password and OpenAI customers with access to our Password Managers and 1Password developer tools.

To get started, visit the 1Password Marketplace listing for step-by-step documentation on connecting Codex to 1Password using the local MCP server.