CLI Reference
The Shyntr Identity Hub includes a built-in CLI for tenant management, client registration, connection management, and key operations.
Usage Syntax
./shyntr [command] [flags]
Use --help on any command:
./shyntr --help
./shyntr create-client --help
System Commands
migrate
Runs database migration and initialization tasks.
./shyntr migrate
This command ensures:
- schema updates are applied
- system scopes are seeded
- default outbound policy data is initialized where required
serve
Starts the public and admin HTTP servers and the background workers.
./shyntr serve
Tenant Management
create-tenant
Creates a new tenant.
./shyntr create-tenant [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --id | No | Auto-generated UUID | Tenant ID |
| --name | No | Same as --id | Tenant name |
| --display-name | No | Same as --name | Human-readable display name |
| --desc | No | CLI Created | Description |
Examples:
./shyntr create-tenant --name "Acme Corporation"
./shyntr create-tenant \
--id acme \
--name "Acme Corporation" \
--display-name "Acme Corp" \
--desc "Production tenant for Acme"
get-tenant
./shyntr get-tenant [id]
update-tenant
./shyntr update-tenant [id] [flags]
Supported flags:
- --name
- --display-name
delete-tenant
./shyntr delete-tenant [id]
Deleting a tenant removes its associated clients, connections, sessions, and related tenant-scoped records. The default tenant cannot be deleted through the CLI.
Scope Management
create-scope
./shyntr create-scope [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --tenant-id | No | default | Tenant ID |
| --name | Yes | - | Scope name |
| --claims | No | - | Comma-separated mapped claims |
| --desc | No | - | Description |
| --system | No | false | Mark as system scope |
get-scope, update-scope, delete-scope
./shyntr get-scope [id]
./shyntr update-scope [id] [--name] [--desc] [--claims]
./shyntr delete-scope [id]
OIDC Client Management
create-client
Registers an OIDC client.
./shyntr create-client [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --tenant-id | No | default | Tenant ID |
| --client-id | No | Auto-generated UUID | Client ID |
| --name | No | New Client <id> | Client name |
| --secret | No | Auto-generated 32-byte hex | Client secret for confidential clients |
| --auth-method | No | client_secret_basic for confidential clients, none for public clients | Token endpoint authentication method |
| --redirect-uris | No | http://localhost:8080/callback | Redirect URIs |
| --post-logout-uris | No | - | Post-logout redirect URIs |
| --scopes | No | openid,profile,email,offline_access | Allowed scopes |
| --audience | No | - | Requested audiences |
| --public | No | false | Public client mode |
| --skip-consent | No | false | Skip consent screen |
Notes:
- If --client-id is omitted, Shyntr generates a UUID-based client ID.
- If --secret is omitted for a confidential client, Shyntr generates a 32-byte hex secret and prints it once at creation time. Capture it from that output; it is not displayed again.
- A secret supplied with --secret is visible in shell history and in process listings for the lifetime of the command, so prefer letting Shyntr generate it.
- Public clients force token_endpoint_auth_method=none.
- The default redirect URI, http://localhost:8080/callback, is a plaintext loopback address for local development; pass explicit --redirect-uris for any deployed client.
Examples:
./shyntr create-client \
--name "Backend Service" \
--redirect-uris "https://api.example.com/callback" \
--scopes "openid,profile,email,read:api"
./shyntr create-client \
--name "React Dashboard" \
--redirect-uris "https://app.example.com/callback" \
--post-logout-uris "https://app.example.com/login" \
--public
./shyntr create-client \
--name "Token Client" \
--redirect-uris "https://client.example.com/callback" \
--auth-method client_secret_post
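Shyntr stores whatever redirect URIs are passed to create-client, and an over-broad or plaintext redirect URI is the classic way an authorization code ends up delivered to the wrong party. The script below is an added example, not part of Shyntr or its documentation: it screens a comma-separated --redirect-uris value against a local policy (absolute https://, plaintext http:// only on loopback hosts, no wildcard, fragment or userinfo component) and only then invokes ./shyntr create-client. The policy itself, the register_client wrapper and the SHYNTR_DRY_RUN variable are this example's own assumptions, not Shyntr features.

```shell
#!/bin/sh
# Added example (not Shyntr's own code): screen redirect URIs before calling
# ./shyntr create-client. The acceptance policy is this script's own, and
# SHYNTR_DRY_RUN=1 (an assumption, not a Shyntr variable) prints the command
# that would run instead of running it.

# check_redirect_uri URI -> 0 if acceptable, 1 (with a reason on stderr) otherwise
check_redirect_uri() {
  uri=$1
  case "$uri" in
    *'#'*) echo "reject: fragment not allowed: $uri" >&2; return 1 ;;
    *'*'*) echo "reject: wildcard not allowed: $uri" >&2; return 1 ;;
    *'@'*) echo "reject: userinfo not allowed: $uri" >&2; return 1 ;;
    https://?*) return 0 ;;
    # plaintext http only on loopback, for local development; note that
    # http://localhost.evil.example does not match these patterns
    http://localhost|http://localhost[:/]*|http://127.0.0.1|http://127.0.0.1[:/]*)
      return 0 ;;
    http://*) echo "reject: plaintext http outside loopback: $uri" >&2; return 1 ;;
    *) echo "reject: not an absolute http(s) URI: $uri" >&2; return 1 ;;
  esac
}

# check_redirect_uris "URI,URI,..." -> 0 only if every entry passes check_redirect_uri
check_redirect_uris() {
  rc=0
  old_ifs=$IFS
  IFS=,
  set -f                      # no pathname expansion while splitting on commas
  for u in $1; do
    check_redirect_uri "$u" || rc=1
  done
  set +f
  IFS=$old_ifs
  return $rc
}

# register_client NAME "URI,URI" [more create-client flags...]
# Runs create-client only when every redirect URI passed the policy.
register_client() {
  name=$1; uris=$2; shift 2
  check_redirect_uris "$uris" || { echo "refusing to register '$name'" >&2; return 1; }
  if [ "${SHYNTR_DRY_RUN:-0}" = 1 ]; then
    echo "./shyntr create-client --name $name --redirect-uris $uris${*:+ $*}"
    return 0
  fi
  ./shyntr create-client --name "$name" --redirect-uris "$uris" "$@"
}

# Usage: a public SPA client and a confidential backend client
# register_client "React Dashboard" "https://app.example.com/callback" --public
# register_client "Backend Service" "https://api.example.com/callback" --scopes "openid,read:api"
```

The checks are string-pattern checks, which is deliberate: a redirect URI is compared by the authorization server as an exact string, so the policy should reason about the literal value rather than a normalised URL.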
get-client
./shyntr get-client [client_id]
update-client
./shyntr update-client [client_id] [flags]
Supported flags:
- --name
- --redirect-uris
- --post-logout-uris
- --scopes
- --secret
delete-client
./shyntr delete-client [client_id]
inject-jwks
Injects a JWKS JSON payload into an existing OIDC client record.
./shyntr inject-jwks [client_id] [jwks_file]
This is primarily useful when a client needs explicit JSON Web Keys stored for verification workflows. The file should contain only public key material: a JWKS is a verification artifact, and private-key members (such as d, p and q for RSA) have no place in a client record.
SAML Client (Service Provider) Management
create-saml-client
Registers a SAML service provider.
./shyntr create-saml-client [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --entity-id | Yes | - | Service Provider entity ID |
| --acs-url | Yes | - | Assertion Consumer Service URL |
| --slo-url | No | - | Single Logout URL |
| --allowed-scopes | No | - | Allowed scopes mapped into assertions |
| --tenant-id | No | default | Tenant ID |
| --name | No | SAML App | Application name |
| --force-authn | No | false | Force re-authentication |
| --sign-response | No | false | Sign the SAML response |
| --sign-assertion | No | false | Sign the SAML assertion |
Both signing flags default to false. Enable at least --sign-assertion for a production service provider: an unsigned assertion gives the SP nothing to verify.
Example:
./shyntr create-saml-client \
--name "Salesforce" \
--entity-id "https://acme.my.salesforce.com" \
--acs-url "https://acme.my.salesforce.com/sso/saml" \
--allowed-scopes "openid,profile,email" \
--sign-response \
--sign-assertion
get-saml-client
./shyntr get-saml-client [entity_id]
update-saml-client
./shyntr update-saml-client [entity_id] [flags]
Supported flags:
- --acs-url
- --slo-url
- --allowed-scopes
- --name
delete-saml-client
./shyntr delete-saml-client [entity_id]
SAML Connection (Identity Provider) Management
create-saml-connection
Registers an external SAML IdP.
./shyntr create-saml-connection [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --metadata-file | Yes* | - | Path to metadata XML |
| --metadata-url | Yes* | - | URL for metadata retrieval |
| --tenant-id | No | default | Tenant ID |
| --name | No | SAML IDP | Connection name |
| --sign-request | No | false | Sign outbound AuthnRequests |
* One of --metadata-file or --metadata-url is required.
get-saml-connection
./shyntr get-saml-connection [id]
delete-saml-connection
./shyntr delete-saml-connection [id]
OIDC Connection (Identity Provider) Management
create-oidc-connection
Registers an external OIDC provider.
./shyntr create-oidc-connection [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --issuer | Yes | - | OIDC issuer URL |
| --client-id | Yes | - | Upstream client ID |
| --client-secret | Yes | - | Upstream client secret |
| --tenant-id | No | default | Tenant ID |
| --name | No | OIDC Provider | Connection name |
| --scopes | No | openid,profile,email | Requested upstream scopes |
The upstream client secret is taken from the command line, so it is recorded in shell history and visible in process listings while the command runs; rotate it at the upstream provider if it is exposed.
get-oidc-connection
./shyntr get-oidc-connection [id]
delete-oidc-connection
./shyntr delete-oidc-connection [id]
LDAP Connection Management
create-ldap-connection
Registers an LDAP or Active Directory connection.
./shyntr create-ldap-connection [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --tenant-id | No | default | Tenant ID |
| --name | No | LDAP Directory | Connection name |
| --server-url | Yes | - | LDAP server URL using ldap:// or ldaps:// |
| --bind-dn | No | - | Bind DN |
| --bind-password | No | - | Bind password |
| --base-dn | Yes | - | Base DN used for directory searches |
| --start-tls | No | false | Enable StartTLS |
| --insecure-skip-verify | No | false | Skip TLS certificate verification |
ldap:// without --start-tls sends the bind password and every search in cleartext, and --insecure-skip-verify disables certificate validation for the directory connection; use either only against a test directory.
Example:
./shyntr create-ldap-connection \
--tenant-id acme \
--name "Acme Directory" \
--server-url "ldaps://ldap.acme.internal:636" \
--bind-dn "cn=svc-shyntr,ou=service,dc=acme,dc=internal" \
--bind-password "super-secret-password" \
--base-dn "dc=acme,dc=internal"
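The example above puts the bind password on the command line, where it lands in shell history, and the flag table allows ldap:// without StartTLS and --insecure-skip-verify, both of which hand that password or the directory session to an on-path attacker. The script below is an added example, not Shyntr's own code: it refuses those combinations, reads the password from a mode-0600 file instead of a literal, and only then calls ./shyntr create-ldap-connection. The policy, the helper names and the SHYNTR_DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Shyntr's own code): enforce a transport policy for LDAP
# connections and keep the bind password out of shell history by reading it
# from a mode-0600 file. The policy is this script's own; SHYNTR_DRY_RUN=1 is
# this script's convention (not a Shyntr variable) to print instead of run.

# ldap_policy_ok SERVER_URL [START_TLS] [INSECURE] -> 0 if the combination is acceptable
ldap_policy_ok() {
  url=$1; start_tls=${2:-false}; insecure=${3:-false}
  if [ "$insecure" = true ]; then
    echo "reject: --insecure-skip-verify disables certificate validation" >&2
    return 1
  fi
  case "$url" in
    ldaps://?*) return 0 ;;
    ldap://?*)
      [ "$start_tls" = true ] && return 0
      echo "reject: ldap:// without --start-tls sends the bind password in cleartext" >&2
      return 1 ;;
    *) echo "reject: unsupported scheme in '$url'" >&2; return 1 ;;
  esac
}

# read_bind_password FILE -> prints the password; refuses files readable by group or others
read_bind_password() {
  f=$1
  [ -f "$f" ] || { echo "reject: missing password file $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU, then BSD stat
  case "$mode" in
    600|400) ;;
    *) echo "reject: $f is mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  cat "$f"
}

# create_ldap_connection TENANT NAME SERVER_URL BIND_DN PASSWORD_FILE BASE_DN [START_TLS]
# Never passes --insecure-skip-verify; runs the CLI only when the policy holds.
create_ldap_connection() {
  tenant=$1; name=$2; url=$3; bind_dn=$4; pwfile=$5; base_dn=$6; start_tls=${7:-false}
  ldap_policy_ok "$url" "$start_tls" false || return 1
  pw=$(read_bind_password "$pwfile") || return 1
  tls_flag=""
  [ "$start_tls" = true ] && tls_flag=" --start-tls"
  if [ "${SHYNTR_DRY_RUN:-0}" = 1 ]; then
    # dry run: show the command with the secret masked
    echo "./shyntr create-ldap-connection --tenant-id $tenant --name $name --server-url $url --bind-dn $bind_dn --bind-password <redacted> --base-dn $base_dn$tls_flag"
    return 0
  fi
  ./shyntr create-ldap-connection --tenant-id "$tenant" --name "$name" --server-url "$url" \
    --bind-dn "$bind_dn" --bind-password "$pw" --base-dn "$base_dn" $tls_flag
}

# Usage:
# create_ldap_connection acme "Acme Directory" "ldaps://ldap.acme.internal:636" \
#   "cn=svc-shyntr,ou=service,dc=acme,dc=internal" /etc/shyntr/ldap-bind.pw "dc=acme,dc=internal"
```

The password still reaches the CLI through --bind-password, the only route the page documents, so it is visible in a process listing for the duration of the command; the file keeps it out of shell history and out of scripts, not out of ps.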
get-ldap-connection
./shyntr get-ldap-connection [id] --tenant-id <tenant_id>
delete-ldap-connection
./shyntr delete-ldap-connection [id] --tenant-id <tenant_id>
Cryptographic Key Management
import-key
Imports a CA-signed keypair into the Identity Hub.
./shyntr import-key [flags]
| Flag | Required | Default | Description |
|---|---|---|---|
| --use | No | sig | Key purpose: sig or enc |
| --cert | Yes | - | Certificate path |
| --key | Yes | - | Private key path |
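import-key takes the certificate and the private key as two separate files, and a mismatched pair, or a certificate that does not chain to the intended CA, is otherwise discovered only when signatures fail to verify. The script below is an added example, not Shyntr's own code: it uses openssl to confirm that the certificate's public key equals the public half of the private key and that the certificate verifies against the CA bundle before calling ./shyntr import-key. make_test_chain builds a throwaway CA and leaf purely for demonstration; the helper names, the demo CA and the SHYNTR_DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Shyntr's own code): check a certificate/private-key pair
# before ./shyntr import-key. make_test_chain builds a demo CA and leaf with
# openssl; in practice the certificate comes from your own CA. SHYNTR_DRY_RUN=1
# is this script's convention (not a Shyntr variable) to print instead of run.

# make_test_chain DIR -> writes ca.key, ca.crt, sig.key, sig.crt under DIR (demo only)
make_test_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=shyntr-sig" \
    -keyout "$dir/sig.key" -out "$dir/sig.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$dir/sig.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/sig.crt" 2>/dev/null
}

# cert_matches_key CERT KEY -> 0 if CERT carries the public half of KEY
cert_matches_key() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_chains_to CERT CA_BUNDLE -> 0 if CERT verifies against the bundle
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# import_signing_key CERT KEY CA_BUNDLE [USE] -> runs import-key only after both checks pass
import_signing_key() {
  cert=$1; key=$2; ca=$3; use=${4:-sig}
  case "$use" in sig|enc) ;; *) echo "reject: --use must be sig or enc" >&2; return 1 ;; esac
  cert_matches_key "$cert" "$key" || { echo "reject: $cert does not match $key" >&2; return 1; }
  cert_chains_to "$cert" "$ca" || { echo "reject: $cert does not chain to $ca" >&2; return 1; }
  if [ "${SHYNTR_DRY_RUN:-0}" = 1 ]; then
    echo "./shyntr import-key --use $use --cert $cert --key $key"
    return 0
  fi
  ./shyntr import-key --use "$use" --cert "$cert" --key "$key"
}

# Usage (demo): build a chain in a temp dir, verify it, then import it
# d=$(mktemp -d); make_test_chain "$d"
# import_signing_key "$d/sig.crt" "$d/sig.key" "$d/ca.crt" sig
```

Comparing the PEM public keys is deliberately algorithm-agnostic: it works the same for RSA and EC keys, unlike the older modulus-comparison trick, which only applies to RSA.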
Command Quick Reference
| Category | Command | Description |
|---|---|---|
| System | migrate | Run migrations |
| | serve | Start the servers |
| Tenants | create-tenant | Create tenant |
| | get-tenant | View tenant |
| | update-tenant | Update tenant |
| | delete-tenant | Delete tenant |
| Scopes | create-scope | Create scope |
| | get-scope | View scope |
| | update-scope | Update scope |
| | delete-scope | Delete scope |
| OIDC Clients | create-client | Register OIDC client |
| | get-client | View client |
| | update-client | Update client |
| | delete-client | Delete client |
| | inject-jwks | Inject client JWKS |
| SAML Clients | create-saml-client | Register SAML client |
| | get-saml-client | View SAML client |
| | update-saml-client | Update SAML client |
| | delete-saml-client | Delete SAML client |
| SAML Connections | create-saml-connection | Register SAML IdP |
| | get-saml-connection | View SAML connection |
| | delete-saml-connection | Delete SAML connection |
| OIDC Connections | create-oidc-connection | Register OIDC provider |
| | get-oidc-connection | View OIDC connection |
| | delete-oidc-connection | Delete OIDC connection |
| LDAP Connections | create-ldap-connection | Register LDAP directory |
| | get-ldap-connection | View LDAP connection |
| | delete-ldap-connection | Delete LDAP connection |
| Keys | import-key | Import CA-signed keypair |
Next Steps
- Configure Environment Variables
- Deploy with Docker Compose
- Review Architecture before exposing admin endpoints