1Password debuts Credential Broker to release secrets only when needed

1Password LLC today announced the launch of 1Password Credential Broker, a new product that hands out credentials, tokens and federated access from its vaults to trusted requesters only when they are needed, rather than leaving secrets scattered across apps, code and pipelines.

The launch reflects how credential use inside enterprises has changed. For two decades 1Password has stored the logins people type into a browser. Now machines need them too.

In 2026, software does much of the requesting. Continuous integration/continuous deployment (CI/CD) pipelines, cloud workloads, service accounts and artificial intelligence agents all pull credentials to do their jobs. To make that work, teams paste secrets into repositories, drop them in config files or leave them in environment variables, where they are never cleaned up.

Credential Broker leaves the secret in the vault. It verifies who is asking, then releases only the one credential that the requester is cleared for. In the GitHub Actions flow, a workflow sends identity signals to 1Password, which matches them against a configured workload identity before handing over the credential. The credential itself is never copied into the pipeline or an environment file.
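The matching step described above, shown as an added example that is not 1Password's code or API: it assumes the "identity signals" are claims from a GitHub Actions OIDC token whose signature and expiry were already verified, and it uses a hypothetical policy format with constructed credential references. Every pinned claim must match exactly, and anything other than a single match is denied.

```python
# Added example. Hypothetical policy format; claim names follow GitHub's
# documented Actions OIDC token claims. Assumes the token's signature and
# expiry were verified before the claims reach this matcher.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
REQUIRED_PINS = ("iss", "repository")  # a policy lacking these is too broad

# Constructed workload identities: each pins claims and names ONE credential.
WORKLOAD_IDENTITIES = [
    {"name": "payments-deploy",
     "claims": {"iss": GITHUB_ISSUER,
                "repository": "example-org/payments",
                "ref": "refs/heads/main",
                "environment": "production"},
     "credential": "vault-item:prod/aws-deploy-token"},
    {"name": "payments-ci",
     "claims": {"iss": GITHUB_ISSUER,
                "repository": "example-org/payments",
                "event_name": "pull_request"},
     "credential": "vault-item:ci/test-db-password"},
]

def matches(identity, claims):
    """True only if every pinned claim is present and exactly equal."""
    pinned = identity["claims"]
    if any(key not in pinned for key in REQUIRED_PINS):
        return False  # refuse to evaluate an under-specified policy
    return all(claims.get(key) == value for key, value in pinned.items())

def release(claims, identities=WORKLOAD_IDENTITIES):
    """Return (identity name, credential ref) for exactly one match, else None."""
    hits = [i for i in identities if matches(i, claims)]
    if len(hits) != 1:  # no match, or ambiguous: deny by default
        return None
    return hits[0]["name"], hits[0]["credential"]

# Constructed sample claims, as a verified token might carry them.
MAIN_DEPLOY = {"iss": GITHUB_ISSUER, "repository": "example-org/payments",
               "ref": "refs/heads/main", "environment": "production",
               "event_name": "push"}
PULL_REQUEST = {"iss": GITHUB_ISSUER, "repository": "example-org/payments",
                "ref": "refs/pull/17/merge", "event_name": "pull_request"}
OTHER_REPO = {**MAIN_DEPLOY, "repository": "example-org/website"}

if __name__ == "__main__":
    for label, claims in [("main deploy", MAIN_DEPLOY),
                          ("pull request", PULL_REQUEST),
                          ("other repo", OTHER_REPO)]:
        print(label, "->", release(claims))
```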