I had some head-scratching moments setting up Claude to work with the GitHub CLI and 1Password on my MacBook. I had the gh wrapped in a 1Password plugin in /Users/bep/.config/op/plugins.sh:
alias gh="op plugin run -- gh"This made gh work great when doing manual terminal work with fingerprint authentication and all. But UI popups doesn't work in Claude, Claude needs a GH_TOKEN.
So, following some sketchy guides online, I created a new vault in 1Password named Claude, and added my GitHub token to that vault:
In my example, if you click "Copy Secret Reference", you get op://Claude/github-cli/credential in the clipboard, which is what you need below.
In my ~/.zshrc, I created an alias for claude:
alias claude='CLAUDE_SESSION=1 \
GH_TOKEN=$(op read op://Claude/github-cli/credential) \
command claude'
The above triggers authentication in the "local 1Password" (e.g. fingerprint) when I start claude, which is what I want:
If that's not your cup of tea, or if you need to run this in a CI environment, you can create a service account in the vault, and then use that account's token when running op:
alias claude='CLAUDE_SESSION=1 \
GH_TOKEN=$(OP_SERVICE_ACCOUNT_TOKEN="<TOKEN>" op read op://Claude/github-cli/credential) \
command claudeAnd, finally, make sure the 1Password gh wrapper isn't created when running claude, in e.g. /Users/bep/.config/op/plugins.sh:
export OP_PLUGIN_ALIASES_SOURCED=1
if [[ -z "$CLAUDE_SESSION" ]]; then
alias gh="op plugin run -- gh"
fi