9to5mac.com web signal

1Password Lets Claude Sign In to Sites Without Passwords

TL;DR

  • 1Password launched a Mac Claude integration that injects credentials into websites without exposing passwords or one-time codes to Anthropic's systems.
  • A new Agentic Mode restricts the vault to only approved items while an AI agent drives the browser, and biometric approval is required per session.
  • The feature is available on business, family, and individual plans and requires both the 1Password and Claude desktop apps plus browser extensions.

A password manager that lets an AI agent log you into websites without ever handing over the password is a genuinely new bit of plumbing, and it is worth pausing on, because most existing 'let the AI use my browser' setups quietly assume the model will see whatever the human sees. 1Password's new Claude integration for Mac, covered by 9to5Mac, takes a different route.

The mechanics, as reported, are that Claude requests a specific login item, the user approves it with a biometric prompt, and the credential is then injected into the destination form through a channel the model itself cannot read. 1Password's claim is that 'the password, one-time code, and other secrets never enter Claude's context, memory, or Anthropic's systems.' A new Agentic Mode goes further: when an AI agent is driving the browser, the extension 'automatically locks down the vault so that only the credentials explicitly approved for that task remain available,' and if a form submission fails, any filled values are wiped before control returns to the agent. Permission lasts one session.

Why this matters if you are not a 1Password user: the login page is where most agentic browsing plans fall apart. The two ugly alternatives today are pasting the password into the chat so the model can type it, which drops the secret into logs, memory and possibly training paths, or never letting the agent touch anything behind a login at all. 1Password is proposing a third option that keeps the secret on the vault side of a boundary the model never crosses, and that pattern is the interesting bit, not the specific implementation.

The honest caveats. The reporting does not describe the cryptographic details of the 'secure channel,' no independent security review is referenced, and the article contains no named executive on the record, so the framing is largely 1Password's own. Coverage is Mac only for now, tied to the 1Password and Claude desktop apps plus browser extensions on business, family and individual plans, so the real-world surface is narrow. Take the security claim as reported, not settled.

The direction is what other players will copy. If it holds up, expect Bitwarden, Dashlane and the OS-level password managers to ship equivalents for other agents, and expect enterprise IT to start asking why any agent product does not work this way.