DocumentationGuides1Password

Use dotenvx with 1Password

Load dotenvx private keys from 1Password at runtime.

Store your DOTENV_PRIVATE_KEY* values in 1Password, then load them into the environment before running dotenvx.

Read a Private Key

Use op read to resolve a 1Password secret reference into DOTENV_PRIVATE_KEY_PRODUCTION.

DOTENV_PRIVATE_KEY_PRODUCTION="$(op read op://Engineering/my-app/DOTENV_PRIVATE_KEY_PRODUCTION)" dotenvx run -- npm start

dotenvx run sees DOTENV_PRIVATE_KEY_PRODUCTION, decrypts .env.production, and injects the decrypted values into your process.

Use an Environment File

You can also keep 1Password secret references in .env.keys.

.env.keys

# .env.keys - DO NOT commit to source control
DOTENV_PRIVATE_KEY_PRODUCTION="op://Engineering/my-app/DOTENV_PRIVATE_KEY_PRODUCTION"

Then use op run to resolve the secret reference before dotenvx run starts.

op run --env-file .env.keys -- dotenvx run -- npm start

This keeps the plaintext private key out of .env.keys; 1Password resolves it at runtime.

Team Workflows

1Password works well for developers who already use 1Password locally. For teams that want private keys stored off-device, shared by project, and available without each developer wiring local 1Password access, use Armor.