talon-cli is the administrative entry point for common control-plane tasks.
Global flags
--gateway: gRPC gateway address, defaulthttp://localhost:50051--password: basic-auth password--token: bearer token--jwt-secret: shared JWT secret for short-lived admin tokens--grpc-web: use gRPC-Web over HTTP/1.1 instead of native gRPC
Commands
auth
Authenticate to the gateway or mint JWTs for clients when the gateway is
running with GATEWAY_JWT_SECRET.
auth login: sign in through Google OIDC and store a Talon access tokenauth logout: remove stored CLI authauth whoami: show stored CLI authauth root-token: unrestricted root tokenauth agent-token --namespace <ns> --agent <agent>: namespace and agent scoped tokenauth session-token --namespace <ns> --agent <agent> --session <session-id>: namespace, agent, and session scoped tokenauth channel-token --namespace <ns> --channel <channel>: namespace and channel scoped token
All token commands accept --subject and --ttl-seconds.
auth login accepts --google-client-id and --google-client-secret, with
environment fallbacks TALON_GOOGLE_CLIENT_ID and
TALON_GOOGLE_CLIENT_SECRET.
knowledge
Manage namespace knowledge artifacts directly by path.
knowledge getknowledge setknowledge deleteknowledge sync
apply
Apply a manifest file, optionally with template variables.
render
Render a manifest file after template substitution in YAML or JSON.
get
Fetch a resource by kind, name, and optional namespace.
delete
Delete a resource by kind, name, and optional namespace.
gen
Generate a TypeScript client SDK from manifest files.
Notes
- The CLI is best thought of as an operator/admin tool, not the only integration surface.
- The CLI talks to the gateway RPC surface directly. Use native gRPC by default, and
--grpc-webfor Cloudflare-backed gateways that do not expose native gRPC. - For service-to-service integrations, prefer the generated gateway contracts directly.