Advanced Commands
Advanced
auths publish
Publish a signed artifact attestation to the Auths registry.
| Flag |
Default |
Description |
--signature <PATH> |
— |
Path to an existing .auths.json signature file. Defaults to .auths.json |
--package <PACKAGE> |
— |
Package identifier for registry indexing (e.g., npm:react@18.3.0) |
--registry <REGISTRY> |
https://registry.auths.dev |
Registry URL to publish to [env: AUTHS_REGISTRY_URL=] |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths artifact sign
Sign an artifact file with your Auths identity
| Flag |
Default |
Description |
<FILE> |
— |
Path to the artifact file to sign. |
--sig-output <PATH> |
— |
Output path for the signature file. Defaults to .auths.json |
--key <KEY> |
— |
Local alias of the identity key. Omit for device-only CI signing. |
--device-key <DEVICE_KEY> |
— |
Local alias of the device key. Auto-detected when only one key exists. |
--expires-in <N> |
— |
Duration in seconds until expiration (per RFC 6749) |
--note <NOTE> |
— |
Optional note to embed in the attestation |
--commit <COMMIT> |
— |
Git commit SHA to embed in the attestation (auto-detected from HEAD if omitted) |
--no-commit |
— |
Do not embed any commit SHA in the attestation |
--ci |
— |
Use ephemeral CI signing (no keychain needed). Requires --commit |
--ci-platform <CI_PLATFORM> |
— |
CI platform override when --ci is used outside a detected CI environment |
--log <LOG_ID> |
— |
Transparency log to submit to (overrides default from trust config) |
--allow-unlogged |
— |
Skip transparency log submission (local testing only). Produces an unlogged attestation that verifiers reject by default |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths artifact publish
Sign and publish an artifact attestation to a registry
| Flag |
Default |
Description |
--signature <PATH> |
— |
Path to an existing .auths.json signature file. Defaults to .auths.json |
--package <PACKAGE> |
— |
Package identifier for registry indexing (e.g., npm:react@18.3.0) |
--registry <REGISTRY> |
https://registry.auths.dev |
Registry URL to publish to [env: AUTHS_REGISTRY_URL=] |
--key <KEY> |
— |
Local alias of the identity key. Omit for device-only CI signing |
--device-key <DEVICE_KEY> |
— |
Local alias of the device key. Auto-detected when only one key exists |
--expires-in <N> |
— |
Duration in seconds until expiration |
--note <NOTE> |
— |
Optional note to embed in the attestation |
--commit <COMMIT> |
— |
Git commit SHA to embed in the attestation (auto-detected from HEAD if omitted) |
--no-commit |
— |
Do not embed any commit SHA in the attestation |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths artifact verify
Verify an artifact's signature against an Auths identity
| Flag |
Default |
Description |
<FILE> |
— |
Path to the artifact file to verify. |
--signature <PATH> |
— |
Path to the signature file. Defaults to .auths.json |
--identity-bundle <IDENTITY_BUNDLE> |
— |
Path to identity bundle JSON (for CI/CD stateless verification) |
--witness-signatures <WITNESS_RECEIPTS> |
— |
Path to witness signatures JSON file |
--witness-keys <WITNESS_KEYS>... |
— |
Witness public keys as DID:hex pairs (e.g., "did z6Mk...:abcd1234...") |
--witnesses-required <WITNESS_THRESHOLD> |
1 |
Number of witnesses required (default: 1) |
--verify-commit |
— |
Also verify the source commit's signing attestation |
--offline |
— |
Verify an air-gapped org bundle entirely offline (no network access) |
--roots <PATH> |
— |
Override the pinned trust roots path (default: .auths/roots) |
--member <MEMBER> |
— |
(offline) Member did:keri to classify authority for [aliases: --member-did] |
--signed-at <SIGNED_AT> |
— |
(offline) The artifact's in-band signing KEL position |
--json |
— |
(offline) Emit the typed verdict as JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths reset
Remove Auths identity and git signing configuration
| Flag |
Default |
Description |
--force |
— |
Skip confirmation prompt |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths error list
List all known error codes
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths error show
Show explanation for an error code
| Flag |
Default |
Description |
<CODE> |
— |
|
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id create
Create a new signing identity
| Flag |
Default |
Description |
--metadata-file <METADATA_FILE> |
— |
Path to JSON file with arbitrary identity metadata. |
