# 1Password CLI get-started (summary)

- Works on macOS, Windows, and Linux.
  - macOS/Linux shells: bash, zsh, sh, fish.
  - Windows shell: PowerShell.
- Requires a 1Password subscription and the desktop app to use app integration.
- macOS requirement: Big Sur 11.0.0 or later.
- Linux app integration requires PolKit + an auth agent.
- Install the CLI per the official doc for your OS.
- Enable desktop app integration in the 1Password app:
  - Open and unlock the app, then select your account/collection.
  - macOS: Settings > Developer > Integrate with 1Password CLI (Touch ID optional).
  - Windows: turn on Windows Hello, then Settings > Developer > Integrate.
  - Linux: Settings > Security > Unlock using system authentication, then Settings > Developer > Integrate.
- After integration, run any command to sign in (example in docs: `op vault list`).
- If multiple accounts: use `op signin` to pick one, or `--account` / `OP_ACCOUNT`.
- For non-integration auth, use `op account add`.
- Desktop app integration uses a per-user IPC channel the CLI must reach. The transport differs per platform (XPC via the 1Password Browser Helper on macOS, a Unix domain socket on Linux, a named pipe on Windows). Run `op` directly from the gateway's exec environment; wrapping in tmux can move the call into a different environment context where the IPC channel is unreachable, producing `1Password CLI couldn't connect to the 1Password desktop app` errors.
  - macOS: the integration group container lives at `~/Library/Group Containers/2BUA8C4S2C.com.1password/t/` — useful for recognizing the failure mode, not as a reachability test.
  - Service account auth (`OP_SERVICE_ACCOUNT_TOKEN`) does not use the desktop IPC channel and works the same in or out of tmux.
- Standalone interactive signin may use tmux only to preserve the `OP_SESSION_*` export in one persistent shell. The tmux example must start a POSIX shell such as `/bin/sh` before sending `eval "$(op signin ...)"`; do not send that POSIX `eval` form into fish or PowerShell.
