1Password Watchtower Feature Review: A Developer’s Guide

1Password Watchtower is worth using: it automatically flags compromised credentials from breach databases, catches weak and reused passwords, and tracks expiring API tokens and certificates across your vaults. For developers, the real value is CLI and API access that lets you integrate vault health checks into CI/CD pipelines and automated audit scripts. Here is how Watchtower works under the hood, what it actually monitors, and how to build it into your security workflow.

What Watchtower Actually Monitors

Watchtower continuously scans your vault and presents findings in three categories: compromised passwords, weak passwords, and items requiring updates. The compromised items check draws from known data breach databases—If your credentials appear in a known breach, Watchtower flags them immediately.

The weak password detection analyzes entropy, length, and character variety. It catches passwords that might pass a basic strength meter but remain vulnerable to dictionary attacks. Reused password detection is straightforward: any item sharing credentials with another item gets flagged.

Beyond these core checks, Watchtower monitors expiration dates, particularly useful for API tokens and service accounts that often have built-in expiry windows. For developers using 1Password to store SSH keys, TLS certificates, or API secrets, understanding what Watchtower actually evaluates helps you interpret its recommendations correctly.

Accessing Watchtower

Watchtower lives in the sidebar of the 1Password desktop and mobile apps. In the web interface, you find it under the vault name. The desktop app provides the most detailed view:

# 1Password CLI: Check Watchtower status
op get vault "Personal" --watchtower

This returns a JSON summary of all issues found in your vault, which you can parse for automation:

{
  "compromised": 3,
  "weak": 7,
  "reused": 2,
  "expiring_soon": 4
}

The CLI approach matters for developers who want to incorporate vault health checks into CI/CD pipelines or daily scripts.

Practical Examples for Developer Workflows

Auditing Development Environment Credentials

When managing multiple environments—staging, production, development—developers often store credentials in 1Password. Watchtower helps identify which credentials need rotation:

Create a dedicated “Development” vault for all non-production credentials
Run weekly Watchtower audits on this vault
Use the CLI to export findings:

op get item "$(op list items | jq -r '.[] | select(.overview.title == "AWS Dev").id')" | jq '.details'

This lets you programmatically compare stored credentials against what your applications actually use.

API Key Management

Many developers store API keys as secure notes in 1Password. Watchtower treats these like any other item, but you can add custom fields to track expiration:

# Add expiration date to an API key item
op edit item "api-key-name" \
  --field "expiry" \
  --value "2026-06-01" \
  --type date

Watchtower then alerts you when items approach their expiration date, which is critical for API keys that invalidate automatically.

SSH Key Security

If you store SSH private keys in 1Password (a common practice for developers who need to access keys across machines), Watchtower provides specific guidance:

Keys shorter than 2048 bits get flagged
Keys without proper passphrase protection trigger warnings
Expired certificates stored as secure notes appear in the expiring items list

Generate new SSH keys with sufficient length:

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519

Store the private key as a Secure Note in 1Password, and add a text field for the public key. This preserves your key while enabling Watchtower to monitor it.

Watchtower Limitations

Watchtower has blind spots that developers should understand. It doesn’t scan password history—only current items. If you previously used a compromised password but updated it, Watchtower won’t flag your history.

The breach database integration requires an active 1Password account with internet access. Offline vaults won’t receive breach updates until syncing occurs. For air-gapped systems or environments with restricted connectivity, Watchtower’s real-time breach alerts won’t function.

Watchtower also doesn’t evaluate the security of your 1Password account itself. Master password strength, two-factor authentication status, and account recovery settings fall outside its scope. You need to verify these independently:

# Check account security settings via 1Password CLI
op signin
op account get

This returns your account details including 2FA status.

Integration with Development Tools

For teams using 1Password in development workflows, several integrations extend Watchtower functionality:

1Password Connect

The 1Password Connect API lets applications query your vault directly. You can build custom dashboards that combine Watchtower insights with application-specific data:

# Example: Fetch vault items with Python
import requests

response = requests.get(
    "https://connect.1password.com/api/v1/vaults/{vault_id}/items",
    headers={"Authorization": "Bearer {service_account_token}"}
)
items = response.json()

Build scripts that cross-reference vault items against your application configuration files to identify discrepancies.

GitHub Actions Integration

Automate credential rotation using GitHub Actions with 1Password:

name: Credential Audit
on: schedule:
    - cron: '0 9 * * 1'  # Weekly Monday audit

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: 1password/action-check-vault@main
        with:
          vault: Production

This runs automatically and alerts you to issues.

Custom Watchtower Scripts

For advanced users, combine the 1Password CLI with external tools:

#!/bin/bash
# Custom vault audit script

VAULT_NAME="Work"

# Get all items from vault
ITEMS=$(op list items --vault "$VAULT_NAME")

# Check each item for issues
echo "Scanning $VAULT_NAME vault..."
echo "$ITEMS" | jq -r '.[] | "\(.overview.title) \(.id)"' | while read title id; do
  ITEM=$(op get item "$id")
  
  # Check for weak passwords (simple heuristic)
  PASSWORD=$(echo "$ITEM" | jq -r '.details.password // empty')
  if [ ${#PASSWORD} -lt 16 ]; then
    echo "Warning: $title has short password"
  fi
done

This custom script catches passwords below 16 characters, which serves as a stricter baseline than the default Watchtower threshold.

Best Practices for Developers

Use Watchtower as part of a layered security approach rather than relying on it exclusively:

Rotate credentials regularly—set calendar reminders, since Watchtower’s expiration alerts supplement but don’t replace rotation schedules. Separate personal, work, and development credentials into distinct vaults so Watchtower reports stay actionable with clear sensitivity levels. Review SSH keys and certificates specifically, as these get overlooked in password-focused security reviews; add custom fields to track issuance and expiry dates. For production applications, use dedicated secret management solutions (HashiCorp Vault, AWS Secrets Manager) alongside 1Password, since Watchtower complements but doesn’t replace those tools.

The key is understanding what Watchtower monitors and supplementing it with practices it doesn’t cover—master password strength, account-level security, and systematic rotation schedules. For developers already using 1Password, reviewing Watchtower findings weekly takes minutes but provides ongoing visibility into credential health, and the CLI and API make it scalable across teams and projects.

More guides coming soon.

Built by theluckystrike — More at zovo.one