feat(app-connections): 1Password App Connection

backend/src/lib/api-docs/constants.ts

@@ -2084,6 +2084,10 @@ export const AppConnections = {
       region: "The region identifier in Oracle Cloud Infrastructure where the vault is located.",
       fingerprint: "The fingerprint of the public key uploaded to the user's API keys.",
       privateKey: "The private key content in PEM format used to sign API requests."
+    },
+    ONEPASS: {
+      instanceUrl: "The URL of the 1Password Connect Server instance to authenticate with.",
+      apiToken: "The API token used to access the 1Password Connect Server."
     }
   }
 };
@@ -2237,6 +2241,9 @@ export const SecretSyncs = {
       compartmentOcid: "The OCID (Oracle Cloud Identifier) of the compartment where the vault is located.",
       vaultOcid: "The OCID (Oracle Cloud Identifier) of the vault to sync secrets to.",
       keyOcid: "The OCID (Oracle Cloud Identifier) of the encryption key to use when creating secrets in the vault."
+    },
+    ONEPASS: {
+      vaultId: "The ID of the 1Password vault to sync secrets to."
     }
   }
 };

backend/src/server/routes/v1/app-connection-routers/1password-connection-router.ts

@@ -0,0 +1,60 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import {
+  CreateOnePassConnectionSchema,
+  SanitizedOnePassConnectionSchema,
+  UpdateOnePassConnectionSchema
+} from "@app/services/app-connection/1password";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerOnePassConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.OnePass,
+    server,
+    sanitizedResponseSchema: SanitizedOnePassConnectionSchema,
+    createSchema: CreateOnePassConnectionSchema,
+    updateSchema: UpdateOnePassConnectionSchema
+  });
+
+  // The following endpoints are for internal Infisical App use only and not part of the public API
+  server.route({
+    method: "GET",
+    url: `/:connectionId/vaults`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string(),
+            type: z.string(),
+            items: z.number(),
+
+            attributeVersion: z.number(),
+            contentVersion: z.number(),
+
+            // Corresponds to ISO8601 date string
+            createdAt: z.string(),
+            updatedAt: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+      const vaults = await server.services.appConnection.onepass.listVaults(connectionId, req.permission);
+      return vaults;
+    }
+  });
+};

backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts

@@ -4,6 +4,10 @@ import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags } from "@app/lib/api-docs";
 import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import {
+  OnePassConnectionListItemSchema,
+  SanitizedOnePassConnectionSchema
+} from "@app/services/app-connection/1password";
 import { Auth0ConnectionListItemSchema, SanitizedAuth0ConnectionSchema } from "@app/services/app-connection/auth0";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
 import {
@@ -78,7 +82,8 @@ const SanitizedAppConnectionSchema = z.union([
   ...SanitizedWindmillConnectionSchema.options,
   ...SanitizedLdapConnectionSchema.options,
   ...SanitizedTeamCityConnectionSchema.options,
-  ...SanitizedOCIConnectionSchema.options
+  ...SanitizedOCIConnectionSchema.options,
+  ...SanitizedOnePassConnectionSchema.options
 ]);
 
 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -100,7 +105,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
   WindmillConnectionListItemSchema,
   LdapConnectionListItemSchema,
   TeamCityConnectionListItemSchema,
-  OCIConnectionListItemSchema
+  OCIConnectionListItemSchema,
+  OnePassConnectionListItemSchema
 ]);
 
 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {

backend/src/server/routes/v1/app-connection-routers/index.ts

@@ -1,5 +1,6 @@
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";
 
