tvault CLI

The Token Vault command-line interface — manage credentials, agents, and grants from your terminal.

tvault is the Token Vault command-line client. It mirrors the web console: manage tokens, agents, grants, and the vault lock, with a browser-based login and kubectl-style contexts for switching between admin and agent personas.

tvault login                # browser-based admin login
tvault ls                   # list tokens
tvault get github           # print a credential to stdout — safe for $(...)
tvault add stripe --value sk_test_...     # create a token
tvault set stripe --value sk_test_new     # rotate it

The CLI is a single Go binary; full source at c-lgrant/tvault.

Install

With the Go toolchain:

go install github.com/c-lgrant/tvault@latest

Or grab a prebuilt binary (Linux/macOS, amd64/arm64). The installer detects your OS/arch, downloads the matching GitHub release, and verifies its SHA256:

curl -fsSL https://raw.githubusercontent.com/c-lgrant/tvault/main/install.sh | bash

Contexts: admin vs. agent

tvault stores one or more contexts, each holding either an admin login (Firebase identity, full console access) or an agent login (a tvagent_* key, scoped to its grants). Commands resolve the active context automatically; override it per-invocation with --context <name> (alias --ctx).

Command	Purpose
`tvault login`	Browser-based admin login. `--as <name>` names the context; `--key <tvagent_*>` does a non-interactive agent login; `--no-launch-browser` uses the manual code-paste flow for SSH/headless sessions.
`tvault logout`	Remove the stored credentials for a context.
`tvault whoami` (`who`)	Show the active context's identity.
`tvault use <name>`	Switch the active context (shortcut for `tvault ctx use`).
`tvault context` (`ctx`)	`list`/`ls`, `use <name>`, `current`, `rm <name>` — manage stored contexts.

Top-level shortcuts

The most common verbs are available at the root level so you don't have to type tokens / context / agents grants for every operation.

Shortcut	Equivalent
`tvault ls`	`tvault tokens list`
`tvault get <svc>`	`tvault tokens get <svc>`
`tvault add <svc>`	`tvault tokens create --service <svc>` (defaults `--type PlainText`)
`tvault set <svc>`	`tvault tokens set <svc>`
`tvault show <svc>`	`tvault tokens show <svc>`
`tvault rm <svc>...`	`tvault tokens rm <svc>...`
`tvault use <ctx>`	`tvault ctx use <ctx>`
`tvault grant <agent> <svc>...`	`tvault agents grants add <agent> <svc>...`

The bare tvault <service> form is the legacy back-compat shim and still works — it prints that service's credential to stdout.

Tokens — `tvault tokens` (`tk`)

Command	Purpose
`tk list` (`ls`)	List tokens.
`tk get <service>`	Print a credential value to stdout — safe for `$(...)`. `--check` exits 0 if the token has a value, 6 if empty — presence-only probe, never prints the secret.
`tk show <service>` (`info`)	Show token metadata (no secret).
`tk create` (`new`)	Create a token — interactive type-picker wizard, or fully flag-driven with `--type` / `--service` / `--value`. In Webhook mode vaults the secret auto-routes to the user's webhook (Token Vault never sees it).
`tk set <service>` (`up`)	Rotate a credential value (`--value`). Admin only. Auto-routes through the store-ticket flow in webhook-mode vaults.
`tk edit <service>`	Edit metadata: `--name`, `--notes`, `--tags`. Admin only.
`tk rm <service>...` (`del`, `d`)	Delete one or more tokens. Admin only.
`tk refresh <service>` (`ref`)	Force an OAuth token refresh. Admin only.
`tk history <service>` (`hist`)	Show a token's usage history.
`tk store-ticket <service>`	Webhook-mode escape hatch: store a secret on the user's webhook via a signed ticket. `set`/`create` use this automatically — call directly for power-user scripts or to print the raw ticket envelope.

Token types offered by tk new: JWT (OAuth · JWT), PlainText (API key / PAT), Certificate (X.509), SSHKey, RawCredential (raw blob), and TOTP (2FA).

Agents — `tvault agents` (`ag`)

Agent references (<name-or-id>) accept either the human-readable name or the backend-assigned ID — the CLI resolves names through agents list.

Command	Purpose
`ag list` (`ls`)	List agents.
`ag show <name-or-id>` (`info`)	Show agent details and grants.
`ag create` (`new`)	Create an agent — interactive name + grants wizard, or `--name`/`--grants`. The API key is shown once.
`ag rm <name-or-id>...` (`del`, `d`)	Delete one or more agents.
`ag suspend <name-or-id>` (`off`)	Suspend an agent.
`ag resume <name-or-id>` (`on`)	Resume a suspended agent.

