Skip to main content
TechnologyJul 17, 2026· 3 min read

Claude logs in on your behalf, without ever knowing the password

1Password has made available on Mac 1Password for Claude, an integration that allows Anthropic's agent to access user accounts on their behalf without the password or one-time code ever entering the model. It is an attempt to untie a knot that has accompanied agents since they began acting in the browser: faced with a login page, there were only two paths left, either surrender your password to the AI or take back the keyboard and do it yourself.

The mechanism that 1Password calls zero exposure architecture circumvents both. When Claude needs to authenticate, the app shows which credential it is asking for and why; after a biometric approval from the user, 1Password injects the data directly into the page. Claude does not see the vault entry, the password, or the one-time code, and the permission only applies to the current activity, expiring when it concludes. Passwords and MFA codes do not touch the model, its memory, or Anthropic's systems.

After autofilling, 1Password checks that no secrets remain exposed on the page; if the form submission fails, it clears the entered values before returning control to the agent.

The manager can also mediate access across multiple sites in the same session: an activity comprising multiple steps, such as booking a trip or managing an online account, proceeds without stopping at each login screen.

"A security model designed for agents is needed, not just for humans," said Nancy Wang, CTO of 1Password. "The answer is not to hand agents your secrets, but to allow the user to give an agent permission to use a credential without letting it see it. Claude knows it has used your access, but it does not need the password or the one-time code in its context. It is in this distinction that trust in agents is born."

Agentic Mode secures the vault Along with the integration comes Agentic Mode, a feature of the extension that addresses a distinct problem: what happens when an agent takes control of a browser where 1Password is installed. When a compatible agent takes over, the extension automatically secures itself, hides its interface, and only makes available the approved accesses and codes for that activity; the rest of the vault remains unreachable. The protection activates even if the integration with Claude is not configured, and 1Password anticipates that it will work with other agents beyond Claude as the ecosystem grows.

The secret is protected, the account remains accessible Keeping the password out of the model solves a specific problem but does not close all of them. Once Claude is authenticated, it is free to move within the account: it can read private data, change settings, place orders, perform any action that access allows. The barrier protects the secret, not what can be done after using it, and it is advisable to keep the integration on low-risk activities until the behavior of agents in the browser becomes more predictable.

The launch comes shortly after demonstrations where some researchers recently showed how AI browsers could be induced to reveal user credentials through prompt injection, with the Claude extension among those affected; the connection is made by The Next Web. Whether 1Password's protected channel can withstand this type of attack remains an open question.

1Password for Claude is immediately available on Mac for business, family, and individual plans, and requires both the desktop app and the 1Password extension along with Claude's desktop app and extension. According to MacRumors, a paid Claude plan is also required, among Pro, Max, Team, or Enterprise. Support for payment cards and identification data, currently excluded, is expected post-launch.