+import { registerOnePassConnectionRouter } from "./1password-connection-router";
 import { registerAuth0ConnectionRouter } from "./auth0-connection-router";
 import { registerAwsConnectionRouter } from "./aws-connection-router";
 import { registerAzureAppConfigurationConnectionRouter } from "./azure-app-configuration-connection-router";
@@ -42,5 +43,6 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
     [AppConnection.HCVault]: registerHCVaultConnectionRouter,
     [AppConnection.LDAP]: registerLdapConnectionRouter,
     [AppConnection.TeamCity]: registerTeamCityConnectionRouter,
-    [AppConnection.OCI]: registerOCIConnectionRouter
+    [AppConnection.OCI]: registerOCIConnectionRouter,
+    [AppConnection.OnePass]: registerOnePassConnectionRouter
   };

backend/src/services/app-connection/1password/1password-connection-enums.ts

@@ -0,0 +1,3 @@
+export enum OnePassConnectionMethod {
+  ApiToken = "api-token"
+}

backend/src/services/app-connection/1password/1password-connection-fns.ts

@@ -0,0 +1,66 @@
+import { AxiosError } from "axios";
+
+import { request } from "@app/lib/config/request";
+import { BadRequestError } from "@app/lib/errors";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+
+import { OnePassConnectionMethod } from "./1password-connection-enums";
+import { TOnePassConnection, TOnePassConnectionConfig, TOnePassVault } from "./1password-connection-types";
+
+export const getOnePassInstanceUrl = async (config: TOnePassConnectionConfig) => {
+  const instanceUrl = removeTrailingSlash(config.credentials.instanceUrl);
+
+  await blockLocalAndPrivateIpAddresses(instanceUrl);
+
+  return instanceUrl;
+};
+
+export const getOnePassConnectionListItem = () => {
+  return {
+    name: "1Password" as const,
+    app: AppConnection.OnePass as const,
+    methods: Object.values(OnePassConnectionMethod) as [OnePassConnectionMethod.ApiToken]
+  };
+};
+
+export const validateOnePassConnectionCredentials = async (config: TOnePassConnectionConfig) => {
+  const instanceUrl = await getOnePassInstanceUrl(config);
+
+  const { apiToken } = config.credentials;
+
+  try {
+    await request.get(`${instanceUrl}/v1/vaults`, {
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        Accept: "application/json"
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  return config.credentials;
+};
+
+export const listOnePassVaults = async (appConnection: TOnePassConnection) => {
+  const instanceUrl = await getOnePassInstanceUrl(appConnection);
+  const { apiToken } = appConnection.credentials;
+
+  const resp = await request.get<TOnePassVault[]>(`${instanceUrl}/v1/vaults`, {
+    headers: {
+      Authorization: `Bearer ${apiToken}`,
+      Accept: "application/json"
+    }
+  });
+
+  return resp.data;
+};

backend/src/services/app-connection/1password/1password-connection-schemas.ts

@@ -0,0 +1,64 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { OnePassConnectionMethod } from "./1password-connection-enums";
+
+export const OnePassConnectionAccessTokenCredentialsSchema = z.object({
+  apiToken: z.string().trim().min(1, "API Token required").describe(AppConnections.CREDENTIALS.ONEPASS.apiToken),
+  instanceUrl: z
+    .string()
+    .trim()
+    .url("Invalid Connect Server instance URL")
+    .min(1, "Instance URL required")
+    .describe(AppConnections.CREDENTIALS.ONEPASS.instanceUrl)
+});
+
+const BaseOnePassConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.OnePass) });
+
+export const OnePassConnectionSchema = BaseOnePassConnectionSchema.extend({
+  method: z.literal(OnePassConnectionMethod.ApiToken),
+  credentials: OnePassConnectionAccessTokenCredentialsSchema
+});
+
+export const SanitizedOnePassConnectionSchema = z.discriminatedUnion("method", [
+  BaseOnePassConnectionSchema.extend({
+    method: z.literal(OnePassConnectionMethod.ApiToken),
+    credentials: OnePassConnectionAccessTokenCredentialsSchema.pick({
+      instanceUrl: true
+    })
+  })
+]);
+
+export const ValidateOnePassConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(OnePassConnectionMethod.ApiToken).describe(AppConnections.CREATE(AppConnection.OnePass).method),
+    credentials: OnePassConnectionAccessTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.OnePass).credentials
+    )
+  })
+]);
+
+export const CreateOnePassConnectionSchema = ValidateOnePassConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.OnePass)
+);
+
+export const UpdateOnePassConnectionSchema = z
+  .object({
+    credentials: OnePassConnectionAccessTokenCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.OnePass).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.OnePass));
+
+export const OnePassConnectionListItemSchema = z.object({
+  name: z.literal("1Password"),
+  app: z.literal(AppConnection.OnePass),
+  methods: z.nativeEnum(OnePassConnectionMethod).array()
+});

