diff --git a/docs/assets/creds.json.tpl-example.txt b/docs/assets/creds.json.tpl-example.txt
new file mode 100644
index 000000000..1e493c375
--- /dev/null
+++ b/docs/assets/creds.json.tpl-example.txt
@@ -0,0 +1,14 @@
+{
+  "bind": {
+    "TYPE": "BIND"
+  },
+  "cloudflare": {
+    "TYPE": "CLOUDFLAREAPI",
+    "apitoken": "op://Secrets/Cloudflare DNSControl/credential",
+    "accountid": "op://Secrets/Cloudflare DNSControl/username"
+  },
+  "linode": {
+    "TYPE": "LINODE",
+    "token": "op://Secrets/Linode DNSControl/credential"
+  }
+}
diff --git a/docs/creds-json.md b/docs/creds-json.md
index a7e759e48..1d0778a14 100644
--- a/docs/creds-json.md
+++ b/docs/creds-json.md
@@ -152,7 +152,7 @@ Message: `ERROR: creds.json entry ... is missing ...: ...`
 
 However no `TYPE` subkey was found in an entry in `creds.json`.
 In 3.16 forward, it is required if new-style `NewRegistrar()` or `NewDnsProvider()` was used.
-In 4.0 this is required. 
+In 4.0 this is required.
 
 The fix is to add a `TYPE` subkey to the `creds.json` entry.
 
@@ -198,6 +198,12 @@ Following commands would execute a shell command:
 dnscontrol preview --creds "!op inject -i creds.json.tpl"
 ```
 
+This example requires the [1Password command-line tool](https://developer.1password.com/docs/cli/)
+but works with any shell command that returns a properly formatted `creds.json`.
+In this case, the 1Password CLI is used to inject the secrets from
+a 1Password vault, rather than storing them in environment variables.
+An example of a template file containing Linode and Cloudflare API credentials is available here: [creds.json.tpl-example.txt]({{ site.github.url }}/assets/creds.json.tpl-example.txt))
+
 ## Don't store secrets in a Git repo!
 
 Do NOT store secrets in a Git repository. That is not secure. For example,