CLI reference

Commands default to colored human-readable output. Many list/status commands accept --verbose / -v for full JSON; invoke also has dedicated json and markdown subcommands for structured output.

Command groups

Group	Purpose
Vault lifecycle	`status`, `init`, `unlock`, `lock`, `rotate-master`, `audit`
Secrets	`secrets create`, `list`, `update`, `rotate`, `delete`, `import`
Credentials	`credential create`, `list`, `delete`
Capabilities	`capability list`, `describe`, `create`, `delete`, `policy`, `bind`, `unbind`, `bindings`
Invoke	`invoke`, `json`, `markdown`
OAuth	`oauth setup`

Top-level shortcuts

These shortcuts avoid typing capability invoke ... for the most common operation:

aivault invoke <id> ...       # same as: aivault capability invoke <id>
aivault json <id> ...         # same as: aivault capability json <id>
aivault markdown <id> ...     # same as: aivault capability markdown <id>
aivault md <id> ...           # alias for markdown

Global behavior

Auto-initialization: if no vault exists, the first command that needs it will auto-initialize with safe defaults
Daemon boundary: on unix platforms, invoke commands connect to the aivaultd daemon (auto-started) for secret isolation. See Daemon
Output modes: human-readable (default); JSON via --verbose / -v on commands that support it; or structured JSON/markdown via the json/markdown subcommands

Start

Core

CLI

Security

Registry

Ops

Command groups

Top-level shortcuts

Global behavior

Start

Core

CLI

Security

Registry

Ops

​Command groups

​Top-level shortcuts

​Global behavior

Command groups

Top-level shortcuts

Global behavior