--local-key-alias <LOCAL_KEY_ALIAS> |
— |
Name for the new signing key in secure storage. |
--preset <PRESET> |
default |
Storage layout preset (default, radicle, gitoxide) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id show
Show primary identity details (identity ID, metadata) from the Git repository
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id list
List identities (currently same as show, forward-compatible for future multi-identity support)
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id rotate
Rotate identity keys. Stores the new key under a new alias
| Flag |
Default |
Description |
--alias <ALIAS> |
— |
Name of the key to rotate. |
--current-key-alias <CURRENT_KEY_ALIAS> |
— |
Current signing key name (alternative to --alias). |
--next-key-alias <NEXT_KEY_ALIAS> |
— |
Name for the new signing key after rotation. |
--add-witness <ADD_WITNESS> |
— |
Add a witness server address (repeatable). |
--remove-witness <REMOVE_WITNESS> |
— |
Remove a witness server address (repeatable). |
--witness-threshold <WITNESS_THRESHOLD> |
— |
Number of witnesses required to accept this rotation (e.g., 1). |
--dry-run |
— |
Preview actions without making changes |
--add-device <CURVE> |
— |
Add a device slot on this rotation (repeatable). Value is the curve for the new slot (P256 or Ed25519) |
--remove-device <INDEX> |
— |
Remove a device slot by index on this rotation (repeatable). Currently rejected — requires CESR indexed-signature support |
--signing-threshold <SIGNING_THRESHOLD> |
— |
New signing threshold (scalar like "2" or fractions like "1/2,1/2,1/2"). Omit to keep the prior kt |
--rotation-threshold <ROTATION_THRESHOLD> |
— |
New rotation (next) threshold, same format as --signing-threshold. Omit to keep the prior nt |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id export-bundle
Export an identity bundle for stateless CI/CD verification
| Flag |
Default |
Description |
--alias <ALIAS> |
— |
Key alias to include in bundle |
-o, --output <OUTPUT_FILE> |
— |
Output file path for the JSON bundle |
--max-age-secs <MAX_AGE_SECS> |
— |
Maximum bundle age in seconds before it is considered stale |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id register
Publish this identity to a public registry for discovery
| Flag |
Default |
Description |
--registry <REGISTRY> |
https://registry.auths.dev |
Registry URL to publish to [env: AUTHS_REGISTRY_URL=] |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id claim
Add a platform claim to an already-registered identity
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id migrate
Import existing GPG or SSH keys into Auths
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id bind-idp
Bind this identity to an enterprise IdP (Okta, Entra ID, Google Workspace, SAML)
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id update-scope
Re-authorize with a platform and optionally upload SSH signing key
| Flag |
Default |
Description |
<PLATFORM> |
— |
Platform name (currently supports 'github') |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths id agent
Manage AI agents delegated by this identity (KERI delegated identifiers)
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device list
List all authorized devices for the current identity
| Flag |
Default |
Description |
--include-revoked |
— |
Include devices with revoked or expired authorizations in the output. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device add
Add a device as a delegated identifier of the identity
| Flag |
Default |
Description |
--key <KEY> |
— |
Your identity's signing key name. |
--device-key <DEVICE_KEY> |
— |
Keychain alias to store the new device's key under. |
--curve <CURVE> |
p256 |
Curve for the new device key (p256 or ed25519). |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device link
Authorize a new device to act on behalf of the identity (legacy attestation)
| Flag |
Default |
Description |
--key <KEY> |
— |
Your identity's key name. |
--device-key <DEVICE_KEY> |
— |
The new device's key name (import first with: auths key import). |
--device-did <DEVICE_DID> |
— |
The device's ID (must match --device-key). [aliases: --device] |
--payload <PAYLOAD_PATH> |
— |
Optional path to a JSON file containing arbitrary payload data for the authorization. |
--schema <SCHEMA_PATH> |
— |
Optional path to a JSON schema for validating the payload (experimental). |
