Skip to content

CLI Reference

The kanoniv-auth CLI provides the full Kanoniv Auth workflow from the terminal: generate keys, delegate authority, verify scopes, sign execution envelopes, and manage agents.

Install

bash
pip install kanoniv-auth

Two entry points are installed:

CommandPurpose
kanoniv-authLocal delegation, verification, signing, audit
ktCloud commands - agent registry, delegation, provenance (requires pip install kanoniv-auth[cloud])

Commands

Key Management

kanoniv-auth init

Generate a root key pair.

bash
kanoniv-auth init
kanoniv-auth init --output /path/to/root.key
kanoniv-auth init --force  # Overwrite existing
OptionDefaultDescription
--output, -o~/.kanoniv/root.keyOutput path
--forcefalseOverwrite existing key

WARNING

The root key file contains your private key. Treat it like an SSH key. Do not commit it to version control or share it.

Delegation

kanoniv-auth delegate

Issue a delegation token.

bash
kanoniv-auth delegate --scopes code.edit,test.run --ttl 4h --name my-agent
kanoniv-auth delegate -s deploy.staging -t 1h -n ci-agent --export
kanoniv-auth delegate -s resolve --parent "$PARENT_TOKEN"  # Sub-delegation
OptionDefaultDescription
--scopes, -s(required)Comma-separated scopes
--ttl, -tno expiryTTL string (4h, 30m, 1d)
--name, -nnonePersistent agent name (same name produces same DID across sessions)
--key, -k~/.kanoniv/root.keyRoot key file
--parentnoneParent token for sub-delegation
--exportfalseOutput as export KANONIV_TOKEN=... (eval-able)
--dry-runfalsePreview without signing

The token is saved to ~/.kanoniv/tokens/ automatically. The most recent token is symlinked as latest.token.

kanoniv-auth revoke

Revoke a delegation.

bash
kanoniv-auth revoke --token "$TOKEN"
kanoniv-auth revoke --service https://auth.kanoniv.com --delegation-id abc123
OptionDefaultDescription
--token, -tnoneToken string to revoke locally (deletes from ~/.kanoniv/tokens/)
--servicenoneDelegation service URL for remote revocation
--delegation-idnoneDelegation ID to revoke on service (used with --service)

Verification

kanoniv-auth verify

Check scope authorization. Verification is offline - no server calls, no network required.

bash
kanoniv-auth verify --scope code.edit
kanoniv-auth verify --scope deploy.prod --token "$TOKEN"
kanoniv-auth verify -s git.push.main --agent my-agent
OptionDefaultDescription
--scope, -s(required)Scope to verify
--token, -t$KANONIV_TOKEN or latest.tokenToken
--agent, -anoneLoad token by agent name

Exit codes: 0 = PASS, 1 = DENIED/EXPIRED.

Output on success:

VERIFIED
  Agent:   did:agent:5e06a3...
  Root:    did:agent:a1b2c3...
  Scopes:  ['code.edit', 'test.run']
  Expires: 3.9h remaining
  Chain:   1 link(s)

kanoniv-auth sign

Sign an execution envelope.

bash
kanoniv-auth sign --action deploy.staging --target app-v2.3.1
kanoniv-auth sign -a code.edit --target src/main.py --result success
OptionDefaultDescription
--action, -a(required)Action performed
--token, -tlatest tokenToken
--agentnoneAgent name
--target""Target of action
--resultsuccessOutcome (success/failure/partial)

Outputs a base64url-encoded signed envelope.

kanoniv-auth exec

Verify, execute, and sign in one command. If the scope check fails, the command never runs.

bash
kanoniv-auth exec --scope deploy.staging -- ./deploy.sh staging
kanoniv-auth exec -s test.run -- npm test
kanoniv-auth exec -s build --agent ci-agent -- make release
OptionDefaultDescription
--scope, -s(required)Required scope
--token, -tlatest tokenToken
--agent, -anoneAgent name

The exit code matches the executed command. The result is signed automatically and logged to the audit trail.

INFO

exec is the "sudo" experience. Verify before execution, sign after. If verification fails, the command never runs. If it succeeds, the result is signed and logged.

Status and Audit

kanoniv-auth status

Check current delegation status.

bash
kanoniv-auth status
kanoniv-auth status --agent my-agent
OptionDefaultDescription
--token, -tlatest tokenToken
--agent, -anoneLoad token by agent name

Output when active:

ACTIVE
  Agent:  my-agent
  DID:    did:agent:5e06a3...
  Scopes: code.edit, test.run
  TTL:    1h 42m

Output when expired:

EXPIRED
  Agent:  my-agent
  Died:   23m ago

  Re-delegate:
    kanoniv-auth delegate --name my-agent --scopes code.edit,test.run --ttl 4h

kanoniv-auth whoami

Show identity behind a token.

bash
kanoniv-auth whoami
kanoniv-auth whoami --token "$TOKEN"
OptionDefaultDescription
--token, -tlatest tokenToken
--agent, -anoneLoad token by agent name

