1Password, a leader in identity security, announced 1Password Credential Broker, a new product that securely brokers credentials, tokens, and federated access from 1Password to trusted requesters. The 1Password Credential Broker is available in private beta today, with support for GitHub Actions and a roadmap that extends trusted access across humans, machine workloads, and AI agents through a common identity fabric.
For two decades, 1Password has helped consumers and businesses protect the credentials they use to access critical systems. But credentials are no longer requested only by people signing in through a browser. Modern enterprises now depend on employees, CI/CD pipelines, cloud workloads, service accounts, and AI agents, each of which needs credentials to get work done. Those credentials are often copied into applications, repositories, configuration files, environment variables, and pipelines where they are difficult to govern, rotate, and audit.
The 1Password Credential Broker extends the role of 1Password from storing secrets to brokering credentials for the humans, machines, and agents that need them. Instead of distributing long-lived secrets across tools and environments, organizations can keep credentials protected in 1Password and release only the approved credential, token, or access artifact to a trusted requester when work needs to happen.
“1Password has always been the place enterprises trust to keep credentials safe. The next step is making that same source of truth work for every credential, whether it is requested by a person, a workflow, or an AI agent,” said Nancy Wang, CTO at 1Password. “The 1Password Credential Broker is about closing the gap between where credentials are protected and where access happens. It helps organizations move away from credentials copied across environments and toward credentials brokered from 1Password, based on trusted identity and logged delivery.”
From Stored Secrets to Brokered Credentials
The 1Password Credential Broker acts as a trusted intermediary between an actor that needs a credential and the system where that credential is stored or issued. In the initial private beta flow, the 1Password Credential Broker uses GitHub Actions identity signals to verify a specific workflow before releasing an approved credential to that workload.
For organizations already using 1Password to manage credentials and secrets, the 1Password Credential Broker provides a path from vaulting credentials to brokering credentials at the moment of use. It helps teams keep credentials protected in 1Password while making them available to trusted requesters when work needs to happen.
Designed to Keep Credentials out of Plaintext and Secured in 1Password Vaults
The 1Password Credential Broker is built around a simple principle: credentials should stay protected in 1Password until they are needed by a trusted requester. In the initial GitHub Actions flow, a workflow presents trusted identity signals to 1Password. The 1Password Credential Broker validates those signals against the configured workload identity before delivering the approved credential to the requesting workflow.
This model is designed to reduce the operational burden and security risk created by static credentials. If a credential does not need to be copied into an app, pipeline, or environment file, there are fewer places for that credential to sprawl, leak, or persist beyond its intended use.
The 1Password Credential Broker also adds visibility into credential delivery. Each credential request and delivery event can be logged with identity context, giving security teams a clearer record of which actor requested which credential and under what configured trust relationship.
Extending 1Password’s Zero-Knowledge Security Architecture
The 1Password Credential Broker is built on 1Password’s security architecture and is designed so 1Password’s infrastructure does not have persistent access to customer secrets. Customer-managed key material and trusted identity signals both play a role in the access flow: cryptography helps protect credentials from unilateral access, while identity verification helps ensure credentials are released only to approved requesters. Before an approved credential is delivered, the 1Password Credential Broker verifies the requester using trusted identity signals and releases only the credential configured for that requester.
SOURCE: Businesswire