--expires-in <SECS> |
— |
Optional number of seconds until this device authorization expires. |
--note <NOTE> |
— |
Optional description/note for this device authorization. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device remove
Remove a device from the shared identity's controller set by signing a rotation on the shared KEL
| Flag |
Default |
Description |
--device-did <DEVICE_DID> |
— |
The controller DID to remove. [aliases: --device] |
--key <KEY> |
— |
Your identity's signing key name. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device revoke
Revoke an existing device authorization using the identity key
| Flag |
Default |
Description |
--device-did <DEVICE_DID> |
— |
The device's ID to revoke. [aliases: --device] |
--key <KEY> |
— |
Your identity's key name. |
--note <NOTE> |
— |
Optional note explaining the revocation. |
--dry-run |
— |
Preview actions without making changes. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device resolve
Resolve a device to its owner identity
| Flag |
Default |
Description |
--device-did <DEVICE_DID> |
— |
The device ID to resolve (e.g. did z6Mk...). [aliases: --device] |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device pair
Link devices to your identity via QR code or short code
| Flag |
Default |
Description |
--join <CODE> |
— |
Join an existing pairing session using a short code |
--registry <URL> |
— |
Registry URL for pairing relay (omit for LAN mode) |
--timeout <SECONDS> |
300 |
Custom timeout in seconds for the pairing session (default: 300 = 5 minutes) [aliases: --expiry] |
--verify |
— |
Prompt to manually verify the short-authentication-string (SAS) codes match between devices before completing the pair |
--recover <OLD_DID> |
— |
Lost/stolen-device recovery: pair a replacement delegated device, then revoke the old device's delegation (by did:keri:). The replacement is authorized before the old one is revoked, so the identity is never left with zero usable devices. Supported over the relay path (with --registry) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device verify
Verify device authorization signatures (attestation)
| Flag |
Default |
Description |
--attestation <ATTESTATION> |
— |
Path to authorization JSON file, or "-" to read from stdin |
--signer-key <ISSUER_PK> |
— |
Signer public key in hex format (64 hex chars = 32 bytes) |
--signer <ISSUER_DID> |
— |
Signer identity ID for trust-based key resolution [aliases: --issuer-did] |
--trust <TRUST> |
— |
Trust policy for unknown identities |
--roots-file <ROOTS_FILE> |
— |
Path to roots.json file for explicit trust |
--witness-signatures <WITNESS_RECEIPTS> |
— |
Path to witness signatures JSON file |
--witnesses-required <WITNESS_THRESHOLD> |
1 |
Number of witnesses required (default: 1) |
--witness-keys <WITNESS_KEYS>... |
— |
Witness public keys as DID:hex pairs (e.g., "did z6Mk...:abcd1234...") |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths device extend
Extend the expiration date of an existing device authorization
| Flag |
Default |
Description |
--device-did <DEVICE_DID> |
— |
The device's ID to extend. [aliases: --device] |
--expires-in <SECS> |
— |
Number of seconds to extend the expiration by (from now). |
--key <KEY> |
— |
Your identity's key name. |
--device-key <DEVICE_KEY> |
— |
The device's key name. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths key list
List aliases of all keys stored in the platform's secure storage
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths key export
Export a stored key in various formats (requires passphrase for some formats)
| Flag |
Default |
Description |
--key-alias <KEY_ALIAS> |
— |
Local alias of the key to export. [aliases: --alias] |
--passphrase <PASSPHRASE> |
— |
Passphrase to decrypt the key (needed for 'pem'/'pub' formats). |
--format <FORMAT> |
— |
Export format: pem (OpenSSH private), pub (OpenSSH public), enc (raw encrypted bytes). |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths key delete
Remove a key from the platform's secure storage by alias
| Flag |
Default |
Description |
--key-alias <KEY_ALIAS> |
— |
Local alias of the key to remove. [aliases: --alias] |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths key import
Import an Ed25519 key from a 32-byte seed file and store it encrypted
| Flag |
Default |
Description |
--key-alias <KEY_ALIAS> |
— |
Local alias to assign to the imported key. [aliases: --alias] |
