App management
Source:
en/cli/apps.md· Live: https://docs.1pass.dev/en/cli/apps LLM-sanitized: internal links absolutized, VitePress containers → admonitions, line numbers in the Jump-to Index reference this rendered file (1-indexed).
📍 Jump-to Index
- L27-L75: ## Create a new app
- L58-L75: ### Options
- L76-L93: ## List apps
- L94-L109: ## Show details
- L110-L121: ## Add or remove a redirect URI
- L122-L154: ## Rotate client_secret
- L155-L163: ## Delete
- L164-L172: ## JSON output (automation)
- L173-L181: ## Next
App management
Every command for creating and managing OAuth apps.
💡 Tip: Looking for one-pass CLI registration? Start with the step-by-step CLI RP registration guide (Korean) if you want one flow for developer registration → RP registration → secret capture → env injection → verification. This page is the reference for the
appssubcommands.
Create a new app
logi apps create \
--name "My Awesome App" \
--redirect-uri https://app.example.com/auth/callbackExample output:
✓ App created
client_id: logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
status: pending
client_secret: logi_secret_3f290948f9fa6a3cb24bbce...
rp_health_secret: logi_rphs_a71c9e0b4d2f...
Paste these into your RP's environment:
# secrets below are shown ONCE — store them now
LOGI_API_URL=https://api.1pass.dev
LOGI_CLIENT_ID=logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
LOGI_CLIENT_SECRET=logi_secret_3f290948f9fa6a3cb24bbce...
LOGI_RP_HEALTH_SECRET=logi_rphs_a71c9e0b4d2f...
⚠ The client_secret and rp_health_secret are only shown once. Store them somewhere safe.⚠️ Warning: Secrets are shown once, only in the create response
client_secretandrp_health_secretare exposed in plaintext only in the create response.logi apps list/logi apps showand other GET responses never include them (logi stores only a hash/encrypted value and cannot recover the plaintext). If you lose one, rotate it; see client_secret rotation.
Options
| Option | Default | Description |
|---|---|---|
--name | (required) | The app name shown to users |
--redirect-uri | (required) | One OAuth callback URL. Add more after creation with logi apps add-redirect |
--scope | [] (server default) | Space-separated valid scope names, for example --scope openid profile:basic email. A bare profile is invalid; use profile:basic. If omitted, the server-side default scopes apply |
--client-type | confidential | confidential / public. Cannot be changed after registration (public vs confidential) |
--webhook-url | URL to receive user change notifications | |
--backchannel-logout-uri | OIDC Back-Channel Logout receiver URL (BCL guide). SSRF-checked at registration | |
--health-url | RP health check target host (RP Active Health Check). Use this when a mobile-only RP has a backend host. SSRF-checked at registration | |
--no-health-check | (check enabled) | Turns off RP Active Health Check (health_check_enabled=false). For pure mobile RPs with no backend, and similar cases |
ℹ️ Note: Public clients do not get a client_secret Public (PKCE-only) clients are not issued a
client_secretbecause mobile/SPA binaries cannot hide one. In that case, theclient_secret/LOGI_CLIENT_SECRETline is blank or omitted.rp_health_secretis issued regardless of client type; keep it only in a server-side env.
SSRF validation for --backchannel-logout-uri and --health-url: private/loopback/link-local/metadata IPs (127.x, 10.x, 192.168.x, 169.254.169.254, ::1, and so on) and non-HTTP URLs are rejected with 422 at registration time.
List apps
logi apps listname client_id status redirect_uris
Demo Test App logi_1ce2d868... pending http://localhost:3000/cb
Production Site logi_a39bc01f... approved https://app.example.com/cbAs JSON (the response is wrapped as { "success": true, "data": { "applications": [...] } }):
logi apps list --json | jq '.data.applications[] | select(.status == "approved")'Show details
logi apps show 3Demo Test App (#3)
client_id: logi_1ce2d868ff8c8f0e3e8f0abcfac8f4be
redirect_uris: https://app.example.com/auth/callback
scopes: openid, profile
status: sandbox · test · free
webhook_url: —
created: 2026-04-27 17:55Add or remove a redirect URI
Redirect URIs are managed with separate, positional-argument commands (atomic):
logi apps add-redirect 3 https://staging.example.com/cb
logi apps remove-redirect 3 https://staging.example.com/cb💡 Tip: Editing metadata (
name,webhook_url, and so on) is coming soon The CLI does not yet provide a bulk metadata edit command (apps edit). For now, use the Developer Console or thePATCH /api/v1/applications/:idAPI.
Rotate client_secret
logi apps rotate-secret 3The new secret is printed once. The old secret is invalidated immediately. Any in-flight token request that uses the old secret returns 401.
The more often you rotate, the safer you are. In CI/CD, we recommend automatic rotation once every three months.
⚠️ Warning: ⚠️ When client_secret is blank after re-registering an existing app If you touch a previously registered app again (for example, by re-running with the same
name), the create step returns an emptyclient_secret. The plaintext secret is exposed only at the moment of first creation; afterward, only a hash remains in the logi database and it cannot be recovered.
Symptom:
client_id=logi_xxxxxxxxxxxxx
client_secret= ← emptyFix: issue a new secret with rotate-secret:
logi apps rotate-secret <id>Or do it directly from SSH or a Rails console:
app = OauthApplication.kept.find_by(name: "your_app")
new_secret = app.rotate_client_secret!
puts new_secret # ← copy straight into the RP's envThis pitfall happens often when an automation script uses "create-or-update" logic (the app already exists, so create is a no-op, but the secret output is empty). Split your automation into two branches: "new creation → print secret" and "already exists → rotate explicitly."
Delete
logi apps delete 3⚠️ Warning: Deleted immediately The CLI currently calls DELETE right away, with no confirmation prompt. Every issued token is invalidated, so run this carefully. An interactive confirm and trash recovery (
apps restore) are coming soon.
JSON output (automation)
Use --json or LOGI_OUTPUT=json to get machine-readable output. The JSON create response includes client_secret and rp_health_secret once.
logi apps create --name "App" --redirect-uri https://example.com/cb --json \
| jq '{client_id, client_secret, rp_health_secret}'Next
- Step-by-step CLI RP registration guide (Korean) — developer registration + one-pass RP registration flow + copyable prompt
- Developer registration commands (Korean) —
logi developer register / status / verify-email - RP Active Health Check — implement a health endpoint with
rp_health_secret - Add scopes
- Invite team members
- Automatic secret rotation in CI/CD