Shows agent name, DID, root DID, scopes, TTL remaining, chain depth, and whether the embedded key supports sub-delegation and signing.

kanoniv-auth audit TOKEN_OR_ENVELOPE

Pretty-print a delegation chain or execution envelope.

bash
kanoniv-auth audit "$TOKEN"

Takes a base64url-encoded token or envelope as a positional argument. Shows the full delegation chain with each link's issuer, delegate, and scopes.

kanoniv-auth audit-log

View the local audit trail.

bash
kanoniv-auth audit-log
kanoniv-auth audit-log --agent my-agent --action verify --since 2026-03-22 --limit 20
OptionDefaultDescription
--agent, -aallFilter by agent name
--actionallFilter: delegate, verify, sign, exec
--sinceallISO date filter (e.g. 2026-03-22)
--limit, -n50Max entries

kanoniv-auth tokens

List all saved delegation tokens.

bash
kanoniv-auth tokens

Shows each token's file path, agent DID, scopes, TTL remaining, and active/expired status.

Agent Management

kanoniv-auth agents list

List all registered agents (local persistent identities).

bash
kanoniv-auth agents list

kanoniv-auth agents show NAME

Show agent details - full DID and public key hex.

bash
kanoniv-auth agents show my-agent

kanoniv-auth agents remove NAME

Remove a registered agent. Prompts for confirmation.

bash
kanoniv-auth agents remove my-agent

kanoniv-auth agents rename OLD NEW

Rename agent. Keeps the same DID and key material.

bash
kanoniv-auth agents rename old-name new-name

Installation

kanoniv-auth install-skill

Install five Claude Code skills: /delegate, /scope, /ttl, /status, /audit.

bash
kanoniv-auth install-skill

Skills are installed to ~/.claude/skills/. Each skill includes a SKILL.md and supporting scripts for PreToolUse/PostToolUse hooks.

kanoniv-auth install-hook

Install git pre-push hook for scope enforcement.

bash
kanoniv-auth install-hook
kanoniv-auth install-hook --repo /path/to/repo --force
OptionDefaultDescription
--repo, -r. (current directory)Path to git repository
--forcefalseOverwrite existing pre-push hook

The hook verifies git.push.{repo}.{branch} scope before allowing pushes. Remove with rm .git/hooks/pre-push.

Cloud Commands (kt)

The kt command provides access to the Observatory cloud API. Requires pip install kanoniv-auth[cloud].

bash
kt --help
kt --url https://auth.kanoniv.com --api-key kt_live_... agents
OptionDefaultDescription
--urlhttps://trust.kanoniv.comTrust API URL (also: KT_URL env var)
--api-key~/.kanoniv/cloud.keyAPI key (also: KT_API_KEY env var)
CommandPurpose
kt signupCreate account (saves API key to ~/.kanoniv/cloud.key)
kt loginLog in and save API key
kt meShow tenant info and usage
kt register NAME -c CAPSRegister an agent with capabilities
kt agentsList all agents with reputation scores
kt agent NAMEAgent details as JSON
kt delete NAMEDelete agent and revoke delegations
kt delegate FROM TO -s SCOPESGrant delegation between agents
kt delegations [AGENT]List active delegations
kt revoke IDRevoke a delegation
kt action AGENT ACTIONRecord a provenance entry (enforced)
kt logShow recent provenance log
kt memorize AGENT TITLESave a memory entry
kt memoriesList memory entries
kt feedback DID ACTION RESULTSubmit feedback (success/failure/partial)
kt demoRun a live demo scenario

Cloud commands are also accessible as subcommands of kanoniv-auth cloud:

bash
kanoniv-auth cloud agents
kanoniv-auth cloud delegate coordinator sdr-agent -s resolve,search

Token Resolution Order

When you run a CLI command without --token, the CLI resolves the token in this order:

  1. --token flag (explicit token string)
  2. --agent flag (loads the most recent token for that named agent from ~/.kanoniv/tokens/)
  3. KANONIV_TOKEN environment variable
  4. ~/.kanoniv/tokens/latest.token (the most recently issued token)

Environment Variables

VariablePurpose
KANONIV_TOKENDefault delegation token (used by verify, sign, exec)
KANONIV_ROOT_KEYPath to root key file (default: ~/.kanoniv/root.key)
KT_API_KEYAPI key for cloud commands
KT_URLObservatory API URL for cloud commands

File Locations

PathPurpose
~/.kanoniv/root.keyRoot key pair (JSON, chmod 600)
~/.kanoniv/tokens/latest.tokenMost recent delegation token
~/.kanoniv/tokens/All saved delegation tokens
~/.kanoniv/cloud.keyObservatory API key (saved by kt login)
~/.kanoniv/audit.logAppend-only local audit trail
~/.claude/skills/Claude Code skills (installed by install-skill)
.git/hooks/pre-pushGit pre-push scope enforcement (installed by install-hook)

Next Steps

The identity and delegation layer for AI agents.