--seed-file <SEED_FILE> |
— |
Path to the file containing the raw 32-byte Ed25519 seed. |
--controller-did <CONTROLLER_DID> |
— |
Your identity to associate with this key (e.g., did:keri:E...). |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths key copy-backend
Copy a key from the current keychain backend to a different backend
| Flag |
Default |
Description |
--key-alias <KEY_ALIAS> |
— |
Alias of the key to copy from the current (source) keychain [aliases: --alias] |
--dst-backend <DST_BACKEND> |
— |
Destination backend type. Currently supported: "file" |
--dst-file <DST_FILE> |
— |
Path for the destination file keychain (required when --dst-backend is "file") |
--dst-passphrase <DST_PASSPHRASE> |
— |
Passphrase for the destination file keychain. If omitted, the AUTHS_PASSPHRASE environment variable is used |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths approval list
List pending approval requests
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths approval grant
Grant approval for a pending request
| Flag |
Default |
Description |
--request <REQUEST> |
— |
The request hash to approve (hex-encoded) |
--note <NOTE> |
— |
Optional note for the approval |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths policy lint
Validate policy JSON syntax without full compilation
| Flag |
Default |
Description |
<FILE> |
— |
Path to the policy file (JSON) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths policy compile
Compile a policy file with full validation
| Flag |
Default |
Description |
<FILE> |
— |
Path to the policy file (JSON) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths policy explain
Evaluate a policy against a context and show the decision
| Flag |
Default |
Description |
<FILE> |
— |
Path to the policy file (JSON) |
-c, --context <CONTEXT> |
— |
Path to the context file (JSON) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths policy test
Run a policy against a test suite
| Flag |
Default |
Description |
<FILE> |
— |
Path to the policy file (JSON) |
-t, --tests <TESTS> |
— |
Path to the test suite file (JSON) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths policy diff
Compare two policies and show semantic differences
| Flag |
Default |
Description |
<OLD> |
— |
Path to the old policy file (JSON) |
<NEW> |
— |
Path to the new policy file (JSON) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths namespace claim
Claim a namespace in a package ecosystem
| Flag |
Default |
Description |
--ecosystem <ECOSYSTEM> |
— |
Package ecosystem (e.g. npm, crates.io, pypi) |
--package-name <PACKAGE_NAME> |
— |
Package name to claim |
--registry-url <REGISTRY_URL> |
— |
Registry URL (defaults to the public registry) |
--key <KEY> |
— |
Alias of the signing key in keychain |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths namespace delegate
Delegate namespace authority to another identity
| Flag |
Default |
Description |
--ecosystem <ECOSYSTEM> |
— |
Package ecosystem (e.g. npm, crates.io, pypi) |
--package-name <PACKAGE_NAME> |
— |
Package name |
--delegate-did <DELEGATE_DID> |
— |
DID of the identity to delegate to |
--registry-url <REGISTRY_URL> |
— |
Registry URL (defaults to the public registry) |
--key <KEY> |
— |
Alias of the signing key in keychain |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths namespace transfer
Transfer namespace ownership to another identity
| Flag |
Default |
Description |
--ecosystem <ECOSYSTEM> |
— |
Package ecosystem (e.g. npm, crates.io, pypi) |
--package-name <PACKAGE_NAME> |
— |
Package name |
--new-owner-did <NEW_OWNER_DID> |
— |
DID of the new owner |
--registry-url <REGISTRY_URL> |
— |
Registry URL (defaults to the public registry) |
--key <KEY> |
— |
Alias of the signing key in keychain |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths namespace lookup
Look up namespace information
| Flag |
Default |
Description |
--ecosystem <ECOSYSTEM> |
— |
Package ecosystem (e.g. npm, crates.io, pypi) |
--package-name <PACKAGE_NAME> |
— |
Package name |
--registry-url <REGISTRY_URL> |
— |
Registry URL (defaults to the public registry) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org create
Create a new organization identity
| Flag |
Default |
Description |
--name <NAME> |
— |
Organization name |
--key <KEY> |
— |
Alias for the local signing key (auto-generated if not provided) |
--metadata-file <METADATA_FILE> |
— |
