CLI Reference

CLI Reference

The tap CLI manages credentials, agents, and roles via SQLite with encrypted credential storage (AES-256-GCM). It is primarily useful for self-hosted deployments. For managed hosting, the admin API provides the same functionality and is the recommended interface.

All management commands use --encryption-key (or AGENTSEC_ENCRYPTION_KEY env var) and --db (default ./agentsec.db).

tap add

Add a new credential to the database. Runs interactively if --name is omitted.

# Non-interactive
tap add \
  --db agentsec.db \
  --encryption-key $AGENTSEC_ENCRYPTION_KEY \
  --name slack \
  --description "Slack API" \
  --auth api-key \
  --api-base https://slack.com/api
 
# Interactive mode
tap add --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY
FlagDefaultDescription
--db./agentsec.dbSQLite database path
--encryption-key$AGENTSEC_ENCRYPTION_KEY64 hex chars for AES-256-GCM
--name(interactive)Credential name
--description(interactive)Human-readable description
--auth(interactive)Auth type: api-key, oauth2, oauth1, custom
--api-base(interactive)API base URL or sidecar URL
--relative-targetfalseTarget is a relative path (for protocol translators)

Auth type mapping:

Auth typeConnectorDefault api_base
api-keydirectuser-provided
oauth2sidecarhttp://oauth2-refresher:8081
oauth1sidecarhttp://oauth-signer:8080
customsidecaruser-provided

tap status

Check proxy health.

tap status [--proxy-url http://localhost:3100]
FlagDefaultDescription
--proxy-urlhttp://localhost:3100Proxy URL to health-check

tap logs

Display formatted audit log entries from the JSON lines file.

tap logs [--log-file ./audit.jsonl] [--tail 20]
FlagDefaultDescription
-l, --log-file./audit.jsonlPath to audit log
-t, --tail20Number of recent entries (0 = all)

Agent Management

tap agent list

List all agents with their status.

tap agent list --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY

tap agent create

Create a new agent. Generates an API key and prints it once.

tap agent create \
  --db agentsec.db \
  --encryption-key $AGENTSEC_ENCRYPTION_KEY \
  --name my-agent \
  --description "My research agent" \
  --roles reader,writer \
  --credentials slack \
  --rate-limit 100
FlagDescription
--nameAgent identifier (required)
--descriptionHuman-readable description
--rolesComma-separated role names to assign
--credentialsComma-separated direct credential names
--rate-limitMax requests per hour (omit for unlimited)

tap agent show

Show agent details and effective permissions (union of roles’ credentials and direct assignments).

tap agent show --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY my-agent

tap agent enable

Re-enable a disabled agent.

tap agent enable --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY my-agent

tap agent disable

Disable an agent. All requests from this agent will be rejected.

tap agent disable --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY my-agent

tap agent delete

Delete an agent.

tap agent delete --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY my-agent

Role Management

Roles provide RBAC for credential access. An agent’s effective permissions are the union of all its roles’ credentials plus its direct credential assignments.

tap role list

tap role list --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY

tap role create

tap role create \
  --db agentsec.db \
  --encryption-key $AGENTSEC_ENCRYPTION_KEY \
  --name reader \
  --description "Read-only access" \
  --credentials slack,github \
  --rate-limit 50

tap role add-credential

Grant a credential to a role.

tap role add-credential \
  --db agentsec.db \
  --encryption-key $AGENTSEC_ENCRYPTION_KEY \
  reader slack

tap role remove-credential

Revoke a credential from a role.

tap role remove-credential \
  --db agentsec.db \
  --encryption-key $AGENTSEC_ENCRYPTION_KEY \
  reader slack

tap role delete

Delete a role. Cascades — removes the role from all agents that have it.

tap role delete --db agentsec.db --encryption-key $AGENTSEC_ENCRYPTION_KEY reader
Proxy APIPolicies & Approval