Use Case
I use ephemeral service accounts (op service-account create --expires-in 2h) to give AI agents
(Claude, OpenCode) short-lived, least-privilege access to specific vaults for credential retrieval.
This is the pattern recommended in your own blog post "Supercharge your workflow: Use 1Password
service accounts and SDKs to secure agentic AI access."
The problem: after token expiry, the service account entries remain in the Developer dashboard as
dead/inert entries. There is no programmatic way to clean them up — only the web UI at
1password.com. With a limit of 100 service accounts per account, this pattern becomes unsustainable
without constant manual cleanup.
Additionally, there is no way to verify whether expired service accounts are automatically purged
from the 100-account quota, or if they permanently consume a slot until manually deleted.
Requirements and desired behavior
CLI:
op service-account list [--format json] — list all service accounts with UUID, name, status
(active/expired), creation date, expiry dateop service-account delete <uuid> — delete/revoke a service account by UUIDop service-account prune --expired — bulk delete all expired service accounts
SDK (Python/JS/Go):
client.service_accounts.list() → list all service accountsclient.service_accounts.delete(uuid) → delete a service accountclient.service_accounts.prune_expired() → bulk cleanup
Bonus: auto-cleanup of expired service accounts (if --expires-in was set and TTL has passed),
so they don't count against the 100-account limit.
Additional information
Current workaround: manual cleanup via web UI (Developer → Service Accounts → select → Revoke).
Not viable for automation-heavy workflows that create multiple ephemeral tokens per day.
Related: this gap also affects the CLI, which only exposes create and ratelimit subcommands
for service accounts. Ideally the fix would land in both CLI and SDK simultaneously.
Use Case
I use ephemeral service accounts (
op service-account create --expires-in 2h) to give AI agents(Claude, OpenCode) short-lived, least-privilege access to specific vaults for credential retrieval.
This is the pattern recommended in your own blog post "Supercharge your workflow: Use 1Password
service accounts and SDKs to secure agentic AI access."
The problem: after token expiry, the service account entries remain in the Developer dashboard as
dead/inert entries. There is no programmatic way to clean them up — only the web UI at
1password.com. With a limit of 100 service accounts per account, this pattern becomes unsustainable
without constant manual cleanup.
Additionally, there is no way to verify whether expired service accounts are automatically purged
from the 100-account quota, or if they permanently consume a slot until manually deleted.
Requirements and desired behavior
CLI:
op service-account list [--format json]— list all service accounts with UUID, name, status(active/expired), creation date, expiry date
op service-account delete <uuid>— delete/revoke a service account by UUIDop service-account prune --expired— bulk delete all expired service accountsSDK (Python/JS/Go):
client.service_accounts.list()→ list all service accountsclient.service_accounts.delete(uuid)→ delete a service accountclient.service_accounts.prune_expired()→ bulk cleanupBonus: auto-cleanup of expired service accounts (if
--expires-inwas set and TTL has passed),so they don't count against the 100-account limit.
Additional information
Current workaround: manual cleanup via web UI (Developer → Service Accounts → select → Revoke).
Not viable for automation-heavy workflows that create multiple ephemeral tokens per day.
Related: this gap also affects the CLI, which only exposes
createandratelimitsubcommandsfor service accounts. Ideally the fix would land in both CLI and SDK simultaneously.