Optional metadata file (if provided, merged with org metadata) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org attest
| Flag |
Default |
Description |
--subject <SUBJECT_DID> |
— |
[aliases: --subject-did] |
--payload-file <PAYLOAD_FILE> |
— |
|
--note <NOTE> |
— |
|
--expires-at <EXPIRES_AT> |
— |
|
--key <KEY> |
— |
|
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org revoke
| Flag |
Default |
Description |
--subject <SUBJECT_DID> |
— |
[aliases: --subject-did] |
--note <NOTE> |
— |
|
--key <KEY> |
— |
|
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org show
| Flag |
Default |
Description |
--subject <SUBJECT_DID> |
— |
[aliases: --subject-did] |
--include-revoked |
— |
|
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org list
| Flag |
Default |
Description |
--include-revoked |
— |
|
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org add-member
Add a member to an organization
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID |
--member <MEMBER_DID> |
— |
Member identity ID to add [aliases: --member-did] |
--role <ROLE> |
— |
Role to assign (admin, member, readonly) |
--capabilities <CAPABILITIES> |
— |
Override default capabilities (comma-separated) |
--key <KEY> |
— |
Alias of the signing key in keychain |
--note <NOTE> |
— |
Optional note for the authorization |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org revoke-member
Revoke a member from an organization
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID |
--member <MEMBER_DID> |
— |
Member identity ID to revoke [aliases: --member-did] |
--note <NOTE> |
— |
Reason for revocation |
--key <KEY> |
— |
Alias of the signing key in keychain |
--dry-run |
— |
Preview actions without making changes |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org list-members
List members of an organization
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID |
--include-revoked |
— |
Include revoked members |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org audit
Classify a member's authority at an artifact's signing position (by KEL position)
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID |
--member <MEMBER_DID> |
— |
Member identity ID to classify [aliases: --member-did] |
--artifact <ARTIFACT> |
— |
Artifact path (shown in the report for context) |
--signed-at <SIGNED_AT> |
— |
The artifact's in-band signing KEL position (e.g. a commit's Auths-Anchor-Seq) |
--json |
— |
Emit the typed verdict as JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org offboarding-log
auths org offboarding-log
List durable off-boarding records for an organization
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID |
--member <MEMBER_DID> |
— |
Restrict to a single member [aliases: --member-did] |
--json |
— |
Emit the records as JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org bundle
Produce a self-contained, air-gapped provenance bundle for an organization
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID |
--out <OUT> |
— |
Output path for the bundle file |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org join
Join an organization using an invite code
| Flag |
Default |
Description |
--code <CODE> |
— |
Invite code (e.g. from auths org join --code C23BD59F) |
--registry <REGISTRY> |
https://registry.auths.dev |
Registry URL to contact [env: AUTHS_REGISTRY_URL=] |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org policy
Manage the org-wide authorization policy (anchored on the org KEL)
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org metrics
Show fleet governance metrics for an organization
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID |
--json |
— |
Emit the metrics as JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths org trace
Trace an agent's delegation chain to the authorizing root + live-at-signing
| Flag |
Default |
Description |
--commit <COMMIT> |
— |
A signed commit SHA — traces its signer (Auths-Device) at its anchor-seq |
--member <MEMBER> |
— |
A member/agent identity ID to trace directly [aliases: --member-did] |
--signed-at <SIGNED_AT> |
— |
The in-band signing KEL position (used with --member; --commit reads it from the commit's Auths-Anchor-Seq trailer) |
--json |
— |
Emit the chain as JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths compliance report
Produce a compliance evidence pack for a reporting period
| Flag |
Default |
Description |
--org <ORG> |
— |
