Keeping all of our credentials and secrets organized, safe, and easy to access for the right people


1password is our secure vault for credentials and other sensitive information.

1password is the industry leader in password storage. They have a great suite of apps and browser plugins that make it easy to generate and use totally secure credentials.

1password is super helpful for storing sensitive development information like server access and API keys, and business information like financial documentation.

📏 Rules for 1password

✅ Do…

  • Keep all credentials in 1password. Do not store Cantilever credentials in any other services, or browser storage.
  • Manage 2fa tokens in 1pass.
  • Keep all financial information related to Cantilever in 1pass.
  • Keep API keys and other sensitive dev information in 1pass. Use their .env feature to manage these.
  • Install the 1password apps instead of using the browser version. Especially, install the Browser Extension.
  • Use a strong master password.
  • Print out your emergency kit when you first set up your account.

🚫 Don’t…

  • Share 1password credentials to anyone outside of the company
  • Put personal credentials in Cantilever vaults

Naming Conventions


Vaults should be prefixed with “Client: “ or “Contributor: “ if those prefixes apply. Follow the existing naming conventions.

Account Credentials

Use this format to title credentials:

[Account Owner] Account Description

In other words:"[Who] What"

Or... "[Owner] Thing"

Or... "[Person or Company logging in] Thing they are logging in to"

So, if Cantilever is the 'account owner' of a password for a particular client, the naming might go as follows:

[Cantilever] eBeam Imgix

The specific person is not important unless there are multiple accounts associated with a given service, in which case it would be:

[Andrew] eBeam Imgix


[Sherbert] eBeam Imgix

For any given password, the default owners are generally Cantilever or the client. Using eBeam as an example, other naming conventions might look like:

[eBeam] Wordfence

This is an account and service that the client uses, but we have access to.

There is no need for the bracket notation for anything other than logins. Anything that is NOT a login (like a PDF, credit card, or note) should not use the login syntax ("[Owner] Thing").