1Password setup - Configview Support

ConfigView pulls 1Password data through three separate credentials that you create in your own 1Password account. Each one unlocks a different slice of data:

Credential	Required for	1Password plan
Events Reporting API token	Sign-in attempts, item usages, audit events	Business or Enterprise
SCIM Bridge bearer token	Users, groups, group membership, SCIM schema	Business or Enterprise with SCIM Bridge deployed
Service Account token	Account info, vaults, vault items metadata, vault permissions	Business or Enterprise

The credentials are intentionally separate because 1Password issues them through three different admin surfaces, each with its own scope. ConfigView can run with any subset — if you only have the Events Reporting API enabled, just create that one and enable only the Events scripts. You will end up with 5 secrets in ConfigView (OP_EVENTS_HOST, OP_EVENTS_TOKEN, OP_SCIM_URL, OP_SCIM_TOKEN, OP_SERVICE_ACCOUNT_TOKEN) when all three parts are complete.

Part 1: Events Reporting API

Set up an Events Reporting integration so ConfigView can pull sign-in attempts, item usages, and audit events.

Step 1: Create the Events Reporting Integration

Sign in to your 1Password account as an Owner or Administrator at https://my.1password.com
Click Integrations in the sidebar
Under Events Reporting, click Add Integration and choose Other
Name: ConfigView
Pick which event streams to enable. ConfigView uses all three:
- Sign-in attempts
- Item usages
- Audit events
Click Add Integration
Copy the bearer token that appears. You will not be able to see it again — store it somewhere safe.

Note: The Events Reporting API requires a Business or Enterprise plan. If you do not see Events Reporting under Integrations, contact your 1Password account rep to confirm your plan tier.

Step 2: Note your Events API host

The Events API host depends on your 1Password tenancy:

Tenancy	Host
1Password.com (US, default)	`https://events.1password.com`
1Password.ca	`https://events.1password.ca`
1Password.eu	`https://events.1password.eu`
Enterprise (custom)	Use the host shown on your Events Reporting integration page

Copy the host that matches your tenancy.

Step 3: Add the Events secrets to ConfigView

Go to your ConfigView dashboard: https://{companyname}.configview.com/admin/secret/
Click Add Secret and create:
- OP_EVENTS_HOST: the host from Step 2 (e.g. https://events.1password.com)
- OP_EVENTS_TOKEN: the bearer token from Step 1
Click Save

Part 2: SCIM Bridge

Set up SCIM Bridge access so ConfigView can pull users, groups, and group membership.

Skip this section if you do not have a SCIM Bridge deployed. SCIM Bridge is an optional 1Password component used for IdP provisioning (Okta, Azure AD, etc.). If you have not deployed it, skip to Part 3.

Step 1: Locate (or create) the SCIM bearer token

If your SCIM Bridge is already provisioning users from your IdP, a bearer token already exists. You can either reuse it or create a dedicated one for ConfigView. To create a dedicated token:

Sign in to your SCIM Bridge admin UI (e.g. https://scim.yourcompany.com) using the recovery code
Click Generate to produce a new bearer token
Copy the token — store it somewhere safe

To reuse the existing token: retrieve it from wherever your IdP integration stores it (Okta admin, Azure AD enterprise app, etc.).

Step 2: Note your SCIM Bridge URL

This is the public URL of your SCIM Bridge deployment, e.g. https://scim.yourcompany.com. No trailing slash; ConfigView normalizes it either way.

Step 3: Add the SCIM secrets to ConfigView

Go to: https://{companyname}.configview.com/admin/secret/
Click Add Secret and create:
- OP_SCIM_URL: your SCIM Bridge URL (e.g. https://scim.yourcompany.com)
- OP_SCIM_TOKEN: the bearer token from Step 1
Click Save

Part 3: Service Account (vault inventory)

Set up a 1Password service account so ConfigView can list vaults, items metadata, and per-vault permissions via the op CLI.

ConfigView reads metadata only — item titles, tags, vault membership. It never reads or stores secret values from your vaults. To enforce this, scope the service account read-only and grant access only to the vaults you want inventoried.

Step 1: Create the Service Account

Sign in to your 1Password account as an Owner at https://my.1password.com
Click Integrations in the sidebar
Under Service Accounts, click Create Service Account (or Other → Service Account)
Name: ConfigView
Pick the vaults the service account should have access to. ConfigView will inventory exactly these — anything you don’t grant remains invisible.
For each vault, choose the Read Items permission only.
Click Create Account
Copy the service account token (starts with ops_...). You will not be able to see it again — store it somewhere safe.

Note: If you want ConfigView to inventory every vault in your account, grant the service account access to all vaults. New vaults created after this point will not be visible until you explicitly grant the service account access to them.

