CLI Reference
The Arcan CLI communicates with the server over HTTPS. Global flags: --api-url (default http://localhost:9797), --debug, --version.
Server & Setup
| Command | Description | Example |
|---|---|---|
arcan server | Start the server | arcan server --port 9090 |
arcan login | Save server URL and token | arcan login --token arc_abc123 |
arcan doctor | Run 6-step local diagnostics | arcan doctor |
Server flags: --port (-p, default 9797), --host (default 0.0.0.0), --data-dir (default ~/.arcan/data), --database-url (enables multi-node mode).
Environment variables: ARCAN_PORT, ARCAN_DATA_DIR, ARCAN_DATABASE_URL, DATABASE_URL, ARCAN_JWT_SECRET.
Secrets (KV)
Aliases: arcan secret, arcan secrets, arcan kv.
| Command | Description | Example |
|---|---|---|
arcan kv set <key> <value> | Store a secret | arcan kv set DB_URL "postgres://..." -r myapp -e prod |
arcan kv get <key> | Retrieve a secret | arcan kv get DB_URL -r myapp -e prod |
arcan kv list | List secrets | arcan kv list -r myapp -e prod |
arcan kv delete <key> | Delete a secret | arcan kv delete OLD_KEY -r myapp |
arcan kv export | Export as dotenv or JSON | arcan kv export -r myapp -e prod --format=json |
arcan kv run -- <cmd> | Inject secrets into a process | arcan kv run -r myapp -e prod -- node server.js |
arcan kv encrypt [value] | Encrypt a plaintext value | arcan kv encrypt "my-secret" |
arcan apply -f <file> | Bulk-apply secrets from YAML | arcan apply -f secrets.yaml --dry-run |
Common flags: --realm (-r, default default), --env (-e, default dev).
Realms
Aliases: arcan realm, arcan realms.
| Command | Description | Example |
|---|---|---|
arcan realm create <slug> <name> | Create a realm | arcan realm create myapp "My App" |
arcan realm list | List all realms | arcan realm list |
arcan realm delete <slug> | Soft-delete a realm | arcan realm delete myapp |
Auth & Tokens
Aliases: arcan token, arcan tokens.
| Command | Description | Example |
|---|---|---|
arcan token create | Create API token | arcan token create --name ci --scopes read,write |
arcan token list | List tokens | arcan token list |
arcan token revoke <id> | Revoke a token | arcan token revoke <uuid> |
Scopes: read (secrets, realms, audit), write (create/update), delete (delete secrets, revoke tokens).
SSO
| Command | Description | Example |
|---|---|---|
arcan auth setup | Configure OIDC/SAML/LDAP | arcan auth setup --type oidc --name okta |
arcan auth test <name> | Test provider connectivity | arcan auth test okta --debug |
arcan auth update-presets | Refresh provider presets | arcan auth update-presets |
See SSO Authentication for detailed provider setup.
Policy (RBAC)
| Command | Description | Example |
|---|---|---|
arcan policy roles | List roles and capabilities | arcan policy roles |
arcan policy bind | Assign role to user in realm | arcan policy bind -r myapp --user-id abc --role member |
arcan policy unbind | Remove role binding | arcan policy unbind -r myapp --user-id abc |
arcan policy list | List bindings in realm | arcan policy list -r myapp |
Operations
| Command | Description | Example |
|---|---|---|
arcan audit list | Query audit log | arcan audit list --realm myapp --type secret.set |
arcan master-key verify | Validate encryption key | arcan master-key verify |
arcan master-key generate | Generate new master key | arcan master-key generate --force |
Plugins
| Command | Description | Example |
|---|---|---|
arcan plugin init | Scaffold a new plugin | arcan plugin init --name my-engine |
arcan plugin list | List installed engines | arcan plugin list |
arcan plugin remove <name> | Remove a plugin | arcan plugin remove my-engine |
Docker Integration
Docker Compose
Generate .env files from Arcan secrets for use with Docker Compose.
| Command | Description | Example |
|---|---|---|
arcan docker compose | Generate .env file | arcan docker compose -r myapp -e prod |
Flags:
| Flag | Default | Description |
|---|---|---|
--realm, -r | default | Realm slug |
--env, -e | dev | Environment (dev, staging, prod) |
--output, -o | .env | Output file path |
--stdout | false | Print to stdout instead of writing file |
--format | env | Output format: env or json |
Docker Swarm
Sync secrets to Docker Swarm's built-in secrets store.
| Command | Description | Example |
|---|---|---|
arcan docker swarm sync | Push secrets to Swarm | arcan docker swarm sync -r myapp -e prod |
arcan docker swarm ls | List Arcan-managed secrets | arcan docker swarm ls |
arcan docker swarm rm | Remove Arcan-managed secrets | arcan docker swarm rm --all |
See Docker Integration for full usage examples.
Generate
Generate deployment manifests for various platforms.
| Command | Description | Example |
|---|---|---|
arcan generate docker | Docker Compose file | arcan generate docker > docker-compose.yaml |
arcan generate k8s | Kubernetes manifests | arcan generate k8s > arcan-k8s.yaml |
arcan generate systemd | systemd unit file | arcan generate systemd > arcan.service |
arcan generate eso | ESO manifests | arcan generate eso --realm=prod --env=prod |
arcan generate sidecar | Sidecar/init container | arcan generate sidecar --realm=prod --mode=init |
arcan generate helm | Helm chart (coming soon) | arcan generate helm |
See Sidecar Pattern for details on generate sidecar.
MCP Server
Start a Model Context Protocol server for AI assistant integration (Claude Desktop, Cursor, Windsurf).
arcan mcp
Communicates via JSON-RPC 2.0 over stdio. Secret values are never exposed to the AI -- sensitive operations direct the user to enter values via the CLI.
Available tools: arcan_health, arcan_kv_list, arcan_kv_set, arcan_kv_delete, arcan_realm_list, arcan_realm_create, arcan_audit_query, arcan_doctor, arcan_plugin_list, arcan_auth_providers.
Claude Desktop configuration:
{
"mcpServers": {
"arcan": {
"command": "arcan",
"args": ["mcp"]
}
}
}
Activation
| Command | Description | Example |
|---|---|---|
arcan activate <key> | Activate enterprise features | arcan activate ENT-XXXX-XXXX |