Grants — `tvault grants` (`gr`)

Command	Purpose
`gr list <agent>` (`ls`)	List an agent's grants.
`gr add <agent> <service>...`	Grant services to an agent.
`gr rm <agent> <service>...`	Revoke grants from an agent.

tvault grant <agent> <service>... is the flat-verb shortcut for gr add.

Vault — `tvault vault`

Command	Purpose
`vault status` (`stat`)	Show the vault lock state.
`vault lock`	Lock the vault — blocks all mutating operations.
`vault unlock`	Unlock the vault. Admin only.

Webhook — `tvault webhook` (`wh`)

Deploy and connect your own Webhook Mode vault. The CLI generates the Docker Compose project and binds the webhook to your vault without a browser, reusing your admin context's session.

Command	Purpose
`wh init`	Generate a `docker-compose.yml` + `.env` for a webhook deployment. Interactive method picker, or `--method` + `--set KEY=VALUE`. Methods: `ngrok`, `cloudflare`, `tailscale`, `custom`.
`wh up`	`docker compose up -d`, then wait for the webhook to report healthy.
`wh bind`	Fetch the one-time code from the running webhook and bind it to your vault — no browser. Admin only.
`wh status` (`stat`)	Show local container state next to the backend's view of the webhook. Admin only.
`wh down`	`docker compose down`.

Typical first run:

tvault webhook init          # pick a method, answer the prompts
cd tvault-webhook
tvault webhook up            # start it
tvault webhook bind          # connect it to your vault

Global flags

Flag	Effect
`--context <name>` (alias `--ctx`)	Override the active context for this command.
`--format json\|table\|wide\|name`	Output format. `name` prints just the primary key — convenient for piping.
`--no-color`	Disable colored output.
`--debug`	Print HTTP request/response diagnostics to stderr.
`--dry-run`	On write commands, print the request that would be sent without sending it.

Examples

Use tokens in API calls

# GitHub
curl -H "Authorization: token $(tvault get github)" https://api.github.com/user

# Anthropic Claude
curl https://api.anthropic.com/v1/messages \
  -H "x-api-key: $(tvault get anthropic)" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -d '{"model":"claude-sonnet-4-5","max_tokens":1024,"messages":[{"role":"user","content":"Hello"}]}'

# OpenAI
curl https://api.openai.com/v1/chat/completions \
  -H "Authorization: Bearer $(tvault get openai)" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o","messages":[{"role":"user","content":"Hello"}]}'

Use in CI/CD

GitHub Actions

- name: Set up tvault
  env:
    TV_AGENT_KEY: ${{ secrets.TV_AGENT_KEY }}
  run: |
    curl -fsSL https://raw.githubusercontent.com/c-lgrant/tvault/main/install.sh | bash
    tvault login --key "$TV_AGENT_KEY" --as ci

- name: Deploy
  run: |
    export DEPLOY_TOKEN=$(tvault get deploy-service)
    ./deploy.sh

Check whether a token exists before using it

--check is a presence-only probe — exits 0 when the token has a value, 6 when it's an empty placeholder, and never prints the secret:

if tvault get stripe --check >/dev/null 2>&1; then
  ./pay-with-stripe
else
  echo "no stripe token yet — set one with: tvault set stripe --value <key>"
fi

Switch contexts mid-pipeline

tvault --ctx production get github   # read from prod context
tvault --ctx staging set github --value $(tvault --ctx production get github)

How agent fetches work

Create an agent in the dashboard (or via tvault ag new) and copy the tvagent_* API key.
Grant the agent access to specific services. Grants are time-limited and revocable; every access is logged in the audit trail.
The agent calls GET /api/agents/credentials?service=<name> with the key in X-Agent-Key. In Webhook mode the request 307-redirects to the user's webhook so the secret never traverses Token Vault.
The CLI prints the credential to stdout — $(tvault get <svc>) captures it inline without writing to disk.

Claude Code integration

Once tvault is installed and logged in, Claude Code can fetch credentials using the same $(tvault get <svc>) pattern. The credential lives on stdout for the lifetime of one shell substitution; no token ever lands in your config files or environment unless you explicitly export it.

Requirements

Linux or macOS (amd64 or arm64). Windows is not currently supported.
A working browser for the initial admin login, or an existing tvagent_* key for tvault login --key.

On this page