Version: 1.0.0

CLI Reference

The Shyntr Identity Hub includes a powerful Command Line Interface (CLI) built into the main binary. It allows administrators to manage tenants, configure OIDC/SAML clients, and register external identity providers without directly accessing the database or API.

Usage Syntax


./shyntr [command] [subcommand] [flags]


Getting Help

Use --help with any command to see available options:


./shyntr --help
./shyntr create-client --help


System Commands

These commands manage the core application state.

migrate

Runs the GORM database auto-migration to ensure all schema definitions are up to date.


./shyntr migrate

| Flag | Description |
| --- | --- |
| (none) | This command has no flags |

Automatic Migration

Migrations run automatically when starting the serve command. Use this command for manual migration or CI/CD pipelines.

serve

Starts the public and admin HTTP servers, including background cleanup workers.


./shyntr serve

| Flag | Description |
| --- | --- |
| (none) | Configuration via environment variables |

This command:

  • Runs database migrations
  • Starts the Public API on PORT
  • Starts the Admin API on ADMIN_PORT
  • Starts background workers for session cleanup

Tenant Management

Tenants are the core isolation boundaries within Shyntr.

create-tenant

Creates a new isolated tenant environment.


./shyntr create-tenant [flags]

| Flag | Required | Default | Description |
| --- | --- | --- | --- |
| --id | No | Auto-generated 4-byte hex | Unique slug identifier |
| --name | No | Same as --id | Operational name |
| --display-name | No | Same as --name | Human-readable display name |
| --desc | No | CLI Created | Short description |

Examples:

Create tenant with auto-generated ID:
./shyntr create-tenant --name "Acme Corporation"

Create tenant with custom ID:
./shyntr create-tenant \
--id acme \
--name "Acme Corporation" \
--display-name "Acme Corp" \
--desc "Production tenant for Acme"

get-tenant

Retrieves the details of a specific tenant.


./shyntr get-tenant [id]

| Argument | Required | Description |
| --- | --- | --- |
| id | Yes | Unique tenant ID |

Example:


./shyntr get-tenant acme

update-tenant

Updates an existing tenant's configuration.


./shyntr update-tenant [id] [flags]

| Argument | Required | Description |
| --- | --- | --- |
| id | Yes | Unique tenant ID |

| Flag | Description |
| --- | --- |
| --name | Update operational name |
| --display-name | Update display name |

Example:


./shyntr update-tenant acme --display-name "Acme Industries"

delete-tenant

Deletes a tenant and cascades deletion to all associated resources.


./shyntr delete-tenant [id]

| Argument | Required | Description |
| --- | --- | --- |
| id | Yes | Unique tenant ID |

Cascading Deletion

This permanently deletes the tenant and ALL associated:

  • OIDC clients
  • SAML clients
  • Identity Provider connections
  • Sessions and tokens

The default tenant cannot be deleted.

Example:


./shyntr delete-tenant acme


OIDC Client Management

Manage applications (Service Providers) that authenticate users via OpenID Connect or OAuth2.

create-client

Registers a new OIDC client.


./shyntr create-client [flags]

| Flag | Required | Default | Description |
| --- | --- | --- | --- |
| --tenant-id | No | default | Tenant this client belongs to |
| --client-id | No | Auto-generated 8-byte hex | Unique Client ID |
| --name | No | New Client <id> | Application name |
| --secret | No | Auto-generated 16-byte hex | Client Secret (ignored if --public) |
| --redirect-uris | No | http://localhost:8080/callback | Comma-separated callback URLs |
| --public | No | false | Public client (SPA/Mobile) |

Examples:

Create confidential client:
./shyntr create-client \
--name "Backend Service" \
--redirect-uris "https://api.example.com/callback"

Create public client (SPA):
./shyntr create-client \
--name "React Dashboard" \
--redirect-uris "https://app.example.com/callback" \
--public

Create client with custom secret:
./shyntr create-client \
--client-id my-custom-id \
--name "Custom App" \
--secret "my-secure-secret-value" \
--redirect-uris "https://custom.example.com/callback"
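
A pre-flight check for the comma-separated --redirect-uris value, as an added example that is not part of Shyntr or its documentation. The function name check_redirect_uris and the ALLOW_LOOPBACK_HTTP switch are invented here; the rules (https only, exact URLs, no fragment, no userinfo) follow general OAuth 2.0 practice rather than anything this page says Shyntr enforces.

```shell
#!/bin/sh
# Added example (not Shyntr code): validate a --redirect-uris value before
# registering or updating a client. Names below are invented for this sketch.

# check_redirect_uris LIST
#   LIST is the comma-separated string that would be passed to --redirect-uris.
#   Prints one line per rejected entry on stderr; returns 0 only if all pass.
check_redirect_uris() {
    list=$1
    bad=0
    case $list in
        ''|*,) echo "reject: empty list or trailing comma" >&2; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    set -f    # keep entries such as https://*.example.com from glob-expanding
    for uri in $list; do
        reason=
        case $uri in
            '')            reason="empty entry" ;;
            *[[:space:]]*) reason="contains whitespace" ;;
            *\**)          reason="wildcard; register exact URLs" ;;
            *\#*)          reason="fragment not allowed in a redirect URI" ;;
            *@*)           reason="userinfo can disguise the real host" ;;
            https://?*)    ;;
            http://localhost|http://localhost[:/]*|http://127.0.0.1|http://127.0.0.1[:/]*)
                [ "${ALLOW_LOOPBACK_HTTP:-0}" = 1 ] || reason="http loopback (development only)" ;;
            *)             reason="scheme is not https" ;;
        esac
        if [ -n "$reason" ]; then
            echo "reject: '$uri': $reason" >&2
            bad=1
        fi
    done
    set +f
    IFS=$old_ifs
    return "$bad"
}

# Typical use (URIS is a variable of your own):
#   check_redirect_uris "$URIS" && ./shyntr create-client --redirect-uris "$URIS"
```

With ALLOW_LOOPBACK_HTTP unset, the documented default http://localhost:8080/callback is rejected, which makes it visible when a client is about to be registered without an explicit --redirect-uris.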

get-client

Retrieves details of an OIDC client.


./shyntr get-client [client_id]

update-client

Updates an OIDC client's configuration.


./shyntr update-client [client_id] [flags]

| Flag | Description |
| --- | --- |
| --name | Update application name |
| --redirect-uris | Update callback URLs |
| --secret | Regenerate client secret |

Example:


./shyntr update-client abc123 \
--name "Updated App Name" \
--redirect-uris "https://new-url.example.com/callback"

delete-client

Deletes an OIDC client.


./shyntr delete-client [client_id]


SAML Client (Service Provider) Management

Manage legacy applications that require SAML 2.0 authentication.

create-saml-client

Registers a new SAML Service Provider.


./shyntr create-saml-client [flags]

| Flag | Required | Default | Description |
| --- | --- | --- | --- |
| --entity-id | Yes | - | Exact Entity ID expected by the SP |
| --acs-url | Yes | - | Assertion Consumer Service URL (POST) |
| --tenant-id | No | default | Tenant this client belongs to |
| --name | No | SAML App | Application name |

Example:


./shyntr create-saml-client \
--name "Salesforce" \
--entity-id "https://acme.my.salesforce.com" \
--acs-url "https://acme.my.salesforce.com/sso/saml"

get-saml-client

Retrieves details of a SAML Client.


./shyntr get-saml-client [entity_id]

update-saml-client

Updates a SAML Client's configuration.


./shyntr update-saml-client [entity_id] [flags]

| Flag | Description |
| --- | --- |
| --acs-url | Update ACS URL |
| --name | Update application name |

delete-saml-client

Deletes a SAML Client.


./shyntr delete-saml-client [entity_id]


SAML Connection (Identity Provider) Management

Manage external SAML Identity Providers that Shyntr will trust.

create-saml-connection

Registers a new external SAML IdP using its Metadata XML.


./shyntr create-saml-connection [flags]

| Flag | Required | Default | Description |
| --- | --- | --- | --- |
| --metadata-file | Yes | - | Local path to IdP metadata XML |
| --tenant-id | No | default | Tenant this connection belongs to |
| --name | No | SAML IDP | Identity Provider name |

Example:


./shyntr create-saml-connection \
--name "Okta Enterprise" \
--metadata-file /path/to/okta-metadata.xml \
--tenant-id acme

get-saml-connection

Retrieves details of a SAML Connection.


./shyntr get-saml-connection [id]

delete-saml-connection

Deletes a SAML Connection.


./shyntr delete-saml-connection [id]


OIDC Connection (Identity Provider) Management

Manage external OpenID Connect Identity Providers that Shyntr will trust.

create-oidc-connection

Registers a new external OIDC Provider.


./shyntr create-oidc-connection [flags]

| Flag | Required | Default | Description |
| --- | --- | --- | --- |
| --issuer | Yes | - | Issuer URL (for OIDC Discovery) |
| --client-id | Yes | - | Client ID from external IdP |
| --client-secret | Yes | - | Client Secret from external IdP |
| --tenant-id | No | default | Tenant this connection belongs to |
| --name | No | OIDC Provider | Identity Provider name |

Examples:

Connect Google:
./shyntr create-oidc-connection \
--name "Google Workspace" \
--issuer "https://accounts.google.com" \
--client-id "xxx.apps.googleusercontent.com" \
--client-secret "GOCSPX-xxx"

Connect Azure AD:
./shyntr create-oidc-connection \
--name "Azure AD" \
--issuer "https://login.microsoftonline.com/tenant-id/v2.0" \
--client-id "azure-client-id" \
--client-secret "azure-secret" \
--tenant-id acme

get-oidc-connection

Retrieves details of an OIDC Connection.


./shyntr get-oidc-connection [id]

delete-oidc-connection

Deletes an OIDC Connection.


./shyntr delete-oidc-connection [id]


Command Quick Reference

| Category | Command | Description |
| --- | --- | --- |
| System | migrate | Run database migrations |
| System | serve | Start the servers |
| Tenants | create-tenant | Create new tenant |
| Tenants | get-tenant | View tenant details |
| Tenants | update-tenant | Update tenant |
| Tenants | delete-tenant | Delete tenant |
| OIDC Clients | create-client | Register OIDC client |
| OIDC Clients | get-client | View client details |
| OIDC Clients | update-client | Update client |
| OIDC Clients | delete-client | Delete client |
| SAML Clients | create-saml-client | Register SAML SP |
| SAML Clients | get-saml-client | View SAML client |
| SAML Clients | update-saml-client | Update SAML client |
| SAML Clients | delete-saml-client | Delete SAML client |
| SAML IdPs | create-saml-connection | Register SAML IdP |
| SAML IdPs | get-saml-connection | View connection |
| SAML IdPs | delete-saml-connection | Delete connection |
| OIDC IdPs | create-oidc-connection | Register OIDC IdP |
| OIDC IdPs | get-oidc-connection | View connection |
| OIDC IdPs | delete-oidc-connection | Delete connection |

Exit Codes

| Code | Meaning |
| --- | --- |
| 0 | Success |
| 1 | General error |
| 2 | Invalid arguments |
| 3 | Database connection failed |
| 4 | Resource not found |
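
An added example, not taken from the Shyntr project, of using these exit codes in automation: create a tenant only when get-tenant reports "resource not found", and never when the database is unreachable. It assumes get-tenant exits with code 4 for a missing tenant; SHYNTR and ensure_tenant are names invented for this sketch.

```shell
#!/bin/sh
# Added example (not Shyntr code): idempotent tenant provisioning that branches
# on the documented exit codes. SHYNTR and ensure_tenant are invented names.
SHYNTR="${SHYNTR:-./shyntr}"

# ensure_tenant ID NAME
#   Returns 0 if the tenant already exists or was created; otherwise returns
#   the CLI's exit code so the caller (e.g. a CI job) fails for the right reason.
ensure_tenant() {
    id=$1
    name=$2
    rc=0
    "$SHYNTR" get-tenant "$id" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "tenant '$id' already exists, nothing to do" >&2
           return 0 ;;
        4) ;;  # resource not found: the only code that justifies creating
        3) echo "database connection failed; not creating '$id'" >&2
           return 3 ;;
        *) echo "get-tenant '$id' failed with exit code $rc" >&2
           return "$rc" ;;
    esac
    rc=0
    "$SHYNTR" create-tenant --id "$id" --name "$name" >/dev/null || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "create-tenant '$id' failed with exit code $rc" >&2
    fi
    return "$rc"
}

# Typical use:
#   ensure_tenant acme "Acme Corporation" || exit $?
```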
