1Password launched Agentic Mode on July 16, a new feature in its browser extension that lets Claude authenticate into password-protected accounts without the AI model ever seeing the credentials. Passwords and MFA one-time codes are injected directly into the browser page by 1Password through a secure channel outside the agent’s view, according to 1Password’s announcement.

The integration addresses what has been a practical dealbreaker for agentic AI adoption: most useful online tasks sit behind login walls, and giving an AI agent your password creates an unacceptable attack surface.

How It Works

When Claude encounters a login page during a browser task, it requests a credential from 1Password. The user sees which credential is being requested and why, then approves via biometric verification, a password, or Touch ID. 1Password fills the credential directly into the page. Claude never touches the password, the TOTP code, or any vault item.

“We need a new security model that is purpose-built for agents, not just humans,” said Nancy Wang, CTO of 1Password, in the company’s announcement. “The answer isn’t handing agents your secrets. It is to let a user give an agent permission to use a credential without letting the agent see it.”

Access is scoped per task and per session. According to ZDNET’s David Gewirtz, who tested the feature, 1Password confirmed that returning to a site like Stripe after task completion requires a fresh approval. “If the agent goes back to Stripe a second time, it cannot simply reuse the earlier permission,” the company told ZDNET. “It has to request access again, and the user has to approve it again.”

After autofill, 1Password checks that secrets were not exposed on the page. If submission fails, it clears the filled values before returning control to Claude, per the 1Password blog post.

Agentic Mode Locks Down the Vault

Beyond the Claude-specific integration, Agentic Mode activates automatically whenever a compatible browser-based AI agent takes control. When active, the 1Password extension hides its interface and restricts the agent to only the credentials explicitly approved for the current task. The rest of the vault stays inaccessible.

The feature works even when 1Password is not required for the current agentic task, providing passive protection against agents attempting to interact with the extension, according to 1Password. Enterprise customers get the same controls without additional configuration.

Availability and Scope

1Password for Claude is available now on Mac across business, family, and individual plans. It requires the 1Password desktop app, browser extension, Claude desktop app, and Claude in Chrome browser extension. Support for payment cards and identity details will follow after launch. Additional agent platforms beyond Claude are planned.

The Credential Layer Race

1Password is not the only company moving on agent credential security. The company has already shipped integrations for OpenAI’s Codex and Amazon’s Kiro, building what it calls a “trusted access layer” across browsers, IDEs, terminals, and CI/CD pipelines. Okta’s threat intelligence team published testing results on July 13 showing that agentic AI systems readily leak credentials and bypass guardrails, underscoring why infrastructure-level solutions are needed rather than relying on model-level controls.

The pattern 1Password is betting on: treat agents as a new class of identity that needs governed, runtime-scoped access, the same way machines and humans do. Whether that architecture holds as agents get more autonomous and multi-step workflows span dozens of services remains an open question.