backend/src/services/app-connection/1password/1password-connection-service.ts

@@ -0,0 +1,28 @@
+import { OrgServiceActor } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import { listOnePassVaults } from "./1password-connection-fns";
+import { TOnePassConnection } from "./1password-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<TOnePassConnection>;
+
+export const onePassConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+  const listVaults = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.OnePass, connectionId, actor);
+
+    try {
+      const vaults = await listOnePassVaults(appConnection);
+      return vaults;
+    } catch (error) {
+      return [];
+    }
+  };
+
+  return {
+    listVaults
+  };
+};

backend/src/services/app-connection/1password/1password-connection-types.ts

@@ -0,0 +1,35 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateOnePassConnectionSchema,
+  OnePassConnectionSchema,
+  ValidateOnePassConnectionCredentialsSchema
+} from "./1password-connection-schemas";
+
+export type TOnePassConnection = z.infer<typeof OnePassConnectionSchema>;
+
+export type TOnePassConnectionInput = z.infer<typeof CreateOnePassConnectionSchema> & {
+  app: AppConnection.OnePass;
+};
+
+export type TValidateOnePassConnectionCredentialsSchema = typeof ValidateOnePassConnectionCredentialsSchema;
+
+export type TOnePassConnectionConfig = DiscriminativePick<TOnePassConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type TOnePassVault = {
+  id: string;
+  name: string;
+  type: string;
+  items: number;
+
+  attributeVersion: number;
+  contentVersion: number;
+
+  createdAt: string;
+  updatedAt: string;
+};

backend/src/services/app-connection/1password/index.ts

@@ -0,0 +1,4 @@
+export * from "./1password-connection-enums";
+export * from "./1password-connection-fns";
+export * from "./1password-connection-schemas";
+export * from "./1password-connection-types";

backend/src/services/app-connection/app-connection-enums.ts

@@ -17,7 +17,8 @@ export enum AppConnection {
   HCVault = "hashicorp-vault",
   LDAP = "ldap",
   TeamCity = "teamcity",
-  OCI = "oci"
+  OCI = "oci",
+  OnePass = "1password"
 }
 
 export enum AWSRegion {

backend/src/services/app-connection/app-connection-fns.ts

@@ -8,6 +8,11 @@ import {
 } from "@app/services/app-connection/shared/sql";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
+import {
+  getOnePassConnectionListItem,
+  OnePassConnectionMethod,
+  validateOnePassConnectionCredentials
+} from "./1password";
 import { AppConnection } from "./app-connection-enums";
 import { TAppConnectionServiceFactoryDep } from "./app-connection-service";
 import {
@@ -93,7 +98,8 @@ export const listAppConnectionOptions = () => {
     getHCVaultConnectionListItem(),
     getLdapConnectionListItem(),
     getTeamCityConnectionListItem(),
-    getOCIConnectionListItem()
+    getOCIConnectionListItem(),
+    getOnePassConnectionListItem()
   ].sort((a, b) => a.name.localeCompare(b.name));
 };
 
@@ -163,7 +169,8 @@ export const validateAppConnectionCredentials = async (
     [AppConnection.HCVault]: validateHCVaultConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.LDAP]: validateLdapConnectionCredentials as TAppConnectionCredentialsValidator,
     [AppConnection.TeamCity]: validateTeamCityConnectionCredentials as TAppConnectionCredentialsValidator,
-    [AppConnection.OCI]: validateOCIConnectionCredentials as TAppConnectionCredentialsValidator
+    [AppConnection.OCI]: validateOCIConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.OnePass]: validateOnePassConnectionCredentials as TAppConnectionCredentialsValidator
   };
 
