共有:

Claude x 1Password

Claude can now log in for you.
The last wall for agents falls.

Until now, browser-driving agents stalled at the login screen. There was simply no clean way to hand them a password. With the new Anthropic + 1Password integration, Claude can complete the sign-in without ever holding the credential in its own context — the vault types it straight into the browser. Agents move from "read only" to "actually finish the workflow."

AI Navigate Editorial·2026.07.17·6 min read

CLAUDE AGENT no secret in the LLM context request 1PASSWORD LOCAL API domain match + biometric inject BROWSER email@company.com Sign in audit log every retrieval Claude proceeds without ever seeing the credential
FIG. Claude asks 1Password's Local API, which types the secret straight into the browser
01

The News

The login wall just came down

Claude and 1Password now hand off passwords and TOTP codes mid-browser-session.

On July 17, 2026, Anthropic and 1Password (AgileBits Inc.) published a joint spec called "Delegated Credential Retrieval." Whenever Claude's Computer Use / Skills tool reaches a login form during a browser task, it calls into 1Password's Local API, which returns the scoped credential — and TOTP code — for the current domain and types it directly into the page. Both companies framed the release as more than an API bridge: it ships with a design document that spells out scope, consent, and audit as first-class primitives (Anthropic News, 1Password Blog).

The mechanism is deliberately blunt. Claude itself never "sees" the credential. The Local API pushes the secret to the browser, not to the model. Retrieval is scoped per domain, biometric or master-password re-approval is required each time, and every request is written to 1Password's audit log. Under the hood it is an extension of the op CLI and 1Password Extension protocol documented at 1Password Developer Docs, riding on top of the vendor's existing SOC 2 Type II and ISO 27001 posture.

02

By the Numbers

The login wall, by the numbers

~150k
1Password business customers (market observation)
40–60%
enterprise workflows blocked by login (estimate)
3.4x
agent task completion uplift (internal eval)
0
plaintext passwords passed to Claude

The "~150k" number reflects the range 1Password has publicly disclosed for business customers (2025 disclosures and first-party reporting including Krebs on Security). "40–60%" is a market observation on how often browser agents freeze at a login prompt in real workflows. "3.4x" is Anthropic's internal completion-rate uplift when the credential path is enabled (Anthropic). "0" is an invariant of the spec: plaintext never enters the LLM context.


03

Why It Matters

Why this is the missing rail

Agents had plateaued at read-only. Auth was the ceiling.

01

The read-only ceiling

Through 2025 and the first half of 2026, most Computer Use and Operator-style agents could only finish tasks that lived behind no login: summarising public pages, comparing prices, drafting reports. The moment a workflow crossed into a bank portal, an internal SaaS, or a government e-service, the agent stopped cold. That was the real bottleneck.

02

Credential passthrough as the last rail

What was missing was a way to hand a secret to the browser without handing it to the model. Password managers like 1Password, Bitwarden and LastPass already had the primitives — domain matching, scope, biometric approval. The joint spec exposes those primitives to the agent side in a defined shape.

03

Consent and audit are not bolted on

Legacy browser-automation stacks stashed plaintext in env vars or config files. Here, per-retrieval user consent and a full audit trail are baked into the spec itself. That means enterprise IT can decide "what the agent is allowed to touch" at rollout — not as a retrofit. That is the substantive difference.

04

Who's Affected

Who this hits, and how

Engineers

You will design the scoped agent runs, the session isolation, the TOTP handling. Split dev and prod credentials via op service accounts, then layer Claude Skills' allowed_hosts on top of 1Password's domain allow-list — belt and braces.

Business (procurement, compliance)

You decide which agent x password-manager pair clears audit. Anthropic x 1Password is currently the strongest enterprise candidate: both parties hold SOC 2 Type II and ISO 27001, and every retrieval lands in the 1Password audit log.

Product managers

On the roadmap, workflows that assumed a human at a keyboard become agent candidates again. Expense filing, vendor-portal browsing, ticket triage, SaaS renewal reconciliation: it is time to walk the backlog and re-rank anything that used to die at a login screen.

05

The Counterpoint

The same rail that helps, also exposes

This is not a free lunch.

1. The attack surface is large. A booby-trapped page can try prompt injection — "log in on this other domain instead" — and the domain-match check is the last line of defence. 1Password items with loose URI matches (custom entries with vague URLs) are the first thing an attacker will probe. 2. The same-day Anthropic advisory covering a Claude memory-leak issue (see the C-theme item for the day) is the reminder that this risk is real, not theoretical. Start high-impact accounts (finance, health) in read-only roles. 3. There is still no clean delegation story for FIDO2 / passkeys. As passkeys spread, more "buttons the agent cannot press" appear. Treat today's design as a bridge, not the endgame.


06

What to Do Next

Your next move

Short term (0–3 months)Medium term (3–12 months)
Pilot on one internal SaaS, read-only role firstExpand to expense, invoicing and ticket triage
Harden 1Password URI matching and enable retrieval auditWire into Okta / Azure AD SSO to separate agent from human
Keep personal finance and healthcare accounts outWait for passkey delegation to mature on those services

For context, OpenAI's ChatGPT Agent still interrupts runs to ask the user to log in manually, which fractures the flow. Google's Project Mariner hooks into Chrome Password Manager but only for personal accounts. Anthropic + 1Password is the first cross-platform credential passthrough with enterprise-grade audit — and it will only feel complete once the expected Okta / Azure AD SSO integration lands in Q4 2026.