10 Apr 2025

Secure your secrets: 1Password CLI for Devs.

In this article, I’ll share how and why Significa created an open-source CLI utility for syncing 1Password secrets to local environment files and Fly apps.

Security is a cornerstone of good software development. It is essential not just for compliance or peace of mind but also for protecting users and keeping things running smoothly.

At Significa, environment separation and secret management are woven into our daily workflow. We’ll walk you through how we handle environment-specific configurations and keep secrets secure across teams, and introduce you to our tool, 1password-secrets: an open-source CLI utility that integrates with 1Password to make secret management safer and easier.


Why environment separation matters.

Keeping your environments separate isn’t just good practice to keep things tidy; it's absolutely necessary! Each one has a distinct role: local development is where new features are built and tested; staging acts as a production-like environment for final checks; and production is the live system your users interact with. By clearly defining the purpose of each, you ensure unstable or experimental code doesn't unintentionally affect your users, and you create safer conditions for testing, debugging, and releasing.

Furthermore, services like databases should never be exposed to the public Internet unless absolutely necessary. Locking down these layers reduces the surface area for potential attacks.

Secrets should stay secret!

When it comes to credentials — like API keys or passwords — reusing the same one across environments is a risky shortcut. A key used in development should never be the same as the one used in production — not even close.

We always recommend using separate accounts for different environments when working with third-party services. Yes, it might mean managing a few extra logins, but the improved traceability and reduced risk are worth it.
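A check for the rule above, as an added example that is not part of the original article or of 1password-secrets: it parses one .env file per environment and reports secret-looking keys whose value is identical in more than one environment. The environment names, the sample values and the SECRET_HINTS name heuristic are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Assumption: names containing these substrings hold secrets; tune per project.
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "DATABASE_URL")

# Constructed sample .env contents, one per environment (no real credentials).
SAMPLE_ENVS = {
    "development": "# local only\nPAYMENTS_API_KEY=constructed-dev-0001\n"
                   "DATABASE_URL=postgres://app:constructed-dev@localhost/app\n"
                   "LOG_LEVEL=debug\n",
    "staging": "PAYMENTS_API_KEY=constructed-stg-0002\n"
               'DATABASE_URL="postgres://app:constructed-shared@db.example.internal/app"\n'
               "LOG_LEVEL=info\n",
    "production": "export PAYMENTS_API_KEY=constructed-prod-0003\n"
                  "DATABASE_URL=postgres://app:constructed-shared@db.example.internal/app\n"
                  "LOG_LEVEL=info\n",
}

def parse_env(text):
    """Parse KEY=VALUE lines: skip blanks/comments, drop 'export ', unquote."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("export "):
            key = key[len("export "):].strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs[key] = value
    return pairs

def find_reused_secrets(envs):
    """Return sorted (key, [environments]) where a secret value is shared."""
    seen = defaultdict(set)  # (key, sha256 of value) -> environments using it
    for env_name, text in envs.items():
        for key, value in parse_env(text).items():
            if value and any(hint in key.upper() for hint in SECRET_HINTS):
                # Index by digest so plaintext secrets are not kept or reported.
                digest = hashlib.sha256(value.encode()).hexdigest()
                seen[(key, digest)].add(env_name)
    return sorted((key, sorted(names)) for (key, _), names in seen.items()
                  if len(names) > 1)

if __name__ == "__main__":
    for key, names in find_reused_secrets(SAMPLE_ENVS):
        print(f"{key}: same value in {', '.join(names)}")
```

In the sample, the staging and production DATABASE_URL values match once quotes are stripped, so that key is reported; LOG_LEVEL also repeats but is ignored because its name does not look like a secret.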

So, how do you handle secrets in local development without dumping everything into your .env file and calling it a day? That's where 1password-secrets comes in.

Security is cultural.

We have a dedicated section in our Handbook on how we uphold the highest security standards.

Meet 1password-secrets.

Local development often requires external services — think Firebase, Stripe, or Fly.io. However, syncing those credentials across team members can get messy. Sending .env files in Slack? Nope. Committing secrets to version control? Absolutely not.

To solve this issue, we built 1password-secrets.

It’s a CLI tool that pulls secrets directly from your team’s shared 1Password vault and injects them into your local environment. That means no more .env drift, no sensitive info in Git, and no headaches when onboarding a new developer.

Here’s how it works:

  • 1password-secrets local pull fetches the latest secrets from 1Password and populates your local environment.

  • 1password-secrets local push updates 1Password with your local changes so everyone stays in sync.

It also integrates with Fly.io, automatically grabbing the right secrets from 1Password and applying them to your Fly apps. Less copy-pasting, more security.

Why we built it.

Before 1password-secrets, our secret management relied on a mix of manual processes — some secure, some... less so. We wanted something simple, safe, and reliable. So we built it.

And since we figured other teams might face the same problem, we made it open-source.

Why open source.

We believe that open source drives innovation and collaboration, helping to push the industry forward.

Why 1Password?

There are plenty of secret management tools out there, such as AWS Secrets Manager, HashiCorp Vault, Doppler, and more. However, at Significa, we opted for 1Password because it struck the right balance between security, usability, and team adoption.

As a tool our entire team was already familiar with, it allowed us to skip the learning curve and start sharing credentials securely from day one. It also comes with solid features like end-to-end encryption, item versioning, access control, and team vaults. Crucially, it's not just secure — it’s accessible, even for non-technical teammates who occasionally need credentials too.

By building on top of 1Password, 1password-secrets taps into a system we already trust, extending its functionality in a way that fits naturally into our development workflow.

Easier onboarding and smoother collaboration.

One of the most underrated benefits of 1password-secrets is how much it simplifies onboarding new team members. Instead of pinging someone for .env files (DON'T!), manually copying credentials, or checking which version is the latest, new developers just install the CLI and pull the secrets they need. That's it.

It also brings consistency to day-to-day collaboration. When everyone on the team is pulling from the same source of truth, there’s no room for misaligned configs or secrets going stale. It reduces the friction of switching between projects, helps spot inconsistencies faster, and gives everyone peace of mind that sensitive data isn’t floating around in random Slack threads.

A safer workflow for everyone.

Balancing security with ease of use is tricky. You want secrets locked away, but not so much that they get in the way of getting things done. 1password-secrets helps us strike that balance, keeping secrets safe without slowing the team down.

If your team uses 1Password and needs a cleaner way to manage secrets across environments, give it a try. Contributions are always welcome.


Nuno Craveiro

Front-end Developer


Nuno’s journey to Significa took him from Porto to Stockholm and back again. After indulging in IKEA meatballs, he returned for the irresistible pastel de nata. Along the way, he picked up a blend of Nordic precision and Portuguese creativity, which he now channels into crafting flawless pixels. When he's not coding, you'll find him at local gigs, balancing his passion for music with his front-end wizardry. Nuno might not be a dancing queen, but he's definitely a coding king.