   return VALIDATE_APP_CONNECTION_CREDENTIALS_MAP[appConnection.app](appConnection);
@@ -192,6 +199,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
     case HumanitecConnectionMethod.ApiToken:
     case TerraformCloudConnectionMethod.ApiToken:
     case VercelConnectionMethod.ApiToken:
+    case OnePassConnectionMethod.ApiToken:
       return "API Token";
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:
@@ -255,5 +263,6 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
   [AppConnection.HCVault]: platformManagedCredentialsNotSupported,
   [AppConnection.LDAP]: platformManagedCredentialsNotSupported, // we could support this in the future
   [AppConnection.TeamCity]: platformManagedCredentialsNotSupported,
-  [AppConnection.OCI]: platformManagedCredentialsNotSupported
+  [AppConnection.OCI]: platformManagedCredentialsNotSupported,
+  [AppConnection.OnePass]: platformManagedCredentialsNotSupported
 };

backend/src/services/app-connection/app-connection-maps.ts

@@ -19,5 +19,6 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
   [AppConnection.HCVault]: "Hashicorp Vault",
   [AppConnection.LDAP]: "LDAP",
   [AppConnection.TeamCity]: "TeamCity",
-  [AppConnection.OCI]: "OCI"
+  [AppConnection.OCI]: "OCI",
+  [AppConnection.OnePass]: "1Password"
 };

backend/src/services/app-connection/app-connection-service.ts

@@ -17,6 +17,8 @@ import {
 import { auth0ConnectionService } from "@app/services/app-connection/auth0/auth0-connection-service";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 
+import { ValidateOnePassConnectionCredentialsSchema } from "./1password";
+import { onePassConnectionService } from "./1password/1password-connection-service";
 import { TAppConnectionDALFactory } from "./app-connection-dal";
 import { AppConnection } from "./app-connection-enums";
 import { APP_CONNECTION_NAME_MAP } from "./app-connection-maps";
@@ -88,7 +90,8 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
   [AppConnection.HCVault]: ValidateHCVaultConnectionCredentialsSchema,
   [AppConnection.LDAP]: ValidateLdapConnectionCredentialsSchema,
   [AppConnection.TeamCity]: ValidateTeamCityConnectionCredentialsSchema,
-  [AppConnection.OCI]: ValidateOCIConnectionCredentialsSchema
+  [AppConnection.OCI]: ValidateOCIConnectionCredentialsSchema,
+  [AppConnection.OnePass]: ValidateOnePassConnectionCredentialsSchema
 };
 
 export const appConnectionServiceFactory = ({
@@ -468,6 +471,7 @@ export const appConnectionServiceFactory = ({
     hcvault: hcVaultConnectionService(connectAppConnectionById),
     windmill: windmillConnectionService(connectAppConnectionById),
     teamcity: teamcityConnectionService(connectAppConnectionById),
-    oci: ociConnectionService(connectAppConnectionById)
+    oci: ociConnectionService(connectAppConnectionById),
+    onepass: onePassConnectionService(connectAppConnectionById)
   };
 };

backend/src/services/app-connection/app-connection-types.ts

@@ -2,6 +2,12 @@ import { TAppConnectionDALFactory } from "@app/services/app-connection/app-conne
 import { TSqlConnectionConfig } from "@app/services/app-connection/shared/sql/sql-connection-types";
 import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
 
+import {
+  TOnePassConnection,
+  TOnePassConnectionConfig,
+  TOnePassConnectionInput,
+  TValidateOnePassConnectionCredentialsSchema
+} from "./1password";
 import { AWSRegion } from "./app-connection-enums";
 import {
   TAuth0Connection,
@@ -132,6 +138,7 @@ export type TAppConnection = { id: string } & (
   | TLdapConnection
   | TTeamCityConnection
   | TOCIConnection
+  | TOnePassConnection
 );
 
 export type TAppConnectionRaw = NonNullable<Awaited<ReturnType<TAppConnectionDALFactory["findById"]>>>;
@@ -158,6 +165,7 @@ export type TAppConnectionInput = { id: string } & (
   | TLdapConnectionInput
   | TTeamCityConnectionInput
   | TOCIConnectionInput
+  | TOnePassConnectionInput
 );
 
