Agentic Intelligence · Infomly
Jun 16, 2026
6:04 PM
Agentic AI

1Password just killed the long-lived secret. Your CI agents get credentials at runtime now.

1Password shipped Credential Broker into private beta yesterday.

The model is simple: stop copying secrets into repos, environment files, and pipelines. Start brokering them at time of use.

Your GitHub Actions workflow requests a credential. 1Password verifies the identity signal — human, service account, or agent — and releases only the approved token for that specific run. Then it's gone.

Why this matters for agent builders:

Every autonomous agent that touches an API needs a credential. Today most of you handle that by pasting a key into a .env file or a GitHub secret. That key lives forever. It rotates quarterly if you're disciplined. Most teams never rotate at all.

Credential Broker inverts the architecture. The secret never leaves 1Password. The agent gets a short-lived, auditable, identity-bound token scoped to exactly what it needs. No more permanent AWS keys sitting in environment variables that three former engineers could still access.

The GitHub Actions integration is the first surface. The roadmap extends to broader workload identity — meaning your Claude Code CI jobs, your Cursor agent pipelines, your MCP tool calls will all fetch credentials through an identity fabric instead of reading them from a file.

The structural shift: 1Password went from "store secrets for humans" to "broker credentials for humans, machines, and agents." That's a different company. And it's solving the exact problem that makes agent security teams lose sleep — non-human identities with standing privileges and no rotation mechanism.

If you run agent automation that touches production APIs, cloud credentials, or database tokens, audit how those credentials flow today. If the answer is "they're in a file" or "they're in a secret manager that never rotates," you're one leaked repo away from a breach. Join the beta. Test brokered delivery on one non-critical workflow. Measure whether latency kills the pattern or if short-lived tokens just become your new default.
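One way to start the audit described above, as an added example that is not part of the original post or any 1Password tooling: a small inventory of standing credentials in a workflow file and a .env file. The sample inputs are constructed, the function names are hypothetical, and treating GitHub's `id-token: write` permission as the sign that a job can present a workload identity is an assumption, since the post does not say which identity signal Credential Broker uses.

```python
import re

# Constructed sample inputs (not from the original post); values are fake.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: ./agent deploy
"""
SAMPLE_DOTENV = """\
# constructed example values
LOG_LEVEL=debug
AGENT_API_KEY=example-not-a-real-key
DB_TOKEN=
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
CRED_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.I)
OIDC_PERM = re.compile(r"^\s*id-token:\s*write\s*$", re.M)

def audit_workflow(text):
    """Return (standing_secret_refs, has_oidc_permission) for one workflow file."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name in SECRET_REF.findall(line):
            # GITHUB_TOKEN is issued per job by GitHub and expires with it.
            if name != "GITHUB_TOKEN":
                refs.append((lineno, name))
    return refs, bool(OIDC_PERM.search(text))

def audit_dotenv(text):
    """Return names of credential-looking variables that hold a non-empty value."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if CRED_NAME.search(name) and value.strip().strip("'\""):
            found.append(name.strip())
    return found

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW), audit_dotenv(SAMPLE_DOTENV))
```

Each reported name is a credential that persists between runs; a workflow that reports stored secrets and no `id-token: write` permission is a natural first candidate for the "one non-critical workflow" trial.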

SOURCE: https://1password.com/press/2026/mar/1password-unified-access
VERIFIED: 1Password official press release, CIO First, Help Net Security, Yahoo Finance
SIGNAL: The identity layer for agents is being rebuilt from standing credentials to runtime-brokered access. Every CI agent and autonomous workflow needs this pattern.