Skip to content

feat(onepassword): support service account datasource#280

Merged
siisee11 merged 1 commit into
mainfrom
codex/onepassword-service-account
Jun 12, 2026
Merged

feat(onepassword): support service account datasource#280
siisee11 merged 1 commit into
mainfrom
codex/onepassword-service-account

Conversation

@siisee11

@siisee11 siisee11 commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

One-Line Summary

1Password data sources can now connect with Service Account tokens for read-only vault, item, and secret-reference access.

User-Facing Changes

  • 1Password credentials can use authMethod: "service_account" with serviceAccountToken instead of requiring a Connect Server URL.
  • Service Account sources expose list_vaults, list_items, get_item, and resolve_secret source API operations.
  • Existing Connect Server credentials still work with authMethod: "connect", apiBaseUrl, and accessToken.

Why This Changed

The previous 1Password provider only modeled the self-hosted Connect Server REST API. 1Password Service Accounts authenticate through the official SDK/CLI flow rather than a Connect-style cloud apiBaseUrl, so users could not add the cloud Service Account datasource without standing up Connect Server.

How It Changed

  • Added a union credential schema for Connect Server and Service Account modes.
  • Kept the existing Connect Server simple REST adapter path for backwards compatibility.
  • Added an SDK-backed Service Account adapter with read-only structured operations and test-injectable client creation.
  • Updated connection guide metadata to default to Service Account setup while documenting Connect Server as the REST fallback.

Extra Context / Decisions

  • The Service Account adapter intentionally rejects raw fetch_api requests, request bodies, and custom headers so the token only enables the supported read-only operations.

Verification

  • bun run typecheck in packages/server
  • bun run test src/source-api/adapters/simple-rest-providers.test.ts in packages/server
  • bun run test src/credentials.test.ts in packages/db
  • bunx turbo typecheck --filter=@onequery/server --filter=@onequery/db --filter=@velen/web --filter=@velen/db --json from Velen root
  • bunx turbo test --filter=@onequery/server --filter=@onequery/db --filter=@velen/web --filter=@velen/db --json from Velen root

Video / Screenshot (Optional)

  • N/A

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 12, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 onequery-landing 935314b Commit Preview URL

Branch Preview URL		 Jun 12 2026, 08:37 AM

@siisee11 siisee11 enabled auto-merge (squash) June 12, 2026 08:37
@siisee11 siisee11 merged commit e81948e into main Jun 12, 2026
9 checks passed
@siisee11 siisee11 deleted the codex/onepassword-service-account branch June 12, 2026 08:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@siisee11 siisee11

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@siisee11