Organization identity ID (did:keri:…) or bare prefix |
--period <PERIOD> |
— |
Reporting period label (free-form, e.g. 2026-Q3) |
--framework <FRAMEWORK> |
slsa |
Target framework (tags the pack; with --predicate, selects the rendered predicate: SLSA provenance+VSA / SPDX SBOM / CRA mapping) |
--predicate |
— |
Render the framework predicate (in-toto Statement) instead of the raw pack |
--verifier-id <VERIFIER_ID> |
https://auths.dev/compliance |
Verifier id recorded in the SLSA VSA (with --predicate --framework slsa) |
--releases <RELEASES> |
— |
JSON file: array of { artifact_digest, signer, signed_at?, transparency? } |
--offline |
— |
Embed the org KEL bundle so each row verifies offline (no network) |
--sign |
— |
Org-sign the pack as a DSSE-wrapped in-toto statement |
--key <KEY> |
— |
Org signing key alias (defaults to the org slug alias); used with --sign |
--witness-policy <WITNESS_POLICY> |
— |
Pinned witness-policy path (default: $AUTHS_WITNESS_POLICY_PATH, else fail-closed) |
--out <OUT> |
— |
Output file (default: stdout) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths credential issue
Issue a capability credential to an issuee (its KEL must already exist)
| Flag |
Default |
Description |
--issuer <ISSUER> |
— |
The issuer's signing key name (your identity's key). |
--to <TO> |
— |
The issuee/subject did:keri to credential. |
--cap <CAP> |
— |
Capability to grant (repeatable). |
--role <ROLE> |
— |
Informational role claim (e.g. deployer). |
--expires-in <EXPIRES_IN> |
— |
Expire the credential after N seconds. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths credential revoke
Revoke a credential (anchors a rev in the issuer's KEL). Idempotent
| Flag |
Default |
Description |
<CREDENTIAL_SAID> |
— |
The credential SAID to revoke. |
--issuer <ISSUER> |
— |
The issuer's signing key name. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths credential list
List the issuer's live credentials (issued − revoked)
| Flag |
Default |
Description |
--issuer <ISSUER> |
— |
The issuer's signing key name. |
--include-revoked |
— |
Include revoked credentials. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths credential verify
Verify a credential, resolving the issuer KEL/TEL + witness receipts
| Flag |
Default |
Description |
<CREDENTIAL_SAID> |
— |
The credential SAID to verify. |
--issuer <ISSUER> |
— |
The issuer's signing key name. |
--require-witnesses |
— |
Fail closed unless every lifecycle anchor reaches witness quorum. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths credential present
Present a credential: prove control of the subject AID and emit an Auths-Presentation header
| Flag |
Default |
Description |
--subject <SUBJECT> |
— |
The subject (holder) keychain alias to sign with. |
--said <SAID> |
— |
The credential SAID to present. |
--audience <AUDIENCE> |
— |
The relying-party audience to bind to. |
--nonce <NONCE> |
— |
The base64url challenge nonce from /v1/auth/challenge. |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths audit
Generate signing audit reports for compliance
| Flag |
Default |
Description |
--repo <REPO> |
. |
Path to the Git repository to audit (defaults to current directory) |
--since <SINCE> |
— |
Start date for audit period (YYYY-MM-DD or YYYY-QN for quarter) |
--until <UNTIL> |
— |
End date for audit period (YYYY-MM-DD) |
--format <FORMAT> |
table |
Output format |
--require-all-signed |
— |
Require all commits to be signed (for CI exit codes) |
--exit-code |
— |
Return exit code 1 if any unsigned commits found |
--author <AUTHOR> |
— |
Filter by author email |
--signer <SIGNER> |
— |
Filter by signing identity/device DID |
-n, --count <COUNT> |
100 |
Maximum number of commits to include |
-o, --output-file <OUTPUT_FILE> |
— |
Output file path (defaults to stdout) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
auths auth challenge
Sign an authentication challenge for DID-based login
| Flag |
Default |
Description |
--nonce <NONCE> |
— |
The challenge nonce from the authentication server |
--domain <DOMAIN> |
auths.dev |
The domain requesting authentication |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths multi-sig begin
Create an unsigned-event bundle for distribution to signers
| Flag |
Default |
Description |
--event <EVENT> |
— |
Path to the JSON-encoded finalized SignedEvent (signatures empty) |
--signers <SIGNERS> |
— |
Comma-separated signer aliases, in slot order |
