3 Ways to Delete a User from 1Password

Removing someone from 1Password can feel high-stakes, you need to cut access fast without disrupting the rest of the team. Whether it’s a role change, departure, or a compromised account, timing and method matter.

This guide walks through three ways to delete a user, when each applies, and what happens to shared vaults, groups, and audit records. We’ll cover the admin console, suspend-then-delete workflows, and automated deprovisioning through an identity provider using SCIM.

Table of Contents

• Use 1Password's UI
• Use Torii
• Use 1Password's API

Use 1Password’s UI

Here, you’ll use the 1Password web app to suspend and then permanently delete a user. These steps match what 1Password’s own docs describe for admins and owners.

Confirm your role

Only Owners can permanently delete an account. Admins can suspend accounts but cannot complete the deletion. If you are an Admin, you will need an Owner to finish the last step.

Open the person’s profile in the 1Password web app

• Sign in to your account at my.1password.com with an Owner or Admin account.
• In the sidebar, select People.
• Find the person by name or email, then click their name to open their profile.

Suspend the account to cut off access

Per 1Password’s docs, you must suspend someone before you can delete them.

• Click Suspend on the person’s profile, then confirm.
• This signs them out on all devices and blocks access right away.

Permanently delete the user

• On the same profile, click Delete account. If you do not see it, make sure the person is suspended and that you are signed in as an Owner.
• Review the warning and follow the on-screen prompt to confirm the deletion.

What this removes:

• Their Private vault and anything only they could access is deleted and cannot be recovered.
• Items in shared vaults stay in those vaults. Other people with access keep their access.

Clean up and verify

• Go back to People and confirm the person no longer appears.
• Check any vaults they managed:
  • In the sidebar, open Vaults, pick the vault, and review Access.
  • Add another manager or adjust permissions if needed.
  • Review Groups to make sure critical permissions still have coverage.

Notes for guests

The same flow applies to guests. Find the guest under People, suspend the account, then delete it once you are ready.

Use Torii

Instead of executing this in 1Password itself, you can use Torii, a SaaS Management Platform, to delete a user in 1Password. SMPs let teams manage SaaS subscriptions and integrations from a single hub, making it simple to programmatically onboard/offboard users, view subscription details, and more.

Unlike the manual approach in 1Password, Torii lets you automate the entire process so it runs the moment a trigger occurs. Triggers can include events like a new hire, an employee departure, a contract renewal, and more-saving time when you need to repeat this action regularly.

To delete a user in 1Password directly from Torii, follow these steps:

1. Sign up for Torii

Contact Torii, and ask for your free two-week proof-of-concept.

2. Connect your 1Password account to Torii

Once your account is active, connect 1Password to Torii (assuming you already have an account). Here are the instructions for the 1Password integration.

3. Create a Torii workflow for 1Password

Within Torii, set up an automated workflow to delete a user in 1Password. Go to the Workflows tab, choose your trigger, and add an action that deletes the user in 1Password. After that, whenever the trigger condition is met, 1Password will be updated automatically.

Use 1Password’s API

Here, you’ll use 1Password’s SCIM 2.0 API to find a user and delete them. This removes their access through the SCIM bridge as documented in 1Password’s SCIM API docs.

Prepare your SCIM API access

You need your SCIM base URL and token from your 1Password SCIM Bridge. Set them as environment variables so your commands stay clean.

Example setup is:

export SCIM_BASE_URL="https://scim.your-domain.com/scim/v2"
export SCIM_TOKEN="your_scim_bearer_token"

• You’ll send requests with:
  • Authorization: Bearer
  • For GET: Accept: application/scim+json
  • For DELETE: Content-Type is not required

Find the user’s SCIM ID by email

You’ll search for the user by their username, which is usually the email address in SCIM.

Example curl is:

curl -s -G \
-H "Authorization: Bearer $SCIM_TOKEN" \
-H "Accept: application/scim+json" \
--data-urlencode 'filter=userName eq "[email protected]"' \
"$SCIM_BASE_URL/Users"

Check the response: Look for Resources[0].id. That id is what you’ll delete.

If you want to capture the id in a variable:

USER_ID=$(curl -s -G \
-H "Authorization: Bearer $SCIM_TOKEN" \
-H "Accept: application/scim+json" \
--data-urlencode 'filter=userName eq "[email protected]"' \
"$SCIM_BASE_URL/Users"  jq -r '.Resources[0].id')

Delete the user by SCIM ID

This SCIM delete disables the user in 1Password managed by SCIM. It returns 204 No Content when successful.

Example curl is:

curl -i -X DELETE \
-H "Authorization: Bearer $SCIM_TOKEN" \
"$SCIM_BASE_URL/Users/$USER_ID"

• Expected outcomes:
  • 204 No Content means the user is deleted from SCIM and access is removed.
  • 404 Not Found likely means the id is wrong or the user is already gone.

Verify the deletion

You can confirm by fetching the same user id or repeating the search.

Example curl is:

curl -i \
-H "Authorization: Bearer $SCIM_TOKEN" \
-H "Accept: application/scim+json" \
"$SCIM_BASE_URL/Users/$USER_ID"

• What to expect:
  • 404 Not Found confirms the user no longer exists in SCIM.
  • Or repeat the filtered search and expect an empty Resources list.

Common issues and quick checks

• If the search returns no results:
  • Double check the email. In SCIM, userName must match .
• If you see 401 or 403:
  • Your token or headers are wrong, or the token lacks scope. If your SCIM Bridge is self-hosted:
• Confirm the URL, DNS, and TLS trust. The SCIM base path should end with /scim/v2.