CLI Guide
Overview
The Zann CLI is token-based and intended for automation and CI/CD workflows. Tokens are issued and managed by the server (service account tokens).
Getting a token
Create a service account token on the server:

    zann-server token create ci-prod infra:/

Store the token securely (CI secret store or vault).
Authentication model
- Service account token: long-lived token issued by the server (zann_sa_...).
- Access token: short-lived token exchanged by the CLI when needed.
The CLI will exchange a service account token for an access token automatically.
Supplying tokens
Provide a token in one of these ways:

- --token
- --token-file
- ZANN_TOKEN environment variable
- zann config set-context ... --token ...
Basic usage
    # Verify connectivity and identity
    zann --addr https://zann.example.com --token "$TOKEN" whoami

    # List shared items
    zann --addr https://zann.example.com --token "$TOKEN" list --vault infra --format json

    # Fetch a single item
    zann --addr https://zann.example.com --token "$TOKEN" get infra/db/creds password

Configuring contexts
Store server and token information in a local context:

    zann config set-context ci \
      --addr https://zann.example.com \
      --token "$TOKEN" \
      --vault infra

Then use the context without repeating flags:
    zann --context ci list --format json

Output formats
- list --format table|json
- get --format json|kv|env
Examples:
    zann get infra/db/creds --format env
    zann list --vault infra --format json

Templates and materialization
Render templates with secrets:

    zann render --vault infra --template template.txt --out app.env

Materialize secrets to files:
    zann materialize --vault infra --out ./secrets --field password

Running commands with secrets
zann run injects secrets as environment variables for a subprocess:

    zann run --vault infra app/db/creds -- sh -c 'echo "$password"'

Security notes
- Prefer HTTPS. --insecure disables TLS checks and allows http.
- You can pin fingerprints with ZANN_SERVER_FINGERPRINT.
- Tokens should be scoped and rotated on the server.
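
An added example (not part of the Zann documentation): a shell pre-flight that a CI job could source before calling the CLI, enforcing the notes above by accepting only an https:// address and a zann_sa_ token stored in a file that group and others cannot access. The function names are hypothetical, and it assumes --token-file takes the path of a file containing the token.

```shell
#!/bin/sh
# Pre-flight checks for a CI job before it calls the zann CLI (added example).
# check_addr, check_token_file and zann_ci are hypothetical helper names.

# Accept only https:// addresses, so --insecure is never needed in CI.
check_addr() {
    case "$1" in
        https://?*) return 0 ;;
        *) echo "refusing non-HTTPS server address" >&2; return 1 ;;
    esac
}

# Accept only a regular file (not a symlink) with no group/other permissions
# whose first line looks like a service account token (zann_sa_ prefix).
check_token_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "token file missing or not a regular file" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "token file is accessible to group/other; chmod 600 it" >&2; return 1
    fi
    tok=
    IFS= read -r tok < "$f" || :   # tolerate a missing trailing newline
    case "$tok" in
        zann_sa_?*) tok=; return 0 ;;
        *) tok=; echo "file does not hold a zann_sa_ token" >&2; return 1 ;;
    esac
}

# Usage: zann_ci ADDR TOKEN_FILE ARGS...
# Runs zann only after both checks pass; the token value never appears in argv.
# Assumes --token-file takes the path of a file containing the token.
zann_ci() {
    addr=$1; tokfile=$2; shift 2
    check_addr "$addr" || return 1
    check_token_file "$tokfile" || return 1
    zann --addr "$addr" --token-file "$tokfile" "$@"
}
```

A job would call, for example, zann_ci https://zann.example.com /path/to/token whoami, with the token file written from the CI secret store.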
Troubleshooting
- token is required: provide --token, --token-file, or set a context.
- refusing to use http://: add --insecure for local testing.
- Use -v or -vv for more logs.