--output <OUTPUT> |
— |
Output path for the unsigned bundle |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths multi-sig sign
Sign an unsigned bundle with a single device key
| Flag |
Default |
Description |
--unsigned <UNSIGNED> |
— |
Path to the unsigned-event bundle |
--keyalias <KEY_ALIAS> |
— |
Keychain alias of the signing key |
--index <INDEX> |
— |
Slot index for the indexed signature (0-based) |
--output <OUTPUT> |
— |
Output path for the partial signature |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths multi-sig combine
Combine partial signatures into a SignedEvent, enforcing the threshold
| Flag |
Default |
Description |
--unsigned <UNSIGNED> |
— |
Path to the unsigned-event bundle |
--partials <PARTIALS> |
— |
Comma-separated paths to partial signature files |
--threshold <THRESHOLD> |
— |
Expected threshold (scalar "2" or fractions "1/2,1/2,1/2") |
--keycount <KEY_COUNT> |
— |
Number of signer slots expected (device_count) |
--output <OUTPUT> |
— |
Output path for the combined SignedEvent JSON |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
Internal
auths emergency revoke-device
auths emergency revoke-device
Revoke a compromised device immediately
| Flag |
Default |
Description |
--device <DEVICE> |
— |
Device ID to revoke |
--key <KEY> |
— |
Local alias of the identity's key (used for signing the revocation) |
--note <NOTE> |
— |
Optional note explaining the revocation |
-y, --yes |
— |
Skip confirmation prompt |
--dry-run |
— |
Preview actions without making changes |
--repo <REPO> |
— |
Path to the Auths repository |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
auths emergency rotate-now
auths emergency rotate-now
Force immediate key rotation
| Flag |
Default |
Description |
--current-alias <CURRENT_ALIAS> |
— |
Local alias of the current signing key |
--next-alias <NEXT_ALIAS> |
— |
Local alias for the new signing key after rotation |
-y, --yes |
— |
Skip confirmation prompt (requires typing ROTATE) |
--dry-run |
— |
Preview actions without making changes |
--reason <REASON> |
— |
Reason for rotation |
--repo <REPO> |
— |
Path to the Auths repository |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
auths emergency freeze
Freeze all signing operations
| Flag |
Default |
Description |
--duration <DURATION> |
24h |
Duration to freeze (e.g., "24h", "7d") |
-y, --yes |
— |
Skip confirmation prompt (requires typing identity name) |
--dry-run |
— |
Preview actions without making changes |
--repo <REPO> |
— |
Path to the Auths repository |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
auths emergency unfreeze
Unfreeze (cancel an active freeze early)
| Flag |
Default |
Description |
-y, --yes |
— |
Skip confirmation prompt |
--repo <REPO> |
— |
Path to the Auths repository |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
auths emergency report
Generate an incident report
| Flag |
Default |
Description |
--events <EVENTS> |
100 |
Include last N events in report |
-o, --output <OUTPUT_FILE> |
— |
Output file path (defaults to stdout) [aliases: --file] |
--repo <REPO> |
— |
Path to the Auths repository |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
auths agent start
Start the SSH agent daemon
| Flag |
Default |
Description |
--socket <SOCKET> |
— |
Custom Unix socket path |
--foreground |
— |
Run in foreground instead of daemonizing |
--timeout <TIMEOUT> |
30m |
Idle timeout before auto-lock |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths agent stop
Stop the SSH agent daemon
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths agent status
Show agent status
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths agent env
Output shell environment for SSH_AUTH_SOCK (use with eval)
| Flag |
Default |
Description |
--shell <SHELL> |
bash |
Shell format |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths agent lock
Lock the agent (clear keys from memory)
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths agent unlock
Unlock the agent (re-load keys)
| Flag |
Default |
Description |
--agent-key-alias <AGENT_KEY_ALIAS> |
default |
Key alias to unlock [aliases: --key] |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths agent install-service
auths agent install-service
Install as a system service (launchd on macOS, systemd on Linux)
| Flag |
Default |
Description |
--dry-run |
— |
Print service file without installing |
--force |
— |
