Note: 1Password SaaS Manager was previously named Trelica. Some commands and integrations still use or refer to Trelica. Follow directions as written to avoid errors.
The 1Password SaaS Manager APIs are available through an MCP server.
To use this, first log in to SaaS Manager as an administrator and create an API client using Client-credentials.
You can use the MCP server through a Remote or Local connection.
If you're running the AI tool locally on your laptop, we strongly recommend using Local MCP. Although this involves running a small executable, it makes token management and configuration with various desktop and command-line clients much easier.
Remote MCP
The Remote server only allows read-only actions.
The underlying MCP specification supports either Bearer token authentication or OAuth DCR (Dynamic Client Registration). You must select Bearer token as SaaS Manager does not currently support DCR.
For security reasons, SaaS Manager does not directly issue a Bearer token. Instead, it supports OAuth Client-credentials authentication, which is a two-step process: first the long-lived credentials are presented, and then a short-lived Bearer token is returned. This Bearer token is valid for approximately 1 hour, and must be manually generated, for example using curl:
curl -s -u "<CLIENT_ID>:<CLIENT_SECRET>" -d grant_type=client_credentials \
  https://trelica.app/connect/token | jq -r .access_token
or, if your credentials are in 1Password:
curl -s -u "<CLIENT_ID>:$(op read --account MyCompanyAccount \
  'op://employee/SM MCP Creds/password')" \
  -d grant_type=client_credentials \
  https://trelica.app/connect/token | jq -r .access_token
Replace trelica.app with trelica.eu if your tenant is running in our European hosting environment.
This token can then be used with your AI tool. Some installed clients, like Claude Desktop, require a bridge such as the mcp-remote tool to work with a remote server.
Configure your tool to connect to either:
- https://mcp.1password.com/trelica/mcp
- https://mcp.1password.eu/trelica/mcp
The disadvantage of this approach is that the token will need re-generating every hour, and the AI tool will need reconfiguring.
A more practical alternative is to use a local MCP server.
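The token exchange above can be wrapped so that the client secret never appears in curl's argument list (where it can be visible in the process list) and so that an error response is not mistaken for a token. This is an added example, not code from 1Password; the function names and the TOKEN_URL variable are hypothetical, and it assumes curl and jq are installed.

```shell
#!/bin/sh
# Added example (not 1Password's code). Function names are hypothetical.
# Use https://trelica.eu/connect/token for tenants in the European environment.
TOKEN_URL="${TOKEN_URL:-https://trelica.app/connect/token}"

# Print a curl config line carrying the Basic-auth credentials.
# Backslashes and double quotes are escaped, as curl's config syntax
# requires inside a double-quoted value.
curl_auth_config() {
  escaped=$(printf '%s:%s' "$1" "$2" | sed 's/[\\"]/\\&/g')
  printf 'user = "%s"\n' "$escaped"
}

# Read a token endpoint response on stdin and print access_token.
# Exits non-zero when the field is missing or empty (for example an OAuth
# error body), so the literal string "null" is never used as a token.
extract_token() {
  jq -er '.access_token | select(type == "string" and length > 0)'
}

# Exchange the long-lived client credentials for a short-lived Bearer token.
# curl reads the credentials from stdin (-K -) rather than from -u on argv;
# -f makes HTTP errors produce no body, which extract_token then rejects.
fetch_token() {
  curl_auth_config "$1" "$2" |
    curl -sS -f -K - -d grant_type=client_credentials "$TOKEN_URL" |
    extract_token
}

# Usage, with the secret held in 1Password as in the command above:
#   fetch_token "<CLIENT_ID>" \
#     "$(op read --account MyCompanyAccount 'op://employee/SM MCP Creds/password')"
```
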
Local MCP
You need to install a small MCP server locally.
Download:
- macOS (.pkg)
- Windows x64 (.zip)
- Windows ARM64 (.zip)
For Windows, this downloads a Zip file which expands to sm-mcp.exe. On macOS, there's a small installer which will install the sm-mcp tool to /usr/local/bin/sm-mcp.
Open your Terminal (macOS) or command line (Windows) and run the steps below.
- Authenticate
  sm-mcp login --host trelica.app --client-id <CLIENT_ID>
  You'll be prompted to enter the Client secret.
  Alternatively, you can use --client-secret-stdin to securely pass credentials using the command line:
  echo '<secret>' | sm-mcp login --host trelica.app \
    --client-id <client_id> --client-secret-stdin
  This is a one-off step. The credentials will be securely stored in your macOS Keychain or in Windows Credential Manager.
  If you have your API credentials already in 1Password, you can combine this with the op tool as follows:
  OP_ACCOUNT=MyCompanyAccount sm-mcp login --host trelica.app \
    --client-id <client_id> \
    --client-secret-op "op://employee/SM MCP Creds/password"
  Notice how we're using the OP_ACCOUNT environment variable to specify the account if you've got several 1Password accounts, such as Work and Family.
- Connect the MCP to your AI client using the sm-mcp install <ai-client> command.
  Currently supported clients:
  - claude (desktop)
  - claude-code
  - cursor
  - vscode
  - codex
  - copilot
  - factory-droid
  - opencode
  For example, for Claude Desktop use:
  sm-mcp install claude
  Then fully restart the AI client.
  If your client is not in the list, you'll need to check the documentation for how to configure local stdio MCP servers.
- --enable-writes when you run the sm-mcp install command.
  Under the hood this will configure the AI client to call sm-mcp serve --enable-writes.