1Password · Rate Limits

1Password Rate Limits

Rate limits for 1Password developer APIs. The Events API publishes hard request ceilings (per-minute and per-hour). The Connect Server is self-hosted, so externally observed limits only apply to its initial fetch from the 1Password backend; otherwise it operates locally and caches results. SCIM Bridge and Service Accounts are subject to internal fair-use limits but no published numeric thresholds.

1Password Rate Limits is the machine-readable rate-limit profile for 1Password on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 4 rate-limit definitions, measuring requests_per_minute, requests_per_hour, and varies.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled and quotaExceeded.

Tagged areas include Password Manager, Passwords, Security, Secrets, and Rate Limiting.

4 Limits Throttle: 429 Quota: 429
Password ManagerPasswordsSecuritySecretsRate Limiting

Limits

Events API per-minute account
requests_per_minute · minute
600
Applies across all Events API endpoints (sign-in attempts, item usage, audit events).
Events API per-hour account
requests_per_hour · hour
30000
Hard ceiling per account regardless of plan.
Connect Server fair-use account
varies
internal fair-use limits on initial secret fetch from 1Password
Self-hosted; subsequent requests are served from local cache. No published numeric ceiling.
SCIM Bridge fair-use account
varies
internal fair-use limits, no public numeric threshold
Provisioning calls follow SCIM 2.0 patterns; bursts beyond fair use can be throttled.

Policies

Retry on 429
Treat 429 as throttling; back off and retry. 1Password does not document a Retry-After header for the Events API, so use exponential backoff with jitter.
Pagination
Use cursor-based pagination for Events API to keep request volumes inside the per-minute ceiling rather than fetching large batches in tight loops.
Caching for Connect Server
After first fetch, secrets are cached locally; re-requests do not consume the upstream rate budget. Long-running deployments benefit by minimizing cold starts.
Account-scoped enforcement
Limits are evaluated per 1Password account, not per token, so multiple integrations under one account share the same ceiling.

Sources