1Password
When you connect 5 MCPs, you accumulate 5 tokens scattered across your ~/.bashrc, scripts, and env vars. It's a time bomb. 1Password centralizes everything: tokens, SSH keys, passwords, 2FA. Its CLI (op) lets you inject a secret into a command without ever writing it in plain text, which protects your credentials from accidental leaks (git commits, screenshares, logs).
Installation
Prerequisites. 1Password subscription required ($2.99/month personal). Family or team plan recommended if you share secrets. The desktop app and CLI install in a single command.
$ brew install --cask 1password 1password-cli
After install: `op signin`, then enable CLI integration in 1Password (Settings → Developer → Integrate with 1Password CLI).
Configs and workflows worth knowing
Store all your MCP tokens in a dedicated vault
Create a vault 'AI Stack' (or 'Claude Code'), store each MCP token with a clear name: PostHog API Key, Slack Bot Token, HubSpot Private App, etc. Each entry should have the service URL and required scopes (to remind you what the token can do).
Inject a secret into a command without ever displaying it
With `op read`, you get a secret in plain text only during execution. It doesn't appear in shell history, logs, or screenshares. Useful to install an MCP with a token without pasting the token into the command.
# Instead of this (the token ends up in your history)
claude mcp add posthog -- npx -y @posthog/mcp-server --api-key=phc_xyz...

# Do this (the token stays in 1Password)
claude mcp add posthog -- npx -y @posthog/mcp-server \
  --api-key="$(op read "op://AI Stack/PostHog/api_key")"
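A check for the failure mode in the first command above (a token typed on the command line ends up in your history), as an added example that is not part of the original page: it scans history and dotfiles for plaintext tokens and prints only a redacted prefix. The `phc_` prefix comes from the page; the `xoxb-` and `pat-` patterns, the function name `scan_tokens` and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report plaintext tokens left in
# shell history or dotfiles, printing only a redacted prefix.
# Assumptions: phc_ is the prefix shown on the page; xoxb- (Slack bot token) and
# pat-<region>- (HubSpot private app) are assumed formats for those services.
TOKEN_RE='phc_[A-Za-z0-9]{8,}|xoxb-[A-Za-z0-9-]{10,}|pat-[a-z]{2}[0-9]-[A-Za-z0-9-]{10,}'

# scan_tokens FILE...
# Prints "file:line:pref****" for each hit; returns 1 if anything was found.
scan_tokens() {
  hits=$(
    for f in "$@"; do
      [ -r "$f" ] || continue            # skip missing or unreadable files
      grep -nEo "$TOKEN_RE" "$f" | while IFS=: read -r line tok; do
        printf '%s:%s:%.4s****\n' "$f" "$line" "$tok"   # never echo the full token
      done
    done
  )
  if [ -z "$hits" ]; then return 0; fi
  printf '%s\n' "$hits"
  return 1
}

if [ "$#" -gt 0 ]; then
  scan_tokens "$@"                       # e.g. ~/.zsh_history ~/.bashrc .env
else
  # Constructed sample history: two leaked tokens, one op:// reference.
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
claude mcp add posthog -- npx -y @posthog/mcp-server --api-key=phc_CONSTRUCTED0000000000
export SLACK_BOT_TOKEN=xoxb-0000000000-CONSTRUCTED
claude mcp add posthog -- npx -y @posthog/mcp-server --api-key=$(op read "op://AI Stack/PostHog/api_key")
EOF
  scan_tokens "$sample" || echo "Rotate these tokens, then store the new ones in 1Password."
  rm -f "$sample"
fi
```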
Replace ssh-agent + .gitconfig with 1Password
1Password can store your SSH keys and sign your Git commits. No more exposed ~/.ssh/id_rsa files, and each signature asks for Touch ID. Protects against compromised repos trying to siphon your keys.