CLI Reference
The humanauth CLI is a thin scriptable layer over the HumanAuth platform API plus the in-process @humanauth/verifier. Every command supports --json for pipelines.
Installation
Section titled “Installation”# Run without installingnpx @humanauth/cli <command>
# Or install globallynpm install -g @humanauth/clihumanauth <command>Global flags
Section titled “Global flags”| Flag | Default | Description |
|---|---|---|
--json | false | Emit a single JSON document to stdout. Errors go to stderr as { "error": { "code", "message" } }. |
--verbose | false | Print HTTP request/response traces to stderr. Authorization headers are masked. |
Authentication
Section titled “Authentication”humanauth login
Section titled “humanauth login”Save your API key locally to ~/.humanauth/config.json (mode 600).
humanauth login --api-key ha_test_…humanauth login --api-key ha_live_… --base-url https://api.humanauth.aihumanauth logout
Section titled “humanauth logout”humanauth logouthumanauth status
Section titled “humanauth status”humanauth statusHumans
Section titled “Humans”humanauth humans listhumanauth humans invite alice@example.com --role adminhumanauth humans remove huid_abc123Groups
Section titled “Groups”humanauth groups listhumanauth groups create finance --members huid_a,huid_b,huid_c --quorum 2humanauth groups delete grp_xyzDevices
Section titled “Devices”humanauth devices list huid_abc123Output:
device_id kind paired_at last_active_at receipts_signed─────────────────────────────────────────────────────────────────────────────────────dev_iphone_1 ios 2026-01-15T09:32:11Z 2026-06-02T14:01:02Z 37humanauth devices revoke <device_id> ships as a stub today — the server endpoint hasn’t shipped yet.
Requests
Section titled “Requests”humanauth requests get req_abchumanauth requests cancel req_abc --yeshumanauth requests list is a stub pending the platform’s GET /v1/requests endpoint.
Receipts
Section titled “Receipts”humanauth receipts list --limit 20humanauth receipts get rct_…humanauth receipts get rct_… --decodehumanauth receipts get rct_… --verify \ --audience ten_test \ --action transfer:create \ --plan-file ./plan.json--decode prints the JWS header + payload (device signatures are masked as <redacted>).
--verify runs the same pipeline as humanauth verify — useful when the JWS is stored
server-side and you only have the receipt id.
Webhooks
Section titled “Webhooks”List & inspect
Section titled “List & inspect”humanauth webhooks listhumanauth webhooks get sub_…Subscribe
Section titled “Subscribe”humanauth webhooks subscribe \ --url https://hooks.example.com/humanauth \ --events request.decided,request.reportedThe response prints the signing secret once inside a red box. The CLI cannot show it again — copy it into your secret manager before continuing.
Update
Section titled “Update”humanauth webhooks update sub_… --status pausedhumanauth webhooks update sub_… --events request.decidedhumanauth webhooks update sub_… --url https://new.example.comDestructive ops
Section titled “Destructive ops”humanauth webhooks delete sub_… --yeshumanauth webhooks rotate-secret sub_… --yesWithout --yes, you’ll be prompted to retype the subscription id verbatim. rotate-secret keeps the old secret valid for 24h so consumers can roll over without dropped deliveries.
Test & deliveries
Section titled “Test & deliveries”humanauth webhooks test sub_…humanauth webhooks deliveries sub_… --status exhausted --limit 20humanauth webhooks redeliver sub_… wdl_…Verifier
Section titled “Verifier”The CLI bundles @humanauth/verifier so you can verify receipts and inspect platform metadata without writing any code.
humanauth verify <jws>
Section titled “humanauth verify <jws>”Runs the full verifier pipeline (signature → envelope → cosig → plan hash → action → replay-claim) and prints the verified subject.
humanauth verify "$JWS" \ --audience ten_test \ --action test:hello \ --plan-file ./plan.jsonFailure paths exit 1 with a typed error code: PLAN_HASH_MISMATCH, ACTION_MISMATCH, JWS_SIGNATURE, AUD_MISMATCH, etc. Pipe --json to consume them.
humanauth keys and humanauth discover
Section titled “humanauth keys and humanauth discover”humanauth keyshumanauth discover --platform-url https://api.humanauth.aihumanauth fixtures mint
Section titled “humanauth fixtures mint”Generates ephemeral platform + device keys, mints a signed v2 receipt, and prints both the JWS and the matching JWKS. Round-trip with humanauth verify for a hermetic test:
humanauth fixtures mint --action test:hello --json > /tmp/fix.jsonJWS=$(jq -r .jws /tmp/fix.json)echo "$(jq .plan /tmp/fix.json)" > /tmp/plan.json# (verify here would need a JWKS server; use the verifier inline-jwks option in real tests)Secret handling
Section titled “Secret handling”The CLI is strict about credential PII:
- API keys are masked in
--verbosetraces (Authorization: Bearer ha_live_ab****). - Webhook secrets only appear on the one response that returns them (
webhooks subscribe,webhooks rotate-secret), inside a red “Save this now” box. - Receipt JWS bodies are safe to print, but
--decodemasks the per-approverdevice_sigfields as<redacted>.
Scripting with --json
Section titled “Scripting with --json”Every command emits a single, parseable JSON document under --json:
# List every webhook URLhumanauth webhooks list --json | jq -r '.[].url'
# Filter exhausted deliveries to a CSVhumanauth webhooks deliveries sub_… --json --status exhausted \ | jq -r '.deliveries[] | [.delivery_id,.event_type,.attempt_count] | @csv'
# Branch on verify failureif ! humanauth verify "$JWS" --json \ --audience ten_x --action transfer:create --plan-file ./plan.json > /tmp/ok.json 2>/tmp/err.jsonthen code=$(jq -r '.error.code' /tmp/err.json) echo "Receipt rejected: $code"fiExit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
0 | Success |
1 | API error, validation error, verifier error, or user abort |