1Password Unveils Credential Broker to Centralize and Secure Secrets for Humans, Machines, and AI
Credential sprawl has become a persistent problem for security teams. Secrets slip into source‑code repositories, environment variables, CI/CD pipelines, service‑account files and scripts. Once a credential is embedded in a workflow or deployment file, it is hard to track where it lives, who accessed it, whether it has been rotated, or whether it is still needed. The challenge is amplified by the rise of automated pipelines and AI agents that require tokens and passwords to function.
The Credential Broker keeps secrets inside 1Password’s vault, verifies the identity of the requesting workload, and releases only the credential that has been approved for that job. "What makes 1Password Credential Broker different is that it does not just store or rotate credentials. It brokers access at the exact moment a credential is needed, and no longer," said Jeff Malnick, VP and GM of Developer and AI at 1Password.
Using workload‑identity signals, the broker decides whether a workflow should receive a credential, cutting the number of static secrets that end up in plain text or loosely managed locations. Security teams and managed‑security‑service providers (MSSPs) benefit from the broker’s audit trail: every request and delivery is logged with identity context, including the workflow that requested access, the credential that was delivered and the trust relationship that authorized the request.
Malnick explained that "access requests are evaluated against the authorization that was granted, rather than simply accepting a valid credential." The visibility the broker provides lets teams review machine and human access together, instead of chasing logs across separate systems.
Credential Broker is positioned as a control layer that sits alongside existing secrets‑management, privileged‑access‑management (PAM) and cloud‑infrastructure‑entitlement‑management tools. The company stresses that it is not a replacement for those solutions. Instead, it aims to reduce the number of places credentials need to live. The broker is part of 1Password’s Unified Access strategy, which also includes the Apono access‑governance platform.
The launch comes at a time when automation is driving more credentials into pipelines and AI agents. By keeping secrets out of the systems that consume them, Credential Broker can reduce the blast radius of a compromised credential and help organizations meet compliance requirements that demand auditability of credential usage.
1Password has not yet released pricing for the broker. The product is currently in private beta, with GitHub Actions as the first supported workload. The company says it plans to extend the broker’s reach to other CI/CD systems, cloud workloads and AI agents in the coming months.
In summary, 1Password’s Credential Broker addresses the growing challenge of credential sprawl by delivering secrets only when needed, providing detailed audit logs, and integrating with existing secrets‑management tools. The product is positioned to help MSSPs and security teams reduce risk, improve visibility and streamline the management of credentials across people, machines and AI agents.