Documentation

pangolin CLI

pangolin-pp-cli

Install

npx -y @mvanhorn/printing-press-library install pangolin

Installs the CLI binary and the agent skill for Claude Code, Codex, Cursor, Gemini CLI, Copilot, and more. Add --cli-only or --skill-only for one half. Requires Node.

Documentation

The first agent-native CLI for Pangolin — every endpoint, plus offline SQLite, cross-org audits, and one-shot config backup and restore the dashboard cannot do.

Pangolin is the open-source, self-hosted alternative to Cloudflare Tunnels. This CLI exposes all 157 integration-API endpoints with --json, --select, --csv, and --dry-run, mirrors the full configuration into a local SQLite store, and adds commands that span orgs — audit, cert-watch, access-graph, backup, restore, expose — that no Pangolin tool offers today.

Authentication

Authentication is a single Bearer integration token. Set PANGOLIN_TOKEN in your environment; the base URL is typically https:///api/v1 (note: the OpenAPI spec advertises /v1 but real EE deployments mount the API under /api/v1). Set PANGOLIN_BASE_URL accordingly and run pangolin-pp-cli doctor to confirm.

Quick Start

# Confirm auth and base URL are correct before doing anything else
pangolin-pp-cli doctor


# Mirror every org, site, resource, target, role, and IdP into local SQLite
pangolin-pp-cli sync --full


# Cross-org health: stale targets, missing roles, orphaned resources
pangolin-pp-cli audit --json


# List certificates expiring in the next 30 days
pangolin-pp-cli cert-watch --days 30 --json


# Snapshot the full configuration for version control or DR
pangolin-pp-cli backup --out pangolin-backup.json

Unique Features

These capabilities aren't available in any other tool for this API.

Local state that compounds

  • audit — Find stale targets, orphaned resources, and missing role bindings across every org you administer, in one command.

    When the user asks 'is anything broken in my Pangolin stack?', this is the single command that answers it — no dashboard tab-clicking.

    pangolin-pp-cli audit --json --select issues
    
  • cert-watch — List certificates sorted by days-until-expiry across every org, with a configurable warning window.

    When the user asks 'what certs expire soon?', skip the dashboard and get an actionable list with one call.

    pangolin-pp-cli cert-watch --days 30 --json
    
  • access-graph — Answer 'who can reach what' by joining users, roles, resources, and orgs into one queryable view.

    When the user asks 'what does $person have access to?' or 'who can hit this resource?', this is the answer.

    pangolin-pp-cli access-graph --user $USER_ID --json
    

Disaster recovery

  • backup — Export the complete Pangolin configuration — orgs, sites, resources, targets, roles, IdPs — as version-controllable JSON.

    When the user wants a disaster-recovery snapshot or a config diff between dates, this is the artifact.

    pangolin-pp-cli backup --out pangolin-backup.json
    
  • restore — Re-apply a backup against a fresh Pangolin install, in the correct dependency order, with dry-run preview.

    When the user rebuilds a Pangolin host or moves between machines, this is the way back up.

    pangolin-pp-cli restore pangolin-backup.json --dry-run
    

Agent-native plumbing

  • expose — Create site (if needed), create resource, attach target, bind a role — in one command, with dry-run preview.

    When the user (or an agent) wants to expose a homelab service, this is the entire workflow in one line.

    pangolin-pp-cli expose grafana --target 192.168.1.50:3000 --site site_42 --role admins --dry-run
    
  • doctor — Validate auth, probe both /v1 and /api/v1 mount paths, and report the working integration-API base URL with environment-variable guidance.

    When the user sets up the CLI for the first time, this catches the single most common misconfiguration before any other command fails.

    pangolin-pp-cli doctor
    

Usage

Run pangolin-pp-cli --help for the full command reference and flag list.

Commands

access-token

Manage access token

  • pangolin-pp-cli access-token <accessTokenId> - Delete a access token.

certificate

Manage certificate

  • pangolin-pp-cli certificate <certId> <orgId> - Restart a certificate by ID.

client

Manage client

  • pangolin-pp-cli client create - Update a client by its client ID.
  • pangolin-pp-cli client delete - Delete a client by its client ID.
  • pangolin-pp-cli client get - Get a client by its client ID.

domain

Manage domain

  • pangolin-pp-cli domain - Check if a domain namespace is available based on subdomain

domains

Manage domains

  • pangolin-pp-cli domains - List all domain namespaces in the system

idp

Manage idp

  • pangolin-pp-cli idp delete - Delete IDP.
  • pangolin-pp-cli idp get - Get an IDP by its IDP ID.
  • pangolin-pp-cli idp list - List all IDP in the system.
  • pangolin-pp-cli idp update - Create an OIDC IdP.