 export type TSqlConnectionInput = TPostgresConnectionInput | TMsSqlConnectionInput;
@@ -189,7 +197,8 @@ export type TAppConnectionConfig =
   | THCVaultConnectionConfig
   | TLdapConnectionConfig
   | TTeamCityConnectionConfig
-  | TOCIConnectionConfig;
+  | TOCIConnectionConfig
+  | TOnePassConnectionConfig;
 
 export type TValidateAppConnectionCredentialsSchema =
   | TValidateAwsConnectionCredentialsSchema
@@ -210,7 +219,8 @@ export type TValidateAppConnectionCredentialsSchema =
   | TValidateHCVaultConnectionCredentialsSchema
   | TValidateLdapConnectionCredentialsSchema
   | TValidateTeamCityConnectionCredentialsSchema
-  | TValidateOCIConnectionCredentialsSchema;
+  | TValidateOCIConnectionCredentialsSchema
+  | TValidateOnePassConnectionCredentialsSchema;
 
 export type TListAwsConnectionKmsKeys = {
   connectionId: string;

frontend/src/helpers/appConnections.ts

@@ -26,6 +26,7 @@ import {
   PostgresConnectionMethod,
   TAppConnection,
   TeamCityConnectionMethod,
+  OnePassConnectionMethod,
   TerraformCloudConnectionMethod,
   VercelConnectionMethod,
   WindmillConnectionMethod
@@ -63,7 +64,8 @@ export const APP_CONNECTION_MAP: Record<
   [AppConnection.HCVault]: { name: "Hashicorp Vault", image: "Vault.png", size: 65 },
   [AppConnection.LDAP]: { name: "LDAP", image: "LDAP.png", size: 65 },
   [AppConnection.TeamCity]: { name: "TeamCity", image: "TeamCity.png" },
-  [AppConnection.OCI]: { name: "OCI", image: "Oracle.png" }
+  [AppConnection.OCI]: { name: "OCI", image: "Oracle.png" },
+  [AppConnection.OnePass]: { name: "1Password", image: "1Password.png" }
 };
 
 export const getAppConnectionMethodDetails = (method: TAppConnection["method"]) => {
@@ -89,6 +91,7 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
     case HumanitecConnectionMethod.ApiToken:
     case TerraformCloudConnectionMethod.ApiToken:
     case VercelConnectionMethod.ApiToken:
+    case OnePassConnectionMethod.ApiToken:
       return { name: "API Token", icon: faKey };
     case PostgresConnectionMethod.UsernameAndPassword:
     case MsSqlConnectionMethod.UsernameAndPassword:

frontend/src/hooks/api/appConnections/1password/index.ts

@@ -0,0 +1,2 @@
+export * from "./queries";
+export * from "./types";

frontend/src/hooks/api/appConnections/1password/queries.tsx

@@ -0,0 +1,37 @@
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { appConnectionKeys } from "../queries";
+import { TOnePassVault } from "./types";
+
+const onePassConnectionKeys = {
+  all: [...appConnectionKeys.all, "1password"] as const,
+  listVaults: (connectionId: string) =>
+    [...onePassConnectionKeys.all, "vaults", connectionId] as const
+};
+
+export const useOnePassConnectionListVaults = (
+  connectionId: string,
+  options?: Omit<
+    UseQueryOptions<
+      TOnePassVault[],
+      unknown,
+      TOnePassVault[],
+      ReturnType<typeof onePassConnectionKeys.listVaults>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: onePassConnectionKeys.listVaults(connectionId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<TOnePassVault[]>(
+        `/api/v1/app-connections/1password/${connectionId}/vaults`
+      );
+
+      return data;
+    },
+    ...options
+  });
+};

frontend/src/hooks/api/appConnections/1password/types.ts

@@ -0,0 +1,12 @@
+export type TOnePassVault = {
+  id: string;
+  name: string;
+  type: string;
+  items: number;
+
+  attributeVersion: number;
+  contentVersion: number;
+
+  createdAt: string;
+  updatedAt: string;
+};

frontend/src/hooks/api/appConnections/enums.ts

@@ -17,5 +17,6 @@ export enum AppConnection {
   HCVault = "hashicorp-vault",
   LDAP = "ldap",
   TeamCity = "teamcity",
-  OCI = "oci"
+  OCI = "oci",
+  OnePass = "1password"
 }