Overwrite existing service file |
--manager <MANAGER> |
— |
Service manager (auto-detect by default) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths agent uninstall-service
auths agent uninstall-service
Uninstall the system service
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths witness start
Start the witness HTTP server
| Flag |
Default |
Description |
--bind <BIND> |
127.0.0.1:3333 |
Address to bind to (e.g., "127.0.0.1:3333") |
--db-path <DB_PATH> |
witness.db |
Path to the SQLite database for witness storage |
--identity <IDENTITY> |
— |
Path to the persisted witness signing-key keystore. The advertised AID derives from this key and is stable across restarts. Without it the witness runs with an EPHEMERAL (unpinnable) identity. The AUTHS_WITNESS_SEED env var (hex seed) takes precedence for containers [aliases: --id] |
--generate |
— |
Create the keystore at --identity if it does not exist. Without this, a missing keystore fails closed (never silently mints a fresh key) |
--curve <CURVE> |
p256 |
Signing curve for a newly generated identity: "p256" (default) or "ed25519" |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths witness add
Add a witness URL to the identity configuration
| Flag |
Default |
Description |
--url <URL> |
— |
Witness server URL (e.g., "http://127.0.0.1:3333") |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths witness remove
Remove a witness URL from the identity configuration
| Flag |
Default |
Description |
--url <URL> |
— |
Witness server URL to remove |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths witness list
List configured witnesses for the current identity
| Flag |
Default |
Description |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths scim serve
Start the SCIM provisioning server (in-process, KERI-authoritative)
| Flag |
Default |
Description |
--bind <BIND> |
0.0.0.0:8787 |
Listen address |
--tenant <TENANT> |
— |
Tenant id for the single-tenant bootstrap (matches the IdP's tenant) |
--org-prefix <ORG_PREFIX> |
— |
Auths org prefix this tenant provisions into |
--token <TOKEN> |
— |
Bearer token authenticating the provisioning channel |
--org-key <ORG_KEY> |
— |
Org signing-key alias (default: derived org-<slug>) |
--base-url <BASE_URL> |
— |
Base URL used for SCIM meta.location |
--passphrase <PASSPHRASE> |
— |
Passphrase for the org signing key (single-host custody) |
--registry-path <REGISTRY_PATH> |
— |
Path to the Auths registry Git repository (default: ~/.auths) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths scim quickstart
Zero-config quickstart: generate a token and run a single-tenant server
| Flag |
Default |
Description |
--bind <BIND> |
0.0.0.0:8787 |
Listen address |
--org-prefix <ORG_PREFIX> |
— |
Auths org prefix to provision into (must already exist on this host) |
--tenant <TENANT> |
quickstart |
Tenant id (defaults to quickstart) |
--passphrase <PASSPHRASE> |
— |
Passphrase for the org signing key (single-host custody) |
--registry-path <REGISTRY_PATH> |
— |
Path to the Auths registry Git repository (default: ~/.auths) |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths scim test-connection
auths scim test-connection
Validate the full SCIM pipeline: create -> get -> patch -> delete
| Flag |
Default |
Description |
--url <URL> |
http://localhost:8787 |
Server URL |
--token <TOKEN> |
— |
Bearer token |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths scim tenants
List SCIM tenants (process-configured in this model)
| Flag |
Default |
Description |
--json |
— |
Output as JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths scim add-tenant
Mint a bearer token for an IdP provisioning channel
| Flag |
Default |
Description |
--name <NAME> |
— |
Tenant name |
--org-prefix <ORG_PREFIX> |
— |
Auths org prefix this tenant provisions into |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths scim rotate-token
Mint a replacement bearer token to rotate a tenant's channel
| Flag |
Default |
Description |
--name <NAME> |
— |
Tenant name |
-j, --json |
— |
Emit machine-readable JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |
auths scim status
Probe a running SCIM server's health and discovery surface
| Flag |
Default |
Description |
--url <URL> |
http://localhost:8787 |
Server URL |
--json |
— |
Output as JSON |
-q, --quiet |
— |
Suppress non-essential output |
--repo <REPO> |
— |
Override the local storage directory (default: ~/.auths) |