maintenance

Manage maintenance

  • pangolin-pp-cli maintenance - Get maintenance information for a resource by domain.

openapi-json

Manage openapi json

  • pangolin-pp-cli openapi-json - Get OpenAPI specification as JSON

openapi-yaml

Manage openapi yaml

  • pangolin-pp-cli openapi-yaml - Get OpenAPI specification as YAML

org

Manage org

  • pangolin-pp-cli org create - Update an organization
  • pangolin-pp-cli org delete - Delete an organization
  • pangolin-pp-cli org get - Get an organization
  • pangolin-pp-cli org update - Create a new organization

orgs

Manage orgs

  • pangolin-pp-cli orgs - List all organizations in the system.

resource

Manage resource

  • pangolin-pp-cli resource create - Update a resource.
  • pangolin-pp-cli resource delete - Delete a resource.
  • pangolin-pp-cli resource get - Get a resource by resourceId.

role

Manage role

  • pangolin-pp-cli role create - Update a role.
  • pangolin-pp-cli role delete - Delete a role.
  • pangolin-pp-cli role get - Get a role.

site

Manage site

  • pangolin-pp-cli site create - Update a site.
  • pangolin-pp-cli site delete - Delete a site and all its associated data.
  • pangolin-pp-cli site get - Get a site by siteId.

site-resource

Manage site resource

  • pangolin-pp-cli site-resource create - Update a site resource.
  • pangolin-pp-cli site-resource delete - Delete a site resource.
  • pangolin-pp-cli site-resource get - Get a specific site resource by siteResourceId.

target

Manage target

  • pangolin-pp-cli target create - Update a target.
  • pangolin-pp-cli target delete - Delete a target.
  • pangolin-pp-cli target get - Get a target.

user

Manage user

  • pangolin-pp-cli user <userId> - Get a user by ID.

users

Manage users

  • pangolin-pp-cli users - List non–server-admin users (server admin).

Output Formats

# Human-readable table (default in terminal, JSON when piped)
pangolin-pp-cli client get mock-value

# JSON for scripting and agents
pangolin-pp-cli client get mock-value --json

# Filter to specific fields
pangolin-pp-cli client get mock-value --json --select id,name,status

# Dry run — show the request without sending
pangolin-pp-cli client get mock-value --dry-run

# Agent mode — JSON + compact + no prompts in one flag
pangolin-pp-cli client get mock-value --agent

Agent Usage

This CLI is designed for AI agent consumption:

  • Non-interactive - never prompts, every input is a flag
  • Pipeable - --json output to stdout, errors to stderr
  • Filterable - --select id,name returns only fields you need
  • Previewable - --dry-run shows the request without sending
  • Explicit retries - add --idempotent to create retries and --ignore-missing to delete retries when a no-op success is acceptable
  • Confirmable - --yes for explicit confirmation of destructive actions
  • Piped input - write commands can accept structured input when their help lists --stdin
  • Offline-friendly - sync/search commands can use the local SQLite store when available
  • Agent-safe by default - no colors or formatting unless --human-friendly is set

Exit codes: 0 success, 2 usage error, 3 not found, 4 auth error, 5 API error, 7 rate limited, 10 config error.

Health Check

pangolin-pp-cli doctor

Verifies configuration, credentials, and connectivity to the API.

Configuration

Config file: ~/.config/pangolin-integration-pp-cli/config.toml

Static request headers can be configured under headers; per-command header overrides take precedence.

Environment variables:

NameKindRequiredDescription
PANGOLIN_TOKENper_callYesSet to your API credential.

Troubleshooting

Authentication errors (exit code 4)

  • Run pangolin-pp-cli doctor to check credentials
  • Verify the environment variable is set: echo $PANGOLIN_TOKEN Not found errors (exit code 3)
  • Check the resource ID is correct
  • Run the list command to see available items

API-specific

  • 404 on every command — The OpenAPI spec says /v1 but most EE deployments mount the API at /api/v1. Set PANGOLIN_BASE_URL=https:///api/v1 and rerun pangolin-pp-cli doctor.
  • 401 unauthorized — Verify PANGOLIN_TOKEN is set to a valid integration token (created in the dashboard under Integration Tokens). Run pangolin-pp-cli doctor to confirm.
  • Empty results from a list command — Local store may be stale. Run pangolin-pp-cli sync --full first, then retry.

Generated by CLI Printing Press

For agents: pass /documentation/pangolin/agents.md to install this CLI from a prompt.