frontend/src/hooks/api/appConnections/types/1password-connection.ts

@@ -0,0 +1,14 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
+
+export enum OnePassConnectionMethod {
+  ApiToken = "api-token"
+}
+
+export type TOnePassConnection = TRootAppConnection & { app: AppConnection.OnePass } & {
+  method: OnePassConnectionMethod.ApiToken;
+  credentials: {
+    apiToken: string;
+    instanceUrl: string;
+  };
+};

frontend/src/hooks/api/appConnections/types/index.ts

@@ -1,5 +1,6 @@
 import { AppConnection } from "../enums";
 import { TAppConnectionOption } from "./app-options";
+import { TOnePassConnection } from "./1password-connection";
 import { TAuth0Connection } from "./auth0-connection";
 import { TAwsConnection } from "./aws-connection";
 import { TAzureAppConfigurationConnection } from "./azure-app-configuration-connection";
@@ -20,6 +21,7 @@ import { TTerraformCloudConnection } from "./terraform-cloud-connection";
 import { TVercelConnection } from "./vercel-connection";
 import { TWindmillConnection } from "./windmill-connection";
 
+export * from "./1password-connection";
 export * from "./auth0-connection";
 export * from "./aws-connection";
 export * from "./azure-app-configuration-connection";
@@ -59,7 +61,8 @@ export type TAppConnection =
   | THCVaultConnection
   | TLdapConnection
   | TTeamCityConnection
-  | TOCIConnection;
+  | TOCIConnection
+  | TOnePassConnection;
 
 export type TAvailableAppConnection = Pick<TAppConnection, "name" | "id">;
 
@@ -106,4 +109,5 @@ export type TAppConnectionMap = {
   [AppConnection.LDAP]: TLdapConnection;
   [AppConnection.TeamCity]: TTeamCityConnection;
   [AppConnection.OCI]: TOCIConnection;
+  [AppConnection.OnePass]: TOnePassConnection;
 };

frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/1PasswordConnectionForm.tsx

