OpenCrane CLI Reference
oc is the first-class command-line interface for the OpenCrane platform. Every administrative capability available through the API is reachable via oc.
Installation
# From the monorepo
pnpm --filter @opencrane/cli build
node apps/cli/dist/index.js --help
# Or link globally after building
pnpm --filter @opencrane/cli build
npm link apps/cli
oc --helpGlobal Options
These options apply to every command and can be set via environment variables.
| Flag | Env var | Default | Description |
|---|---|---|---|
--url <url> | OPENCRANE_URL | http://localhost:8080 | Control-plane base URL |
--token <token> | OPENCRANE_TOKEN | — | Bearer token (break-glass / automation path) |
--output <format> | — | table | Output format: table or json |
Authentication note: Bearer token is the current automation path. OIDC is the planned human-operator path; see the oc auth commands. Projected ServiceAccount tokens will replace static bearer tokens once Kubernetes workload identity support lands.
Command Groups
oc tenants
Manage tenant lifecycle.
oc tenants list List all tenants
oc tenants get <name> Get a tenant by name
oc tenants create Create a tenant (reads JSON from stdin)
oc tenants update <name> Update a tenant (reads JSON from stdin)
oc tenants delete <name> Delete a tenant
oc tenants suspend <name> Suspend a tenant pod
oc tenants resume <name> Resume a suspended tenant
oc tenants datasets get <name> Get dataset memberships for a tenant
oc tenants datasets set <name> Update dataset memberships (reads JSON from stdin)
oc tenants contract <name> Print the compiled effective runtime contractoc policies
Manage AccessPolicy resources.
oc policies list List all access policies
oc policies get <name> Get a policy by name
oc policies create Create a policy (reads JSON from stdin)
oc policies update <name> Update a policy (reads JSON from stdin)
oc policies delete <name> Delete a policyoc mcp
Manage MCP server registrations.
oc mcp list List MCP servers
oc mcp get <id> Get an MCP server
oc mcp create Register an MCP server (reads JSON from stdin)
oc mcp update <id> Update an MCP server (reads JSON from stdin)
oc mcp delete <id> Delete an MCP serveroc skills
Manage the skill catalogue.
oc skills list List skill bundles
oc skills get <id> Get a skill bundle
oc skills publish Publish a skill bundle (reads JSON from stdin)
oc skills update <id> Update a skill bundle (reads JSON from stdin)
oc skills delete <id> Remove a skill bundleoc budget
Inspect and manage AI budgets and LiteLLM virtual keys.
oc budget global get Get global budget settings
oc budget global set Update global budget settings (reads JSON from stdin)
oc budget accounts list List per-user account budgets
oc budget accounts set <userId> Set a user account budget (reads JSON from stdin)
oc budget accounts delete <userId> Remove a user account budget
oc budget spend <tenantName> Show current spend for a tenant
oc budget key get <tenantName> Get a tenant's LiteLLM virtual key
oc budget key revoke <tenantName> Revoke a tenant's LiteLLM virtual keyoc audit
Query the audit log.
oc audit list List audit log entries
--tenant <name> Filter to a specific tenant
--limit <n> Maximum entries (default 100)
--cursor <cursor> Pagination cursor from a previous responseOutputs a cursor hint when more pages are available:
More results available. Next cursor: eyJ...
Run with --cursor eyJ... to fetch the next page.oc tokens
Manage access tokens.
oc tokens list List access tokens
oc tokens create Create an access token (reads JSON from stdin)
oc tokens delete <id> Revoke an access tokenoc providers
Manage provider API keys (e.g. OpenAI, Anthropic).
oc providers list List configured provider keys
oc providers set Set a provider key (reads JSON from stdin)
oc providers delete <provider> Remove a provider keyoc metrics
Inspect platform metrics.
oc metrics server Server health and aggregate platform metrics
oc metrics drift Projection drift counts, lag, and alert stateoc auth
Manage session and OIDC authentication.
oc auth me Print the current session principal
oc auth logout End the current sessionOIDC login is browser-initiated: open <OPENCRANE_URL>/api/v1/auth/login in a browser to start the flow and receive a session cookie.
Output Formats
Table (default) — human-readable columns printed to stdout.
JSON — machine-readable output, suitable for piping to jq:
oc tenants list --output json | jq '.[].name'
oc audit list --output json --tenant acme | jq '.[].action'Exit Codes
| Code | Meaning |
|---|---|
0 | Success |
1 | Error (API error, validation failure, or unexpected exception) |
All destructive commands (delete, revoke, suspend) are non-interactive and exit immediately. There are no confirmation prompts — suitable for scripting.
Examples
# Provision a tenant
echo '{"name":"acme","email":"ops@acme.com","team":"platform"}' | oc tenants create
# Stream audit log across pages
cursor=""
while true; do
out=$(oc audit list --limit 200 --cursor "$cursor" --output json)
echo "$out" | jq '.[]'
cursor=$(oc audit list --limit 200 --cursor "$cursor" | grep 'Next cursor:' | awk '{print $NF}')
[ -z "$cursor" ] && break
done
# Check projection drift before a deploy
oc metrics drift --output json | jq '.tenants.mismatchCount'
# Revoke a key and verify it's gone
oc budget key revoke acme
oc budget key get acme # should 404