Step 2: Add the Service Account secret to ConfigView

Go to: https://{companyname}.configview.com/admin/secret/
Click Add Secret
Secret name: OP_SERVICE_ACCOUNT_TOKEN
Secret value: Paste the ops_... token you copied
Click Save

Step 4: Enable the 1Password scripts in ConfigView

Go to: https://{companyname}.configview.com/admin/cron/
You should see 1password in the list of available apps
Select the scripts you want to run. Each script depends on a specific credential — enable only what you have:

Script	Credential	Notes
Sign-in Attempts	Events API	Last 30 days of sign-in events
Item Usages	Events API	Last 30 days of item access events
Audit Events	Events API	Last 30 days of admin/governance actions
Events Token Introspect	Events API	Validates token scope; safe to always enable
Users	SCIM Bridge	All directory-managed users
Groups	SCIM Bridge	All directory-managed groups
Group Members	SCIM Bridge	Which users belong to which groups
SCIM Service Config	SCIM Bridge	SCIM endpoint capabilities
SCIM Resource Types	SCIM Bridge	SCIM resource schemas
SCIM Schemas	SCIM Bridge	SCIM attribute schemas
Account	Service Account	Account name, domain, plan
Vaults	Service Account	All vaults the service account can see
Vault Items (metadata)	Service Account	Item titles, tags, created/updated — no secret values
Vault Users	Service Account	Per-vault user permissions
Vault Groups	Service Account	Per-vault group permissions

Click Save

Note: Group Members depends on Groups; Vault Items / Vault Users / Vault Groups all depend on Vaults. ConfigView wires these dependencies automatically — parent scripts always run first.

Step 5: Verify

Go to: https://{companyname}.configview.com/admin/status/
Run the 1Password health check
The corresponding sections should pass for whichever credentials you configured:
- Events API: secret + token introspection
- SCIM Bridge: secret + /Users and /Groups endpoints
- Service Account: secret + op whoami

If a check fails:

Events API 401 Unauthorized — Token expired or revoked. Re-issue from Part 1 Step 1 and update the OP_EVENTS_TOKEN secret.
SCIM Bridge connection refused — OP_SCIM_URL is wrong, or your SCIM Bridge is not reachable from the ConfigView satellite. Confirm the URL in a browser first.
Service Account op binary not found — The op CLI is not installed on the satellite. Contact your ConfigView administrator (or support) to install it. The Events and SCIM scripts do not require the op binary.
Service Account service account not authorized for this vault — Grant the service account access to that vault in 1Password (Part 3 Step 1), or accept that the vault will not appear in the inventory.

Data Tables

Once the scripts run, the corresponding tables will be created in your database. All tables include a run_at column for historical tracking.

Table	Source	Key Columns
`onepassword_signin_attempts`	Events API	uuid, category, type, country, target_user_email, session_uuid, timestamp
`onepassword_item_usages`	Events API	uuid, used_version, vault_uuid, item_uuid, user_email, action, timestamp
`onepassword_audit_events`	Events API	uuid, action, object_type, object_uuid, actor_email, session_uuid, timestamp
`onepassword_introspect`	Events API	features (JSON), issued_at, expires_at
`onepassword_users`	SCIM Bridge	scim_id, user_name, email, display_name, active, groups_json
`onepassword_groups`	SCIM Bridge	scim_id, display_name, member_count
`onepassword_group_members`	SCIM Bridge	group_scim_id, member_scim_id, member_email
`onepassword_scim_config`	SCIM Bridge	feature, supported, raw_json
`onepassword_resource_types`	SCIM Bridge	resource_id, name, endpoint, schema
`onepassword_schemas`	SCIM Bridge	schema_id, name, attributes_json
`onepassword_account`	Service Account	account_uuid, name, domain
`onepassword_vaults`	Service Account	vault_id, name, content_version, items, type
`onepassword_vault_items`	Service Account	vault_id, item_id, title, category, tags, urls_json, created_at, updated_at
`onepassword_vault_users`	Service Account	vault_id, user_email, permissions_json
`onepassword_vault_groups`	Service Account	vault_id, group_id, group_name, permissions_json

Documentation Index

​Part 1: Events Reporting API

​Step 1: Create the Events Reporting Integration

​Step 2: Note your Events API host

​Step 3: Add the Events secrets to ConfigView

​Part 2: SCIM Bridge

​Step 1: Locate (or create) the SCIM bearer token

​Step 2: Note your SCIM Bridge URL

​Step 3: Add the SCIM secrets to ConfigView

​Part 3: Service Account (vault inventory)

​Step 1: Create the Service Account

​Step 2: Add the Service Account secret to ConfigView

​Step 4: Enable the 1Password scripts in ConfigView

​Step 5: Verify

​Data Tables