@@ -0,0 +1,150 @@
+import { Controller, FormProvider, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import {
+  Button,
+  FormControl,
+  Input,
+  ModalClose,
+  SecretInput,
+  Select,
+  SelectItem
+} from "@app/components/v2";
+import { APP_CONNECTION_MAP, getAppConnectionMethodDetails } from "@app/helpers/appConnections";
+import { OnePassConnectionMethod, TOnePassConnection } from "@app/hooks/api/appConnections";
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+
+import {
+  genericAppConnectionFieldsSchema,
+  GenericAppConnectionsFields
+} from "./GenericAppConnectionFields";
+
+type Props = {
+  appConnection?: TOnePassConnection;
+  onSubmit: (formData: FormData) => void;
+};
+
+const rootSchema = genericAppConnectionFieldsSchema.extend({
+  app: z.literal(AppConnection.OnePass)
+});
+
+const formSchema = z.discriminatedUnion("method", [
+  rootSchema.extend({
+    method: z.literal(OnePassConnectionMethod.ApiToken),
+    credentials: z.object({
+      apiToken: z.string().trim().min(1, "API Token required"),
+      instanceUrl: z.string().trim().url("Invalid Connect Server instance URL")
+    })
+  })
+]);
+
+type FormData = z.infer<typeof formSchema>;
+
+export const OnePassConnectionForm = ({ appConnection, onSubmit }: Props) => {
+  const isUpdate = Boolean(appConnection);
+
+  const form = useForm<FormData>({
+    resolver: zodResolver(formSchema),
+    defaultValues: appConnection ?? {
+      app: AppConnection.OnePass,
+      method: OnePassConnectionMethod.ApiToken
+    }
+  });
+
+  const {
+    handleSubmit,
+    control,
+    formState: { isSubmitting, isDirty }
+  } = form;
+
+  return (
+    <FormProvider {...form}>
+      <form onSubmit={handleSubmit(onSubmit)}>
+        {!isUpdate && <GenericAppConnectionsFields />}
+        <Controller
+          name="method"
+          control={control}
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl
+              tooltipText={`The method you would like to use to connect with ${
+                APP_CONNECTION_MAP[AppConnection.OnePass].name
+              }. This field cannot be changed after creation.`}
+              errorText={error?.message}
+              isError={Boolean(error?.message)}
+              label="Method"
+            >
+              <Select
+                isDisabled={isUpdate}
+                value={value}
+                onValueChange={(val) => onChange(val)}
+                className="w-full border border-mineshaft-500"
+                position="popper"
+                dropdownContainerClassName="max-w-none"
+              >
+                {Object.values(OnePassConnectionMethod).map((method) => {
+                  return (
+                    <SelectItem value={method} key={method}>
+                      {getAppConnectionMethodDetails(method).name}{" "}
+                    </SelectItem>
+                  );
+                })}
+              </Select>
+            </FormControl>
+          )}
+        />
+        <Controller
+          name="credentials.instanceUrl"
+          control={control}
+          shouldUnregister
+          render={({ field, fieldState: { error } }) => (
+            <FormControl
+              errorText={error?.message}
+              isError={Boolean(error?.message)}
+              label="Instance URL"
+              tooltipClassName="max-w-sm"
+              tooltipText="The URL of the 1Password Connect Server instance to authenticate with."
+            >
+              <Input {...field} placeholder="https://1pass.example.com" />
+            </FormControl>
+          )}
+        />
+        <Controller
+          name="credentials.apiToken"
+          control={control}
+          shouldUnregister
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl
+              errorText={error?.message}
+              isError={Boolean(error?.message)}
+              label="API Token"
+            >
+              <SecretInput
+                containerClassName="text-gray-400 group-focus-within:!border-primary-400/50 border border-mineshaft-500 bg-mineshaft-900 px-2.5 py-1.5"
+                value={value}
+                onChange={(e) => onChange(e.target.value)}
+              />
+            </FormControl>
+          )}
+        />
+        <div className="mt-8 flex items-center">
+          <Button
+            className="mr-4"
+            size="sm"
+            type="submit"
+            colorSchema="secondary"
+            isLoading={isSubmitting}
+            isDisabled={isSubmitting || !isDirty}
+          >
+            {isUpdate ? "Update Credentials" : "Connect to 1Password"}
+          </Button>
+          <ModalClose asChild>
+            <Button colorSchema="secondary" variant="plain">
+              Cancel
+            </Button>
+          </ModalClose>
+        </div>
+      </form>
+    </FormProvider>
+  );
+};

frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AppConnectionForm.tsx

@@ -25,6 +25,7 @@ import { MsSqlConnectionForm } from "./MsSqlConnectionForm";
 import { OCIConnectionForm } from "./OCIConnectionForm";
 import { PostgresConnectionForm } from "./PostgresConnectionForm";
 import { TeamCityConnectionForm } from "./TeamCityConnectionForm";
+import { OnePassConnectionForm } from "./1PasswordConnectionForm";
 import { TerraformCloudConnectionForm } from "./TerraformCloudConnectionForm";
 import { VercelConnectionForm } from "./VercelConnectionForm";
 import { WindmillConnectionForm } from "./WindmillConnectionForm";
@@ -104,6 +105,8 @@ const CreateForm = ({ app, onComplete }: CreateFormProps) => {
       return <TeamCityConnectionForm onSubmit={onSubmit} />;
     case AppConnection.OCI:
       return <OCIConnectionForm onSubmit={onSubmit} />;
+    case AppConnection.OnePass:
+      return <OnePassConnectionForm onSubmit={onSubmit} />;
     default:
       throw new Error(`Unhandled App ${app}`);
   }
@@ -178,6 +181,8 @@ const UpdateForm = ({ appConnection, onComplete }: UpdateFormProps) => {
       return <TeamCityConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
     case AppConnection.OCI:
       return <OCIConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
+    case AppConnection.OnePass:
+      return <OnePassConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
 
     default:
       throw new Error(`Unhandled App ${(appConnection as TAppConnection).app}`);